Change Ratify namespace in "Ratify on Azure"
What would you like to be added?
We found that installing Ratify into the gatekeeper-system namespace doesn't inject the workload identity environment variables and fails to start up.
From here: "To protect the stability of the system and prevent custom admission controllers from impacting internal services in the kube-system namespace, AKS has an Admissions Enforcer, which automatically excludes kube-system and AKS internal namespaces."
And apparently "gatekeeper-system" is one of those internal namespaces. Things started working when we deployed into another namespace. It would be nice if the docs could mention this or be updated to use another namespace by default.
NB. We don't use the workload identity add-on, but manage the chart ourselves, so maybe this is not an issue with the add-on, but probably still worth mentioning on the page.
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this feature?
- [X] Yes, I am willing to implement it.
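The symptom described above is that the Azure Workload Identity webhook never mutates the Ratify pod. As an added diagnostic (not part of the Ratify project or this issue), the following shell function reads a pod's JSON and reports which of the webhook's injected environment variables are absent; `check_pod_injection` is a hypothetical wrapper that assumes `kubectl` access to the cluster.

```shell
# Environment variables the Azure Workload Identity mutating webhook injects
# into a pod whose service account is annotated for workload identity.
WI_ENV_VARS="AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_FEDERATED_TOKEN_FILE AZURE_AUTHORITY_HOST"

# wi_missing_vars: reads pod JSON on stdin (e.g. `kubectl get pod ... -o json`),
# prints the injected variables that are missing, one space-separated line.
# Returns 0 when every variable is present, 1 when at least one is missing,
# which is the "not injected" state the issue describes.
wi_missing_vars() {
  pod_json=$(cat)
  missing=""
  for v in $WI_ENV_VARS; do
    # Match `"name": "VAR"` in the container env list; kubectl output has a space
    # after the colon, compact JSON does not, so allow zero or more.
    if ! printf '%s' "$pod_json" | grep -q "\"name\": *\"$v\""; then
      missing="$missing $v"
    fi
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}

# check_pod_injection NAMESPACE POD: hypothetical wrapper (assumes kubectl and
# cluster access) that fetches the pod and runs the check above.
check_pod_injection() {
  ns=$1
  pod=$2
  kubectl get pod -n "$ns" "$pod" -o json | wi_missing_vars
}
```

If the function reports missing variables, the pod was not mutated, so the namespace is likely excluded from the webhook or the pod and service account lack the workload identity label and annotation.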
Hi @bspaans, thanks for calling it out! Actually we have an e2e test running on Azure which does work in the gatekeeper-system namespace. https://github.com/deislabs/ratify/blob/main/scripts/azure-ci-test.sh#L72C58-L72C58 It follows the steps in the doc which you might already have checked out. Wonder if you could find any difference between your setup and the e2e test so that we can further investigate the root cause. Thanks!
@bspaans btw, just want to check with you whether you enabled the workload identity addon when creating the AKS cluster, which would disable the enforcer. https://github.com/deislabs/ratify/blob/main/scripts/create-azure-resources.sh#L67