
Excluded namespaces do not appear in inventory #3243

Closed
skaven81 opened this issue Jan 30, 2024 · 4 comments
Labels
bug Something isn't working stale

Comments

@skaven81

What steps did you take and what happened:

With a Gatekeeper Config containing something like this:

spec:
  match:
  - excludedNamespaces:
    - kube-system
    - cattle-gatekeeper-system
    processes:
    - '*'
  sync:
    syncOnly:
    - group: ""
      kind: Namespace
      version: v1

Neither kube-system nor cattle-gatekeeper-system appear in the synced inventory.

What did you expect to happen:

I expect sync (which is about the inventory) to be decoupled from the match.excludedNamespaces (which is about Constraint and Mutator evaluation). It is confusing and unintuitive that excluding resources in a namespace from Constraint evaluation would also exclude that namespace (and presumably any resources inside) from being enumerated in the Gatekeeper inventory. The inventory should always be complete -- Constraints that depend on the inventory would naturally expect the inventory to contain all the resources in the cluster, not just the ones that are in namespaces where Constraints are allowed to be evaluated.

Workaround:

I have worked around this for now by not using excludedNamespaces at all in the Gatekeeper Config, and instead exclude namespaces using the admission.gatekeeper.sh/ignore=true label on namespaces I want to be excluded. But this doesn't exclude them from audit, so it's not a complete solution.

Environment:

  • Gatekeeper version: 3.13.4
  • Kubernetes version: (use kubectl version): {Major:"1", Minor:"26", GitVersion:"v1.26.8", GitCommit:"395f0a2fdc940aeb9ab88849e8fa4321decbf6e1", GitTreeState:"clean", BuildDate:"2023-08-24T00:43:07Z", GoVersion:"go1.20.7", Compiler:"gc", Platform:"linux/amd64"}
@skaven81 skaven81 added the bug Something isn't working label Jan 30, 2024
@ritazh
Member

ritazh commented Jan 31, 2024

Sounds like you want to exclude some namespaces from being evaluated by a given policy but you still want the namespace to be part of the inventory for all policies. Is that right? Can you see if the excludedNamespaces match field helps? https://open-policy-agent.github.io/gatekeeper/website/docs/howto#the-match-field

@skaven81
Author

I want some namespaces to be entirely exempt from all Gatekeeper constraints and mutators, but not excluded from the inventory.

As I noted in the original report, the workaround is to use the ignore label on the namespace, or (as you note) to have each individual constraint/mutator exclude the namespace(s).

The problem with these approaches, though, is twofold.

First, the fact that the Config resource's excludedNamespaces represents a "master switch" that can disable ALL evaluation for the given namespaces, is very useful, especially in an emergency. But its utility is severely hampered if adding namespaces to the Config resource's excludedNamespaces list has unintended side effects, namely that those namespaces (and presumably resources in those namespaces) are also removed from the inventory.

Second, the Config resource is logically split into multiple sections, which are logically independent of each other -- there is the "exclusion" section (documented here: https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces/), and then there is the "inventory" section (documented here: https://open-policy-agent.github.io/gatekeeper/website/docs/sync), and finally there is the "debugging" section (documented here: https://open-policy-agent.github.io/gatekeeper/website/docs/debug). The documentation is split into three different sections, so it is natural to think that the configuration settings in each of those sections are independent of each other.

That said, I will walk back my initial statement, as I do see that in https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces, it does show that processes includes sync, and so it should be possible to selectively exclude namespaces from just validation and/or mutation, without excluding it from sync.

So I suppose my real beef boils down to the fact that the documentation did not make it clear to me (when reading https://open-policy-agent.github.io/gatekeeper/website/docs/sync) that the excludedNamespaces part of the Config also impacts this feature.
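The fix the comment above arrives at, written out as a Config manifest. This is an added example, not a manifest from the issue or from the Gatekeeper project: it keeps the reporter's excluded namespaces and syncOnly entries, but lists the evaluation processes explicitly instead of using the `'*'` wildcard, which also covers `sync`. The `metadata.namespace` value is an assumption; use the namespace Gatekeeper is actually deployed in.

```yaml
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system   # assumption: match your Gatekeeper deployment namespace
spec:
  match:
  # As reported: processes ["*"] includes "sync", so these namespaces
  # (and their resources) are dropped from the inventory:
  #
  # - excludedNamespaces: [kube-system, cattle-gatekeeper-system]
  #   processes: ["*"]
  #
  # Corrected: exempt the namespaces from admission, mutation and audit
  # only; "sync" is left out so they still appear in the inventory.
  - excludedNamespaces:
    - kube-system
    - cattle-gatekeeper-system
    processes:
    - audit
    - webhook
    - mutation-webhook
  sync:
    syncOnly:
    - group: ""
      kind: Namespace
      version: v1
```

After applying it, the excluded namespaces should still be visible to constraints that read `data.inventory`, while no constraint or mutator is evaluated against resources in them.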

@JaydipGabani
Contributor

@skaven81 would you be interested in helping improve this documentation? Maybe raise a PR?


stale bot commented Apr 12, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Apr 12, 2024
@stale stale bot closed this as completed Apr 27, 2024