Allow excluding namespaces via labels #1078
Comments
Sounds good. I think we already have a potential design of this as part of config exclusion doc: https://docs.google.com/document/d/1yHuXFs_HQL5N9yT9QVi6AMyflWPtZS4Pg-uXczdqgZ8/edit |
+1 agree we should support this. |
+1 for adding this to the gatekeeper configs resource. In the meantime, if you want to exclude namespaces by label for both admission and audit, you could use the namespaceSelector match criteria in the constraint. |
true, that is a workaround! (... just ugly to copy-paste into all ... and still has overhead of the request hitting gatekeeper)
|
I thought of an edge case for this. Example: there is a config that says to sync all pods unless the pod's namespace has a do-not-sync label
To get around this, we should send a "delete" message for any resource event involving an excluded namespace. We also may need to trigger replays for all synced resource inside a namespace whose labels change... |
As discussed, this issue is not just for audit, it should be for all processes. |
I have a similar situation to the OP here. I'd like to only include namespaces that have a specific label (I know this doesn't solve for all the scenarios mentioned above in the comments/design doc, but would you be open to a contribution that modifies the Helm chart to allow for toggling on I think there would need to be some other changes to toggle the existing namespaceSelector:
  namespaceSelector:
    matchLabels:
      gatekeeper/enabled: "true" |
I'm open to a PR like the above (though of course the specifics pending). Some considerations:
|
What's the state on this one? Would appreciate the proposed solution, thanks for the update! |
It'd be good to fix the "object cache must be wiped every time a namespace changes" problem before using namespace selectors for sync. That requires being able to iterate over cached data, which is something we're looking at now. |
I am interested in this option, it would be very useful for the operation. |
Folks, if you want to exclude namespaces by label for both admission and audit, you could use the namespaceSelector match criteria in the constraint. https://open-policy-agent.github.io/gatekeeper/website/docs/howto#the-match-field |
Currently I have to list all my "bad" namespaces since I don't want to audit them.
When only using the webhook I excluded them by configuring a namespaceSelector on the webhook, which is more flexible and efficient since the request never gets sent to opa.
But since I also use auditing I need a way to replicate that.
I'd propose namespaceSelector to also be an option for exclusion so I can use the same setting in the webhook and for auditing (... ideally auditing would read the namespaceSelector from the webhook to avoid duplication)
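As an added illustration (not part of the issue thread or the Gatekeeper project), the two places the thread mentions for a label-based exclusion: the admission webhook's namespaceSelector, which only stops requests reaching Gatekeeper, and a constraint's match.namespaceSelector, which the docs linked above describe as applying to both admission and audit. The label key gatekeeper/exempt, the constraint name, and the webhook and template names are assumptions for this example.

```yaml
# Added example, not code from the issue or the project. The label key
# "gatekeeper/exempt", the constraint name, and the webhook/template names
# are assumed for illustration.
---
# 1) Admission only (fragment: only the field being set is shown).
#    Requests from namespaces carrying the label never reach Gatekeeper,
#    so audit is unaffected, which is the gap the issue describes.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: gatekeeper-validating-webhook-configuration   # assumed name
webhooks:
  - name: validation.gatekeeper.sh                    # assumed name
    namespaceSelector:
      matchExpressions:
        - key: gatekeeper/exempt
          operator: NotIn
          values: ["true"]
---
# 2) Admission and audit. match.namespaceSelector is a standard Kubernetes
#    LabelSelector evaluated for both paths, but it lives on each constraint,
#    so the same expression has to be repeated on every constraint.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels            # template from the Gatekeeper docs example
metadata:
  name: require-gatekeeper-label   # constructed name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaceSelector:
      matchExpressions:
        - key: gatekeeper/exempt   # same expression as on the webhook
          operator: NotIn
          values: ["true"]
  parameters:
    labels: ["gatekeeper"]
```

Keeping the two selectors textually identical is the manual version of the "read the namespaceSelector from the webhook" idea in the issue; any drift between them means a namespace is skipped at admission but still reported by audit, or the reverse.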