Allow excluding namespaces via labels #1078

Open
grosser opened this issue Jan 21, 2021 · 13 comments

@grosser
Contributor

grosser commented Jan 21, 2021

Currently I have to list all my "bad" namespaces since I don't want to audit them.

When only using the webhook I excluded them by configuring a namespaceSelector on the webhook, which is more flexible and efficient since the request never gets sent to opa.

But since I also use auditing I need a way to replicate that.

I'd propose namespaceSelector to also be an option for exclusion so I can use the same setting in the webhook and for auditing (... ideally auditing would read the namespaceSelector from the webhook to avoid duplication)

@grosser grosser added the enhancement New feature or request label Jan 21, 2021
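As an added illustration of the two mechanisms this comment contrasts (constructed for this page, not code from the issue or from Gatekeeper): today the Config resource can exclude namespaces only by name, for whichever processes you list, while the admission webhook's namespaceSelector excludes by label but covers admission alone, so audit and sync never see that filter. The namespace names, the webhook service name and path, and the `admission.gatekeeper.sh/ignore` label key are assumptions chosen to resemble a default Gatekeeper install; the rest of the webhook configuration is omitted.

```yaml
# Exclusion by name: applies to audit, sync and the webhook ("*"),
# but every "bad" namespace has to be spelled out.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  match:
    - excludedNamespaces: ["kube-system", "gatekeeper-system", "monitoring"]  # assumed names
      processes: ["*"]
---
# Exclusion by label: flexible and cheap (the request never reaches Gatekeeper),
# but it only affects admission. Audit and sync still process these namespaces.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: gatekeeper-validating-webhook-configuration
webhooks:
  - name: validation.gatekeeper.sh
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Ignore
    clientConfig:
      service:
        name: gatekeeper-webhook-service   # assumed
        namespace: gatekeeper-system
        path: /v1/admit
    rules:
      - apiGroups: ["*"]
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["*"]
    namespaceSelector:
      matchExpressions:
        - key: admission.gatekeeper.sh/ignore   # assumed label key
          operator: DoesNotExist
```

Because the label-based filter is enforced by the API server before the request is sent, it is also a bypass surface: any principal allowed to set labels on a namespace can take that namespace out of admission control. The name-based Config list has no such property, which is part of why the two mechanisms do not line up today.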
@maxsmythe
Contributor

Makes sense. There are eventual consistency concerns in that the cached version of a namespace may lag behind the public version, but this is no worse than the namespaceSelector match criteria.

@sozercan @ritazh @shomron @brycecr thoughts?

@sozercan
Member

Sounds good. I think we already have a potential design of this as part of config exclusion doc: https://docs.google.com/document/d/1yHuXFs_HQL5N9yT9QVi6AMyflWPtZS4Pg-uXczdqgZ8/edit

@shomron
Contributor

shomron commented Jan 24, 2021

+1 agree we should support this.

@ritazh
Member

ritazh commented Jan 25, 2021

+1 for adding this to the gatekeeper configs resource. In the meantime, if you want to exclude namespaces by label for both admission and audit, you could use the namespaceSelector match criteria in the constraint.

@grosser
Contributor Author

grosser commented Jan 25, 2021 via email

becky-hd added a commit to becky-hd/gatekeeper that referenced this issue Feb 19, 2021
@maxsmythe
Contributor

I thought of an edge case for this.

Example: there is a config that says to sync all pods unless the pod's namespace has a do-not-sync label

  • Namespace foo has no label and 5 pods, those 5 pods are synced

  • A user applies a do-not-sync label to namespace foo

  • A user modifies all 5 pods and adds a 6th.

  • Namespace foo's cache shows the older version of those 5 pods and no 6th pod.

To get around this, we should send a "delete" message for any resource event involving an excluded namespace.

We also may need to trigger replays for all synced resource inside a namespace whose labels change...
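The edge case above is easy to reproduce with a small model. The following Go program is an added example written for this page, not Gatekeeper code: a toy sync cache that applies the "sync all pods unless the namespace has a do-not-sync label" rule, replays the four steps from the comment, and shows what each of the two proposed mitigations buys. Type names, the `do-not-sync` label key and the pod names are all constructed.

```go
package main

import "fmt"

// Pod is the minimum we need of a synced object: identity plus a version,
// so a stale cache entry can be told apart from the live object.
type Pod struct {
	Namespace string
	Name      string
	Version   int
}

// Event is a watch event for a pod; Deleted marks a delete event.
type Event struct {
	Pod     Pod
	Deleted bool
}

// Options selects which mitigations the cache applies.
type Options struct {
	DeleteOnExcluded   bool // an event from an excluded namespace evicts the entry
	EvictOnLabelChange bool // a namespace becoming excluded evicts all its entries
}

// Cache is a single-goroutine model of the sync cache; not Gatekeeper's code.
type Cache struct {
	opts     Options
	nsLabels map[string]map[string]string // namespace name -> labels
	pods     map[string]Pod               // "namespace/name" -> last seen pod
}

func NewCache(opts Options) *Cache {
	return &Cache{opts: opts, nsLabels: map[string]map[string]string{}, pods: map[string]Pod{}}
}

// excluded is the label rule from the example config (constructed label key).
func (c *Cache) excluded(ns string) bool {
	_, ok := c.nsLabels[ns]["do-not-sync"]
	return ok
}

func key(p Pod) string { return p.Namespace + "/" + p.Name }

// Handle applies one pod event. The naive behaviour (no options) simply drops
// events from excluded namespaces, which is what leaves old versions behind.
func (c *Cache) Handle(e Event) {
	k := key(e.Pod)
	if e.Deleted {
		delete(c.pods, k)
		return
	}
	if c.excluded(e.Pod.Namespace) {
		if c.opts.DeleteOnExcluded {
			delete(c.pods, k) // treat the event as a delete, as proposed above
		}
		return
	}
	c.pods[k] = e.Pod
}

// SetNamespaceLabels records a namespace's labels. With EvictOnLabelChange it
// also drops every cached object of a namespace that just became excluded.
// (A namespace becoming included again would need a re-list from the API
// server, which this model cannot do.)
func (c *Cache) SetNamespaceLabels(ns string, labels map[string]string) {
	c.nsLabels[ns] = labels
	if c.opts.EvictOnLabelChange && c.excluded(ns) {
		for k, p := range c.pods {
			if p.Namespace == ns {
				delete(c.pods, k)
			}
		}
	}
}

// Result summarises what is left in the cache for namespace foo.
type Result struct {
	Cached int // entries still present although the namespace is excluded
	Stale  int // entries whose Version is older than the live object
}

// Scenario replays the comment's steps: 5 pods synced, foo labelled do-not-sync,
// then (if touchPods) all 5 modified and a 6th created.
func Scenario(opts Options, touchPods bool) Result {
	c := NewCache(opts)
	c.SetNamespaceLabels("foo", map[string]string{})
	for i := 1; i <= 5; i++ {
		c.Handle(Event{Pod: Pod{"foo", fmt.Sprintf("pod-%d", i), 1}})
	}
	c.SetNamespaceLabels("foo", map[string]string{"do-not-sync": "true"})
	live := 1
	if touchPods {
		live = 2
		for i := 1; i <= 6; i++ {
			c.Handle(Event{Pod: Pod{"foo", fmt.Sprintf("pod-%d", i), live}})
		}
	}
	var r Result
	for _, p := range c.pods {
		if p.Namespace == "foo" {
			r.Cached++
			if p.Version < live {
				r.Stale++
			}
		}
	}
	return r
}

func main() {
	fmt.Println("naive, pods touched:       ", Scenario(Options{}, true))
	fmt.Println("delete-on-excluded, touched:", Scenario(Options{DeleteOnExcluded: true}, true))
	fmt.Println("delete-on-excluded, untouched:", Scenario(Options{DeleteOnExcluded: true}, false))
	fmt.Println("evict-on-label-change, untouched:", Scenario(Options{EvictOnLabelChange: true}, false))
}
```

Running it shows why both mitigations are needed: sending a delete for every event from an excluded namespace clears the stale entries only if the objects are touched again, while evicting on the namespace label change handles objects that are never modified after the label is applied but depends on the label-change event itself being observed.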

@ritazh
Member

ritazh commented Jul 20, 2022

As discussed, this issue is not just for audit, it should be for all processes.

@ritazh ritazh added the triaged label Jul 20, 2022
@phenixblue

I have a similar situation to the OP here. I'd like to only include namespaces that have a specific label (gatekeeper/enabled=true). This is in an environment where platform users would not be allowed to manipulate namespace resources/labels.

I know this doesn't solve for all the scenarios mentioned above in the comments/design doc, but would you be open to a contribution that modifies the Helm chart to allow for toggling on namespaceSelector and setting a value for the label or is the preference to continue to add namespaceSelector config to the Constraints until a more intelligent solution is made?

I think there would need to be some other changes to toggle the existing matchExpressions configuration as well, but I wanted to check on feasibility before I dig in too deep.
This would essentially set the following in the VWC:

namespaceSelector:
  matchLabels:
    gatekeeper/enabled: "true"

@maxsmythe
Contributor

I'm open to a PR like the above (though of course the specifics pending). Some considerations:

  • We should warn users about namespace label selectors and security just in case they do allow untrusted users to create namespaces
  • I'd be looking to make sure the user story around the "exclusion" label isn't made brittle, since that is also done via a namespaceSelector

@ritazh @sozercan thoughts?

@joeltraber

What's the state on this one? Would appreciate the proposed solution, thanks for the update!

@maxsmythe
Contributor

It'd be good to fix the "object cache must be wiped every time a namespace changes" problem before using namespace selectors for sync. That requires being able to iterate over cached data, which is something we're looking at now.

@zeusal

zeusal commented Dec 18, 2023

I am interested in this option, it would be very useful for the operation.

@ritazh
Member

ritazh commented Feb 21, 2024

Folks, if you want to exclude namespaces by label for both admission and audit, you could use the namespaceSelector match criteria in the constraint.

https://open-policy-agent.github.io/gatekeeper/website/docs/howto#the-match-field
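The workaround suggested in this comment, as an added example that is not part of the issue or of Gatekeeper's own documentation: a constraint's `spec.match.namespaceSelector` is evaluated by Gatekeeper for both admission and audit, so the same label rule applies to both. The `K8sRequiredLabels` template (from the gatekeeper-library) is assumed to be installed, and the constraint name, the `gatekeeper.example/exclude` and `gatekeeper/enabled` label keys and the required label are constructed.

```yaml
# Variant 1: apply everywhere except namespaces that carry an exclusion label.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: pods-must-have-owner
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaceSelector:
      matchExpressions:
        - key: gatekeeper.example/exclude   # assumed label key
          operator: DoesNotExist
  parameters:
    labels: ["owner"]
---
# Variant 2: opt-in, as in the comment above; only labelled namespaces are checked.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: pods-must-have-owner-opt-in
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaceSelector:
      matchLabels:
        gatekeeper/enabled: "true"   # assumed label key
  parameters:
    labels: ["owner"]
```

Two caveats apply to either variant. First, the request still reaches the webhook and the objects are still audited and synced; only the constraint match is skipped, so this is less efficient than the webhook-level namespaceSelector described earlier in the thread. Second, as raised above, whoever can create or relabel namespaces can move them in or out of scope, so this is only a safe exclusion mechanism when namespace label writes are restricted by RBAC, and the selector should be repeated on every constraint that must honour it.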
