2 min read | by Jordi Prats
While some policies can be safely applied to all the namespaces of a cluster, others can become problematic, since they can interfere with the normal operation of certain controllers. When we create a constraint we can exclude some namespaces using the spec.match.excludedNamespaces attribute.
Under spec.match we define which objects this constraint applies to, so by adding excludedNamespaces we can tell it not to apply to objects belonging to those namespaces:
```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    scope: Namespaced
    excludedNamespaces:
      - "kube-*"
```
We can test it by trying to create a NodePort Service in any namespace and then applying the same manifest in kube-system:
```console
$ kubectl apply -f test-nodeport.yaml -n pet2cattle
Error from server (Forbidden): error when creating "test-nodeport.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [block-node-port] User is not allowed to create service of type NodePort
$ kubectl apply -f test-nodeport.yaml -n kube-system
service/test-nodeport created
```
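As an added illustration (my own code, not from the post or the Gatekeeper project), the following Python models how spec.match decides whether the constraint above selects an object, and lists which of a cluster's namespaces a pattern like kube-* exempts. It assumes that "*" is honoured only as a leading or trailing wildcard in namespace patterns; check the Gatekeeper docs for your version.

```python
from typing import Iterable, List, Optional

# The block-node-port constraint from the post, transcribed into a dict so the
# example runs without a cluster or a YAML library.
BLOCK_NODE_PORT = {
    "kind": "K8sBlockNodePort",
    "metadata": {"name": "block-node-port"},
    "spec": {
        "enforcementAction": "deny",
        "match": {
            "kinds": [{"apiGroups": [""], "kinds": ["Service"]}],
            "scope": "Namespaced",
            "excludedNamespaces": ["kube-*"],
        },
    },
}


def namespace_matches(pattern: str, namespace: str) -> bool:
    """Assumption: '*' counts only as a leading or trailing wildcard
    ('kube-*', '*-system'); any other pattern is an exact match."""
    if pattern.startswith("*"):
        return namespace.endswith(pattern[1:])
    if pattern.endswith("*"):
        return namespace.startswith(pattern[:-1])
    return pattern == namespace


def kind_matches(match: dict, api_group: str, kind: str) -> bool:
    """True if a match.kinds entry lists this group and kind ('*' = any)."""
    entries = match.get("kinds")
    if not entries:
        return True  # no kinds filter means every kind is in scope
    for entry in entries:
        groups, kinds = entry.get("apiGroups", ["*"]), entry.get("kinds", ["*"])
        if ("*" in groups or api_group in groups) and ("*" in kinds or kind in kinds):
            return True
    return False


def constraint_applies(constraint: dict, api_group: str, kind: str,
                       namespace: Optional[str]) -> bool:
    """Does spec.match select this object? namespace=None means cluster-scoped.
    This mirrors only the match step, not the Rego in the constraint template."""
    match = constraint["spec"]["match"]
    if not kind_matches(match, api_group, kind):
        return False
    scope = match.get("scope", "*")
    if (scope == "Namespaced" and namespace is None) or (scope == "Cluster" and namespace):
        return False
    if namespace is None:
        return True
    if any(namespace_matches(p, namespace) for p in match.get("excludedNamespaces", [])):
        return False  # excludedNamespaces wins, as with kube-system in the post
    allowed = match.get("namespaces")
    return not allowed or any(namespace_matches(p, namespace) for p in allowed)


def exempt_namespaces(constraint: dict, cluster_namespaces: Iterable[str],
                      api_group: str = "", kind: str = "Service") -> List[str]:
    """Audit helper: the existing namespaces in which this kind escapes the rule."""
    return sorted(ns for ns in cluster_namespaces
                  if not constraint_applies(constraint, api_group, kind, ns))
```

Because the exclusion is a prefix match, it exempts every namespace beginning with kube-, not only kube-system, so it is worth re-running the audit whenever namespaces are added and keeping namespace creation with that prefix restricted.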
Posted on 18/11/2022