UNCLASSIFIED - NO CUI


Gatekeeper default policy blocking twistlock and monitoring

The default configuration of the gatekeeper no-host-namespace policy (k8spsphostnamespace.constraints.gatekeeper.sh) appears to be blocking the deployment of monitoring and twistlock components in BigBang 1.13.1.

~ kubectl get k8spsphostnamespace.constraints.gatekeeper.sh -A no-host-namespace -o yaml
...
  violations:
    - enforcementAction: deny
      kind: Pod
      message: 'Sharing the host namespace is not allowed: monitoring-monitoring-prometheus-node-exporter-zwp5h'
      name: monitoring-monitoring-prometheus-node-exporter-zwp5h
      namespace: monitoring
    - enforcementAction: deny
      kind: Pod
      message: 'Sharing the host namespace is not allowed: twistlock-defender-ds-5gsbq'
      name: twistlock-defender-ds-5gsbq
      namespace: twistlock
...

Suggest excluding those namespaces from enforcement by default here: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/blob/main/chart/values.yaml#L227

With:

  noHostNamespace:
    match:
      excludedNamespaces:
        - monitoring
        - twistlock
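Added example (not part of the issue above and not code from the Big Bang policy chart): a small triage script that takes the constraint's status.violations, as returned by `kubectl get k8spsphostnamespace no-host-namespace -o json`, and shows what the proposed `match.excludedNamespaces` list would and would not silence. The constraint document below is constructed to mirror the output quoted in the issue, with one extra hypothetical pod (`debug-shell` in `default`) added to show that the exclusion is namespace-wide and leaves other namespaces enforced. It also emits the constraint manifest with `spec.match.excludedNamespaces` set, which is the object Gatekeeper actually evaluates once the chart value is rendered.

```python
"""Triage Gatekeeper constraint violations against a proposed excludedNamespaces list.

Stdlib only, so it runs offline on a saved `kubectl get ... -o json` dump.
"""
import json

# Constructed sample: mirrors the two violations quoted in the issue plus one
# hypothetical pod in 'default' that the proposed exclusion must NOT silence.
CONSTRAINT_JSON = json.dumps({
    "apiVersion": "constraints.gatekeeper.sh/v1beta1",
    "kind": "K8sPSPHostNamespace",
    "metadata": {"name": "no-host-namespace"},
    "spec": {
        "enforcementAction": "deny",
        "match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}]},
    },
    "status": {
        "totalViolations": 3,
        "violations": [
            {"enforcementAction": "deny", "kind": "Pod",
             "message": "Sharing the host namespace is not allowed: "
                        "monitoring-monitoring-prometheus-node-exporter-zwp5h",
             "name": "monitoring-monitoring-prometheus-node-exporter-zwp5h",
             "namespace": "monitoring"},
            {"enforcementAction": "deny", "kind": "Pod",
             "message": "Sharing the host namespace is not allowed: twistlock-defender-ds-5gsbq",
             "name": "twistlock-defender-ds-5gsbq",
             "namespace": "twistlock"},
            # Hypothetical: a pod outside the namespaces the issue proposes to exclude.
            {"enforcementAction": "deny", "kind": "Pod",
             "message": "Sharing the host namespace is not allowed: debug-shell",
             "name": "debug-shell",
             "namespace": "default"},
        ],
    },
})

# The exclusion list proposed in the issue.
PROPOSED_EXCLUDED = ["monitoring", "twistlock"]


def violations(constraint_json):
    """Return the list under status.violations (empty if the constraint has none yet)."""
    return json.loads(constraint_json).get("status", {}).get("violations", [])


def namespaces_in_violation(violation_list):
    """Sorted, de-duplicated set of namespaces that currently trip the constraint."""
    return sorted({v["namespace"] for v in violation_list})


def triage(violation_list, excluded_namespaces):
    """Split violations into (silenced, remaining) under match.excludedNamespaces.

    Gatekeeper's excludedNamespaces exempts every object in the listed namespaces,
    not only the pods named in the report, so 'silenced' is the blast radius of
    the exclusion and 'remaining' is what would still be denied.
    """
    excluded = set(excluded_namespaces)
    silenced = [v for v in violation_list if v["namespace"] in excluded]
    remaining = [v for v in violation_list if v["namespace"] not in excluded]
    return silenced, remaining


def with_excluded_namespaces(constraint_json, excluded_namespaces):
    """Return the constraint manifest with spec.match.excludedNamespaces set.

    Mirrors what the chart value would render to; status is server-managed and
    is dropped so the result is suitable for `kubectl apply -f -`.
    """
    constraint = json.loads(constraint_json)
    match = constraint.setdefault("spec", {}).setdefault("match", {})
    match["excludedNamespaces"] = list(excluded_namespaces)
    constraint.pop("status", None)
    return json.dumps(constraint, indent=2)


if __name__ == "__main__":
    current = violations(CONSTRAINT_JSON)
    silenced, remaining = triage(current, PROPOSED_EXCLUDED)
    print("namespaces in violation:", namespaces_in_violation(current))
    print("silenced by exclusion:", [v["name"] for v in silenced])
    print("still denied:", [f'{v["namespace"]}/{v["name"]}' for v in remaining])
    print(with_excluded_namespaces(CONSTRAINT_JSON, PROPOSED_EXCLUDED))
```

Run it against a real dump by replacing `CONSTRAINT_JSON` with the contents of `kubectl get k8spsphostnamespace no-host-namespace -o json`. The `remaining` list is the check worth keeping: it confirms that a blanket namespace exclusion only exempts the monitoring and twistlock namespaces, and that host-namespace pods anywhere else (the constructed `default/debug-shell` here) stay denied.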