Gatekeeper default policy blocking twistlock and monitoring
The default configuration of the gatekeeper no-host-namespace policy (k8spsphostnamespace.constraints.gatekeeper.sh) appears to be blocking the deployment of monitoring and twistlock components in BigBang 1.13.1.
~ kubectl get k8spsphostnamespace.constraints.gatekeeper.sh -A no-host-namespace -o yaml
...
  violations:
  - enforcementAction: deny
    kind: Pod
    message: 'Sharing the host namespace is not allowed: monitoring-monitoring-prometheus-node-exporter-zwp5h'
    name: monitoring-monitoring-prometheus-node-exporter-zwp5h
    namespace: monitoring
  - enforcementAction: deny
    kind: Pod
    message: 'Sharing the host namespace is not allowed: twistlock-defender-ds-5gsbq'
    name: twistlock-defender-ds-5gsbq
    namespace: twistlock
...
Suggest excluding those namespaces from enforcement by default here: https://repo1.dso.mil/platform-one/big-bang/apps/core/policy/-/blob/main/chart/values.yaml#L227
With:

noHostNamespace:
  match:
    excludedNamespaces:
      - monitoring
      - twistlock
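As an added example (not part of the report or of the BigBang policy chart), the script below derives the `excludedNamespaces` list from the constraint's `status.violations` shown above, renders the values override in the shape suggested, and models what a namespace-level exemption means: every pod in an excluded namespace is skipped by this constraint, not only the node-exporter and Defender DaemonSets, while pods in any other namespace are still evaluated. The violation data is a constructed copy of the output quoted in the report, the function names are my own, and the match logic is simplified to exact namespace names (Gatekeeper's real matcher also supports wildcard prefixes).

```python
"""Derive a Gatekeeper excludedNamespaces override from constraint violations.

Added example, not code from the BigBang policy chart. Input data is a
constructed copy of the `kubectl get ... -o yaml` status in the report.
"""
from collections import defaultdict

# Constructed: parsed form of the status.violations block quoted in the report.
CONSTRAINT_STATUS = {
    "violations": [
        {
            "enforcementAction": "deny",
            "kind": "Pod",
            "message": "Sharing the host namespace is not allowed: "
                       "monitoring-monitoring-prometheus-node-exporter-zwp5h",
            "name": "monitoring-monitoring-prometheus-node-exporter-zwp5h",
            "namespace": "monitoring",
        },
        {
            "enforcementAction": "deny",
            "kind": "Pod",
            "message": "Sharing the host namespace is not allowed: "
                       "twistlock-defender-ds-5gsbq",
            "name": "twistlock-defender-ds-5gsbq",
            "namespace": "twistlock",
        },
    ]
}


def violating_namespaces(status):
    """Group denied objects by namespace so a reviewer sees what an
    exemption would cover. Returns {namespace: [object names]}, sorted."""
    by_ns = defaultdict(list)
    for violation in status.get("violations", []):
        if violation.get("enforcementAction") == "deny":
            by_ns[violation["namespace"]].append(violation["name"])
    return dict(sorted(by_ns.items()))


def render_values_override(policy_key, namespaces):
    """Render the Helm values fragment (same shape the report suggests)
    for the given policy key, e.g. noHostNamespace (hypothetical helper)."""
    lines = [f"{policy_key}:", "  match:", "    excludedNamespaces:"]
    lines += [f"      - {ns}" for ns in namespaces]
    return "\n".join(lines) + "\n"


def would_be_evaluated(pod_namespace, match):
    """Simplified model of Gatekeeper match.excludedNamespaces: a pod in an
    excluded namespace is not evaluated by this constraint at all, whatever
    the pod is named; pods elsewhere are. Exact names only (no wildcards)."""
    excluded = set(match.get("excludedNamespaces", []))
    return pod_namespace not in excluded


def build_override(status, policy_key="noHostNamespace"):
    """End-to-end: violations -> namespace list -> rendered values override."""
    namespaces = list(violating_namespaces(status))
    return namespaces, render_values_override(policy_key, namespaces)


if __name__ == "__main__":
    namespaces, override = build_override(CONSTRAINT_STATUS)
    print(override)
    match = {"excludedNamespaces": namespaces}
    for ns in ("monitoring", "twistlock", "default"):
        state = "evaluated" if would_be_evaluated(ns, match) else "skipped"
        print(f"pods in namespace {ns!r}: {state}")
```

Running it prints the `noHostNamespace` override for the two namespaces and then shows that any pod in `monitoring` or `twistlock` is skipped by the constraint while a pod in `default` is still checked, which is the trade-off to weigh against a narrower exemption (for example, excluding by label rather than by namespace).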