Adding gatekeeper policy exceptions for restic deployments
When enabling velero/restic through the addon packages, we ran into the following Gatekeeper admission denial:
Warning FailedCreate 67s (x8 over 6m44s) daemonset-controller (combined from similar events): Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [allowed-host-filesystem] HostPath volume {"hostPath": {"path": "/var/lib/kubelet/pods", "type": ""}, "name": "host-pods"} is not allowed, pod: restic-sbbng. Allowed path: []
Per the docs:
Velero's restic daemonset uses a hostPath mount of /var/lib/kubelet/pods to get access to pods' volume mounts. If a pod is using a hostPath mount, it won't be mounted under that directory, so Velero isn't able to access it.
To resolve the issue, we added the appropriate exceptions to our gatekeeper value overrides as follows:
gatekeeper:
  values:
    violations:
      allowedHostFilesystem:
        parameters:
          allowedHostPaths:
            - pathPrefix: /var/lib/kubelet/pods
          excludedResources:
            - velero/restic-.*
      volumeTypes:
        parameters:
          excludedResources:
            - velero/restic-.*
The changes in this MR follow the existing convention and examples, adding these exceptions to the default Big Bang configuration, conditioned on velero and restic being deployed.
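To sanity-check that the overrides above are as narrow as intended, here is an added example (not code from this MR or from Big Bang) that models the two constraints against the restic pod from the event. It assumes the gatekeeper-library host-filesystem prefix semantics and that `excludedResources` are regexes matched against `<namespace>/<pod name>` which exempt the pod from that constraint entirely; confirm both against the constraint templates actually installed in your cluster.

```python
import re

# Constructed constraint parameters mirroring this MR's overrides. Assumption:
# excludedResources are regexes matched against "<namespace>/<pod name>" and an
# excluded pod skips that constraint entirely.
HOST_FS = {
    "allowedHostPaths": [{"pathPrefix": "/var/lib/kubelet/pods", "readOnly": False}],
    "excludedResources": [r"velero/restic-.*"],
}
VOLUME_TYPES = {
    "volumes": ["configMap", "emptyDir", "projected", "secret", "downwardAPI",
                "persistentVolumeClaim"],
    "excludedResources": [r"velero/restic-.*"],
}


def is_excluded(pod, patterns):
    target = f"{pod['namespace']}/{pod['name']}"
    return any(re.fullmatch(p, target) for p in patterns)


def prefix_ok(path, allowed):
    # Host-filesystem prefix semantics: the hostPath must equal an allowed prefix
    # or sit beneath it (a bare startswith() would also admit /var/lib/kubelet/podsX).
    for entry in allowed:
        prefix = entry["pathPrefix"].rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def evaluate(pod):
    """Return the violation messages both constraints would raise for the pod."""
    violations = []
    if not is_excluded(pod, HOST_FS["excludedResources"]):
        for v in pod["volumes"]:
            if "hostPath" in v and not prefix_ok(v["hostPath"]["path"], HOST_FS["allowedHostPaths"]):
                violations.append(f"[allowed-host-filesystem] HostPath volume {v['name']} is not allowed")
    if not is_excluded(pod, VOLUME_TYPES["excludedResources"]):
        for v in pod["volumes"]:
            vtype = next(k for k in v if k != "name")  # the single volume-source key
            if vtype not in VOLUME_TYPES["volumes"]:
                violations.append(f"[volume-types] volume type {vtype} is not allowed")
    return violations


# Constructed pod specs: the restic pod from the event, and the same pod in another namespace.
RESTIC_POD = {"namespace": "velero", "name": "restic-sbbng",
              "volumes": [{"name": "host-pods", "hostPath": {"path": "/var/lib/kubelet/pods"}}]}
OTHER_POD = {**RESTIC_POD, "namespace": "default"}

if __name__ == "__main__":
    print(evaluate(RESTIC_POD))  # []
    print(evaluate(OTHER_POD))   # the allowed path alone is not enough: hostPath is still a denied volume type
```

The second case shows why the volumeTypes override is needed alongside allowedHostPaths: the path prefix is permitted, but hostPath itself is not an allowed volume type for non-excluded pods.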