UNCLASSIFIED - NO CUI


Added Exclusion for istioGateway to Gatekeeper Umbrella Chart

General MR

Summary

Gatekeeper is blocking deployment of the gateway Helm charts because they use the net.ipv4.ip_unprivileged_port_start sysctl. An exclusion was added for the entire istio-gateway namespace so that the default gateways work and any custom gateways added by users also work.

Justification for Exclusion:

As mentioned here, Istio applies only the minimum permissions required to allow binding to ports 80 and 443. Additionally, the Kubernetes documentation here lists the specific sysctl in use as safe as of Kubernetes version 1.22 and above.
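To make the effect of the exclusion concrete, here is an added Python model (not the Gatekeeper template and not code from this chart) of how a K8sPSPForbiddenSysctls constraint with excludedResources decides on a pod. The glob semantics for forbiddenSysctls, the "namespace/name" regex semantics for excludedResources, and the pod names are assumptions made for the illustration.

```python
"""Model of how a K8sPSPForbiddenSysctls constraint decides on a pod.

Assumptions (added illustration, not the real Gatekeeper template):
  - forbiddenSysctls entries are exact names or globs; a bare '*'
    forbids every sysctl.
  - excludedResources entries are regular expressions matched against
    "<namespace>/<pod name>"; a match skips the constraint entirely.
"""
import fnmatch
import re


def is_forbidden(sysctl: str, forbidden: list[str]) -> bool:
    """True when the sysctl matches any forbiddenSysctls pattern."""
    return any(fnmatch.fnmatchcase(sysctl, pat) for pat in forbidden)


def is_excluded(namespace: str, name: str, excluded: list[str]) -> bool:
    """True when "namespace/name" fully matches an excludedResources regex."""
    target = f"{namespace}/{name}"
    return any(re.fullmatch(pat, target) for pat in excluded)


def violations(pod: dict, constraint: dict) -> list[str]:
    """Return the sysctls on the pod that the constraint would reject."""
    excluded = constraint.get("excludedResources", [])
    if is_excluded(pod["namespace"], pod["name"], excluded):
        return []
    forbidden = constraint.get("forbiddenSysctls", [])
    return [s for s in pod.get("sysctls", []) if is_forbidden(s, forbidden)]


# Constructed samples: the constraint as shown in the MR before and after
# the change, and a gateway pod of the kind that was being blocked.
SYSCTL = "net.ipv4.ip_unprivileged_port_start"
BEFORE = {"forbiddenSysctls": ["*"],
          "excludedResources": [r"default/restrict-sysctls-.?"]}
AFTER = {"forbiddenSysctls": ["*"],
         "excludedResources": [r"istio-gateway/*.*", r"default/restrict-sysctls-.?"]}
GATEWAY_POD = {"namespace": "istio-gateway",  # hypothetical pod name
               "name": "public-ingressgateway-abc12", "sysctls": [SYSCTL]}
OTHER_POD = {"namespace": "default",  # hypothetical pod in another namespace
             "name": "app-xyz", "sysctls": [SYSCTL]}

if __name__ == "__main__":
    print("before:", violations(GATEWAY_POD, BEFORE))
    print("after :", violations(GATEWAY_POD, AFTER))
    print("other :", violations(OTHER_POD, AFTER))
```

Note that the namespace-wide pattern exempts every pod in istio-gateway from every forbidden sysctl, not only the one named above, while pods in other namespaces remain blocked.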

Relevant logs/screenshots

Output of kubectl get K8sPSPForbiddenSysctls -o yaml | grep excludedResources -A 5 with istioGateway disabled:

      excludedResources:
      - default/restrict-sysctls-.?
      forbiddenSysctls:
      - '*'
  status:
    auditTimestamp: "2025-05-14T11:08:27Z"

Output of kubectl get K8sPSPForbiddenSysctls -o yaml | grep excludedResources -A 5 with istioGateway enabled:

      excludedResources:
      - istio-gateway/*.*
      - default/restrict-sysctls-.?
      forbiddenSysctls:
      - '*'
  status:

Output of flux get hr -A showing successful helm deployment without custom exception in test-values.yaml file:


Linked Issue

issue

Upgrade Notices

N/A
