
GKE Autopilot/Standard cluster warns about gatekeeper validating webhook permissions #3046

Closed
btwseeu78 opened this issue Oct 9, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@btwseeu78

We found that when the gatekeeper validating/mutating webhook has kube-system, kube-node-lease, or any of them enabled as a supported scope, GKE shows us a warning. For our Autopilot cluster the issue is much more severe, since it does not allow manual or automatic patches by post-install jobs to modify/patch these namespaces, so our only option is to use the default k8s labels, like name-based labels.

As of now we only use the Release namespace as the default excluded namespaces list. We need to enable support for templating it so we can add other namespaces as needed.

Environment:

  • Gatekeeper version:
  • Kubernetes version: (use kubectl version): v1.27.3 GKE
@btwseeu78 (Author)

Duplicate of: #3038

@Markieta commented Oct 10, 2023

@btwseeu78 for those namespace warnings you may exempt them from being intercepted as well. For example with Helm values:

mutatingWebhookExemptNamespacesLabels:
  kubernetes.io/metadata.name:
    - kube-node-lease
    - kube-system
validatingWebhookExemptNamespacesLabels:
  kubernetes.io/metadata.name:
    - kube-node-lease
    - kube-system

@btwseeu78 (Author)

I think we already have the key for name, and its value is release.namespaces.

Wouldn't it be a duplicate key in the label selector? Need to check. I did it by exempting them using a label-namespace post-install job; Autopilot is easy, it has a mutation to patch these namespaces automatically.

@Markieta

I don't think it's an issue because matchExpressions takes a list, not a map. So I don't see an issue with reusing the key kubernetes.io/metadata.name here with a list of additional namespaces to exempt.
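To check the point made in the two comments above (the Helm values, and whether repeating `kubernetes.io/metadata.name` in the selector is a problem), here is an added example that is not Gatekeeper's code: it evaluates a webhook `namespaceSelector` the way the API server does, with all `matchExpressions` ANDed. It assumes the chart renders one `NotIn` expression per exempt-label key, plus a `NotIn` expression for the release namespace on the same key and a `DoesNotExist` expression for the `admission.gatekeeper.sh/ignore` label; the release namespace name is a constructed value.

```python
"""Evaluate a webhook namespaceSelector against namespace labels (added example)."""
from typing import Dict, List

# Constructed input: the Helm values from the comment above.
EXEMPT_LABELS = {"kubernetes.io/metadata.name": ["kube-node-lease", "kube-system"]}
RELEASE_NAMESPACE = "gatekeeper-system"  # assumed release namespace


def build_match_expressions(release_ns: str, exempt_labels: Dict[str, List[str]]) -> List[dict]:
    """Render matchExpressions as assumed for the chart: release namespace first,
    then one NotIn expression per exempt-label key (the same key may repeat)."""
    exprs = [
        {"key": "admission.gatekeeper.sh/ignore", "operator": "DoesNotExist"},
        {"key": "kubernetes.io/metadata.name", "operator": "NotIn", "values": [release_ns]},
    ]
    for key, values in exempt_labels.items():
        exprs.append({"key": key, "operator": "NotIn", "values": list(values)})
    return exprs


def expression_matches(expr: dict, labels: Dict[str, str]) -> bool:
    """Semantics of a single LabelSelectorRequirement."""
    key, op = expr["key"], expr["operator"]
    present = key in labels
    if op == "In":
        return present and labels[key] in expr["values"]
    if op == "NotIn":
        return (not present) or labels[key] not in expr["values"]
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    raise ValueError(f"unknown operator {op}")


def selector_matches(exprs: List[dict], labels: Dict[str, str]) -> bool:
    """All requirements are ANDed, so a repeated key only narrows the match."""
    return all(expression_matches(e, labels) for e in exprs)


def webhook_intercepts(namespace: str, exprs: List[dict]) -> bool:
    """Kubernetes sets kubernetes.io/metadata.name on every namespace, so a
    name-based exemption works even where the namespace cannot be patched."""
    labels = {"kubernetes.io/metadata.name": namespace}
    return selector_matches(exprs, labels)


def exempt_namespaces(candidates: List[str], exprs: List[dict]) -> List[str]:
    """Which of the given namespaces the webhook would NOT intercept."""
    return [ns for ns in candidates if not webhook_intercepts(ns, exprs)]
```

Listing the exempt namespaces before rollout is a useful review step, since every exempt namespace is a blind spot for admission policy.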
