How to use OPA Gatekeeper to require a label on all namespaces.

By default, Kubernetes creates namespaces without any labels, which can make tracking the owner of a namespace difficult. Once every namespace carries an owner label, you can also use that label to run show-back and charge-back reports per owner.

Pre-requisites

Installation

Creating policy

Test the policy

To test that our new policy is working correctly, we're going to try deploying two files: `allowed.yaml` should be accepted, while `disallowed.yaml` should be blocked.


- Create a file named `disallowed.yaml` with the following content:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: disallowed-namespace
```


- Then, create the allowed namespace in the cluster by running:

```shell
kubectl apply -f allowed.yaml
```


- We should see the following output:

```
namespace/allowed-namespace created
```


- Then, create the disallowed namespace in the cluster by running:

```shell
kubectl apply -f disallowed.yaml
```


- We should see the following output:

```
Error from server ([denied by all-must-have-owner] All namespaces must have an owner label): error when creating "example_disallowed.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by all-must-have-owner] All namespaces must have an owner label
```
