Exclude certain namespaces from an OPA Gatekeeper rule

Kubernetes OPA gatekeeper scope labels

2 min read | by Jordi Prats

While some policies can be safely applied to all the namespaces of a cluster, others can become problematic since they can interfere with the normal operation of certain controllers. When we create a constraint we can exclude some namespaces using the spec.match.excludedNamespaces attribute.

Under spec.match we define which objects this rule applies to, so by adding excludedNamespaces we can tell it not to evaluate objects that belong to the listed namespaces (wildcards such as kube-* are accepted):

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockNodePort
metadata:
  name: block-node-port
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]
    scope: Namespaced
    excludedNamespaces:
      - "kube-*"
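To make the scoping rules explicit, here is an added example (not Gatekeeper's code and not part of the original post) that models how a constraint's spec.match decides whether a request is in scope: kinds/apiGroups filter, scope, the namespaces allow-list and the excludedNamespaces deny-list. The match block is the one from the constraint above, written as a Python dict so no YAML library is needed; the wildcard semantics (a single * as prefix or suffix, otherwise exact match) are an assumption based on Gatekeeper's documented namespace patterns, and the request tuples are constructed.

```python
"""Simplified model of Gatekeeper's spec.match evaluation (constructed example)."""

from typing import Optional

# spec.match from the K8sBlockNodePort constraint in the post, as a dict.
BLOCK_NODE_PORT_MATCH = {
    "kinds": [{"apiGroups": [""], "kinds": ["Service"]}],
    "scope": "Namespaced",
    "excludedNamespaces": ["kube-*"],
}


def namespace_matches(pattern: str, namespace: str) -> bool:
    """Namespace patterns: '*' as a prefix wildcard ('kube-*') or a suffix
    wildcard ('*-system'); anything else is compared literally.
    Assumption: arbitrary globs are not supported, so 'k*e' is a literal name."""
    if pattern.endswith("*") and not pattern.startswith("*"):
        return namespace.startswith(pattern[:-1])
    if pattern.startswith("*") and not pattern.endswith("*"):
        return namespace.endswith(pattern[1:])
    return namespace == pattern


def kind_matches(match: dict, api_group: str, kind: str) -> bool:
    """spec.match.kinds lists (apiGroups, kinds) pairs; the object is in scope
    when some pair lists both its group and its kind ('*' matches anything).
    An absent/empty kinds list means every kind is in scope."""
    kinds = match.get("kinds")
    if not kinds:
        return True
    for entry in kinds:
        groups = entry.get("apiGroups", ["*"])
        names = entry.get("kinds", ["*"])
        if ("*" in groups or api_group in groups) and ("*" in names or kind in names):
            return True
    return False


def constraint_applies(match: dict, api_group: str, kind: str,
                       namespace: Optional[str]) -> bool:
    """True when a request for this object would be evaluated by the constraint.
    namespace is None for cluster-scoped objects."""
    if not kind_matches(match, api_group, kind):
        return False
    scope = match.get("scope", "*")
    if scope == "Namespaced" and namespace is None:
        return False
    if scope == "Cluster" and namespace is not None:
        return False
    if namespace is not None:
        # spec.match.namespaces is an allow-list: when set, the object must be in one.
        allowed = match.get("namespaces", [])
        if allowed and not any(namespace_matches(p, namespace) for p in allowed):
            return False
        # spec.match.excludedNamespaces is a deny-list: any hit takes the object out of scope.
        if any(namespace_matches(p, namespace) for p in match.get("excludedNamespaces", [])):
            return False
    return True


def explain(match: dict, api_group: str, kind: str, namespace: Optional[str]) -> str:
    """Human-readable verdict, handy when reviewing why a policy did (not) fire."""
    where = namespace if namespace is not None else "<cluster-scoped>"
    verdict = "evaluated" if constraint_applies(match, api_group, kind, namespace) else "skipped"
    return f"{kind} ({api_group or 'core'}) in {where}: {verdict}"


if __name__ == "__main__":
    # Constructed requests mirroring the two kubectl apply commands from the post,
    # plus a few edge cases around the kube-* wildcard and the kinds filter.
    for req in [("", "Service", "pet2cattle"), ("", "Service", "kube-system"),
                ("", "Service", "mykube-system"), ("apps", "Deployment", "pet2cattle"),
                ("", "Service", None)]:
        print(explain(BLOCK_NODE_PORT_MATCH, *req))
```

Note that kube-* is a prefix pattern, so a namespace named mykube-system is still evaluated; if a controller lives in a namespace that only ends with the exclusion text, a suffix pattern like *-system is the one to use.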

We can test it by trying to create a NodePort Service in any namespace and then applying the same manifest in kube-system:

$ kubectl apply -f test-nodeport.yaml -n pet2cattle
Error from server (Forbidden): error when creating "test-nodeport.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [block-node-port] User is not allowed to create service of type NodePort
$ kubectl apply -f test-nodeport.yaml -n kube-system
service/test-nodeport created

Posted on 18/11/2022