Gatekeeper Does not trigger on run pod

[lir1ka]

What steps did you take and what happened:
[A clear and concise description of what the bug is.]

I am testing gatekeeper in testing cluster. I block access to gatekeeper pods to check what will happen in this situation.

When i try to create namespace:

Error from server (InternalError): Internal error occurred: failed calling webhook "check-ignore-label.gatekeeper.sh": failed to call webhook: Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel?timeout=3s": dial tcp 10.112.0.99:8443: i/o timeout

So, it is normal behavior

But when i use command kubectl run pod:

user@vmfordeploy:~/terraform-newlife$   kubectl run nginx --image=nginx
pod/nginx created

Gatekeeper did not block this operation and i created pod without any problems. Why?

What did you expect to happen:
Gatekeeper block creation of resource.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

• Gatekeeper version: 3.16.3
• Kubernetes version: (use kubectl version): v1.29.1

[sozercan]

@lir1ka what you are seeing is expected behavior in kubernetes webhooks, and if Gatekeeper controller deployments are not accessible. Please see https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed for further information

[lir1ka]

@sozercan, hello! I Understood, that it is expected behavior (in situation with inability to create namespace). But still i dont understand why i can create pod

[JaydipGabani]

@lir1ka You need to set validatingWebhookFailurePolicy: Fail if using helm, or set failurePolicy: Fail (default is Ignore) for validation.gatekeeper.sh (used for all admission events) webhook - https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml#L5205 - to deny the creation of pod.

The situation you are facing is caused by, check-ignore-label.gatekeeper.sh webhook (used only for namespace admission events)- https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml#L5251 with default failurePolicy set to Fail. You can use validatingWebhookCheckIgnoreFailurePolicy helm variable to update failurePolicy for check-ignore-label.gatekeeper.sh webhook.

[lir1ka]

The situation you are facing is caused by, check-ignore-label.gatekeeper.sh webhook (used only for namespace admission events)- https://github.com/open-policy-agent/gatekeeper/blob/master/deploy/gatekeeper.yaml#L5251 with default failurePolicy set to Fail. You can use validatingWebhookCheckIgnoreFailurePolicy helm variable to update failurePolicy for check-ignore-label.gatekeeper.sh webhook.

@JaydipGabani, Hello! Thank you for your answer. Overall, could you please describe, what check-ignore-label.gatekeeper.sh do? and what is ignore-label?

[JaydipGabani]

@lir1ka This webhook validates namespaces to make sure "only allowed namespaces are using admission.gatekeeper.sh/ignore label label to prevent Gatekeeper validation webhook from being called by api-server for respective namespace". Here is some more information on the same. For more information/context - here is the pr - #350

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.