kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

Regarding Namespace owner label policy using kubewarden #912

Open saiben10 opened 10 hours ago

saiben10 commented 10 hours ago

Hello,

I want to restrict namespace creation if the user doesn't provide the namespace owner label. Below is the code. Even though I applied this, the status is showing pending and I am able to create a namespace without the owner label. But the default policies are working fine. What do I need to change to fix it?

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: psa-enforcer-privileged-namespaces
spec:
  module: registry://ghcr.io/kubewarden/policies/psa-label-enforcer:v0.1.1
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["namespaces"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  namespaceSelector:
    matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: In
        values: [kube-system]
  settings:
    required_labels:
      - owner
```

flavio commented 8 hours ago

I've moved the issue to the controller repository and I've added the syntax highlighting to the original message

flavio commented 8 hours ago

> I want the user to restrict the namespace creation if he doesn't provide the namespace owner label.

You want to enforce all namespaces to have a label owner set. Do I get it right?

If that's what you're looking for, you have to use this policy, not the one that is defined inside of the policy definition you provided. Also, the settings you provided for the PSA Label enforcer are wrong, they are not part of the policy (see here). That's why the policy stays in status pending, because the validation of the settings fails.

You should define a policy like this one:

```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: namespace-must-have-owner-label
spec:
  module: ghcr.io/kubewarden/policies/safe-labels:v0.1.14
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["namespaces"]
      operations:
        - CREATE
        - UPDATE
  namespaceSelector:
    matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: NotIn # you probably don't want the policy to impact this namespace and other ones
        values: [kube-system]
  settings:
    mandatory_labels:
      - owner
```

I didn't try out the policy definition, but it should work and point you in the right direction.

Let me know if you have other issues.
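
To make the expected effect of the policy above concrete, here is an added Python model (not Kubewarden's or the safe-labels policy's own code) of the decision the webhook would make for Namespace requests. It assumes that safe-labels rejects an object missing any entry of `mandatory_labels`, and that for a cluster-scoped Namespace the namespaceSelector is evaluated against the Namespace's own labels, which the API server always populates with `kubernetes.io/metadata.name`.

```python
# Added illustration, not Kubewarden code: models the rules, namespaceSelector
# and mandatory_labels settings of the ClusterAdmissionPolicy above.
# Assumption: safe-labels denies an object that lacks any mandatory label.

POLICY = {
    "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
               "resources": ["namespaces"], "operations": ["CREATE", "UPDATE"]}],
    "namespaceSelector": {"matchExpressions": [
        {"key": "kubernetes.io/metadata.name", "operator": "NotIn",
         "values": ["kube-system"]}]},
    "settings": {"mandatory_labels": ["owner"]},
}

def selector_matches(selector, labels):
    """Evaluate matchExpressions (In/NotIn/Exists/DoesNotExist) against labels."""
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True

def rule_matches(rules, group, version, resource, operation):
    """True if any rule covers this group/version/resource/operation."""
    return any(group in r["apiGroups"] and version in r["apiVersions"]
               and resource in r["resources"] and operation in r["operations"]
               for r in rules)

def admit_namespace(policy, name, labels, operation="CREATE"):
    """Return (allowed, reason) for a Namespace CREATE/UPDATE request."""
    # The Namespace object itself carries kubernetes.io/metadata.name, so the
    # NotIn kube-system selector is matched against the Namespace's own labels.
    labels = {"kubernetes.io/metadata.name": name, **labels}
    if not rule_matches(policy["rules"], "", "v1", "namespaces", operation):
        return True, "request not covered by policy rules"
    if not selector_matches(policy["namespaceSelector"], labels):
        return True, "namespace excluded by namespaceSelector"
    missing = [l for l in policy["settings"]["mandatory_labels"] if l not in labels]
    if missing:
        return False, f"missing mandatory labels: {', '.join(missing)}"
    return True, "all mandatory labels present"
```

Note that the model only shows what the policy would decide once it is active; while the ClusterAdmissionPolicy status is still `scheduled`/`pending`, no webhook exists and every request is admitted.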

saiben10 commented 8 hours ago

I have applied the same, but the namespace is still being created without providing the owner label. I get the following when I try to describe the policy:

```text
Name:         namespace-must-have-owner-label
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  policies.kubewarden.io/v1
Kind:         ClusterAdmissionPolicy
Metadata:
  Creation Timestamp:  2024-10-24T09:05:01Z
  Finalizers:
    kubewarden.io/finalizer
  Generation:        1
  Resource Version:  941797495
  UID:               2508b8ac-7852-426e-9402-434710a0b1e2
Spec:
  Background Audit:  true
  Mode:              protect
  Module:            ghcr.io/kubewarden/policies/safe-labels:v0.1.14
  Mutating:          false
  Namespace Selector:
    Match Expressions:
      Key:       kubernetes.io/metadata.name
      Operator:  NotIn
      Values:
        kube-system
  Policy Server:  default
  Rules:
    API Groups:

    API Versions:
      v1
    Operations:
      CREATE
      UPDATE
    Resources:
      namespaces
  Settings:
    mandatory_labels:
      owner
  Timeout Seconds:  10
Status:
  Conditions:
    Last Transition Time:  2024-10-24T09:05:01Z
    Message:               The policy webhook has not been created
    Reason:                PolicyActive
    Status:                False
    Type:                  PolicyActive
  Policy Status:           scheduled
Events:                    <none>
```

What might be the issue? The controller pods are running fine.

saiben10 commented 4 hours ago

Can you please clarify this, @flavio?