Open saiben10 opened 10 hours ago
I've moved the issue to the controller repository and I've added the syntax highlighting to the original message
> I want the user to restrict the namespace creation if he doesn't provide the namespace owner label.
You want to enforce all namespaces to have a label `owner` set. Do I get it right?
If that's what you're looking for, you have to use this policy, not the one that is defined inside of the policy definition you provided. Also, the settings you provided for the PSA Label enforcer are wrong, they are not part of the policy (see here). That's why the policy stays in status pending, because the validation of the settings fails.
You should define a policy like this one:
```yaml
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: namespace-must-have-owner-label
spec:
  module: ghcr.io/kubewarden/policies/safe-labels:v0.1.14
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["namespaces"]
      operations:
        - CREATE
        - UPDATE
  namespaceSelector:
    matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: NotIn # you probably don't want the policy to impact this namespace and other ones
        values: [kube-system]
  settings:
    mandatory_labels:
      - owner
```
I didn't try out the policy definition, but it should work and point you in the right direction.
Let me know if you have other issues
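As an added illustration (not the safe-labels policy's own code, nor anything from this thread), the simulation below mirrors what the `ClusterAdmissionPolicy` above is meant to decide once its webhook is actually active: the `mandatory_labels` setting rejects a Namespace without an `owner` label, and the `namespaceSelector` is evaluated against the Namespace object's own labels (the API server sets `kubernetes.io/metadata.name` itself), so `kube-system` stays out of scope. The request objects and label sets are constructed sample data.

```python
"""Constructed simulation of the admission decision the policy in the reply is meant to
produce. Not the safe-labels policy's own code; it only mirrors the `mandatory_labels`
setting and the `namespaceSelector` shown in the ClusterAdmissionPolicy above."""
from dataclasses import dataclass, field

# Values copied from the ClusterAdmissionPolicy in the reply
MANDATORY_LABELS = ["owner"]
EXCLUDED_NAMESPACES = ["kube-system"]   # namespaceSelector: kubernetes.io/metadata.name NotIn
RULE_OPERATIONS = {"CREATE", "UPDATE"}  # rules.operations


@dataclass
class NamespaceRequest:
    """Minimal stand-in for an AdmissionReview request on a Namespace object (constructed)."""
    name: str
    operation: str
    labels: dict = field(default_factory=dict)


def selector_matches(req: NamespaceRequest) -> bool:
    # When the admitted object is itself a Namespace, Kubernetes evaluates the webhook's
    # namespaceSelector against that Namespace's own labels. NotIn also matches when the
    # key is absent, which is why the sample requests carry kubernetes.io/metadata.name.
    return req.labels.get("kubernetes.io/metadata.name") not in EXCLUDED_NAMESPACES


def evaluate(req: NamespaceRequest) -> tuple:
    """Return (allowed, message) the way an active policy would answer the request."""
    if req.operation not in RULE_OPERATIONS or not selector_matches(req):
        return True, "not in scope of the policy"
    missing = [lbl for lbl in MANDATORY_LABELS if lbl not in req.labels]
    if missing:
        return False, f"namespace {req.name!r} is missing mandatory label(s): {', '.join(missing)}"
    return True, "all mandatory labels present"


if __name__ == "__main__":
    samples = (
        NamespaceRequest("team-a", "CREATE", {"kubernetes.io/metadata.name": "team-a", "owner": "alice"}),
        NamespaceRequest("team-b", "CREATE", {"kubernetes.io/metadata.name": "team-b"}),
        NamespaceRequest("kube-system", "UPDATE", {"kubernetes.io/metadata.name": "kube-system"}),
    )
    for r in samples:
        print(r.name, r.operation, evaluate(r))
```

The thread's `kubectl describe` output later shows `Policy Status: scheduled` and "The policy webhook has not been created", so until that condition clears the cluster never reaches this decision at all.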
I have applied the same, but still the namespace is being created without providing the owner label. I am getting the following when I try to describe the policy:
```
Name:         namespace-must-have-owner-label
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  policies.kubewarden.io/v1
Kind:         ClusterAdmissionPolicy
Metadata:
  Creation Timestamp:  2024-10-24T09:05:01Z
  Finalizers:
    kubewarden.io/finalizer
  Generation:        1
  Resource Version:  941797495
  UID:               2508b8ac-7852-426e-9402-434710a0b1e2
Spec:
  Background Audit:  true
  Mode:              protect
  Module:            ghcr.io/kubewarden/policies/safe-labels:v0.1.14
  Mutating:          false
  Namespace Selector:
    Match Expressions:
      Key:       kubernetes.io/metadata.name
      Operator:  NotIn
      Values:
        kube-system
  Policy Server:  default
  Rules:
    API Groups:
    API Versions:
      v1
    Operations:
      CREATE
      UPDATE
    Resources:
      namespaces
  Settings:
    mandatory_labels:
      owner
  Timeout Seconds:  10
Status:
  Conditions:
    Last Transition Time:  2024-10-24T09:05:01Z
    Message:               The policy webhook has not been created
    Reason:                PolicyActive
    Status:                False
    Type:                  PolicyActive
  Policy Status:  scheduled
Events:           <none>
```
What might be the issue? The controller pods are running fine.
Can you please clarify this @flavio?
Hello,
I want the user to restrict the namespace creation if he doesn't provide the namespace owner label. The below is the code. Even though I applied this, the status is showing pending and I am able to create a namespace without the owner label. But the default policies are working fine. What do I need to change to fix it?