feat: enable exempting additional labels in the webhooks (#1778)

* feat: enable exempting additional labels in the webhooks

Signed-off-by: Robin Opletal <me@robinopletal.com>

* review the README

Signed-off-by: Robin Opletal <me@robinopletal.com>

Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>

cmd/build/helmify/kustomize-for-helm.yaml

@@ -201,6 +201,7 @@ webhooks:
     matchExpressions:
     - key: admission.gatekeeper.sh/ignore
       operator: DoesNotExist
+    - HELMSUBST_MUTATING_WEBHOOK_EXEMPT_NAMESPACE_LABELS
   sideEffects: None
   timeoutSeconds: HELMSUBST_MUTATING_WEBHOOK_TIMEOUT
 ---
@@ -217,6 +218,11 @@ webhooks:
       namespace: gatekeeper-system
       path: /v1/admit
   name: validation.gatekeeper.sh
+  namespaceSelector:
+    matchExpressions:
+    - key: admission.gatekeeper.sh/ignore
+      operator: DoesNotExist
+    - HELMSUBST_VALIDATING_WEBHOOK_EXEMPT_NAMESPACE_LABELS
   timeoutSeconds: HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT
   failurePolicy: HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY
   rules:

cmd/build/helmify/replacements.go

@@ -57,12 +57,26 @@ var replacements = map[string]string{
 
 	"HELMSUBST_MUTATING_WEBHOOK_FAILURE_POLICY": `{{ .Values.mutatingWebhookFailurePolicy }}`,
 
+	"- HELMSUBST_MUTATING_WEBHOOK_EXEMPT_NAMESPACE_LABELS": `
+    {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}}
+    - key: {{ $key }}
+      operator: NotIn
+      value: {{ $value }}
+    {{- end }}`,
+
 	"HELMSUBST_MUTATING_WEBHOOK_TIMEOUT": `{{ .Values.mutatingWebhookTimeoutSeconds }}`,
 
 	"HELMSUBST_VALIDATING_WEBHOOK_TIMEOUT": `{{ .Values.validatingWebhookTimeoutSeconds }}`,
 
 	"HELMSUBST_VALIDATING_WEBHOOK_FAILURE_POLICY": `{{ .Values.validatingWebhookFailurePolicy }}`,
 
+	"- HELMSUBST_VALIDATING_WEBHOOK_EXEMPT_NAMESPACE_LABELS": `
+    {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}}
+    - key: {{ $key }}
+      operator: NotIn
+      value: {{ $value }}
+    {{- end }}`,
+
 	"HELMSUBST_VALIDATING_WEBHOOK_CHECK_IGNORE_FAILURE_POLICY": `{{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}`,
 
 	"HELMSUBST_RESOURCEQUOTA_POD_LIMIT": `{{ .Values.podCountLimit }}`,

cmd/build/helmify/static/README.md

@@ -81,10 +81,12 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | validatingWebhookTimeoutSeconds              | The timeout for the validating webhook in seconds                                      | `3`                                                                       |
 | validatingWebhookFailurePolicy               | The failurePolicy for the validating webhook                                           | `Ignore`                                                                  |
 | validatingWebhookCheckIgnoreFailurePolicy    | The failurePolicy for the check-ignore-label validating webhook                        | `Fail`                                                                    |
+| validatingWebhookExemptNamespacesLabels      | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}`                                                                    |
 | enableDeleteOperations                       | Enable validating webhook for delete operations                                        | `false`                                                                   |
 | enableExternalData                           | Enable external data (alpha feature)                                                   | `false`                                                                   |
 | enableTLSHealthcheck                         | Enable probing webhook API with certificate stored in certDir                          | `false`                                                                   |
 | mutatingWebhookFailurePolicy                 | The failurePolicy for the mutating webhook                                             | `Ignore`                                                                  |
+| mutatingWebhookExemptNamespacesLabels        | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}`                                                                    |
 | mutatingWebhookTimeoutSeconds                | The timeout for the mutating webhook in seconds                                        | `3`                                                                       |
 | emitAdmissionEvents                          | Emit K8s events in gatekeeper namespace for admission violations (alpha feature)       | `false`                                                                   |
 | emitAuditEvents                              | Emit K8s events in gatekeeper namespace for audit violations (alpha feature)           | `false`                                                                   |

cmd/build/helmify/static/values.yaml

@@ -7,11 +7,13 @@ disableMutation: false
 disableValidatingWebhook: false
 validatingWebhookTimeoutSeconds: 3
 validatingWebhookFailurePolicy: Ignore
+validatingWebhookExemptNamespacesLabels: {}
 validatingWebhookCheckIgnoreFailurePolicy: Fail
 enableDeleteOperations: false
 enableExternalData: false
 enableTLSHealthcheck: false
 mutatingWebhookFailurePolicy: Ignore
+mutatingWebhookExemptNamespacesLabels: {}
 mutatingWebhookTimeoutSeconds: 3
 auditChunkSize: 500
 logLevel: INFO

manifest_staging/charts/gatekeeper/README.md

@@ -81,10 +81,12 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi
 | validatingWebhookTimeoutSeconds              | The timeout for the validating webhook in seconds                                      | `3`                                                                       |
 | validatingWebhookFailurePolicy               | The failurePolicy for the validating webhook                                           | `Ignore`                                                                  |
 | validatingWebhookCheckIgnoreFailurePolicy    | The failurePolicy for the check-ignore-label validating webhook                        | `Fail`                                                                    |
+| validatingWebhookExemptNamespacesLabels      | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}`                                                                    |
 | enableDeleteOperations                       | Enable validating webhook for delete operations                                        | `false`                                                                   |
 | enableExternalData                           | Enable external data (alpha feature)                                                   | `false`                                                                   |
 | enableTLSHealthcheck                         | Enable probing webhook API with certificate stored in certDir                          | `false`                                                                   |
 | mutatingWebhookFailurePolicy                 | The failurePolicy for the mutating webhook                                             | `Ignore`                                                                  |
+| mutatingWebhookExemptNamespacesLabels        | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}`                                                                    |
 | mutatingWebhookTimeoutSeconds                | The timeout for the mutating webhook in seconds                                        | `3`                                                                       |
 | emitAdmissionEvents                          | Emit K8s events in gatekeeper namespace for admission violations (alpha feature)       | `false`                                                                   |
 | emitAuditEvents                              | Emit K8s events in gatekeeper namespace for audit violations (alpha feature)           | `false`                                                                   |

manifest_staging/charts/gatekeeper/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml

@@ -25,6 +25,12 @@ webhooks:
     matchExpressions:
     - key: admission.gatekeeper.sh/ignore
       operator: DoesNotExist
+
+    {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}}
+    - key: {{ $key }}
+      operator: NotIn
+      value: {{ $value }}
+    {{- end }}
   rules:
   - apiGroups:
     - '*'

manifest_staging/charts/gatekeeper/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml

@@ -25,6 +25,12 @@ webhooks:
     matchExpressions:
     - key: admission.gatekeeper.sh/ignore
       operator: DoesNotExist
+
+    {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}}
+    - key: {{ $key }}
+      operator: NotIn
+      value: {{ $value }}
+    {{- end }}
   rules:
   - apiGroups:
     - '*'

manifest_staging/charts/gatekeeper/values.yaml

@@ -7,11 +7,13 @@ disableMutation: false
 disableValidatingWebhook: false
 validatingWebhookTimeoutSeconds: 3
 validatingWebhookFailurePolicy: Ignore
+validatingWebhookExemptNamespacesLabels: {}
 validatingWebhookCheckIgnoreFailurePolicy: Fail
 enableDeleteOperations: false
 enableExternalData: false
 enableTLSHealthcheck: false
 mutatingWebhookFailurePolicy: Ignore
+mutatingWebhookExemptNamespacesLabels: {}
 mutatingWebhookTimeoutSeconds: 3
 auditChunkSize: 500
 logLevel: INFO