  1. Red Hat Advanced Cluster Management
  2. ACM-9263

Add default exempting namespace for gatekeeper

    • ACM-2707 - ACM Gatekeeper Enhancements
    • GRC Sprint 2023-23, GRC Sprint 2024-01, GRC Sprint 2024-04, GRC Sprint 2024-05

      Feature Overview

      Goal:

      As a user, I want to have a default list of exempt namespaces.

      Requirements

      1. First, we should collect namespaces that most users want to exclude.
      2. Add this idea to the Gatekeeper operator.

       

      Criteria

       
      The proposal, based on option 1:

      1. Add a new matches field to the Gatekeeper CRD, which is of the same type as the Gatekeeper Config object. All new non-default excluded namespaces must go here.
      2. Add a new disableDefaultMatches field for users who want to opt out of the Gatekeeper operator appending the default excluded namespaces to the matches value on the Gatekeeper CR.
      3. On upgrades, when an existing Config object has the matches field set, the Gatekeeper operator does not manage that field until the matches field is set on the Gatekeeper CR. Note that an empty array is different from nil/not set in this case.

      Users who configured the excluded namespaces with the policy collection configuration policy would delete the policy and set matches on the Gatekeeper CR either to [] or to some other value. This causes the Gatekeeper operator to take ownership.
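
      A sketch of the ownership and default-append rules in the criteria above, added here as an illustration and not the Gatekeeper operator's own code. The type names, DesiredMatches, and the default namespace pattern are assumptions, as is treating a non-nil existing list as "set".

```go
package main

import "fmt"

// MatchEntry is an assumed shape for one entry of the matches list.
type MatchEntry struct {
	ExcludedNamespaces []string
	Processes          []string
}

// GatekeeperSpec is a hypothetical subset of the Gatekeeper CR spec.
type GatekeeperSpec struct {
	Matches               []MatchEntry // nil = not set; [] = set but empty
	DisableDefaultMatches bool
}

// Constructed placeholder: the ticket does not list the real default namespaces.
var defaultMatches = []MatchEntry{
	{ExcludedNamespaces: []string{"example-system-*"}, Processes: []string{"*"}},
}

// DesiredMatches returns the matches to write to the Config object and
// whether the operator owns (manages) the field.
func DesiredMatches(cr GatekeeperSpec, existing []MatchEntry) ([]MatchEntry, bool) {
	// Upgrade rule: the Config already has matches and the CR never set the
	// field, so the operator leaves the existing value untouched.
	if cr.Matches == nil && existing != nil {
		return existing, false
	}
	// The CR value (possibly []) is authoritative; defaults are appended
	// unless the user opted out.
	out := append([]MatchEntry{}, cr.Matches...)
	if !cr.DisableDefaultMatches {
		out = append(out, defaultMatches...)
	}
	return out, true
}

func main() {
	// Constructed sample: matches left behind by a configuration policy.
	existing := []MatchEntry{{ExcludedNamespaces: []string{"team-a"}, Processes: []string{"audit"}}}
	for _, cr := range []GatekeeperSpec{
		{},                        // matches not set: existing Config is left alone
		{Matches: []MatchEntry{}}, // matches set to []: operator takes ownership
		{Matches: []MatchEntry{}, DisableDefaultMatches: true},
	} {
		got, managed := DesiredMatches(cr, existing)
		fmt.Printf("managed=%v matches=%v\n", managed, got)
	}
}
```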
       

            yikim@redhat.com Yi Rae Kim
            Dale Haiducek Dale Haiducek
            ACM GRC & Gatekeeper