Configuring policies

Skipping namespaces for a specific policy

By default, a policy applies to every Namespace that its PolicyServer is configured for. If you want a policy to target only specific Namespaces, one option is to deploy several AdmissionPolicies, one in each of those Namespaces.

Another option is to configure a ClusterAdmissionPolicy with a spec.namespaceSelector (see the CRD docs). The spec.namespaceSelector decides whether the policy runs on an object, based on whether the Namespace that object belongs to matches the selector.

For example, here is a policy that only targets the kube-system and my-namespace Namespaces:

---
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: psa-enforcer-privileged-namespaces
spec:
  module: registry://ghcr.io/kubewarden/policies/psa-label-enforcer:v0.1.1
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["namespaces"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  namespaceSelector:
    matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: In
        values: [kube-system, my-namespace]
  settings:
    modes:
      enforce: "privileged"

Here is a policy that targets all Namespaces except kube-system and my-namespace:

---
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
  name: psa-enforcer-default-mode
spec:
  module: registry://ghcr.io/kubewarden/policies/psa-label-enforcer:v0.1.1
  rules:
    - apiGroups: [""]
      apiVersions: ["v1"]
      resources: ["namespaces"]
      operations:
        - CREATE
        - UPDATE
  mutating: true
  namespaceSelector:
    matchExpressions:
      - key: "kubernetes.io/metadata.name"
        operator: NotIn
        values: [kube-system, my-namespace]
  settings:
    modes:
      enforce: "restricted"
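spec.namespaceSelector uses the standard Kubernetes label-selector semantics (matchLabels plus the In, NotIn, Exists and DoesNotExist operators of matchExpressions), so it is worth checking how the two policies above divide a cluster, including a Namespace that lacks the kubernetes.io/metadata.name label. The evaluator and the sample Namespace labels below are an added example written for this page, not Kubewarden's own code; the policy names and selectors are copied from the two manifests above and the Namespace labels are constructed.

```python
# Added example: a minimal evaluator for the label-selector semantics that
# spec.namespaceSelector uses, applied to constructed Namespace labels.

def selector_matches(selector: dict, labels: dict) -> bool:
    """Return True when a Kubernetes label selector matches the given labels.

    Supports matchLabels and the four matchExpressions operators.
    An empty selector matches everything, as it does in Kubernetes.
    """
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False  # NotIn also matches when the key is absent
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


# The two selectors from the manifests above, keyed by policy name.
NAME_KEY = "kubernetes.io/metadata.name"
POLICY_SELECTORS = {
    "psa-enforcer-privileged-namespaces": {"matchExpressions": [
        {"key": NAME_KEY, "operator": "In", "values": ["kube-system", "my-namespace"]}]},
    "psa-enforcer-default-mode": {"matchExpressions": [
        {"key": NAME_KEY, "operator": "NotIn", "values": ["kube-system", "my-namespace"]}]},
}


def policies_for(namespace_labels: dict) -> list:
    """Names of the example policies whose namespaceSelector admits a Namespace."""
    return [name for name, sel in POLICY_SELECTORS.items()
            if selector_matches(sel, namespace_labels)]


# Constructed sample Namespaces (labels only), not taken from a real cluster.
SAMPLE_NAMESPACES = {
    "kube-system": {NAME_KEY: "kube-system"},
    "my-namespace": {NAME_KEY: "my-namespace"},
    "team-a": {NAME_KEY: "team-a", "env": "prod"},
    "unlabelled": {},  # no metadata.name label: falls through to the NotIn policy
}

if __name__ == "__main__":
    for ns, labels in SAMPLE_NAMESPACES.items():
        print(f"{ns}: {policies_for(labels)}")
```

Every sample Namespace matches exactly one of the two policies, and a Namespace without the name label lands on the restricted policy rather than the privileged one, which is the safer direction for the pair shown here.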