Azure AKS policies prohibit deployment of custom gatekeeper policies using kubectl

Akshay Sinha 56 Reputation points
2021-09-27T09:54:06.257+00:00

I am working with an AKS cluster, and AKS comes with a pre-deployed instance of Gatekeeper for validating webhooks, in case you have the policy add-on enabled.

Hence I am curious how one can go about installing their own instance of Gatekeeper next to the one provided by AKS. Given that I am working on setting up a policy infrastructure for multi-cloud (both on-prem and cloud) using OPA and Gatekeeper, I wanted to keep the overall solution as cloud/platform agnostic as possible. Additionally, it also makes for a better developer experience, where they can simply deploy their Gatekeeper policies from the CLI using kubectl instead of having to go through the Azure Policy engine.

Hence this got me thinking whether I can deploy a separate instance of Gatekeeper on the same cluster and create a new validating webhook configuration.

The reason why I wanted to deploy a second instance of Gatekeeper was to keep the developer experience intact, where they can still deploy their policies to a K8s cluster using kubectl, like they do with other K8s systems currently. Additionally, this also allows us to keep the overall policy solution as cloud/platform agnostic as possible. We operate a multi-cloud/on-prem infrastructure for K8s.

So I went ahead and deployed a new instance of Gatekeeper (after updating the existing webhook with the --exempt-namespace arg). However, when trying to apply a "constraint template", I still get the following error:

admission webhook "byovalidation.policy.azure.com" denied the request: This cluster is governed by Azure Policy. Policies must be created through Azure.  

The above error is coming from the custom Azure webhook azure-policy-validating-webhook-configuration. It seems likely that this webhook rejects any policies that are not coming in through the Azure Policy portal. Is that correct?

According to the K8s docs, one can definitely have more than one validating webhook deployed in the same cluster, but for a request to be allowed, all validating webhooks would need to reply with either "allow" or "I don't know". However, in our case, since one webhook would always reject the request, the whole request would always get rejected.

I understand that disabling the policy add-on for AKS as a whole would allow us to achieve what we are looking for, but we would like to avoid that option if possible.

Hence, what might be the best way forward? Thoughts?

PS: @SRIJIT-BOSE-MSFT This question is a follow-up to an earlier question, https://learn.microsoft.com/en-us/answers/questions/563748/deploying-multiple-validating-webhooks-in-the-same.html. For some strange reason, the site wouldn't allow me to add any comments on the answer received. Hence I am adding a new question here with additional details.

Tags: Azure Kubernetes Service (AKS), Azure Policy
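To make the admission-chaining point in the question concrete (every matching validating webhook must allow, so a single deny wins), here is an added model in Python, not code from the question, the answers, or Azure. The two webhook definitions are constructed stand-ins; the real Azure webhook's rule set is an assumption, and the only names taken from the thread are the webhook name in the error message and Gatekeeper's API groups.

```python
"""Model how the API server chains validating webhooks. Added example, not from the
thread; both webhooks are CONSTRUCTED stand-ins and the Azure one's rules are assumed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

@dataclass
class Rule:
    api_groups: Set[str]   # "*" matches any API group
    resources: Set[str]    # "*" matches any resource
    operations: Set[str]   # CREATE/UPDATE/DELETE/CONNECT or "*"

@dataclass
class Webhook:
    name: str
    rules: List[Rule]
    failure_policy: str                       # "Fail" or "Ignore"
    decide: Callable[[dict], Optional[bool]]  # True=allow, False=deny, None=unreachable

def rule_matches(rule: Rule, req: dict) -> bool:
    return all("*" in allowed or req[key] in allowed for key, allowed in
               (("group", rule.api_groups), ("resource", rule.resources),
                ("operation", rule.operations)))

def admit(req: dict, webhooks: List[Webhook]) -> Tuple[bool, List[str]]:
    """Every webhook whose rules match is consulted; one deny rejects the request
    regardless of the others. An unreachable webhook denies only if failurePolicy=Fail."""
    denials = []
    for wh in webhooks:
        if not any(rule_matches(r, req) for r in wh.rules):
            continue  # not consulted for this request
        verdict = wh.decide(req)
        if verdict is False or (verdict is None and wh.failure_policy == "Fail"):
            denials.append(wh.name)
    return (not denials, denials)

# Constructed stand-in for the Azure Policy webhook named in the error message.
AZURE_POLICY = Webhook("byovalidation.policy.azure.com",
                       [Rule({"templates.gatekeeper.sh", "constraints.gatekeeper.sh"},
                             {"*"}, {"CREATE", "UPDATE"})], "Fail", lambda req: False)
# Constructed stand-in for a self-installed Gatekeeper that allows everything here.
OWN_GATEKEEPER = Webhook("validation.gatekeeper.sh",
                         [Rule({"*"}, {"*"}, {"CREATE", "UPDATE"})], "Ignore", lambda req: True)
CHAIN = [AZURE_POLICY, OWN_GATEKEEPER]

def constraint_template_create() -> Tuple[bool, List[str]]:
    req = {"group": "templates.gatekeeper.sh", "resource": "constrainttemplates", "operation": "CREATE"}
    return admit(req, CHAIN)

def pod_create() -> Tuple[bool, List[str]]:
    return admit({"group": "", "resource": "pods", "operation": "CREATE"}, CHAIN)
```

Adding a second allowing webhook changes nothing for the ConstraintTemplate request, while an ordinary Pod create passes because the constructed Azure rule never matches it.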

Accepted answer
  1. SRIJIT-BOSE-MSFT 4,326 Reputation points Microsoft Employee
    2021-09-27T11:14:01.633+00:00

    @Akshay Sinha , thank you for sharing your concern here. We regret the issues you faced.

    We followed up internally on https://learn.microsoft.com/en-us/answers/questions/563748/deploying-multiple-validating-webhooks-in-the-same.html

    According to the updated limitations of Azure Policy Add-on for Kubernetes clusters, at the time of writing:

    Installations of Gatekeeper outside of the Azure Policy Add-on aren't supported. Uninstall any components installed by a previous Gatekeeper installation before enabling the Azure Policy Add-on.

    For now, as you mentioned, disabling the Azure policy add-on for AKS as a whole would allow you to bring in your Gatekeeper and deploy your own Constraint Template (which does not have to be through Azure).

    ----
    Hope this helps.

    Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.


1 additional answer

  1. Miqdaad Patwa 1 Reputation point
    2022-07-20T07:24:24.587+00:00

    Hello @Akshay Sinha @SRIJIT-BOSE-MSFT ,

    I am also facing the same issue. We have created the custom policy in Azure and deployed the constraint templates. Now, when we try to edit the constraint template, we face this error:

    admission webhook "byovalidation.policy.azure.com" denied the request: This cluster is governed by Azure Policy. Policies must be created through Azure.

    The above error is coming from the custom Azure webhook azure-policy-validating-webhook-configuration. It seems likely that this webhook rejects any policies that are not coming in through the Azure Policy portal.

    Also, there are deployments and replica sets which get created when the Azure Policy add-on is enabled:

    kube-system pod/azure-policy-795c78444-phjl2 1/1 Running 0 8d
    kube-system pod/azure-policy-webhook-84884d989b-zmqbd 1/1 Running 0 16h
    kube-system service/azure-policy-webhook-service ClusterIP 192.168.66.219 <none> 443/TCP 16h
    kube-system deployment.apps/azure-policy 1/1 1 1 8d
    kube-system deployment.apps/azure-policy-webhook 1/1 1 1 16h
    kube-system replicaset.apps/azure-policy-795c78444 1 1 1 8d
    kube-system replicaset.apps/azure-policy-webhook-84884d989b 1 1 1 16h

    We tried deleting the webhooks, but they reappeared again. Can you please help with this, if we can fix this error?

    Can the existing webhook be modified or completely removed?

    Note: We want the Azure add-on to be enabled as part of the security requirement.

    Please help.
