I am working with an AKS cluster, and AKS comes with a pre-deployed instance of Gatekeeper for validating webhooks if you have the policy add-on enabled.
Hence I am curious how one can go about installing their own instance of Gatekeeper next to the one provided by AKS. Given that I am working on setting up a policy infrastructure for multi-cloud (both on-prem and cloud) using OPA and Gatekeeper, I wanted to keep the overall solution as cloud/platform-agnostic as possible. Additionally, it also makes for a better developer experience, where developers can simply deploy their Gatekeeper policies from the CLI using kubectl instead of having to go through the Azure Policy engine.
Hence this got me thinking about whether I can deploy a separate instance of Gatekeeper on the same cluster and create a new validating webhook configuration.
The reason why I wanted to deploy a second instance of Gatekeeper was to keep the developer experience intact, where developers can still deploy their policies to a K8s cluster using kubectl, like they do with other K8s systems currently. Additionally, this also allows us to keep the overall policy solution as cloud/platform-agnostic as possible. We operate a multi-cloud/on-prem infrastructure for K8s.
So I went ahead and deployed a new instance of Gatekeeper (after updating the existing webhook with the --exempt-namespace arg). However, when trying to apply a "constraint template", I still get the following error:
admission webhook "byovalidation.policy.azure.com" denied the request: This cluster is governed by Azure Policy. Policies must be created through Azure.
The above error is coming from the custom Azure webhook azure-policy-validating-webhook-configuration. It seems likely that this webhook rejects any policies that are not coming in through the Azure Policy portal. Is that correct?
According to the K8s docs, one can definitely have more than one validating webhook deployed in the same cluster, but for a request to be allowed, all validating webhooks need to reply with either "allow" or "I don't know". However, in our case, since one webhook would always reject the request, the whole request would always get rejected.
I understand that disabling the policy add-on for AKS as a whole would allow us to achieve what we are looking for, but we would like to avoid that option if possible.
Hence, what might be the best way forward? Thoughts?
PS: @SRIJIT-BOSE-MSFT This question is a follow-up to an earlier question, https://learn.microsoft.com/en-us/answers/questions/563748/deploying-multiple-validating-webhooks-in-the-same.html. For some strange reason, the site wouldn't allow me to add any comments on the answer received. Hence I am adding a new question here with additional details.
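The admission behaviour the question describes (several validating webhooks, every matching one must allow, a single deny rejects the request) can be replayed offline. The following Python script is an added illustration, not code from the question, from AKS or from the Gatekeeper project. The two webhook configurations it uses are constructed stand-ins: a simplified "Azure-like" webhook that only watches Gatekeeper policy objects and always answers with the message quoted above, and a "Gatekeeper-like" webhook that watches every resource but skips namespaces carrying the admission.gatekeeper.sh/ignore label (the label Gatekeeper's documented namespaceSelector keys on). Their rules, names and responses are assumptions chosen to reproduce the scenario, not the real AKS or Gatekeeper manifests.

```python
# Added example (not from the question, AKS or Gatekeeper): simulate how the
# Kubernetes API server combines several ValidatingWebhookConfigurations.
# Every webhook whose rules and namespaceSelector match is called; the request
# is admitted only if none of them denies it. Unreachable webhooks are skipped
# only when their failurePolicy is "Ignore".
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class AdmissionRequest:
    group: str                       # API group, "" for the core group
    version: str
    resource: str                    # plural resource name, e.g. "pods"
    operation: str                   # CREATE, UPDATE, DELETE or CONNECT
    namespace_labels: Dict[str, str] = field(default_factory=dict)


def _in(items: List[str], value: str) -> bool:
    return "*" in items or value in items


def rule_matches(rule: dict, req: AdmissionRequest) -> bool:
    """One entry of a webhook's `rules:` list, with the usual '*' wildcard."""
    return (_in(rule["apiGroups"], req.group)
            and _in(rule["apiVersions"], req.version)
            and _in(rule["resources"], req.resource)
            and _in(rule["operations"], req.operation))


def selector_matches(selector: dict, labels: Dict[str, str]) -> bool:
    """Label selector subset: matchLabels plus In/NotIn/Exists/DoesNotExist."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
    return True


def webhook_matches(webhook: dict, req: AdmissionRequest) -> bool:
    if not any(rule_matches(r, req) for r in webhook.get("rules", [])):
        return False
    selector = webhook.get("namespaceSelector")
    return selector is None or selector_matches(selector, req.namespace_labels)


Responder = Callable[[AdmissionRequest], Tuple[bool, str]]


def admit(configs: List[dict], responders: Dict[str, Responder],
          req: AdmissionRequest) -> Tuple[bool, str]:
    """Replay the validating phase: call every matching webhook, stop at the first deny."""
    for cfg in configs:
        for wh in cfg["webhooks"]:
            if not webhook_matches(wh, req):
                continue
            try:
                allowed, message = responders[wh["name"]](req)
            except ConnectionError:
                if wh.get("failurePolicy", "Fail") == "Ignore":
                    continue          # skipped only because failurePolicy is Ignore
                return False, f'failed calling webhook "{wh["name"]}"'
            if not allowed:
                return False, f'admission webhook "{wh["name"]}" denied the request: {message}'
    return True, "allowed"


# Constructed stand-in for the AKS-managed configuration (assumed rules, not the real manifest).
AZURE_CONFIG = {
    "metadata": {"name": "azure-policy-validating-webhook-configuration"},
    "webhooks": [{
        "name": "byovalidation.policy.azure.com",
        "failurePolicy": "Fail",
        "rules": [{"apiGroups": ["templates.gatekeeper.sh", "constraints.gatekeeper.sh"],
                   "apiVersions": ["*"], "resources": ["*"], "operations": ["CREATE", "UPDATE"]}],
    }],
}


def gatekeeper_config(failure_policy: str) -> dict:
    """Constructed stand-in for a self-installed Gatekeeper webhook."""
    return {
        "metadata": {"name": "gatekeeper-validating-webhook-configuration"},
        "webhooks": [{
            "name": "validation.gatekeeper.sh",
            "failurePolicy": failure_policy,
            "rules": [{"apiGroups": ["*"], "apiVersions": ["*"], "resources": ["*"],
                       "operations": ["CREATE", "UPDATE"]}],
            "namespaceSelector": {"matchExpressions": [
                {"key": "admission.gatekeeper.sh/ignore", "operator": "DoesNotExist"}]},
        }],
    }


def azure_stand_in(req: AdmissionRequest) -> Tuple[bool, str]:
    return False, "This cluster is governed by Azure Policy. Policies must be created through Azure."


def gatekeeper_stand_in(req: AdmissionRequest) -> Tuple[bool, str]:
    return True, ""


def gatekeeper_unreachable(req: AdmissionRequest) -> Tuple[bool, str]:
    raise ConnectionError("webhook endpoint not reachable")


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    template = AdmissionRequest("templates.gatekeeper.sh", "v1", "constrainttemplates", "CREATE")
    pod_exempt_ns = AdmissionRequest("", "v1", "pods", "CREATE",
                                     {"admission.gatekeeper.sh/ignore": "true"})
    pod_plain_ns = AdmissionRequest("", "v1", "pods", "CREATE", {"team": "payments"})
    healthy = {"byovalidation.policy.azure.com": azure_stand_in,
               "validation.gatekeeper.sh": gatekeeper_stand_in}
    down = {"byovalidation.policy.azure.com": azure_stand_in,
            "validation.gatekeeper.sh": gatekeeper_unreachable}
    return {
        # Second Gatekeeper allows, but one deny is enough to reject the template.
        "template": admit([AZURE_CONFIG, gatekeeper_config("Fail")], healthy, template),
        # Neither webhook matches: the Azure stand-in ignores pods, Gatekeeper skips the label.
        "pod_in_exempt_ns": admit([AZURE_CONFIG, gatekeeper_config("Fail")], healthy, pod_exempt_ns),
        # Gatekeeper down: admitted with Ignore, rejected with Fail.
        "unreachable_ignore": admit([AZURE_CONFIG, gatekeeper_config("Ignore")], down, pod_plain_ns),
        "unreachable_fail": admit([AZURE_CONFIG, gatekeeper_config("Fail")], down, pod_plain_ns),
    }


if __name__ == "__main__":
    for name, (allowed, message) in run_scenarios().items():
        print(f"{name:20s} allowed={allowed} {message}")
```

The first scenario is the situation in the question: the self-installed Gatekeeper webhook answers "allow", yet the request still fails because the API server needs every matching validating webhook to allow. The other scenarios show the two levers that actually change the outcome, scoping (a webhook whose rules or namespaceSelector do not match is never consulted) and failurePolicy (an unreachable webhook only fails open when set to Ignore, which is the setting to check when adding a second admission controller to a cluster).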