This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 91%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
I am working with an AKS cluster and AKS comes with an pre-deployed instance of Gatekeeper for validating webhooks.
Hence I am curious, how can one go about installing their own instance of Gatekeeper next to the one provided by AKS. Given that I am working on setting up a policy infrastructure for multi cloud (both on prem and cloud) using OPA and Gatekeeper, I wanted to keep the overall solution as much as cloud/platform agnostic, as possible. Additionally it also makes for a better developer experience where they can simply deploy their gatekeeper policies from CLI using kubectl instead of having to go through Azure Policy Engine.
Hence this got me thinking if I can deploy a separate instance of gatekeeper on the same cluster and create a new validating webhook configuration ? Would that even work ?
If yes, what all changes would need to be made.. Any thoughts ?
@Akshay Sinha , thank you for your question. Yes, multiple validating webhooks in the same AKS cluster is possible. Although you can install a second gatekeeper instance in a different namespace (the gatekeeper-controller-manager's spec.containers[name=manager].args should be appropriately set with --exempt-namespace) on the AKS cluster than the Azure Policy Addon's gatekeeper-system namespace, it would be completely unnecessary. The gatekeeper Deployments made by Azure Policy Addon is sufficient to accommodate your own OPA ConstraintTemplates and Constraints or Azure Custom policy definitions
If you have not enabled Azure Policy Addon for the AKS cluster, then you can follow these installation instructions for Gatekeeper on AKS
----
AKS supports the following admission controllers:
Currently, you can't modify the list of admission controllers in AKS.
Yes, you may use admission controller webhooks on AKS. It's recommended you exclude internal AKS namespaces, which are marked with the control-plane label. For example, by adding the below to the webhook configuration:
namespaceSelector:
matchExpressions:
- key: control-plane
operator: DoesNotExist
AKS firewalls the API server egress so your admission controller webhooks need to be accessible from within the cluster.
To protect the stability of the system and prevent custom admission controllers from impacting internal services in the kube-system, namespace AKS has an Admissions Enforcer, which automatically excludes kube-system and AKS internal namespaces. This service ensures the custom admission controllers don't affect the services running in kube-system.
If you have a critical use case for having something deployed on kube-system (not recommended) which you require to be covered by your custom admission webhook, you may add the below label or annotation so that Admissions Enforcer ignores it.
Label: "admissions.enforcer/disabled": "true" or Annotation: "admissions.enforcer/disabled": true
----
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.