Skip to content

https://issues.redhat.com/browse/ACM-26213 note about fail-over #8417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dockerymick wants to merge 15 commits into
base: 2.15_stage
Choose a base branch
from
+74 −49
Open

https://issues.redhat.com/browse/ACM-26213 note about fail-over #8417

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
1fd833d
https://issues.redhat.com/browse/ACM-26213 note about fail-over
dockerymick Dec 1, 2025
32d748f
small change
dockerymick Dec 1, 2025
30e4dbd
Apply suggestion from @dockerymick
dockerymick Dec 2, 2025
c2517dc
Apply suggestion from @dockerymick
dockerymick Dec 2, 2025
23f651e
Updates after peer review
dockerymick Dec 2, 2025
2b47d81
Apply suggestion from @dockerymick
dockerymick Dec 2, 2025
aadb64f
Updates after reconsidering migration and file improvements
dockerymick Dec 4, 2025
668f58e
Merge branch '2.15_stage' into mj-ACM-26213
dockerymick Dec 4, 2025
8136118
Update config_gk_operator.adoc
dockerymick Dec 4, 2025
bd2b55b
Apply suggestions from code review
dockerymick Dec 4, 2025
6bba7a1
Clarify prerequisite for Gatekeeper installation
dockerymick Dec 4, 2025
3424691
Update support information for Gatekeeper Operator
dockerymick Dec 4, 2025
f99b23a
Update gk_policy_constraints.adoc
dockerymick Dec 4, 2025
59dbe1e
Update gk_operator_overview.adoc
dockerymick Dec 4, 2025
bac84b8
improving short description, tell users the purpose for integrating
dockerymick Dec 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
107 changes: 63 additions & 44 deletions governance/gatekeeper_operator/config_gk_operator.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,53 @@

Install the {gate} from the {olm} catalog to install Gatekeeper on your cluster. With {acm-short} you can use a policy to install the {gate} by using the governance framework. After you install the {gate}, configure the {gate} custom resource to install Gatekeeper.

[#configure-gk-operator-prerequisites]
== Prerequisites
*Required access*: Cluster administrator.

- *Required access*: Cluster administrator.
.Prerequisites

- You need a {acm} or {ocp} Plus subscription to install Gatekeeper and apply Gatekeeper policies to your cluster.
- Understand how to use the Operator Lifecycle Manager and the {ocp-catalog} by completing the _Adding Operators to a cluster_ and the _Additional resources_ section in the link:https://access.redhat.com/documentation/en-us/openshift_container_platform/4.18/html/operators/administrator-tasks#olm-adding-operators-to-a-cluster[{ocp-short} documentation].

[#gatekeeper-custom-resource]
== Gatekeeper custom resource sample
.Procedure

The {gate} custom resource tells the {gate} to start the Gatekeeper installation on the cluster. Complete the following steps to configure the {gate} custom resource:

. Enable the `auditEventsInvolvedNamespace` parameter to manage the namespace audit event you want to create. When you enable this parameter, the Gatekeeper controller deployment runs with the following argument: `--audit-events-involved-namespace=true`.

. Specify `containerArguments` in the `audit` and `webhook` specification by providing a list of argument names and values to pass to the container. Omit leading dashes from the argument name. An omitted value is treated as `true`. Arguments that you provide are ignored if the argument is set previously by the operator or configurations from other fields. See the following list of flags that are deny-listed and are not currently supported:

+
- `port`
- `prometheus-port`
- `health-addr`
- `validating-webhook-configuration-name`
- `mutating-webhook-configuration-name`
- `disable-cert-rotation`
- `client-cert-name`
- `tls-min-version`

. For Gatekeeper version 3.20 and later, specify `audit.podAnnotations` that are specific to the audit pod by providing a list of annotation names and values to add to the pod. An omitted value is treated as `true`.

. Enable the `admissionEventsInvolvedNamespace` parameter to manage the namespace admission event you want to create. When you enable this parameter, the Gatekeeper controller deployment runs with the following argument: `--admission-events-involved-namespace=true`.

. *Optional:* If you want to enforce your Gatekeeper constraints, set the `failurePolicy` parameter to `Fail`. By default, the `failurePolicy` parameter for Gatekeeper is set to `Ignore`. If the Gatekeeper webhook becomes unavailable, constraints are not enforced.
Copy link
Contributor Author

@dockerymick dockerymick Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of adding the important note, I suggest we add it as a step. I created steps here to remove the callouts


. Define `operations` for your webhook. Use one or more of the following supported values: `CREATE`, `UPDATE`, `CONNECT`, and `DELETE`.

. For version 3.20 and later, specify `rules` to overwrite the `rules` configuration in the `webhook` configuration. The `rules` parameter preceeds the `operations` field.

The {gate} custom resource tells the {gate} to start the Gatekeeper installation on the cluster. To install Gatekeeper, use the following sample YAML, which includes sample and default values:
. For version 3.20 and later, specify the timeout for the webhook configuration by defining a value for the `timeoutSeconds` parameter.

. For version 3.20 and later, configure the mutating webhook by adding configurations for the `mutatingWebhookConfig` specification. The configurations override the values from `spec.webhook` or are specific to the mutating webhook.

. Use the `config` section to exclude namespaces from certain processes for all constraints on your cluster.

. The `disableDefaultMatches` parameter is a boolean parameter that disables appending the default exempt namespaces provided by the Gatekeeper operator. The default exempt namespaces are {ocp-short} or Kubernetes system namespaces. By default, this parameter is set to `false` to allow the default namespaces to be appended.

+
See the following sample YAML file:

+
[source,yaml]
----
apiVersion: operator.gatekeeper.sh/v1alpha1
Expand All @@ -23,11 +59,11 @@ metadata:
spec:
audit:
auditChunkSize: 66
auditEventsInvolvedNamespace: Enabled <1>
auditEventsInvolvedNamespace: Enabled
auditFromCache: Enabled
auditInterval: 10s
constraintViolationLimit: 55
containerArguments: <4>
containerArguments:
- name: ""
value: ""
resources:
Expand All @@ -39,20 +75,20 @@ spec:
memory: 130Mi
emitAuditEvents: Enabled
logLevel: DEBUG
podAnnotations: {} <2>
podAnnotations: {}
replicas: 1
validatingWebhook: Enabled
mutatingWebhook: Enabled
webhook:
admissionEventsInvolvedNamespace: Enabled <3>
containerArguments: <4>
admissionEventsInvolvedNamespace: Enabled
containerArguments:
- name: ""
value: ""
disabledBuiltins:
- http.send
emitAdmissionEvents: Enabled
failurePolicy: Fail
operations: <5>
operations:
- CREATE
- UPDATE
- CONNECT
Expand All @@ -64,25 +100,25 @@ spec:
requests:
cpu: 400m
memory: 120Mi
rules: <6>
rules:
- operations: []
resources: []
timeoutSeconds: 3 <7>
mutatingWebhookConfig: <8>
timeoutSeconds: 3
mutatingWebhookConfig:
failurePolicy: ""
logMutations: Disabled
mutationAnnotations: Disabled
namespaceSelector: {}
operations: []
rules: <6>
rules:
- operations: []
resources: []
timeoutSeconds: 1 <7>
config: <9>
timeoutSeconds: 1
config:
matches:
- excludedNamespaces: ["test-*", "my-namespace"]
processes: ["*"]
disableDefaultMatches: false <10>
disableDefaultMatches: false
nodeSelector:
region: "EMEA"
affinity:
Expand All @@ -100,34 +136,13 @@ spec:
some-annotation: "this is a test"
other-annotation: "another test"
----
<1> Enable the `auditEventsInvolvedNamespace` parameter to manage the namespace audit event you want to create. When you enable this parameter, the Gatekeeper controller deployment runs with the following argument: `--audit-events-involved-namespace=true`.
<2> For version 3.20 and later, specify `audit.podAnnotations` specific to the audit pod by providing a list of annotation names and values to add to the pod. An omitted value is treated as `true`.
<3> Enable the `admissionEventsInvolvedNamespace` parameter to manage the namespace admission event you want to create. When you enable this parameter, the Gatekeeper controller deployment runs with the following argument: `--admission-events-involved-namespace=true`.
<4> Specify `containerArguments` by providing a list of argument names and values to pass to the container. Omit leading dashes from the argument name. An omitted value is treated as `true`. Arguments that you provide are ignored if the argument is set previously by the operator or configurations from other fields. See the following list of flags that are deny-listed and are not currently supported:
- `port`
- `prometheus-port`
- `health-addr`
- `validating-webhook-configuration-name`
- `mutating-webhook-configuration-name`
- `disable-cert-rotation`
- `client-cert-name`
- `tls-min-version`
<5> Use `operations` to manage the operations for which the webhook is invoked. For example, `CREATE`, `UPDATE`, `CONNECT`, and `DELETE`.
<6> For version 3.20 and later, specify `rules` to overwrite the rules configuration in the webhook configuration. When set, this field takes precedence over the Operations field.
<7> For version 3.20 and later, specify the timeout for the webhook configuration.
<8> For version 3.20 and later, use the `mutatingWebhookConfig` section to configure the mutating webhook with configurations that override the values from `spec.webhook` or are specific to the mutating webhook.
<9> Use the `config` section to exclude namespaces from certain processes for all constraints on your cluster.
<10> The `disableDefaultMatches` parameter is a boolean parameter that disables appending the default exempt namespaces provided by the Gatekeeper operator. The default exempt namespaces are {ocp-short} or Kubernetes system namespaces. By default, this parameter is set to `false` to allow the default namespaces to be appended.

[#config-audit-sync]

== Configuring _auditFromCache_ for sync details

The {gate} exposes a setting in the {gate} custom resource for the audit configuration with the `auditFromCache` parameter, which is disabled by default. Configure the `auditFromCache` parameter to collect resources from constraints.

When you set the `auditFromCache` parameter to `Automatic`, the {gate} collects resources from constraints and inserts those resources into your Gatekeeper `Config` resource. If the resource does not exist, the {gate} creates the `Config` resource.

If you set the `auditFromCache` parameter to `Enabled`, you need to manually set the Gatekeeper `Config` resource with the objects to sync to the cache. For more information, see _Configuring Audit_ in the Gatekeeper documentation.

To configure the `auditFromCache` parameter for resource collection from constraints, complete the following steps:

. Set `auditFromCache` to `Automatic` in the `Gatekeeper` resource. See the following example:
Expand All @@ -146,6 +161,9 @@ spec:
auditFromCache: Automatic
----

+
*Note:* If you set the `auditFromCache` parameter to `Enabled`, you need to manually set the Gatekeeper `Config` resource with the objects to sync to the cache. For more information, see _Configuring Audit_ in the Gatekeeper documentation.

. To verify that the resources are added to your `Config` resource, view that the `syncOnly` parameter section is added. Run the following command:

+
Expand Down Expand Up @@ -175,14 +193,15 @@ spec:
kind: "Pod"
----

*Optional:* You can view the explanation of the `auditFromCache` setting from the description of the {gate} custom resource by running the following command:
. *Optional:* You can view the explanation of the `auditFromCache` setting from the description of the {gate} custom resource by running the following command:

+
[source,bash]
----
oc explain gatekeeper.spec.audit.auditFromCache
----

[#gk-add-resources]
== Additional resources
.Additional resources

- For more information, see link:https://open-policy-agent.github.io/gatekeeper/website/docs/audit/#configuring-audit[Configuring Audit] in the Gatekeeper documentation.
- For more information about configuring fail-open and fail-closed behavior, see link:https://open-policy-agent.github.io/gatekeeper/website/docs/failing-closed[Gatekeeper documentation].
4 changes: 3 additions & 1 deletion governance/gatekeeper_operator/general_support.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,13 @@
[#general-support]
= General support

Red Hat supports only the Gatekeeper Operator and does not support individual Gatekeeper policies. Support ensures that the operator is functioning. To receive support, you need a {acm} or {ocp} Plus subscription for installing Gatekeeper and applying Gatekeeper policies to your cluster.
Copy link
Contributor Author

@dockerymick dockerymick Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of listing this as an Important note in the overview, I suggest we add it here to the General support file


To understand the support you receive from the {gate}, see the following list:

- Supports current version of the {gate}, preceding versions, and all z-stream releases of those versions.
- Receive maintenance support and relevant security vulnerability fixes for preceding and current versions.
- Support for all {ocp} versions that receive standard support.
*Note*: The {gate} is not supported on end-of-life {ocp-short} versions or versions that receive extended support.

To view the release notes for the {gate}, see link:https://catalog.redhat.com/software/containers/gatekeeper/gatekeeper-operator-bundle/64ba9da52b6048f1d6695232[gatekeeper-operator-bundle].
To view the release notes for the {gate}, see link:https://catalog.redhat.com/software/containers/gatekeeper/gatekeeper-operator-bundle/64ba9da52b6048f1d6695232[gatekeeper-operator-bundle].
4 changes: 1 addition & 3 deletions governance/gatekeeper_operator/gk_operator_overview.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,12 +8,10 @@ The {gate} installs Gatekeeper, which is a validating webhook with auditing capa
- Evaluate Kubernetes resource compliance requests for the Kubernetes API by using the Gatekeeper constraints.
- Use OPA as the policy engine and use Rego as the policy language.

*Prerequisite:* You need a {acm} or {ocp} Plus subscription to install Gatekeeper and apply Gatekeeper policies to your cluster.
Copy link
Contributor

@dhaiducek dhaiducek Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is the subscription requirement being removed? It seems to me it's still relevant?

Copy link
Contributor Author

@dockerymick dockerymick Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is removed because this is not a task file. I will add it to the file where it applies. making a few more commits

Copy link
Contributor

@dhaiducek dhaiducek Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, I get that it's not a task file, but it does seem more relevant to me in the overview since users would acquire the subscription before looking at how to install or configure it, right? So maybe this content can just move under the new "Important" heading?

Copy link
Contributor Author

@dockerymick dockerymick Dec 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I moved it to the General Support topic. We can do a live review so that I can explain my changes.


To learn more about using the {gate}, see the following resources:

- xref:../gatekeeper_operator/general_support.adoc#general-support[General support]
- xref:../gatekeeper_operator/channels.adoc#operator-channels[Operator channels]
- xref:../gatekeeper_operator/config_gk_operator.adoc#config-gk-operator[Configuring the {gate}]
- xref:../gatekeeper_operator/manage_gk.adoc#managing-gk-policies[Managing the {gate} installation policies]
- xref:../gatekeeper_operator/gk_policy_constraints.adoc#integrate-gk-constraints-templates[Integrating Gatekeeper constraints and constraint templates]
- xref:../gatekeeper_operator/gk_policy_constraints.adoc#integrate-gk-constraints-templates[Integrating Gatekeeper constraints and constraint templates]
4 changes: 3 additions & 1 deletion governance/gatekeeper_operator/gk_policy_constraints.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,9 @@
[#integrate-gk-constraints-templates]
= Integrating Gatekeeper constraints and constraint templates

To create Gatekeeper policies, use `ConstraintTemplates` and constraints. Add templates and constraints to the `policy-templates` of a `Policy` resource. View the following YAML examples that use Gatekeeper constraints in {acm-short} policies:
Integrate Gatekeeper constraints and constraint templates for multicluster distribution of Gatekeeper constraints and audit results. Configure constraints by creating a configuration policy to check for Kubernetes API requests denied by the Gatekeeper admission webhook. To create Gatekeeper policies, use `ConstraintTemplates` resources and constraints. Add templates and constraints to the `policy-templates` of a `Policy` resource.

View the following YAML examples that use Gatekeeper constraints in {acm-short} policies:

* `ConstraintTemplates` and constraints: Use the Gatekeeper integration feature by using {acm-short} policies for multicluster distribution of Gatekeeper constraints and Gatekeeper audit results aggregation on the hub cluster. The following example defines a Gatekeeper `ConstraintTemplate` and constraint (`K8sRequiredLabels`) to ensure the `gatekeeper` label is set on all namespaces:

Expand Down
4 changes: 4 additions & 0 deletions governance/gatekeeper_operator/manage_gk.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@ Use the {acm-short} policy to install the {gate} and Gatekeeper on a managed clu

*Required access*: Cluster administrator

.Prerequisite

- You need a {acm} or {ocp} Plus subscription to install Gatekeeper and apply Gatekeeper policies to your cluster.

To create, view, and update your {gate} installation policies, complete the following sections:

- <<installing-gk-operator-policy,Installing Gatekeeper using a {gate} policy>>
Expand Down