I am trying to add the following comments to an answer posted on one of my questions, but the site is not allowing me to:
Request you to kindly help with the same.
Hi @srbose-msft ,
Thanks for your response. The reason why I wanted to deploy a second instance of Gatekeeper was to keep the developer experience intact, where they can still deploy their policies to a K8s cluster using kubectl, like they do with other K8s systems currently. Additionally, this also allows us to keep the overall policy solution as cloud/platform agnostic as possible. We operate a multi-cloud/on-prem infrastructure for K8s.
So I went ahead and deployed a new instance of Gatekeeper (after updating the existing webhook with the --exempt-namespace arg). However, when trying to apply a "constraint template", I still get the following error:
admission webhook "byovalidation.policy.azure.com" denied the request: This cluster is governed by Azure Policy. Policies must be created through Azure.
The above error is coming from the custom Azure webhook azure-policy-validating-webhook-configuration. It seems likely that this webhook rejects any policies that are not coming in through the Azure Policy portal. Is that correct?
According to the K8s docs, one can definitely have more than one validating webhook deployed in the same cluster, but for a request to be allowed, all validating webhooks would need to reply with either "allow" or "I don't know". However, in our case, since one webhook would always reject the request, the whole request would always get rejected.
I understand that disabling the policy add-on for AKS as a whole would allow us to achieve what we are looking for, but we would like to avoid that option if possible.
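The point above, that every validating webhook whose rules match a request is consulted and a single deny rejects it, can be checked against a cluster's own configuration. The following Python is an added example and not part of the post: it reads the JSON that `kubectl get validatingwebhookconfigurations -o json` prints and lists which webhooks would see a given request. The sample configuration is constructed; the webhook names come from the post, but their rules and failure policies here are assumptions (the Azure webhook's real rules are not on the page), and namespaceSelector/objectSelector matching is not modelled.

```python
import json

# Constructed sample in the shape of `kubectl get validatingwebhookconfigurations -o json`.
# Webhook names are the ones from the post; rules and failurePolicy values are assumed.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "gatekeeper-validating-webhook-configuration"},
     "webhooks": [{"name": "validation.gatekeeper.sh", "failurePolicy": "Ignore",
                   "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
                              "resources": ["*"], "operations": ["CREATE", "UPDATE"]}]}]},
    {"metadata": {"name": "azure-policy-validating-webhook-configuration"},
     "webhooks": [{"name": "byovalidation.policy.azure.com", "failurePolicy": "Fail",
                   "rules": [{"apiGroups": ["templates.gatekeeper.sh", "constraints.gatekeeper.sh"],
                              "apiVersions": ["*"], "resources": ["*"],
                              "operations": ["CREATE", "UPDATE", "DELETE"]}]}]},
]})


def rule_matches(rule, group, version, resource, operation, namespaced):
    """Apply one admission rule the way the API server does: '*' is a wildcard in each
    list, and the optional 'scope' field restricts the rule to namespaced or cluster objects."""
    def hit(values, wanted):
        return any(v in ("*", wanted) for v in values)
    scope = rule.get("scope", "*")
    scope_ok = scope == "*" or (scope == "Namespaced") == namespaced
    return (scope_ok
            and hit(rule.get("apiGroups", []), group)
            and hit(rule.get("apiVersions", []), version)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("operations", []), operation))


def intercepting_webhooks(configs_json, group, version, resource, operation, namespaced=False):
    """Return (configuration, webhook, failurePolicy) for every webhook that will be
    consulted for the request. All of them must allow it; one deny rejects the request."""
    hits = []
    for cfg in json.loads(configs_json)["items"]:
        for wh in cfg["webhooks"]:
            if any(rule_matches(r, group, version, resource, operation, namespaced)
                   for r in wh.get("rules", [])):
                hits.append((cfg["metadata"]["name"], wh["name"], wh.get("failurePolicy", "Fail")))
    return hits


if __name__ == "__main__":
    # A ConstraintTemplate applied with kubectl: both webhooks are consulted in the sample.
    for hit in intercepting_webhooks(SAMPLE, "templates.gatekeeper.sh", "v1",
                                     "constrainttemplates", "CREATE"):
        print(hit)
```

Replace SAMPLE with the real kubectl output to see which webhooks stand between kubectl and a given resource in your cluster.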