From 91427e1c1c5e8ab38bb99c91c58294616f7a5920 Mon Sep 17 00:00:00 2001 From: kcarmich Date: Wed, 22 Oct 2025 13:46:37 -0400 Subject: [PATCH] Update docs with namespace exclusions for admission controller --- modules/namespace-exclusions.adoc | 42 ++++++++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 3 deletions(-) diff --git a/modules/namespace-exclusions.adoc b/modules/namespace-exclusions.adoc index 30a3a3dcb3a4..9a44c2f3396c 100644 --- a/modules/namespace-exclusions.adoc +++ b/modules/namespace-exclusions.adoc 
@@ -6,8 +6,44 @@ :_mod-docs-content-type: CONCEPT [id="namespace-exclusions_{context}"] -= Namespace exclusions += Namespace exclusions from admission controller enforcement -By default, {product-title-short} excludes certain administrative namespaces, such as the `stackrox`, `kube-system`, and `istio-system` namespaces, from enforcement blocking. The reason for this is that some items in these namespaces must be deployed for {product-title-short} to work correctly. +[role="_abstract"] +By default, {rh-rhacs-first} excludes certain administrative namespaces from from the validating webhook configurations in the admission controller. Policy evaluation and enforcement is not performed on review requests originating from these administrative namespaces. Some items in these namespaces must be deployed for {product-title-short} to work correctly so they are excluded. + +In addition to excluding namespaces, the {product-title-short} admission controller bypasses requests that originate from from a Kubernetes `ServiceAccount` in a system namespace. +[NOTE] +==== +Consider this factor when choosing the namespace to deploy your continuous deployment tool of choice. +==== + +The following namespaces are excluded by default: + +* `stackrox` +* `kube-system` +* `kube-public` +* `istio-system` + +For Helm installations on Kubernetes secured clusters, you can customize the namespaces that are excluded from the validating webhook configuration by configuring the `values-public.yaml` file. In the `admissionControl.namespaceSelector` field, you can specify the namespaces that you want to exclude. See the following example: + +[source,yaml] +---- +... +admissionControl: + namespaceSelector: + matchExpressions: + - key: namespace.metadata.stackrox.io/name + operator: NotIn + values: + - stackrox + - kube-system + - kube-public + - istio-system + - example-namespace +... +---- +where: + +example-namespace:: +Signifies the namespace that you want to exclude. 
-In addition, the {product-title-short} admission controller bypasses requests that originate from a `service` account in a `system` namespace. Consider this factor when deploying the CI/CD tool of your choice.
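Review bot: the sentence "In the `admissionControl.namespaceSelector` field, you can specify the namespaces that you want to exclude" does not say whether the selector replaces the default exclusion list or adds to it, yet the example re-lists `stackrox`, `kube-system`, `kube-public` and `istio-system` alongside `example-namespace`; please state explicitly which it is, and if the `values` list in `values-public.yaml` becomes the complete set of excluded namespaces, say that the defaults must be repeated, otherwise a reader who lists only `example-namespace` may silently drop them (or, conversely, assume the webhook still skips them). The NOTE should also spell out the consequence it only hints at: since the admission controller bypasses requests that originate from a `ServiceAccount` in a system namespace, a CD tool deployed into such a namespace will have every workload it creates, whatever the target namespace, skip policy evaluation and enforcement, so the note should recommend running the tool in a non-excluded namespace unless that bypass is intended, and "system namespace" should be defined (is it the same set as the default exclusion list above?). Minor wording: "from from" appears twice ("excludes certain administrative namespaces from from the validating webhook configurations" and "originate from from a Kubernetes `ServiceAccount`"), "Policy evaluation and enforcement is not performed" should read "are not performed", "so they are excluded" repeats the previous sentence and can be dropped, and "Signifies the namespace that you want to exclude." can be shortened to "The namespace that you want to exclude."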