Gatekeeper Audit not ignoring excluded namespaces #3112

Closed
skaven81 opened this issue Oct 25, 2023 · 2 comments · Fixed by #3129
Labels: bug (Something isn't working)

Comments

skaven81 commented Oct 25, 2023

What steps did you take and what happened:
I have configured the Config resource with a list of excluded namespaces:

```yaml
spec:
  match:
  - excludedNamespaces:
    - calico-apiserver
    - calico-system
    ...
    ...
    processes:
    - '*'
```

And despite this, the audit process is generating audit violations for resources in these namespaces:

```json
{"level":"info","ts":1698266075.7612457,"logger":"controller",
 "msg":"container <calico-apiserver> is not dropping all required capabilities. Container must drop all of [...] or \"ALL\"",
 "process":"audit","audit_id":"2023-10-25T20:34:20Z",
 "details":{},
 "event_type":"violation_audited",
 "constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sPSPCapabilities","constraint_name":"psp-capabilities","constraint_namespace":"","constraint_action":"deny",
 "constraint_annotations":{"meta.helm.sh/release-name":"gkopa-constraints-dev-constraints","meta.helm.sh/release-namespace":"kube-system","objectset.rio.cattle.io/id":"default-gkopa-constraints-dev-constraints"},
 "resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"calico-apiserver","resource_name":"calico-apiserver-544c8fd886-rxbz9",
 "resource_labels":{"apiserver":"true","k8s-app":"calico-apiserver","pod-template-hash":"544c8fd886"}
}
```

What did you expect to happen:

Audit should be completely ignoring resources in (in this example) the calico-system namespace, because I have processes: ['*'] set in the Config excluded namespaces spec.

Anything else you would like to add:
This isn't just happening with one or two isolated namespaces. Audit is auditing EVERYTHING in the cluster, including kube-system... it's like it's completely ignoring the Config resource's exclusions.

Environment:

  • Gatekeeper version: 3.12.0
  • Kubernetes version: (use kubectl version): Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.8", GitCommit:"395f0a2fdc940aeb9ab88849e8fa4321decbf6e1", GitTreeState:"clean", BuildDate:"2023-08-24T00:43:07Z", GoVersion:"go1.20.7", Compiler:"gc", Platform:"linux/amd64"}
  • Audit Pod command line arguments:
    - --audit-interval=3600
    - --log-level=INFO
    - --constraint-violations-limit=20
    - --validating-webhook-configuration-name=gatekeeper-validating-webhook-configuration
    - --mutating-webhook-configuration-name=gatekeeper-mutating-webhook-configuration
    - --audit-from-cache=true
    - --audit-chunk-size=500
    - --audit-match-kind-only=true
    - --emit-audit-events=true
    - --audit-events-involved-namespace=true
    - --operation=audit
    - --operation=status
    - --operation=mutation-status
    - --logtostderr
    - --health-addr=:9090
    - --prometheus-port=8888
    - --enable-external-data=true
    - --enable-generator-resource-expansion=true
    - --metrics-backend=prometheus
    - --disable-cert-rotation=true
skaven81 added the bug label Oct 25, 2023

acpana (Contributor) commented Oct 25, 2023

I took a cursory dive into the 3.12 code. AFAICT, the auditFromCache branch does not actually have a skipExcludedNamespace check on the objects it receives from its special lister.

https://github.com/open-policy-agent/gatekeeper/blob/release-3.12/pkg/audit/manager.go#L463-L503

IIUC, I think this may be an ongoing bug/issue, not just 3.12 specific.
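Two checks that follow from the report and the comment above, written here as an added example in Go and not taken from Gatekeeper's code base. ExcludedFor builds the exclusion set for one process from a Config-style match list (honouring processes: ['*'] versus a process-specific entry); FilterCached is the kind of namespace skip the cache branch is said to be missing; and LeakedViolations scans audit-pod log lines and returns any violation_audited event whose resource sits in a namespace the audit process was told to exclude, which is how you would confirm the symptom on a running cluster. The MatchEntry, CachedObject and AuditEvent types are hand-rolled stand-ins (assumptions, not Gatekeeper's API types), and the sample match list, cache contents and log lines are constructed for the example (the first log line is trimmed from the one quoted in the report).

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// MatchEntry is a hand-rolled stand-in for one element of the Config
// resource's spec.match list (assumption: not Gatekeeper's own API type).
type MatchEntry struct {
	ExcludedNamespaces []string
	Processes          []string
}

// ExcludedFor returns the namespaces the named process ("audit", "webhook",
// "sync", ...) must skip: an entry applies when its processes list contains
// "*" or the process name.
func ExcludedFor(match []MatchEntry, process string) map[string]bool {
	excluded := map[string]bool{}
	for _, m := range match {
		applies := false
		for _, p := range m.Processes {
			if p == "*" || p == process {
				applies = true
			}
		}
		if !applies {
			continue
		}
		for _, ns := range m.ExcludedNamespaces {
			excluded[ns] = true
		}
	}
	return excluded
}

// CachedObject is a minimal stand-in (assumption) for an object handed to the
// auditor by the cache lister when --audit-from-cache=true.
type CachedObject struct {
	Kind, Namespace, Name string
}

// FilterCached is the namespace check the cache branch is reported to lack:
// objects in an excluded namespace are dropped before constraint evaluation.
// Cluster-scoped objects (empty namespace) are always kept.
func FilterCached(objs []CachedObject, excluded map[string]bool) []CachedObject {
	var kept []CachedObject
	for _, o := range objs {
		if o.Namespace != "" && excluded[o.Namespace] {
			continue
		}
		kept = append(kept, o)
	}
	return kept
}

// AuditEvent carries the fields of a violation_audited log line that the
// check below needs; the JSON keys match the log line quoted in the report.
type AuditEvent struct {
	EventType         string `json:"event_type"`
	ConstraintName    string `json:"constraint_name"`
	ResourceKind      string `json:"resource_kind"`
	ResourceNamespace string `json:"resource_namespace"`
	ResourceName      string `json:"resource_name"`
}

// LeakedViolations scans audit-pod log output (one JSON object per line) and
// returns the violation_audited events whose resource lives in a namespace
// the audit process should have excluded. A non-empty result means the
// Config exclusions are not being honoured.
func LeakedViolations(logLines string, excluded map[string]bool) []AuditEvent {
	var leaked []AuditEvent
	for _, line := range strings.Split(logLines, "\n") {
		var ev AuditEvent
		if err := json.Unmarshal([]byte(strings.TrimSpace(line)), &ev); err != nil {
			continue // blank or non-JSON line; ignore
		}
		if ev.EventType == "violation_audited" && excluded[ev.ResourceNamespace] {
			leaked = append(leaked, ev)
		}
	}
	return leaked
}

// Constructed sample data (not from a real cluster).
var SampleMatch = []MatchEntry{
	{ExcludedNamespaces: []string{"calico-apiserver", "calico-system", "kube-system"}, Processes: []string{"*"}},
}

var SampleCache = []CachedObject{
	{Kind: "Pod", Namespace: "calico-apiserver", Name: "calico-apiserver-544c8fd886-rxbz9"},
	{Kind: "Pod", Namespace: "kube-system", Name: "kube-proxy-abc12"},
	{Kind: "Pod", Namespace: "default", Name: "web-0"},
}

const SampleLog = `{"level":"info","event_type":"violation_audited","constraint_name":"psp-capabilities","resource_kind":"Pod","resource_namespace":"calico-apiserver","resource_name":"calico-apiserver-544c8fd886-rxbz9"}
{"level":"info","event_type":"violation_audited","constraint_name":"psp-capabilities","resource_kind":"Pod","resource_namespace":"default","resource_name":"web-0"}
{"level":"info","msg":"Auditing from cache","process":"audit"}`

func main() {
	excluded := ExcludedFor(SampleMatch, "audit")
	fmt.Println("audit would evaluate:", FilterCached(SampleCache, excluded))
	for _, ev := range LeakedViolations(SampleLog, excluded) {
		fmt.Printf("exclusion ignored: %s %s/%s (constraint %s)\n",
			ev.ResourceKind, ev.ResourceNamespace, ev.ResourceName, ev.ConstraintName)
	}
}
```

To run the log check against a real deployment, feed the audit pod's log output (for example the text returned by kubectl logs for the gatekeeper-audit pod) to LeakedViolations with the exclusion set built from your own Config; with --audit-from-cache=true on the affected versions you should expect the calico and kube-system violations from the report to show up in the result.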

skaven81 (Author) commented

Ah ha...so auditing "from cache" just takes the resources that were synced, and just blindly audits all of them, without regard to whether they match the spec.match in the Config resource. I would rather not audit against the kube-apiserver, so I suppose I will need to wait for a bugfix on this.
