Azure policy reconciler error for constraints k8sazurev2blockautomounttoken

ahd 210 Reputation points
2025-08-06T17:53:41.9233333+00:00

I have enabled DFC and Azure Policy on my AKS cluster.

I assigned a policy with exclusions for a namespace nginx (but it doesn't show up in the excluded namespace default values in the policy definition, as in the last image attached). When I deploy the Helm chart for the nginx controller, I still see logs in the gateway controller for "(info) denied admission: automounting service account token is disallowed" and another set of Reconciler error messages. I am unable to understand what is missing, or is it safe to ignore these messages?

Also, the policy ID that was assigned and the constraint template annotation for the Azure Policy definition ID match. The Azure Policy parameters have the ingress namespace.

{"level":"error","ts":1754501128.6829498,"msg":"Reconciler error","controller":"constraint-controller","object":{"name":"gvk:K8sAzureV2BlockAutomountToken.v1beta1.constraints.gatekeeper.sh:azurepolicy-k8sazurev2blockautomounttoken-a1c7f996f6dd05ff6ea5"},"namespace":"","name":"gvk:K8sAzureV2BlockAutomountToken.v1beta1.constraints.gatekeeper.sh:azurepolicy-k8sazurev2blockautomounttoken-a1c7f996f6dd05ff6ea5","reconcileID":"50838bd7-9717-46e7-a1b7-215ee9e1be91","error":"validatingadmissionpolicybindings.admissionregistration.k8s.io \"gatekeeper-azurepolicy-k8sazurev2blockautomounttoken-a1c7f996f6dd05ff6ea5\" is forbidden: User \"system:serviceaccount:gatekeeper-system:gatekeeper-admin\" cannot delete resource \"validatingadmissionpolicybindings\" in API group \"admissionregistration.k8s.io\" at the cluster scope: Azure does not have opinion for this user.","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).reconcileHandler\n\t/build/top/BUILD/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...[]).processNextWorkItem\n\t/build/top/BUILD/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/build/top/BUILD/gatekeeper/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:255"}

{"level":"info","ts":1754501766.5359077,"logger":"webhook","msg":"denied admission: Automounting service account token is disallowed, pod: ingress-nginx-controller-5955dc6c59-xcwlc","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2blockautomounttoken-cefda45f1b679f4fbee5","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2BlockAutomountToken","constraint_action":"dryrun","constraint_enforcement_actions":[],"resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"ingress","resource_name":"ingress-nginx-controller-5955dc6c59-xcwlc","request_username":"system:serviceaccount:kube-system:replicaset-controller"}

{"level":"info","ts":1754501766.5359352,"logger":"webhook","msg":"denied admission: Container image registry.k8s.io/ingress-nginx/controller:v1.12.3@sha256:ac444cd9515af325ba577b596 for container controller has not been allowed.","hookType":"validation","process":"admission","details":{},"event_type":"violation","constraint_name":"azurepolicy-k8sazurev2containerallowedimag-45fb70f969fb8329baf0","constraint_group":"constraints.gatekeeper.sh","constraint_api_version":"v1beta1","constraint_kind":"K8sAzureV2ContainerAllowedImages","constraint_action":"dryrun","constraint_enforcement_actions":[],"resource_group":"","resource_api_version":"v1","resource_kind":"Pod","resource_namespace":"ingress","resource_name":"ingress-nginx-controller-5955dc6c59-xcwlc","request_username":"system:serviceaccount:kube-system:replicaset-controller"}


gateway controller logs (images attached)

Azure Policy from portal (images attached)


1 answer

  1. Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator
    2025-08-26T10:11:35.4766667+00:00

    Hi ahd,

    Thanks for posting your question in Microsoft Q&A and for the detailed logs and context.

    We can see two issues here in the errors you have shared: policy reconciliation errors and denied admission for pods. Please find below the points to resolve your issue.

    1. Policy reconciliation errors

    The Gatekeeper controller is trying to reconcile your Azure Policy-based constraints but lacks the necessary RBAC permissions to manage ValidatingAdmissionPolicyBindings at the cluster level. This is a known limitation: Azure doesn't grant Gatekeeper admin rights to delete certain cluster-scoped resources.

    1. Check the ClusterRole and ClusterRoleBinding for the gatekeeper-admin service account in the gatekeeper-system namespace.
    2. Ensure it has delete, get, list, watch, create, update and patch permissions on validatingadmissionpolicybindings in admissionregistration.k8s.io.

    Without this, Gatekeeper will log errors during reconciliation, but it does not block your cluster; it just means policy enforcement might not fully reconcile.

    Refer document: https://learn.microsoft.com/en-us/azure/role-based-access-control/troubleshooting?utm_source=chatgpt.com&tabs

    2. Denied admission for pods

    1. Your Azure Policy for K8sAzureV2BlockAutomountToken is actively denying pods that request automountServiceAccountToken: true.
    2. Your namespace exclusion may not be working, which explains why the ingress namespace pod is still being blocked.

    This could happen if:

    1. The policy parameters (excluded namespaces) were not set correctly in the constraint.
    2. There is a mismatch between Azure Policy assignment parameters and Gatekeeper constraint parameters.
    3. The Helm chart sets automountServiceAccountToken: true and Gatekeeper sees it before Azure Policy reconciles the exclusion.

    Steps to validate namespace exclusion:

    Even though you've excluded the nginx namespace in the policy assignment, the policy definition itself doesn’t reflect this. Azure Policy only respects exclusions defined in the policy definition, not just in the assignment.

    kubectl get K8sAzureV2BlockAutomountToken -A -o yaml | grep -A5 "exemptNamespaces"
    

    1. Ensure the nginx (or ingress) namespace is listed under exemptNamespaces or the equivalent parameter.

    2. If it's missing, update the Gatekeeper constraint to include that namespace:

    spec:
      parameters:
        exemptNamespaces: ["nginx"]
    

    Reapply the constraint and redeploy the pod.

    When deploying nginx ingress, explicitly set automountServiceAccountToken: false in your Helm values if you want to comply with the policy.

    You also see container image restrictions:

    Container image registry.k8s.io/ingress-nginx/controller:v1.12.3 ... has not been allowed
    
    1. This is controlled by the K8sAzureV2ContainerAllowedImages constraint.
    2. The same rule applies: either adjust the constraint to allow the image, or run it in dry-run to test.

    The logs show "constraint_action":"dryrun", meaning the policy is not actively blocking but is reporting violations. So, while the logs look alarming, they’re informational unless enforcement is turned on.

    Reconciler errors are temporarily safe to ignore, but fixing RBAC is recommended; denied pod admissions cannot be ignored if the pods need to run, and they require adjusting namespace exclusions or policy parameters.

    If you need more inputs on Azure Policy for Kubernetes clusters, see https://learn.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes

    I hope this helps you resolve the issue. If you have any further queries, I am happy to assist.

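The answer above separates three things that the Gatekeeper log mixes together: reconciler errors (the controller cannot manage its own cluster-scoped resources), violations logged in dryrun (pod still admitted) and violations that actually block admission, plus the question of whether the pod's namespace is really excluded by the live constraint. As an added example, not part of the question or the answer, here is a small Python triage script that applies that separation to structured log lines. The log field names (`msg`, `event_type`, `constraint_name`, `constraint_action`, `resource_namespace`) are those in the lines quoted in the question; the sample lines and the constraint documents are constructed, and the third violation is set to `deny` only so the blocking branch is exercised. One assumption to verify on your own cluster: that the Azure-generated constraint carries its namespace exclusions under `spec.match.excludedNamespaces` (the answer refers to it as `exemptNamespaces`); adjust `namespace_excluded` to whatever `kubectl get <constraint> -o yaml` shows.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed sample Gatekeeper log lines, trimmed to the fields used below.
# Field names follow the lines quoted in the question; values are shortened.
SAMPLE_LOGS = [
    '{"level":"error","msg":"Reconciler error","controller":"constraint-controller",'
    '"error":"validatingadmissionpolicybindings.admissionregistration.k8s.io '
    '\\"gatekeeper-azurepolicy-k8sazurev2blockautomounttoken-a1c7f996f6dd05ff6ea5\\" '
    'is forbidden: User \\"system:serviceaccount:gatekeeper-system:gatekeeper-admin\\" '
    'cannot delete resource \\"validatingadmissionpolicybindings\\" in API group '
    '\\"admissionregistration.k8s.io\\" at the cluster scope"}',
    '{"level":"info","logger":"webhook","msg":"denied admission: Automounting service '
    'account token is disallowed, pod: ingress-nginx-controller-5955dc6c59-xcwlc",'
    '"event_type":"violation",'
    '"constraint_name":"azurepolicy-k8sazurev2blockautomounttoken-cefda45f1b679f4fbee5",'
    '"constraint_kind":"K8sAzureV2BlockAutomountToken","constraint_action":"dryrun",'
    '"resource_kind":"Pod","resource_namespace":"ingress",'
    '"resource_name":"ingress-nginx-controller-5955dc6c59-xcwlc"}',
    # Constructed variant: the page shows this constraint in dryrun; "deny" here
    # only exercises the blocking branch.
    '{"level":"info","logger":"webhook","msg":"denied admission: Container image '
    'registry.k8s.io/ingress-nginx/controller:v1.12.3 for container controller has '
    'not been allowed.","event_type":"violation",'
    '"constraint_name":"azurepolicy-k8sazurev2containerallowedimag-45fb70f969fb8329baf0",'
    '"constraint_kind":"K8sAzureV2ContainerAllowedImages","constraint_action":"deny",'
    '"resource_kind":"Pod","resource_namespace":"ingress",'
    '"resource_name":"ingress-nginx-controller-5955dc6c59-xcwlc"}',
    "not json at all",  # e.g. a plain-text startup line; the parser skips it
]

# Constructed stand-in for the .items of `kubectl get <constraint-kind> -o json`,
# keyed by constraint name. ASSUMPTION: exclusions live under
# spec.match.excludedNamespaces; confirm the field on your cluster.
SAMPLE_CONSTRAINTS = {
    "azurepolicy-k8sazurev2blockautomounttoken-cefda45f1b679f4fbee5": {
        "spec": {
            "enforcementAction": "dryrun",
            # "nginx" is excluded, but the pod in the logs lives in "ingress"
            "match": {"excludedNamespaces": ["kube-*", "gatekeeper-system", "nginx"]},
        }
    },
    "azurepolicy-k8sazurev2containerallowedimag-45fb70f969fb8329baf0": {
        "spec": {
            "enforcementAction": "deny",
            "match": {"excludedNamespaces": ["kube-*", "gatekeeper-system"]},
        }
    },
}

# Shape of the API server's RBAC denial embedded in the reconciler error.
RBAC_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r'(?: in API group "(?P<group>[^"]*)")?'
)


def parse_log_line(line):
    """Decode one structured log line; return None for non-JSON lines."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    return entry if isinstance(entry, dict) else None


def missing_permission(error_text):
    """Extract user/verb/resource/group from an RBAC 'is forbidden' message."""
    match = RBAC_RE.search(error_text)
    if match is None:
        return {"raw": error_text}
    return {"user": match["user"], "verb": match["verb"],
            "resource": match["resource"], "group": match["group"] or ""}


def namespace_excluded(constraint, namespace):
    """True if the namespace matches an entry in spec.match.excludedNamespaces.
    Gatekeeper accepts a leading or trailing '*' in those entries."""
    patterns = constraint.get("spec", {}).get("match", {}).get("excludedNamespaces", [])
    return any(fnmatchcase(namespace, pattern) for pattern in patterns)


def triage(log_lines, constraints):
    report = {
        "reconcile_errors": [],   # RBAC gaps for the controller itself
        "blocking": [],           # the request was refused (action deny)
        "audit_only": [],         # logged, but the pod was admitted (dryrun/warn)
        "missing_exclusion": [],  # namespace not excluded by the live constraint
    }
    for line in log_lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        if entry.get("msg") == "Reconciler error":
            report["reconcile_errors"].append(missing_permission(entry.get("error", "")))
            continue
        if entry.get("event_type") != "violation":
            continue
        name = entry.get("constraint_name", "")
        ns = entry.get("resource_namespace", "")
        # constraint_action in the log is what was applied to this request
        bucket = "blocking" if entry.get("constraint_action") == "deny" else "audit_only"
        report[bucket].append((name, ns, entry.get("resource_name", "")))
        constraint = constraints.get(name)
        if constraint is not None and not namespace_excluded(constraint, ns):
            report["missing_exclusion"].append((name, ns))
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOGS, SAMPLE_CONSTRAINTS), indent=2))
```

In practice you would feed `triage` the lines from the Gatekeeper controller and webhook pods in gatekeeper-system and the `.items` of `kubectl get <constraint-kind> -o json`. The `missing_exclusion` entries are the ones to act on through the Azure Policy assignment parameters (the namespace in the log, `ingress` here, rather than the one you believed you excluded), and `reconcile_errors` tell you exactly which verb and resource the gatekeeper-admin service account is being refused.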
