add some exemptions for kube-system (#292)

2026-05-08 10:16:43 +00:00 · 2020-05-18 12:46:32 -04:00
parent c571b97bc9
commit cf10a9617f
1 changed files with 41 additions and 0 deletions
--- a/examples/config.yaml
+++ b/examples/config.yaml
@@ -22,7 +22,48 @@ checks:
  runAsPrivileged: error
  dangerousCapabilities: error
  insecureCapabilities: warning
+
 exemptions:
+  - controllerNames:
+      - kube-apiserver
+      - kube-proxy
+      - kube-scheduler
+      - etcd-manager-events
+      - kube-controller-manager
+      - kube-dns
+      - etcd-manager-main
+    rules:
+      - hostPortSet
+      - hostNetworkSet
+      - readinessProbeMissing
+      - livenessProbeMissing
+      - cpuRequestsMissing
+      - cpuLimitsMissing
+      - memoryRequestsMissing
+      - memoryLimitsMissing
+      - runAsRootAllowed
+      - runAsPrivileged
+      - notReadOnlyRootFilesystem
+      - hostPIDSet
+
+  - controllerNames:
+      - kube-flannel-ds
+    rules:
+      - notReadOnlyRootFilesystem
+      - runAsRootAllowed
+      - notReadOnlyRootFilesystem
+      - readinessProbeMissing
+      - livenessProbeMissing
+      - cpuLimitsMissing
+
+  - controllerNames:
+      - vpa
+    rules:
+      - runAsRootAllowed
+      - readinessProbeMissing
+      - livenessProbeMissing
+      - notReadOnlyRootFilesystem
+
  - controllerNames:
      - dns-controller
      - datadog-datadog