From cf10a9617faafaa4bc5cf7993c8196a348422f2f Mon Sep 17 00:00:00 2001
From: Robert Brennan
Date: Mon, 18 May 2020 12:46:32 -0400
Subject: [PATCH] add some exemptions for kube-system (#292)

---
 examples/config.yaml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)

diff --git a/examples/config.yaml b/examples/config.yaml
index 35095df2..46981b86 100644
--- a/examples/config.yaml
+++ b/examples/config.yaml
@@ -22,7 +22,48 @@ checks:
 runAsPrivileged: error
 dangerousCapabilities: error
 insecureCapabilities: warning
+ exemptions:
+ - controllerNames:
+ - kube-apiserver
+ - kube-proxy
+ - kube-scheduler
+ - etcd-manager-events
+ - kube-controller-manager
+ - kube-dns
+ - etcd-manager-main
+ rules:
+ - hostPortSet
+ - hostNetworkSet
+ - readinessProbeMissing
+ - livenessProbeMissing
+ - cpuRequestsMissing
+ - cpuLimitsMissing
+ - memoryRequestsMissing
+ - memoryLimitsMissing
+ - runAsRootAllowed
+ - runAsPrivileged
+ - notReadOnlyRootFilesystem
+ - hostPIDSet
+
+ - controllerNames:
+ - kube-flannel-ds
+ rules:
+ - notReadOnlyRootFilesystem
+ - runAsRootAllowed
+ - notReadOnlyRootFilesystem
+ - readinessProbeMissing
+ - livenessProbeMissing
+ - cpuLimitsMissing
+
+ - controllerNames:
+ - vpa
+ rules:
+ - runAsRootAllowed
+ - readinessProbeMissing
+ - livenessProbeMissing
+ - notReadOnlyRootFilesystem
+
 - controllerNames:
 - dns-controller
 - datadog-datadog