resources:
  cpuRequestsMissing: warning
  cpuLimitsMissing: warning
  memoryRequestsMissing: warning
  memoryLimitsMissing: warning
images:
  tagNotSpecified: error
  pullPolicyNotAlways: ignore
healthChecks:
  readinessProbeMissing: warning
  livenessProbeMissing: warning
networking:
  hostNetworkSet: warning
  hostPortSet: warning
security:
  hostIPCSet: error
  hostPIDSet: error
  notReadOnlyRootFileSystem: warning
  privilegeEscalationAllowed: error
  runAsRootAllowed: warning
  runAsPrivileged: error
  capabilities:
    error:
      ifAnyAdded:
        - SYS_ADMIN
        - NET_ADMIN
        - ALL
    warning:
      ifAnyAddedBeyond:
        - CHOWN
        - DAC_OVERRIDE
        - FSETID
        - FOWNER
        - MKNOD
        - NET_RAW
        - SETGID
        - SETUID
        - SETFCAP
        - SETPCAP
        - NET_BIND_SERVICE
        - SYS_CHROOT
        - KILL
        - AUDIT_WRITE
controllers_to_scan:
  - Deployments
  - StatefulSets
  - DaemonSets
  - CronJobs
  - Jobs
  - ReplicationControllers
exemptions:
  - controllerNames:
      - dns-controller
      - datadog-datadog
      - kube-flannel-ds
      - kube2iam
      - aws-iam-authenticator
      - datadog
      - kube2iam
    rules:
      - hostNetworkSet
  - controllerNames:
      - aws-iam-authenticator
      - aws-cluster-autoscaler
      - kube-state-metrics
      - dns-controller
      - external-dns
      - dnsmasq
      - autoscaler
      - kubernetes-dashboard
      - install-cni
      - kube2iam
    rules:
      - readinessProbeMissing
      - livenessProbeMissing
  - controllerNames:
      - aws-iam-authenticator
      - nginx-ingress-controller
      - nginx-ingress-default-backend
      - aws-cluster-autoscaler
      - kube-state-metrics
      - dns-controller
      - external-dns
      - kubedns
      - dnsmasq
      - autoscaler
      - tiller
      - kube2iam
    rules:
      - runAsRootAllowed
  - controllerNames:
      - aws-iam-authenticator
      - nginx-ingress-controller
      - nginx-ingress-default-backend
      - aws-cluster-autoscaler
      - kube-state-metrics
      - dns-controller
      - external-dns
      - kubedns
      - dnsmasq
      - autoscaler
      - tiller
      - kube2iam
    rules:
      - notReadOnlyRootFileSystem
  - controllerNames:
      - cert-manager
      - dns-controller
      - kubedns
      - dnsmasq
      - autoscaler
    rules:
      - cpuRequestsMissing
      - cpuLimitsMissing
      - memoryRequestsMissing
      - memoryLimitsMissing
  - controllerNames:
      - kube2iam
    rules:
      - runAsPrivileged
  - controllerNames:
      - kube-hunter
    rules:
      - hostPIDSet
  - controllerNames:
      - polaris
      - kube-hunter
      - goldilocks
    rules:
      - readOnlyRootFilesystem