polaris/docs/customization/exemptions.md
2021-08-17 11:26:25 -04:00

---
meta:
- name: description
content: "Fairwinds Polaris | Exemptions"
---
# Exemptions
Sometimes a workload really does need to do things that Polaris considers insecure. For instance,
many of the `kube-system` workloads need to run as root, or need access to the host network. In these
cases, we can add **exemptions** to allow the workload to pass Polaris checks.
Exemptions can be added in a few different ways:
- Namespace: By editing the Polaris config.
- Controller: By annotating a controller, or editing the Polaris config.
- Container: By editing the Polaris config.
## Annotations
To exempt a controller from all checks via annotations, use the annotation `polaris.fairwinds.com/exempt=true`, e.g.
```
kubectl annotate deployment my-deployment polaris.fairwinds.com/exempt=true
```
To exempt a controller from a particular check via annotations, use an annotation in the form of `polaris.fairwinds.com/<check>-exempt=true`, e.g.
```
kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissing-exempt=true
```
## Config
To add exemptions via the config, you have to specify at least one of the following:
- A namespace
- A list of controller names
- A list of container names
You can also specify a list of particular rules. If no rules are specified, every rule is exempted, so an entry that gives only a namespace exempts everything in that namespace from every check.
Controller names and container names are matched as a prefix, so an empty string matches every controller or container respectively.
For example:
```yaml
exemptions:
  # exemption valid for all rules on all containers in all controllers in default namespace
  - namespace: default
  # exemption valid for hostNetworkSet rule on all containers in dns-controller controller in kube-system namespace
  - namespace: kube-system
    controllerNames:
      - dns-controller
    rules:
      - hostNetworkSet
  # exemption valid for hostNetworkSet rule on all containers in dns-controller controller in all namespaces
  - controllerNames:
      - dns-controller
    rules:
      - hostNetworkSet
  # exemption valid for hostNetworkSet rule on coredns container in all controllers in kube-system namespace
  - namespace: kube-system
    containerNames:
      - coredns
    rules:
      - hostNetworkSet
```
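As an added example (not Polaris's own code), the following models the matching rules described above over the YAML example expressed as Python dicts, so you can check what an entry actually exempts before committing it; it also shows how a stray list marker that splits one entry into two turns a scoped exemption into a namespace-wide blanket one, and how to list such entries for review. The check names and the exact matching behaviour are taken from this page; anything else is an assumption of the example.

```python
# Added example: a model of the exemption-matching rules this page describes
# (namespace must match, controller/container names match as a prefix, an
# absent "rules" list exempts every check). It is not Polaris's own code.
from typing import Optional

# Constructed equivalent of the YAML example above, as Python dicts.
EXEMPTIONS = [
    {"namespace": "default"},
    {"namespace": "kube-system", "controllerNames": ["dns-controller"],
     "rules": ["hostNetworkSet"]},
    {"controllerNames": ["dns-controller"], "rules": ["hostNetworkSet"]},
    {"namespace": "kube-system", "containerNames": ["coredns"],
     "rules": ["hostNetworkSet"]},
]


def _name_matches(names: Optional[list], name: str) -> bool:
    # No list means no constraint; otherwise any prefix matches ("" matches all).
    return names is None or any(name.startswith(p) for p in names)


def is_exempt(exemptions, namespace, controller, container, check) -> bool:
    """True if some exemption entry covers this container for this check."""
    for ex in exemptions:
        if "namespace" in ex and ex["namespace"] != namespace:
            continue
        if not _name_matches(ex.get("controllerNames"), controller):
            continue
        if not _name_matches(ex.get("containerNames"), container):
            continue
        if "rules" in ex and check not in ex["rules"]:
            continue
        return True
    return False


# Misconfigured variant (constructed): a stray "-" before containerNames in
# the last entry splits it into a bare namespace entry plus a container entry.
SPLIT_ENTRY = EXEMPTIONS[:3] + [
    {"namespace": "kube-system"},
    {"containerNames": ["coredns"], "rules": ["hostNetworkSet"]},
]


def blanket_exemptions(exemptions) -> list:
    """Entries with no rules list exempt every check; these deserve review."""
    return [ex for ex in exemptions if "rules" not in ex]
```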