1a8fb44b78
* first pass * fix up homepage * more work * housekeeping * add script to modify home link * add check docs * build docs site * Create CNAME * fix path to check-docs * update from template * fix logo in readme * fix link * remove logspam * remove old folders * fix all links * fix up readme * change up Insights description * add customization docs * phrasing * title * titles * titles * change webhook docs * refresh template * rebuild site * refresh from template repo * phrasing * add tagline * update readme\, add readme sync script * fix logo * rebuild * fix readme script * rebuild
1.3 KiB
Exemptions
Sometimes a workload really does need to do things that Polaris considers insecure. For instance,
many of the kube-system workloads need to run as root, or need access to the host network. In these
cases, we can add exemptions to allow the workload to pass Polaris checks.
Exemptions can be added two ways: by annotating a controller, or editing the Polaris config.
Annotations
To exempt a controller from all checks via annotations, use the annotation polaris.fairwinds.com/exempt=true, e.g.
kubectl annotate deployment my-deployment polaris.fairwinds.com/exempt=true
To exempt a controller from a particular check via annotations, use an annotation in the form of polaris.fairwinds.com/<check>-exempt=true, e.g.
kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissing-exempt=true
Config
To exempt a controller via the config, you have to specify a namespace (optional), a list of controller names and a list of rules, e.g.
exemptions:
# exemption valid for kube-system namespace
- namespace: kube-system
controllerNames:
- dns-controller
rules:
- hostNetworkSet
# exemption valid in all namespaces
- controllerNames:
- dns-controller
rules:
- hostNetworkSet