Ability to specify exemptions

[gabegorelick]

Similar to https://polaris.docs.fairwinds.com/customization/exemptions.

Example use case: policy/v1beta1 was deprecated in Kubernetes 1.21, but won't be removed until 1.25. For my own first-party code, I want to enforce that policy/v1 is used for any new code. But it doesn't make sense for third party vendors to migrate to policy/v1 yet since that would mean dropping support for Kubernetes < 1.21 (1.20 isn't EOL until 2022-02-28, for example). Thus, I need to be able to add exemptions for certain resources to allow them to use deprecated APIs without breaking CI checks.

As a workaround, I'm using --only-show-removed to only flag usages of APIs that definitely won't work in the current target version. But this means that nothing stops you from adding new consumers of deprecated APIs.

[lucasreed]

Hey @gabegorelick :wave:

Have you tried --ignore-deprecations? Here is some documentation on it: https://pluto.docs.fairwinds.com/advanced/#ci-pipelines

If I remember correctly, this should still show the deprecations but not give you an exit code of 2 for the CI run. Please let us know if this works or not in your use-case.

[gabegorelick]

If I remember correctly, this should still show the deprecations but not give you an exit code of 2 for the CI run. Please let us know if this works or not in your use-case.

It doesn't really help me. I want to fail the build if I add deprecated apiVersions to a subset of my resources.

When you add warnings, as opposed to errors that fail the build, it's too easy to miss them. And if you do notice them, you often end up with alert fatigue if they're not resolved quickly. But it may be years until a resource can be migrated to a newer API, so you may have a warning going off for a long time.

[lucasreed]

Ok, thanks for that feedback. We'll have some chats about this to see if we can support it and what it would look like.