
Exemptions

Open technotaff-nbs opened this issue 1 year ago • 1 comment

Hello, just a quick question regarding these policies.

They seem like a really good starting point for an eventual native PSP re-implementation.

Currently we are using Gatekeeper, with all of the webhook-related fun that brings.

I would like to ask, are you planning on adding exemption configuration to the rules?

We have forked gatekeeper-library in order to extend exemptions to namespace/image (instead of just image path).

It would be great to see similar exemptions be allowed per rule on this project.

This project could be the starting point for de facto secure policy on k8s, well done.

technotaff-nbs avatar Jun 15 '23 00:06 technotaff-nbs

Hey, @technotaff-nbs !

Yes, we were talking about what we call "ignore rules" implementation. I guess it is essentially the same as the exemption configuration you have mentioned.

We have been thinking about two approaches:

  1. Annotate objects with "ignore" directives for specific rules (e.g. do not apply C-0012 to this Deployment)
  2. Create CRs that are able to describe "ignore" cases (e.g. C-0012 and an object that matches the rule namespace==test should be ignored)

We'd really love to hear more about how you see this and how you would like to describe your exemptions.

I think we will start to work on it in the second part of the summer, any user input is gold for us right now.

Thx B

slashben avatar Jun 15 '23 07:06 slashben
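The two "ignore rule" approaches sketched in the reply above, as an added example that is not part of this thread or of the cel-admission-library project: a ValidatingAdmissionPolicy whose `matchConditions` skip the policy either when the object carries an ignore annotation (approach 1) or when a parameter CR lists an exemption for the object's namespace (approach 2). The annotation key `kubescape.io/ignore-rules`, the `RuleExemption` CRD and its API group, and the `runAsNonRoot` validation are all hypothetical stand-ins; the validation is a placeholder, not the project's real C-0012 expression.

```yaml
# Added example, not project code. Hypothetical: the annotation key,
# the RuleExemption CRD, and the stand-in validation (not the real C-0012).
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicy
metadata:
  name: c-0012-example
spec:
  failurePolicy: Fail
  # Approach 2: exemption cases live in a CR that is passed in as `params`.
  paramKind:
    apiVersion: example.kubescape.io/v1alpha1   # hypothetical CRD
    kind: RuleExemption
  matchConstraints:
    resourceRules:
      - apiGroups: ["apps"]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["deployments"]
  matchConditions:
    # Approach 1: skip the policy when the object itself is annotated with
    # the rule id (comma-separated list of ids). A false match condition
    # means "policy does not apply", so every validation below is skipped.
    - name: not-annotated-to-ignore-c-0012
      expression: >-
        !has(object.metadata.annotations) ||
        !('kubescape.io/ignore-rules' in object.metadata.annotations) ||
        !object.metadata.annotations['kubescape.io/ignore-rules']
          .split(',').exists(r, r.trim() == 'C-0012')
    # Approach 2: skip the policy when the exemption CR lists this rule for
    # the object's namespace. has() guards an empty CR so the expression
    # cannot error out (which, with failurePolicy Fail, would deny).
    - name: no-namespace-exemption-for-c-0012
      expression: >-
        !has(params.spec.exemptions) ||
        !params.spec.exemptions.exists(e,
          e.rule == 'C-0012' && e.namespace == object.metadata.namespace)
  validations:
    # Stand-in check (hypothetical): the library's real C-0012 expression
    # would go here; this one only illustrates where the rule body sits.
    - expression: >-
        object.spec.template.spec.containers.all(c,
          has(c.securityContext) &&
          has(c.securityContext.runAsNonRoot) &&
          c.securityContext.runAsNonRoot)
      message: "C-0012 (stand-in): every container must set runAsNonRoot: true"
---
# Hypothetical exemption CR: "C-0012 should be ignored in namespace test".
apiVersion: example.kubescape.io/v1alpha1
kind: RuleExemption
metadata:
  name: default-exemptions
spec:
  exemptions:
    - rule: C-0012
      namespace: test
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: c-0012-example-binding
spec:
  policyName: c-0012-example
  validationActions: [Deny]
  paramRef:
    name: default-exemptions
    # Deny rather than silently running with no exemptions if the CR is missing.
    parameterNotFoundAction: Deny
```

One point worth weighing when choosing between the two: with approach 1, whoever can write the Deployment can also write the annotation, so the object's author exempts themselves from the rule. With approach 2 the exemption lives in a separate object that can be put behind its own RBAC, so granting exemptions and deploying workloads can be separated. The `split` and `trim` calls rely on the strings extension that Kubernetes enables in its CEL environment; `matchConditions` and `parameterNotFoundAction` are part of the v1beta1 API, so check that the cluster version exposes them before relying on this shape.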