Resource Validation - Add Exceptions
Description
When validating resources to be uploaded or validating the cluster, there should be a possibility to specify exceptions to the rules. The exceptions should specify that specific rules or policies should not be applied to specific namespaces, resources or items.
This could, for example, be realised by adding another section to the possible rule sets in a ConfigMap carrying the busola.io/resource-validation=rule-set label:

```yaml
exceptions:
  - description: Ignore container root privilege warnings in nginx workload
    reason: The nginx image needs container root privileges to run (<link to documented exception approval>)
    selector:
      namespace: default
      kind: Deployment
      name: nginx
      labels:
        label-key: label-value
        app.kubernetes.io/name: nginx
    rules:
      - K8S_POD_SEC_RUNNING_AS_NON_ROOT
      - K8S_POD_SEC_RUNNING_AS_NON_ROOT_USER
```
When validating, there could then be a check whether an exception applies to the resource item, so that the listed rules are skipped only for the matching items.
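One way such a check could look, as an added illustration that is not Busola's own code: the exceptions are assumed to be parsed from the YAML above into plain objects, every selector field is optional (an omitted field matches anything), and the sample resources and the rule id SOME_OTHER_RULE are constructed for the example.

```javascript
// Added example (not Busola's code): apply the proposed `exceptions` section of a
// busola.io/resource-validation=rule-set ConfigMap to validation warnings.

// A selector matches when every field it sets equals the resource's value and
// every selector label is present on the resource with the same value.
function selectorMatches(selector = {}, resource) {
  const meta = resource.metadata || {};
  if (selector.namespace && selector.namespace !== meta.namespace) return false;
  if (selector.kind && selector.kind !== resource.kind) return false;
  if (selector.name && selector.name !== meta.name) return false;
  const labels = meta.labels || {};
  for (const [key, value] of Object.entries(selector.labels || {})) {
    if (labels[key] !== value) return false;
  }
  return true;
}

// Returns the first exception that exempts `ruleId` for `resource`, else undefined.
function findException(exceptions, resource, ruleId) {
  return exceptions.find(
    e => (e.rules || []).includes(ruleId) && selectorMatches(e.selector, resource),
  );
}

// Each warning is { ruleId, resource }. Exempted warnings are not dropped silently:
// they are returned with the exception's reason so the UI can still list them.
function applyExceptions(warnings, exceptions) {
  const kept = [], suppressed = [];
  for (const w of warnings) {
    const ex = findException(exceptions, w.resource, w.ruleId);
    if (ex) suppressed.push({ ...w, reason: ex.reason }); else kept.push(w);
  }
  return { kept, suppressed };
}

// Constructed sample data mirroring the issue's example.
const SAMPLE_EXCEPTIONS = [{
  description: 'Ignore container root privilege warnings in nginx workload',
  reason: 'The nginx image needs container root privileges to run',
  selector: { namespace: 'default', kind: 'Deployment', name: 'nginx',
              labels: { 'app.kubernetes.io/name': 'nginx' } },
  rules: ['K8S_POD_SEC_RUNNING_AS_NON_ROOT', 'K8S_POD_SEC_RUNNING_AS_NON_ROOT_USER'],
}];
const nginx = { kind: 'Deployment', metadata: { namespace: 'default', name: 'nginx',
  labels: { 'app.kubernetes.io/name': 'nginx' } } };
const api = { kind: 'Deployment', metadata: { namespace: 'default', name: 'api' } };
```

Note that the exception only covers the rules it lists, so an unrelated warning on the same nginx Deployment is still reported.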
Reasons
For some workloads, it is not possible to adhere to the rules that should normally be followed in a production cluster. An application might, for example, need root-level privileges in the container to do its job, which is not in line with the Kubernetes Pod Security Standards (restricted profile). For these known cases, it is typical that an exception is granted as part of a compliance process. It would be good to be able to also exclude them in a cluster validation, because these cases are otherwise still shown as warnings, which might lead to real warnings being overlooked.