gatekeeper-library
Is it possible to allow exemption for a given sidecar container only
I am new to gatekeeper and trying to use PSP constraints. We are successful in implementing the constraints and exempting some namespaces by using the excludednamespaces option. We have a use case to exempt the constraint only for a sidecar container in a pod. Is this possible? If so, can you point me to an example. Thanks.
I don't think this is currently possible with the PSP constraint templates as currently written. You would need to modify their Rego to check for which containers you specifically want to exempt.
One note of caution: exempting by container name is likely a poor choice because users would be able to rename their malicious containers to use the exempt name. Exempting by something more fundamental to identity, such as the image name/tag would be harder to circumvent.
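As an added illustration of the approach the reply describes (not code from the gatekeeper-library templates), here is a modified privileged-container template body that exempts containers by image prefix rather than by container name. The `exemptImages` parameter and its constraint wiring are assumptions for this example; the `input_containers` helper follows the shape the library's PSP templates use.

```rego
package k8spspprivileged

# Added example, not the library's own template. A container is skipped only
# when its image matches an exempt prefix supplied through the constraint's
# parameters (assumed here as `exemptImages`). Matching on the image keeps the
# exemption tied to what actually runs, so renaming a container gains nothing.
violation[{"msg": msg, "details": {}}] {
    c := input_containers[_]
    not is_exempt_image(c.image)
    c.securityContext.privileged
    msg := sprintf("Privileged container is not allowed: %v, securityContext: %v", [c.name, c.securityContext])
}

# True when the image starts with one of the configured prefixes, e.g.
# "registry.example.com/mesh/sidecar:" or, stronger, a full digest reference
# "registry.example.com/mesh/sidecar@sha256:" since tags can be moved.
is_exempt_image(image) {
    prefix := input.parameters.exemptImages[_]
    startswith(image, prefix)
}

# Check regular containers and init containers alike, as the PSP templates do.
input_containers[c] {
    c := input.review.object.spec.containers[_]
}

input_containers[c] {
    c := input.review.object.spec.initContainers[_]
}
```

Whoever can push to the exempted image path effectively holds the exemption, so the prefix should point at a registry path with its own push controls.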
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.