# Exemptions

Sometimes a workload really does need to do things that Polaris considers insecure. For instance, many of the kube-system workloads need to run as root, or need access to the host network. In these cases, we can add exemptions to allow the workload to pass Polaris checks.

Exemptions can be added two ways: by annotating a controller, or editing the Polaris config.

# Annotations

To exempt a controller from all checks via annotations, use the annotation polaris.fairwinds.com/exempt=true, e.g.

kubectl annotate deployment my-deployment polaris.fairwinds.com/exempt=true

To exempt a controller from a particular check via annotations, use an annotation in the form of polaris.fairwinds.com/<check>-exempt=true, e.g.

kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissing-exempt=true

# Config

To exempt a controller via the config, you have to specify a namespace (optional), a list of controller names and a list of rules, e.g.

exemptions:
  # exemption valid for kube-system namespace
  - namespace: kube-system
    controllerNames:
      - dns-controller
    rules:
      - hostNetworkSet
  # exemption valid in all namespaces
  - controllerNames:
      - dns-controller
    rules:
      - hostNetworkSet