add some exemptions for kube-system (#292)

cf10a961 · Robert Brennan · GitHub · c571b97b · cf10a961
Unverified Commit cf10a961 authored 5 years ago by Robert Brennan Committed by GitHub 5 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 41 additions and 0 deletions
+41 -0
--- a/examples/config.yaml
+++ b/examples/config.yaml
@@ -22,7 +22,48 @@ checks:
  runAsPrivileged: error
  dangerousCapabilities: error
  insecureCapabilities: warning
+
 exemptions:
+  - controllerNames:
+      - kube-apiserver
+      - kube-proxy
+      - kube-scheduler
+      - etcd-manager-events
+      - kube-controller-manager
+      - kube-dns
+      - etcd-manager-main
+    rules:
+      - hostPortSet
+      - hostNetworkSet
+      - readinessProbeMissing
+      - livenessProbeMissing
+      - cpuRequestsMissing
+      - cpuLimitsMissing
+      - memoryRequestsMissing
+      - memoryLimitsMissing
+      - runAsRootAllowed
+      - runAsPrivileged
+      - notReadOnlyRootFilesystem
+      - hostPIDSet
+
+  - controllerNames:
+      - kube-flannel-ds
+    rules:
+      - notReadOnlyRootFilesystem
+      - runAsRootAllowed
+      - notReadOnlyRootFilesystem
+      - readinessProbeMissing
+      - livenessProbeMissing
+      - cpuLimitsMissing
+
+  - controllerNames:
+      - vpa
+    rules:
+      - runAsRootAllowed
+      - readinessProbeMissing
+      - livenessProbeMissing
+      - notReadOnlyRootFilesystem
+
  - controllerNames:
      - dns-controller
      - datadog-datadog