# Exemptions
Sometimes a workload really does need to do things that Polaris considers insecure. For instance,
many of the kube-system workloads need to run as root, or need access to the host network. In these
cases, we can add exemptions to allow the workload to pass Polaris checks.
Exemptions can be added in a few different ways:
- Namespace: By editing the Polaris config.
- Controller: By annotating a controller, or editing the Polaris config.
- Container: By editing the Polaris config.
# Annotations
To exempt a controller from all checks via annotations, use the annotation polaris.fairwinds.com/exempt=true, e.g.
kubectl annotate deployment my-deployment polaris.fairwinds.com/exempt=true
To exempt a controller from a particular check via annotations, use an annotation in the form of polaris.fairwinds.com/<check>-exempt=true, e.g.
kubectl annotate deployment my-deployment polaris.fairwinds.com/cpuRequestsMissing-exempt=true
# Config
To add exemptions via the config, you have to specify at least one or more of the following:
- A namespace
- A list of controller names
- A list of container names
You can also specify a list of particular rules. If no rules are specified then every rule is exempted.
Controller names and container names are matched as a prefix, so an empty string will match every controller or container respectively.
For example:
exemptions:
# exemption valid for all rules on all containers in all controllers in default namespace
- namespace: default
# exemption valid for hostNetworkSet rule on all containers in dns-controller controller in kube-system namespace
- namespace: kube-system
controllerNames:
- dns-controller
rules:
- hostNetworkSet
# exemption valid for hostNetworkSet rule on all containers in dns-controller controller in all namespaces
- controllerNames:
- dns-controller
rules:
- hostNetworkSet
# exemption valid for hostNetworkSet rule on coredns container in all controllers in kube-system namespace
- namespace: kube-system
- containerNames:
- coredns
rules:
- hostNetworkSet