restricted level and blocks that behavior. Rather than weakening the central policy, we’ll create a narrow, auditable exception that allows only the specific workload to run as root.
Scenario recap
- Alice runs a ClusterPolicy that enforces the official Kubernetes Pod Security Standards at the
restrictedlevel. - One control in that profile—
Running as Non-root—prevents containers from running as root. - Alex needs a monitoring agent to run as root in a specific namespace (
delta). - Goal: create a scoped exception that targets only that control for the targeted workload(s) without modifying the global policy.
- The
restrictedprofile includes aRunning as Non-rootcontrol. - Any Pod that tries to run containers as root will be rejected by this policy.
- We do not want to disable the control cluster-wide; we want a narrowly scoped exception.
matchselects resources in thedeltanamespace.spec.exceptionspoints to thepsapolicy and itsrestrictedrule.podSecurity.controlNameinstructs Kyverno to ignore only theRunning as Non-rootcontrol for the matched scope.- Effect: only the specified control is ignored for resources in
delta; the rest of therestrictedprofile still applies.
The
podSecurity block in a PolicyException mirrors the exclude block you can add inside a podSecurity rule. This makes exceptions expressive and predictable, and easier to reason about when auditing policy changes.-
Policy modification (not recommended for scoped needs)
- Adding an
excludeto the policy weakens enforcement for every resource matched by that policy. - Changes apply cluster-wide (or to all resources matched by the policy) and affect all teams.
- Adding an
-
PolicyException (recommended)
- Keeps the central policy intact.
- Provides an auditable, separate object that grants a narrow allowance for a specific scope (namespace, image, etc.).
- Supports separation of duties and easier review / rollback.
Example of weakening the policy (not recommended if you only need a scoped exception)
hostPath restrictions). Others operate at the container level (for example, Capabilities). When a control applies to containers, Kyverno supports finer-grained exceptions using an images field so you can target only the containers that need the exemption.
Policy-level exclude example (applies at policy authoring time)
- With this exception, only containers whose image matches
nginx*orrediswill be exempted from theCapabilitiescontrol. - Other containers in the same Pod (for example, an Ubuntu-based sidecar) still must comply with the
Capabilitiescontrol. - Use image patterns carefully to avoid accidentally broadening the exception.
Keep exceptions as narrow, well-documented, and time-limited as possible. Exceptions expand risk when left open or when they are overly broad (for example, matching many image names or many namespaces).
- Prefer PolicyException to modifying a central PodSecurity rule when you need a scoped exemption.
- Use
controlNamefor pod-wide exemptions (e.g.,Running as Non-root). - For container-level controls, add
imagesto target only specific images and avoid exempting sidecars or unrelated containers. - Make exceptions:
- Narrow in scope (namespace, image, label selector).
- Audited and documented (reason, owner, expiration).
- Temporary when possible; review regularly.
- Document the business or technical reason for each exception and record its owner and planned removal date.