Skip to main content
Previously, Alex applied Pod Security Standards (PSS) cluster-wide using the podSecurity sub-rule in Kyverno. This lesson shows how to create narrow, controlled exemptions when a small number of trusted workloads legitimately require settings that would otherwise violate the profile.
This lesson explains how to use the exclude list inside podSecurity to create safe, scoped exemptions for Pod Security Standard (PSS) controls.
Real-world teams often need to allow a limited exception without disabling an entire policy. For example:
  • A monitoring agent requires access to the host IPC namespace (violates baseline).
  • A legacy application needs a special Linux capability (violates restricted profile).
The image presents a challenge where Alex needs exceptions for a specific monitoring agent and legacy application, despite successful deployment of a baseline profile for most applications.
Disabling the security rule for entire namespaces would be a large regression. Instead, Kyverno provides the exclude block in the podSecurity rule, which lets you exempt a specific PSS control and optionally scope that exemption to particular container images. How the exclude block works
  • controlName — the name of the PSS control to exempt.
  • images (optional) — a list of image patterns to scope container-level exemptions. Wildcards are supported.
Example: exempt a control and scope it to specific images
Common patterns for exclude Below are three patterns you will frequently use when creating scoped exemptions.
  1. Pod-level control exemption
Some PSS controls are evaluated at the Pod level (they inspect Pod fields such as hostIPC and hostPID). For these, a single controlName entry in exclude is sufficient. Example Pod that requires host IPC:
PodSecurity exemption (pod-level):
When Kyverno evaluates this Pod, it sees a baseline violation but permits it because the Host Namespaces control is excluded.
  1. Container-level control exemption (scoped by image)
Some controls are checked per container, so exemptions must be scoped to container images using images. Container spec that needs an extra capability:
PodSecurity exemption scoped to images:
Notes:
  • Wildcards are allowed in the images list.
  • If a different image (for instance, busybox) attempts the same capability, Kyverno will reject the Pod. Example admission webhook error:
Kyverno compares the container image against your images patterns; if there’s no match, the exemption does not apply.
  1. Mixed controls (both Pod- and container-level)
Some controls (like Seccomp) can be configured at both the Pod level and overridden per container. To fully exempt such a control, provide two exclude entries: one for the Pod-level check and one for container-level checks (with an images list).
The image is about "Exemption Type 3: Mixed Pod and Container Controls," explaining that some controls like Seccomp can be defined at both the pod and container level, requiring two entries in the exclude list for full exemption.
Correct way to exempt a mixed control:
  • The first Seccomp entry covers the Pod-level configuration.
  • The second Seccomp entry, with an images list, covers per-container checks.
  • Together they fully exempt Seccomp for the specified images.
Do not use exclude to broadly relax cluster security. Scope exemptions tightly (by control and by image) and document why each exemption exists to reduce attack surface and aid future audits.
Summary
  • Use the exclude list inside podSecurity to make narrow, controlled exceptions to PSS controls.
  • Pod-level controls: specify only the controlName.
  • Container-level controls: include images to scope the exemption to specific container images.
  • Mixed controls: add two entries—one for pod-level and one for container-level (with images).
The image is a summary highlighting four points about using exclusions for exemptions in PSS profiles, with explanations for pod-level, container-level, and mixed-level controls. The points are numbered and color-coded.
With scoped exclude entries, Alex can enforce broad Pod Security Standards while safely managing one-off exemptions for trusted workloads. References and further reading

Watch Video

Practice Lab