podSecurity sub-rule in Kyverno. This lesson shows how to create narrow, controlled exemptions when a small number of trusted workloads legitimately require settings that would otherwise violate the profile.
This lesson explains how to use the
exclude list inside podSecurity to create safe, scoped exemptions for Pod Security Standard (PSS) controls.- A monitoring agent requires access to the host IPC namespace (violates baseline).
- A legacy application needs a special Linux capability (violates restricted profile).

exclude block in the podSecurity rule, which lets you exempt a specific PSS control and optionally scope that exemption to particular container images.
How the exclude block works
controlName— the name of the PSS control to exempt.images(optional) — a list of image patterns to scope container-level exemptions. Wildcards are supported.
exclude
Below are three patterns you will frequently use when creating scoped exemptions.
- Pod-level control exemption
hostIPC and hostPID). For these, a single controlName entry in exclude is sufficient.
Example Pod that requires host IPC:
Host Namespaces control is excluded.
- Container-level control exemption (scoped by image)
images.
Container spec that needs an extra capability:
- Wildcards are allowed in the
imageslist. - If a different image (for instance,
busybox) attempts the same capability, Kyverno will reject the Pod. Example admission webhook error:
images patterns; if there’s no match, the exemption does not apply.
- Mixed controls (both Pod- and container-level)
Seccomp) can be configured at both the Pod level and overridden per container. To fully exempt such a control, provide two exclude entries: one for the Pod-level check and one for container-level checks (with an images list).

- The first
Seccompentry covers the Pod-level configuration. - The second
Seccompentry, with animageslist, covers per-container checks. - Together they fully exempt Seccomp for the specified images.
Do not use
exclude to broadly relax cluster security. Scope exemptions tightly (by control and by image) and document why each exemption exists to reduce attack surface and aid future audits.- Use the
excludelist insidepodSecurityto make narrow, controlled exceptions to PSS controls. - Pod-level controls: specify only the
controlName. - Container-level controls: include
imagesto scope the exemption to specific container images. - Mixed controls: add two entries—one for pod-level and one for container-level (with
images).

exclude entries, Alex can enforce broad Pod Security Standards while safely managing one-off exemptions for trusted workloads.
References and further reading
- Kyverno Pod Security (podSecurity rule): https://kyverno.io/docs/writing-policies/validate/#pod-security
- Pod Security Standards (Kubernetes): https://kubernetes.io/docs/concepts/security/pod-security-standards/
- Pod Security Admission docs: https://kubernetes.io/docs/concepts/security/pod-security-admission/