Configuring Policy Exemptions
By default policy exemptions (UDSExemptions) are only allowed in a single namespace — uds-policy-exemptions
. We recognize this is not a conventional pattern in K8s, but believe it is ideal for UDS for the following reasons:
- highlights the fact that an exemption can reduce the overall security posture of the cluster
- makes maintaining RBAC for controlling exemptions more straightforward
- reduces the risk that an unintentional mis-configuration of RBAC allows a cluster exemption that would otherwise be denied
Allow All Namespaces
Section titled “Allow All Namespaces”If you believe that the default scoping is not the right approach for your cluster, you can configure UDS-CORE at deploy time to allow exemption CRs in all namespaces.
zarf package deploy zarf-package-uds-core-*.zst --set ALLOW_ALL_NS_EXEMPTIONS=true
or via a uds bundle config:
uds-config.yaml
options: # options here
shared: ALLOW_ALL_NS_EXEMPTIONS: "true"
variables: # package specific variables here