When a policy is activated, it is enforced for all manifests deployed in this cluster. From a security perspective this is exactly what we want, but as with every rule there can be exceptions. Imagine that you are using software provided by a vendor, which you deploy by rendering a Helm chart. If those manifests do not conform to all your policies, you have several options. First, you could raise the issues with the vendor, or even contribute a patch yourself, but this process can take some time. Another option is making the required changes by post-processing the manifests, e.g. with kustomize. This requires some effort, and you will potentially have to adapt the post-processing with every version upgrade of the software.
For those rare cases where these options are not feasible or not even possible, there is a way out. Every policy provides a custom Kubernetes annotation, which you can put on objects you want to exclude from validation. The reason for this exclusion has to be put into the value of the annotation.
The name of the Risk Acceptance annotation is
Risk Acceptances can be defined on different levels.
On the object itself:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: missing-tls
  annotations:
    securitytower.io/policy.exclusion.ingresstls: Vendor requires non-tls connections.
spec:
  rules:
  - host: some.service.com
    http:
      paths:
      - backend:
          serviceName: insecure-service
          servicePort: 8080
On the pod template, if the object specifies a pod via a template:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
spec:
  selector:
    matchLabels:
      app: test-policies
  template:
    metadata:
      annotations:
        securitytower.io/policy.exclusion.containerlivenessprobe: Vendor does not expose liveness probe.
      labels:
        app: test-policies
    spec:
      containers:
      - name: test-policies
        image: some-software:1.0
On the namespace, to exclude the policy for all objects in that namespace:
apiVersion: v1
kind: Namespace
metadata:
  name: ns-with-policyexclusion
  annotations:
    securitytower.io/policy.exclusion.containerlivenessprobe: This is a playground namespace used for testing.
NOTE: To provide correct Pull Request feedback, Syncier Security Tower must be able to find the namespace definitions in the GitOps repository. Make sure to add the location(s) of the namespace definitions to your cluster configuration.
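To make the three levels concrete, here is an added example (not Security Tower's own code) that resolves whether a policy is risk-accepted for a manifest by checking the object, its pod template and its namespace in that order, and lists every acceptance with its reason for review. It assumes only the annotation key pattern shown above; the function names and the sample manifests are constructed for the example.

```python
# Added example, not Security Tower's own code. Resolves whether a policy is
# risk-accepted for a manifest at any of the three levels the text describes:
# the object itself, its pod template, or its namespace. The key pattern
# securitytower.io/policy.exclusion.<policy> is taken from the examples above;
# function names and sample manifests are constructed here.
ANNOTATION_PREFIX = "securitytower.io/policy.exclusion."

def _annotations(obj):
    """Annotations of a manifest-like dict, or {} if absent."""
    return ((obj or {}).get("metadata") or {}).get("annotations") or {}

def find_risk_acceptance(manifest, policy, namespaces):
    """Return (level, reason) if `policy` is excluded for `manifest`, else None.

    `namespaces` maps namespace name -> Namespace manifest, standing in for the
    namespace definitions in the GitOps repository. A blank reason does not
    count: the annotation value must carry the justification.
    """
    key = ANNOTATION_PREFIX + policy
    meta = manifest.get("metadata") or {}
    levels = [
        ("object", _annotations(manifest)),
        ("pod-template", _annotations((manifest.get("spec") or {}).get("template"))),
        ("namespace", _annotations(namespaces.get(meta.get("namespace", "default")))),
    ]
    for level, annotations in levels:
        reason = (annotations.get(key) or "").strip()
        if reason:
            return level, reason
    return None

def audit(manifests, namespaces, policies):
    """List every accepted risk as (kind, name, policy, level, reason) for review."""
    return [(m["kind"], m["metadata"]["name"], p) + found
            for m in manifests for p in policies
            if (found := find_risk_acceptance(m, p, namespaces)) is not None]

# Constructed sample manifests mirroring the examples above.
NAMESPACES = {"ns-with-policyexclusion": {"kind": "Namespace", "metadata": {
    "name": "ns-with-policyexclusion", "annotations": {ANNOTATION_PREFIX + "containerlivenessprobe":
    "This is a playground namespace used for testing."}}}}
INGRESS = {"kind": "Ingress", "metadata": {"name": "missing-tls", "annotations": {
    ANNOTATION_PREFIX + "ingresstls": "Vendor requires non-tls connections."}}}
DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "test-deployment"}, "spec": {"template": {
    "metadata": {"annotations": {ANNOTATION_PREFIX + "containerlivenessprobe": "Vendor does not expose liveness probe."}}}}}
PLAYGROUND_POD = {"kind": "Pod", "metadata": {"name": "scratch", "namespace": "ns-with-policyexclusion"}}
```

Running `audit([INGRESS, DEPLOYMENT, PLAYGROUND_POD], NAMESPACES, ["ingresstls", "containerlivenessprobe"])` yields one entry per level, which is the list a reviewer wants to see in a pull request.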