
Policy Exceptions

This tutorial explains how to create exceptions for Kyverno policies, such as excluding a specific namespace from a particular policy.

1. Identify the Problem

Example: when using a local Kind cluster, the built-in local-path-provisioner relies on hostPath volumes for storage. However, the restricted pod security standard blocks these volumes by default. You’ll notice errors in the local-path-storage pod logs indicating this restriction:

    resource Pod/local-path-storage/helper-pod-create-pvc-350709fd-a87a-4b59-9eae-ce8225f5ca65 was blocked due to the following policies

    restrict-volume-types:
      restricted-volumes: 'Only the following types of volumes may be used: configMap,
        csi, downwardAPI, emptyDir, ephemeral, persistentVolumeClaim, projected, and secret.'

Solution: Add an exception to the restrict-volume-types Kyverno policy.

2. Add Namespace-Based Exceptions

Kyverno configuration has overlays for each supported provider, including the Local provider. These overlays allow you to define policy exceptions.

  • Namespace exceptions apply to all workloads within the specified namespace.

  • To exclude the local-path-storage namespace (or any other), add it to the spec.values.policyExclude.restrict-volume-types list:

    restrict-volume-types:
      any:
      - resources:
          namespaces:
          - ...
          - local-path-storage

3. Refine Exceptions with Pod Labels

For granular control, you can exclude specific workloads using pod labels. For example, to exempt all workloads with the label app: awesome-workload from the restrict-volume-types policy:

    restrict-volume-types:
      any:
      - resources:
          selector:
            matchLabels:
              app: awesome-workload # Exclude pods with this label
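The namespace exception from step 2 exempts every pod in local-path-storage from the volume restriction, while the label exception from step 3 exempts the label wherever it appears. The following added example (not from the original tutorial) combines both filters in one entry so that only the provisioner's helper pods in that namespace are exempt. It assumes the overlay entry is passed through unchanged as the rule's Kyverno `exclude` block, and the label `app: local-path-helper` is a placeholder you must replace with the label your helper pods actually carry.

```yaml
# Added example, not part of the original page. Kyverno ANDs the filters
# inside a single `resources` entry, so a pod must be in local-path-storage
# AND carry the label to be exempt; separate entries under `any` are OR'd.
restrict-volume-types:
  any:
  - resources:
      kinds:
      - Pod
      namespaces:
      - local-path-storage
      selector:
        matchLabels:
          app: local-path-helper   # placeholder: use the real helper pod label
```

Confirm the label with `kubectl get pods -n local-path-storage --show-labels` before applying, and keep a separate `any` entry for each additional workload rather than widening this one.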