Finegrained Exemptions

[mjnagel]

Currently exemptions are allowed for all policies. Exemptions can be scoped by:

• name matcher (regex) for the resource name
• namespace identifier
• policy list

There are several policies that have been identified as potentially needing more fine-grained exemption configurations:

• RestrictCapabilities: Allow configuration of specific allowed capabilities (currently all are allowed if exempted)
• Host path policies (RestrictHostPathWrite and RestrictVolumeTypes): Allow configuration of specific allowed host paths (currently all are allowed if exempted)
• SELinux option policies (RestrictSELinuxType and DisallowSELinuxOptions): Allow configuration of specific allowed selinux options/types (currently all are allowed if exempted)

It may be useful to write a design document for this to start - explore how we could modify the exemption CR to support something like "allowed values" for a given exemption. In order to be backwards compatible we should likely default to all values being allowed if that config option is not provided.