Context sensitive exceptions #545

Open
@mykter

Description

If I could go back in time I'd add to the discussion in #315, however...

We currently have a mechanism for suppressing named rules for an entire input file (or, as noted in that issue, the entire input when using --combine).

It would be nice to be able to add exceptions for specific matches on the input. Extending the deployment from the example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: mydep
spec:
  template:
    spec:
      containers:
      - name: web
        image: nginx
        ports:
        - containerPort: 8080
      - name: host-agent
        image: host-agent

Here the exception I want to be able to express is "mydep can run host-agent as root".
I don't want to say "mydep can run any containers as root", nor do I want to say "any deployment that includes the host-agent can run any container as root". As far as I can tell, those are the two closest options that are currently supported.

I'm not sure how this could be implemented.

Perhaps it could pair nicely with structured errors, so given:

violation_noservice[{"msg": msg, "details":{"name":name}}] {
  ...
  msg = sprintf("Found service %s but services are not allowed", [name])
}

we can somehow match against details->name?

Or alternatively you could do a textual match against a violation's msg, and then you can ensure that whatever contextual information you need is included in the msg. A little fragile, but perhaps straightforward. That's essentially the workaround I'm adopting - don't use the built-in exceptions, instead output all violations to json and then filter out any with msgs matching a list of exceptions.

I can't think of a way to express it more directly, i.e. tell conftest to ignore the no_service rule for mydep's host-agent container. If there is though that would be ideal, as it avoids depending on the rule to output the data you need, instead you can just define it directly in terms of the input.
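The workaround described above (emit every violation as JSON, then drop those that match a list of exceptions) as an added example; this is not code from the issue or from the conftest project. It assumes the `-o json` output shape shown in the constructed sample (one entry per file with a `failures` list whose items carry `msg` and, for structured errors, a `metadata` object) and demonstrates both the textual `msg` match the issue calls fragile and the structured match against the details the rule emits. Names such as `EXCEPTIONS`, `apply_exceptions` and the sample messages are assumptions.

```python
import json
import re
import sys

# Constructed sample standing in for conftest "-o json" output (not real
# tool output). The "metadata" field is assumed to carry the structured
# details of a violation such as violation_noservice[{"msg": msg, "details": {...}}].
SAMPLE_RESULTS = json.dumps([
    {
        "filename": "deployment.yaml",
        "namespace": "main",
        "successes": 2,
        "failures": [
            {"msg": "Container host-agent in mydep runs as root",
             "metadata": {"deployment": "mydep", "container": "host-agent"}},
            {"msg": "Container web in mydep runs as root",
             "metadata": {"deployment": "mydep", "container": "web"}},
            {"msg": "Found service api but services are not allowed",
             "metadata": {"name": "api"}},
        ],
    }
])

# Exception list (constructed). Each entry suppresses a violation either by a
# regex on its msg (fragile: breaks whenever the rule's wording changes) or by
# an exact subset match on its structured metadata (tied to the input data).
# Every entry records a reason so the suppression is auditable.
EXCEPTIONS = [
    {"msg": r"^Container host-agent in mydep runs as root$",
     "reason": "host-agent needs host access; tracked in ticket TICKET-PLACEHOLDER"},
    {"metadata": {"name": "api"},
     "reason": "api service is reviewed out of band"},
]


def matches(failure, exception):
    """True if this exception covers this failure."""
    if "msg" in exception and re.search(exception["msg"], failure.get("msg", "")):
        return True
    wanted = exception.get("metadata")
    if wanted:
        have = failure.get("metadata") or {}
        # every key named in the exception must be present with the same value
        return all(have.get(k) == v for k, v in wanted.items())
    return False


def filter_results(results, exceptions):
    """Split all failures into (remaining, suppressed), tagging each with its file."""
    remaining, suppressed = [], []
    for entry in results:
        for failure in entry.get("failures", []):
            hit = next((e for e in exceptions if matches(failure, e)), None)
            record = {"filename": entry.get("filename"), **failure}
            if hit:
                record["suppressed_by"] = hit.get("reason")
                suppressed.append(record)
            else:
                remaining.append(record)
    return remaining, suppressed


def apply_exceptions(raw=SAMPLE_RESULTS, exceptions=EXCEPTIONS):
    """Parse raw JSON output and apply the exception list."""
    return filter_results(json.loads(raw), exceptions)


def main(raw=SAMPLE_RESULTS):
    """Print the outcome; exit status 1 if any violation survives filtering."""
    remaining, suppressed = apply_exceptions(raw)
    for s in suppressed:
        print(f"suppressed: {s['msg']} ({s['suppressed_by']})")
    for r in remaining:
        print(f"FAIL {r['filename']}: {r['msg']}")
    return 1 if remaining else 0


if __name__ == "__main__":
    # Pipe real output in (conftest test -o json ... | python3 filter.py) or
    # run without input to see the constructed sample processed.
    sys.exit(main(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESULTS))
```

With the sample, the host-agent violation is suppressed by the message regex, the service violation by its structured `name`, and the `web` container violation survives, so the script exits non-zero. The structured match is the form to prefer once a rule emits details, because it no longer depends on the exact wording of `msg`.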

Labels: enhancement (New feature or request), exceptions (Relates to conftest exceptions)