Managing exceptions from KSPM security control rules

Go to Yandex Security Deck.

In the left-hand panel, select Rules and exceptions.

At the top of the window, select the workspace for which you want to view the info on control rule exceptions.

On the Security control rules page that opens, go to the Exceptions tab.

The list of exceptions for the Kubernetes rules is provided under Kubernetes® Security Posture Management and contains the following fields:

• Status: Active or inactive.
• Rules: List of rules subject to exception.
• Resources: List of resources.
• Objects: List of objects.
• Reason for exclusion: Reason for exception.
• Author: User who created the exception, along with the date and time of its creation.

1. Under Rules, select the Kubernetes control rules the selected resources should not be checked against:

   • All rules: To exclude the selected resources from the check for compliance with all the Kubernetes control rules.

   • Selected rules: To exclude the selected resources from the check for compliance with a given set of rules. To select rules that the new exception will disable compliance checks for:

     • Click Select rules.
     • In the window that opens, select the rules you want to exclude from compliance checks. If required, use the filter or search at the top of the window.
     • Click Save selection.

2. Under Scope, specify the resources you want to exclude when checking the Kubernetes control rules:

   • All workspace resources: To exclude all resources controlled in the workspace.

   • Resources selected: To exclude only some resources. To select resources excluded from the check:

     • Click Select resources.
     • In the window that opens, select the resources to exclude from the rule and click Apply.

3. Optionally, under Objects (optional), specify objects for the exception to cover. You can specify multiple values separated by a comma, space, or Enter. To set a value for a parameter or its part, use * in names and labels.

   • Check Namespaces and enter the namespace name. The naming requirements are as follows:

     • It may be up to 63 characters long.
     • It can only include lowercase Latin letters, numbers, hyphens, and the wildcard symbol (*).

   • Check Workload names and enter the workload name. The naming requirements are as follows:

     • It may be up to 63 characters long.
     • It can only include lowercase Latin letters, numbers, hyphens, and the wildcard symbol (*).
     • The first and last characters must be a letter, number, or *.

   • Check Workload types and enter the workload type. It can be Deployment, StatefulSet, DaemonSet, Job, CronJob, ReplicaSet, or Pod. Format requirements:

     • It may be up to 63 characters long.
     • It may only include Latin letters and numbers.

   • Check Pod labels and enter the pod label. Format requirements:

     • The label must be in key=value format.
     • The key and value must be no longer than 63 characters each.
     • The key and value can include Latin letters, numbers, hyphens, underscores, and dots.
     • The key may include a forward slash.
     • The value may include *.
     • The first and last characters must be a letter or number.

4. Under Reason for exclusion, give in any format the reason why you are creating an exception.

5. Select Activate exception.

6. Click Create exception.