This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 68%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Team,
I have situation where I need to exempt the policies while creation of pods if a specific label is assigned to it.
I'm applying container no privilege policy on the cluster i.e. Kubernetes cluster should not allow privileged containers.
Can anyone suggest the procedure to exempt the labels. I tried this one but getting syntax error.
Please help. Thank you.
Please 'Accept as answer' if the provided information is helpful, so that it can help others in the community looking for help on similar topics.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 98%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Hello @Tanul ,
Thanks for your query !
I just tried out below syntax and it works , can you also try out from your end.
Kindly adjust the values accordingly.
{
"matchLabels":{"app":"nginx"},
"matchExpressions":
[
{"key": "test", "operator": "NotIn", "values": ["1"]}
]
}
Explanation:-
Based upon the Schema:
matchLabels is of type Json Object
Match Expression is an Array of values
Let us know if the above helps out !
Make sure to "Upvote & Accept the answer"
@shiva patpi , Hey shiv. Thanx a lot for sharing. Will check this on weekend. I wasn’t aware pf the syntax at all.
One more thing could you please share some info regarding constraints as well. Actually I’m making this policy so that it should apply only on those resources which doesn’t have that specific label.
Once applied, I have to make a constraint which will allow people only with specific RBAC roles(like admin) has the ability to add that label on the resources.
If you have something like this please let me know. Thanks. Take care.
@Tanul Apologies for the delay in response and all the inconvenience caused because of the issue.
Can you please help me understand your requirement better so I can help you further with your issue.
One such option in Conditional Access as well and another is Azure Information Protection in Azure.
I do need more details around the label part and your scenario.
Looking forward to your response :)
Thanks
·
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(217.60000000000002, 59%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAG%3C/text%3E%3C/svg%3E)
I know this is a few years old but I'm also having difficulty in creating exclusions based on labels. I'd like to give the ability to bypass the "deny" effect based on a label per policy in a initiative using a initiative parameter. The above example is exactly what I was looking for but I can't seem to get it to work. If I put a label such as "NoAZPolicy":"true" on a pod I'd like the pod to be excluded from the policy. I see it pushed the constraint template to my cluster but still showing nginx as not compliant. I envision using these labels for each policy as a way to allow development teams to bypass the policies if they chose to as they don't have the ability to make the azure policies, meaning I can have this policy higher up in a management group with very little edits and if they chose to go against best practices I'll have a second audit policy to catch the exclusions they chose to make. This will create less over head for my team that manages azure policy.
In this example I was just using a label that was already on nginx. What am I missing? If I understand this correct its looking for a label of "app.kubernetes.io/name" with a value of "ingress-nginx" and the match expression is what would make it not match since there is no label "test" with a value of "1", thus excluding it from the condition.
spec:
enforcementAction: dryrun
match:
excludedNamespaces:
- kube-system
- gatekeeper-system
- azure-arc
- azure-extensions-usage-system
kinds:
- apiGroups:
- ''
kinds:
- Pod
labelSelector:
matchExpressions:
- key: test
operator: NotIn
values:
- 1
matchLabels:
app.kubernetes.io/name: ingress-nginx