Configure infrastructure exemptions

What you’ll accomplish

You’ll configure policy exemptions for infrastructure workloads that legitimately require elevated privileges, such as Istio gateway NodePort services or third-party storage and networking components.

Prerequisites

• UDS CLI installed
• UDS Registry account created and authenticated locally with a read token
• Access to a Kubernetes cluster with UDS Core deployed (or ready to deploy Core to)
• Familiarity with UDS Bundles
• The exemption policy names for your workload (see Policy Engine reference)

Before you begin

Infrastructure Exemptions are typically applied during or before Core installation to resolve infrastructure-specific issues that would otherwise block deployment. For application-level Exemptions, deploy manifests alongside the applications instead; see Create UDS policy exemptions.

Some infrastructure workloads require privileges that UDS Core policies normally block. For example:

• Istio gateways may use NodePort services when an external load balancer handles traffic routing
• Storage drivers (e.g., OpenEBS) require privileged containers and host path access
• CNI plugins need host networking and elevated privileges

UDS Core provides a built-in exemption for Istio gateway NodePorts (a common configuration change when external load balancers handle traffic routing) and supports custom exemptions for everything else. All exemptions are deployed via bundle overrides.

Tip

UDS Core already handles exemptions for its own components internally. You generally only need custom exemptions for third-party infrastructure or when you configure Core components beyond their defaults.

Steps

1. Choose the exemption type

   Istio gateway NodePort

   UDS Core includes a ready-to-use exemption for Istio gateway NodePort services. Enable it in your bundle:

   uds-bundle.yaml

   packages:
     - name: core
       repository: registry.defenseunicorns.com/public/core
       ref: x.x.x-upstream
       overrides:
         uds-exemptions:
           uds-exemptions:
             values:
               - path: exemptions.istioGatewayNodeport.enabled
                 value: true

   This creates DisallowNodePortServices exemptions for the admin and tenant gateway services. To also include the passthrough gateway, override the gateways list:

   uds-bundle.yaml

   packages:
     - name: core
       repository: registry.defenseunicorns.com/public/core
       ref: x.x.x-upstream
       overrides:
         uds-exemptions:
           uds-exemptions:
             values:
               - path: exemptions.istioGatewayNodeport.enabled
                 value: true
               - path: exemptions.istioGatewayNodeport.gateways
                 value:
                   - admin
                   - tenant
                   - passthrough

   Custom infrastructure exemption

   For third-party infrastructure workloads, use the exemptions.custom path. This example exempts a storage driver that needs privileged access and host paths:

   uds-bundle.yaml

   packages:
     - name: core
       repository: registry.defenseunicorns.com/public/core
       ref: x.x.x-upstream
       overrides:
         uds-exemptions:
           uds-exemptions:
             values:
               - path: exemptions.custom
                 value:
                   - name: openebs-exemptions
                     exemptions:
                       - policies:
                           - DisallowPrivileged
                           - RestrictVolumeTypes
                           - RestrictHostPathWrite
                         matcher:
                           namespace: openebs
                           name: "^openebs.*"
                         title: "OpenEBS storage driver"
                         description: "Requires privileged access and hostPath volumes for local PV provisioning"

   Caution

   Scope each exemption as narrowly as possible. Use specific namespace and name regexes, and only list the policies that are genuinely required. Document the reason in the title and description fields for audit purposes.

2. Create and deploy your bundle

   uds create --confirm && uds deploy uds-bundle-*.tar.zst --confirm

Verification

Confirm the exemptions were created:

# List all exemptions
uds zarf tools kubectl get exemptions -n uds-policy-exemptions

Verify that the target workload is running without admission denials:

# For NodePort exemptions, check gateway services
uds zarf tools kubectl get svc -n istio-admin-gateway
uds zarf tools kubectl get svc -n istio-tenant-gateway

# For custom exemptions, check pods/services are running
uds zarf tools kubectl get pods -n <namespace>

Troubleshooting

Problem: NodePort exemption not created

Symptom: Gateway services are still blocked after enabling the NodePort exemption.

Solution: Verify the exemptions.istioGatewayNodeport.enabled value is set to true in your bundle and that you redeployed Core after the change. Check that the Exemption CR exists:

uds zarf tools kubectl get exemptions -n uds-policy-exemptions | grep nodeport

Problem: Custom exemption not taking effect

Symptom: The infrastructure workload is still blocked despite the custom exemption.

Solution: Verify the matcher fields match your workload exactly. The namespace must match the workload’s namespace and the name regex must match the pod or service name. If the exemption CR exists but pods still aren’t being exempted, see the Exemptions & Packages Not Updating runbook for detailed diagnostics.

Related documentation

• Policy Engine - full reference of all enforced policies and exemption names
• Exemption CR specification - full CR schema and field reference
• Create UDS policy exemptions - Create Exemption CRs to allow workloads to bypass specific UDS policies.
• Audit security posture - Review exemptions and Package CR network rules across your cluster.