Allow exemptions in all namespaces

What you’ll accomplish

You’ll configure UDS Core to accept Exemption CRs in any namespace instead of only the default uds-policy-exemptions namespace, and verify the configuration works.

Prerequisites

• UDS CLI installed
• Access to a Kubernetes cluster with prerequisites met
• Familiarity with Kubernetes RBAC

Before you begin

By default, Exemption CRs are only accepted in the uds-policy-exemptions namespace. This provides a single, controlled location where platform engineers manage all policy exemptions. Enabling all-namespace exemptions allows teams to manage their own exemptions in their application namespaces.

Caution

Enabling all-namespace exemptions means any user with permission to create Exemption CRs in any namespace can bypass UDS policies. Before enabling this, ensure your RBAC configuration restricts who can create, update, and delete Exemption resources. Without proper RBAC controls, this setting significantly increases the risk of unintended or unauthorized policy bypasses.

Steps

1. Enable all-namespace exemptions

   Set the ALLOW_ALL_NS_EXEMPTIONS variable in your uds-config.yaml:

   uds-config.yaml

   variables:
     core:
       ALLOW_ALL_NS_EXEMPTIONS: "true"

2. Create and deploy your bundle

   uds create --confirm && uds deploy uds-bundle-*.tar.zst --confirm

Verification

Create a test Exemption CR in an application namespace to confirm the configuration is working:

test-exemption.yaml

apiVersion: uds.dev/v1alpha1
kind: Exemption
metadata:
  name: test-exemption
  namespace: my-app
spec:
  exemptions:
    - policies:
        - RequireNonRootUser
      matcher:
        namespace: my-app
        name: "^test-pod.*"
      title: "Test exemption"
      description: "Verifying all-namespace exemptions are working"

uds zarf tools kubectl apply -f test-exemption.yaml

Confirm the exemption was created and processed:

# Verify the `Exemption` CR exists in the application namespace
uds zarf tools kubectl get exemptions -n my-app

# Check Pepr logs for processing
uds zarf tools kubectl logs -n pepr-system deploy/pepr-uds-core --tail=50 | grep "Processing exemption"

Clean up the test exemption:

uds zarf tools kubectl delete exemption test-exemption -n my-app

Troubleshooting

Problem: Exemption rejected in application namespace

Symptom: Creating an Exemption CR outside uds-policy-exemptions returns a validation error.

Solution: Verify that ALLOW_ALL_NS_EXEMPTIONS is set to "true" and that the Core bundle was redeployed after the change. Check the UDS Operator config:

uds zarf tools kubectl get clusterconfig uds-cluster-config -o jsonpath='{.spec.policy}'

Related documentation

• Exemption CR specification - full CR schema and field reference
• Kubernetes RBAC documentation - securing who can create Exemption resources
• Audit security posture - Review exemptions across all namespaces for scope and justification.
• Create UDS policy exemptions - Create Exemption CRs to allow workloads to bypass specific UDS policies.