Add exemptions to config

[rbren]

No description provided.

[codecov]

Codecov Report

Merging #204 into master will decrease coverage by 1.84%.
The diff coverage is 86.25%.

@@            Coverage Diff            @@
##           master    #204      +/-   ##
=========================================
- Coverage   81.15%   79.3%   -1.85%     
=========================================
  Files          11      12       +1     
  Lines         711     749      +38     
=========================================
+ Hits          577     594      +17     
- Misses        107     130      +23     
+ Partials       27      25       -2

Impacted Files	Coverage Δ
pkg/config/config.go	72% <ø> (ø)	⬆️
pkg/config/ids.go	0% <0%> (ø)
pkg/config/exemptions.go	0% <0%> (ø)
pkg/validator/pod.go	100% <100%> (ø)	⬆️
pkg/validator/controller.go	88.88% <100%> (ø)	⬆️
pkg/validator/container.go	94.84% <98.91%> (+0.42%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b172f61...81d44f1. Read the comment docs.

[rbren]

[endzyme]

Initial testing

Tested:

• Ignore all errors for all scanned deployments (results in 100% score) (seems fine)
• Using with examples/config-full.yaml and got very weird results (see
  ) (bug?) (found the issue, full isn't setup to scan any deployment controllers, thus no checks are run)
• Tried to figure out how to exclude capabilities individually (can't right now) but wasn't immediately clear how to look up the rule names
• Tested invalid configuration for exemptions (tried a non-valid rule name but didn't fail as I might expect) - accidentally had a typo in a rule name and it just skips over it

Initial thoughts: Looks like maybe the reflection should have the context of the "group" since it is using the `json:"<name>"` as the name of the rule. I think you might accidentally exempt something if there happened to be a duplicate name in the json formatting options.

Example:

type Configuration struct {
...
	Security           Security              `json:"security"`
	AnotherThing       TheThing              `json:"theThing"`
	Exemptions         []Exemption           `json:"exemptions"`
...
}

type Security struct {
...
	Capabilities SecurityCapabilities `json:"capabilities"`
...
}

type AnotherThing struct {
...
	Capabilities []string `json:"capabilities"`
...
}
---------

Coupled with:

exemptions:
- controllerNames:
  - some-controller-name-here
  rules:
  - capabilities

This would accidentally exclude both the "security" context group as well as the AnotherThing context group. (if i'm reading the code right).

[endzyme]

Overall this is definitely a huge +1 - some stuff to chat about in the future but for now this seems to satisfy the need, assuming we're ok with the accidental exemption issue noted in my previous comment.

[rbren]

Good points! Thanks for the review. Can definitely try and hit some of these (esp failing on invalid names) in a future PR.