Suppressions¶
Suppressions allow you to mark specific findings as accepted risks or false positives without modifying the manifests.
Suppression File Format¶
Create suppressions.yaml in your project root:
suppressions:
- rule_id: KC-001
resource_name: admin-cluster-role
reason: "Required for cluster operator"
- rule_id: KC-004
resource_name: default
resource_namespace: kube-system
reason: "kube-system default SA needs elevated permissions"
Fields¶
| Field | Required | Description |
|---|---|---|
rule_id |
Yes | Rule to suppress (e.g., KC-001) |
resource_name |
Yes | Resource name to match (exact match) |
resource_namespace |
No | Namespace to match (omit for cluster-scoped or wildcard) |
reason |
No | Why this finding is suppressed (for documentation) |
Matching Logic¶
A suppression matches a finding if all specified fields match:
rule_idmust match exactlyresource_namemust match exactly- If
resource_namespaceis specified, it must match exactly; if omitted, acts as a wildcard (matches any namespace or cluster-scoped resources)
Example 1: Suppress KC-001 for a specific ClusterRole:
suppressions:
- rule_id: KC-001
resource_name: admin-role
reason: "Admin role requires wildcard verbs"
Example 2: Suppress KC-004 for default ServiceAccount in kube-system:
suppressions:
- rule_id: KC-004
resource_name: default
resource_namespace: kube-system
reason: "System namespace uses default ServiceAccounts"
Example 3: Suppress KC-014 for all RoleBindings named "viewer-binding" in any namespace:
suppressions:
- rule_id: KC-014
resource_name: viewer-binding
reason: "Standard pattern across all namespaces"
Suppression Validation¶
kube-chainsaw validates suppressions at load time:
rule_idmust be non-emptyresource_namemust be non-empty- If
rule_iddoesn't match the known pattern (KC-001 through KC-015), a warning is printed to stderr
Unrecognized rule_id values (e.g., typos or custom rules) generate warnings but don't fail the scan.
Using Suppressions in CI¶
Commit the suppression file to version control:
Reference it in CI:
Suppressed Findings in Output¶
Suppressed findings are included in the output but marked with [SUPPRESSED]:
=== HIGH ===
[KC-001] Wildcard resource access [SUPPRESSED]
File: k8s/admin-role.yaml
Resource: ClusterRole/admin-role
...
Suppressed findings do not count toward the exit code threshold.
Best Practices¶
- Always provide reason: Future maintainers need to understand why findings are suppressed
- Scope suppressions narrowly: Match specific resources with explicit namespace when possible
- Review suppressions regularly: Audit the suppression file during security reviews
- Commit suppressions to version control: Track changes and provide accountability
Examples¶
Suppress admin role findings:¶
suppressions:
- rule_id: KC-001
resource_name: cluster-admin-role
reason: "Required for Kubernetes cluster operator"
- rule_id: KC-010
resource_name: cluster-admin-role
reason: "Required for Kubernetes cluster operator"
Suppress cluster-admin pod in specific namespace:¶
suppressions:
- rule_id: KC-013
resource_name: operator-deployment
resource_namespace: operators
reason: "Operator requires cluster-admin for CRD management"
Suppress RoleBinding to ClusterRole pattern:¶
suppressions:
- rule_id: KC-014
resource_name: read-pods-binding
resource_namespace: monitoring
reason: "Standard read-only pattern for monitoring"
Next Steps¶
- Understanding Findings: Learn what each severity level means
- CLI Reference: All command-line options
- Detection Rules: Full rule descriptions