Support excluding some containers of pods from privileged check

[horecoli]

Overview

Kubescape supports some exceptions, but it is only possible at the level of pods. Since a pod can have more than one container, it would be useful to allow the exclusion of specific containers of pod from scan.

Problem

If your deployment workload resource definition (eg. helm) pulls in external upstream container images during runtime, those images may have Pod definitions with the privilege flag policy set to true for one or more their Pods. It is recommended that the CNF developer audits and cleans up any upstream images to respect this rule ensuring the privilege flag is set to false when following this best practice.
Some Pods may need privileges to provide required functionality. For example kube-proxy or the Envoy side-car.
It is the responsibility of the CNF developer to communicate the privileges needed by their CNF. Source ( https://github.com/lfn-cnti/bestpractices/blob/main/doc/cbpps/0004-do-not-run-containers-with-privilege-flag.md#notesconstraintscaveats ).

So, I believe it would be beneficial to allow the exclusion of specific containers from the privileged test.

Solution

To address this, the ability to add container types to the exception file can be implemented. This will allow the exclusion of those containers from the scan.