feat(exceptions): support container-level exceptions via containerName attribute

[Tomgrinds777]

Overview

Exceptions in Kubescape currently work at the pod/workload level. If a pod has multiple containers and only one of them needs to be excluded from a check, there's no way to do that.

The containerName attribute key already exists in armoapi-go (identifiers.AttributeContainerName), but it was falling into the labels bucket in DigestAttributesDesignator and being compared against pod labels — which always fails.

This PR wires it up properly.

What changed:

• exceptions/comparator.go — added compareContainerName that checks all containers and init containers in a workload using regex (same as namespace/name/kind matching)
• exceptions/exceptionprocessor.go — metadataHasException now strips containerName from the labels map before label comparison and runs compareContainerName separately

Example exception that now works:

{
  "designators": [{
    "designatorType": "Attributes",
    "attributes": {
      "namespace": "kube-system",
      "name":      "kube-proxy",
      "containerName": "kube-proxy"
    }
  }]
}

Related issues/PRs

Closes kubescape/kubescape#1684

Summary by CodeRabbit

• New Features

  • Exception rules support matching by container name (regular & init), including regex/wildcards, combined with other attributes like namespace.

• Improvements

  • Exception evaluation now determines which container(s) actually failed and applies exceptions precisely; container-scoped checks no longer fall back incorrectly.
  • Container-name filtering option enables restricting matches to an explicit list when provided.

• Tests

  • Added comprehensive tests validating container-name matching, filtering behavior, and precision with response vectors.

[coderabbitai]

Warning

Rate limit exceeded

@workwithsarang has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 52 minutes and 35 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: deabe752-4713-41a1-8d24-5ca6a5962788

📥 Commits

Reviewing files that changed from the base of the PR and between 8b6a830 and 020001e.

📒 Files selected for processing (1)

• exceptions/exceptionprocessor_test.go

📝 Walkthrough

Walkthrough

Adds container-name-aware exception matching: comparator.compareContainerName performs regex matching (with optional failing-name filter). The exception processor extracts failing container names from FailedPaths, propagates them through exception evaluation, and updates metadata/hasException flows and tests accordingly.

Changes

Container-level exception filtering

Layer / File(s)	Summary
Container name comparison exceptions/comparator.go, exceptions/comparator_test.go	compareContainerName checks provided failingNames first; otherwise inspects workload containers and initContainers, regex-matching against names. Tests include pod helper and cover exact, init, regex, no-match, and failingNames-filter cases.
Exception processor integration exceptions/exceptionprocessor.go, exceptions/exceptionprocessor_test.go	Adds rexContainerPath and extractFailingContainerNames; threads failingContainerNames through SetRuleResponsExceptions/GetResourceExceptions/hasException/iterateRegoResponseVector; isolates container-name from other label/annotation matches and validates it via compareContainerName. Updates test imports, call sites, and adds container-scoped precision tests.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• matthyx

Poem

🐰 I hopped through pods at break of day,
Names and regex led the way.
Init or main, each one I check,
Exceptions now land on the correct deck.
Hop, hop — tests pass and errors stray!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 7.69% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main feature: adding container-level exception support via the containerName attribute.
Linked Issues check	✅ Passed	All coding requirements from issue #1684 are met: compareContainerName method validates container names, exceptionprocessor extracts failing containers from FailedPaths, and containerName-based matching prevents unintended container exclusions.
Out of Scope Changes check	✅ Passed	All changes are within scope: comparator and processor modifications handle container-level exceptions, test additions cover containerName matching and precision scenarios, and no unrelated refactoring is present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[matthyx]

I found two blocker-level issues with the new containerName matching.

[matthyx]

This only enforces containerName for workload objects. hasException() still falls back from a RegoResponseVector to metadataHasException() on the base vector object, so a designator that includes containerName plus a base-object field like name can still match after the related-object scan misses because the container constraint is silently skipped in that fallback path. I reproduced this with a small test: a vector named base-subject with only an app pod in relatedObjects still returns true for {name: base-subject, containerName: missing}.

[matthyx]

This only proves that the workload contains some matching container. The exception is still attached to the whole RuleResponse, so on a pod with app + sidecar, a containerName: sidecar exception will also suppress a finding that was raised for app. I reproduced that with SetRuleResponsExceptions: a response whose alert message points at container 'app' still gets excepted as soon as the pod also contains sidecar. We need a way to match against the failing container identity, not just container membership in the pod.

[Tomgrinds777]

Thanks for the detailed analysis — both issues are now fixed.

Issue 1 (RegoResponseVector fallback bypass): When containerName is in the designator and iterateRegoResponseVector finds no match in the related objects, hasException now returns false immediately instead of falling through to the base vector object. Added TestHasException_RegoResponseVector_ContainerNameFallbackBlocked to cover the exact scenario you described ({name: base-subject, containerName: missing} on a vector that only has an app container).

Issue 2 (wrong container excepted): SetRuleResponsExceptions now extracts the failing container names from FailedPaths by parsing containers[N]/initContainers[N] indices and mapping them to names via the workload spec. compareContainerName receives that list and, when non-empty, only matches against those containers. The public GetResourceExceptions API is unchanged (passes nil, which falls back to full workload scan). Added TestSetRuleResponsExceptions_ContainerNamePrecision with three sub-cases: finding on sidecar (match), finding on app (no match), no paths (fallback match).

[matthyx]

Rechecked on the latest commit. The earlier base-object fallback bug is fixed, but one blocker remains in the RegoResponseVector path.

[matthyx]

This still loses container precision for RegoResponseVector alerts. Here workloads[w] is the vector object, so extractFailingContainerNames() sees no containers and returns nil. That nil then flows through iterateRegoResponseVector() into metadataHasException(), so compareContainerName() falls back to scanning every container in the related pod. I reproduced it locally: a vector wrapping a pod with containers [app, sidecar], FailedPaths = ["spec.containers[0].securityContext.privileged"], and an exception {containerName: sidecar} still sets the exception. We need to derive failing container names from the related workload in the vector path (and add a regression test for AlertObject.ExternalObjects / RegoResponseVector).

[matthyx]

Rechecked the latest head. The RegoResponseVector containerName precision issue is fixed, and I do not see any blocker-level issues remaining.