There are multiple rules, which filter on kube- or openshift- to exclude red hat provided namespaces from certain rules.

applications/openshift/networking/routes_rate_limit/rule.yml

applications/openshift/networking/route_ip_whitelist/rule.yml

applications/openshift/general/resource_requests_limits_in_statefulset/rule.yml

applications/openshift/general/resource_requests_limits_in_deployment/rule.yml

applications/openshift/general/resource_requests_limits_in_daemonset/rule.yml

from my understanding this is done, so a customer doesnt have alerts from things he cannot change, because he would lose support.

some layered products (like ACM) do not use openshift- prefixed namespaces, or allow users to deploy to a custom namespace. In this cases, the exceptions do not apply.

a customer in this situation has only two choices:

1. disable the rule - which would not show them if anyone else (where risk is not accepted) is incompliant.
2. accept a incompliant result for the rule and continuously check if this is another namespace than the ones where risk is accepted

while 1 will just degrade compliance visibility, 2 will apply a additional work upon the user.

I propose, that compliance operator adds configurable variables for exclusion of namespaces for rules, where CO already does namespace exclusion based on the prefixes.

This would add the choice for the user to only exclude certain namespaces from the check, which would maintain compliance visibility and not inflict additional continuous burden upon the user.

There were some internal discussions around this:

https://redhat-internal.slack.com/archives/CTDEY6EEA/p1709696299449919

https://redhat-internal.slack.com/archives/CHCRR73PF/p1709734486932619