yum/recipes/default.rb

template "/etc/yum.conf" do
  node[:excludes] = []
  source "yum.conf.erb"
  owner  "root"
  mode   0644
end

yum/templates/default/yum.conf.erb

[main] cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release

#  This is the default, if you make this bigger yum won't see if the metadata
# is newer on the remote and so you'll "gain" the bandwidth of not having to
# download the new metadata and "pay" for it by yum not having correct
# information.
#  It is esp. important, to have correct metadata, for distributions like
# Fedora which don't keep old packages around. If you don't like this checking
# interupting your command line usage, it's much better to have something
# manually check the metadata once an hour (yum-updatesd will do this).
# metadata_expire=90m

# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d

まぁこんな感じですよね。
んで、アップデート対象にしてほしくないcookbookのrecipeに

redis/recipes/default.rb

#
# Cookbook Name:: Redis
# Recipe:: default
#
# Copyright 2011, YOUR_COMPANY_NAME
#
# All rights reserved - Do Not Redistribute
#
package "tcl"

bin = "/usr/local/bin/redis-server"
version  = node[:redis][:version]
file = "redis-#{version}"
url = "https://redis.googlecode.com/files/redis-#{version}.tar.gz"
installed_version = `#{bin} -v 2>&1`.chomp.split(/\s/)[3]
log "installed version: #{installed_version}"
do_install = ( version != installed_version )


remote_file "/tmp/redis-#{version}.tar.gz" do
  source "#{url}"
  mode "0644"
  only_if { do_install }
end

bash "install_redis" do
  cwd "/tmp"
  code <<-EOH
  tar zxvf #{file}.tar.gz && cd #{file} && make && make install && cp utils/redis_init_script /etc/init.d/redis && mkdir /etc/redis/ && cp redis.conf /etc/redis/6379.conf
  EOH
  only_if { do_install }
end

file "/tmp/#{file}.tar.gz" do
  action :delete
end

node[:yum][:installonlypkgs].push("redis")

ということで

node[:yum][:installonlypkgs].push("redis")

こんな感じで、アップデートしたくないパッケージ名をpushして突っ込んで
yum_excludeというcookbookをつくります。

yum_installonlypkgs/recipes/default.rb

template "/etc/yum.conf" do
  source "yum.conf.erb"
  owner  "root"
  mode   0644
end

node[:yum][:installonlypkgs].push("kernel, kernel-bigmem, kernel-enterprise, kernel-smp, kernel-debug, kernel-unsupported, kernel-source, kernel-devel, kernel-PAE, kernel-PAE-debug")

yum_installonlypkgs/templates/default/yum.conf.erb

[main] 
cachedir=/var/cache/yum/$basearch/$releasever 
keepcache=0 
debuglevel=2 
logfile=/var/log/yum.log 
exactarch=1 
obsoletes=1 
gpgcheck=1 
plugins=1 
installonly_limit=5 
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum 
distroverpkg=centos-release 
 
#  This is the default, if you make this bigger yum won't see if the metadata 
# is newer on the remote and so you'll "gain" the bandwidth of not having to 
# download the new metadata and "pay" for it by yum not having correct 
# information. 
#  It is esp. important, to have correct metadata, for distributions like 
# Fedora which don't keep old packages around. If you don't like this checking 
# interupting your command line usage, it's much better to have something 
# manually check the metadata once an hour (yum-updatesd will do this). 
# metadata_expire=90m 
 
# PUT YOUR REPOS HERE OR IN separate files named file.repo 
# in /etc/yum.repos.d 
 
installonlypkgs=<%= node[:yum][:installonlypkgs].join(", ") %> 

という感じでyum_installonlypkgsを追加する用のrecipeを用意することで
対応できそうって感じです。

kernel, kernel-bigmem, kernel-enterprise, kernel-smp, kernel-debug, kernel-unsupported, kernel-source, kernel-devel, kernel-PAE, kernel-PAE-debug

この一覧は、自分で指定しない場合はデフォルトで入ってるけど、自分でyum_installonlypkgsを指定する場合は
自分で追加してね。という一覧ですね。

正規表現が使えないのがアレですけど、直接的に指定できるから問題なさそう。
マニュアル読むと新発見があって面白いです。