Kaspersky Container Security

Runtime control policies

A runtime policy determines the actions that are taken by the solution when monitoring and controlling runtime operations of containers in accordance with the security policies. Kaspersky Container Security maintains control based on security threats detected in an image, the severity level of these threats, and the availability of

.

Containers in the runtime may run from verified images or from images that are still unknown to the solution.

The configured runtime policies are displayed as a table in the Policies → Runtime policies section.

You can use the list to do the following:

  • Add new policies. Click the Add policy button located above the table to open the policy settings window.
  • Change policy settings. You can open the editing window by clicking the policy name link.
  • Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.

    Kaspersky Container Security does not use disabled policies when operating.

  • Search for policies. To find a policy, enter its name or part of it in the search field above the list of runtime policies.
  • Delete policies.

[Topic 255361]

Creating a runtime policy

To add a runtime policy:

  1. In the Policies → Runtime policies section, click the Add policy button.

    The policy settings window opens.

  2. Enter a policy name and, if required, policy description.
  3. In the Mode section, select one of the following policy enforcement modes:
    • Audit. In this mode, the solution checks containers against the policy and records the violations it finds, but does not block anything.
    • Enforce. In this mode, the solution blocks all objects that do not comply with the rules and criteria defined in the policy.
  4. In the Scope section, define the policy enforcement scope. In the Clusters field, select the applicable group of clusters from the drop-down list.

    If necessary, define exclusions for which the runtime policy will not be applied. To do so, select the relevant objects from the drop-down list, specify their names, then click Add.

    Existing exclusions in the policy are checked when deploying a container.

  5. In the Best practice check section, use the Disabled / Enabled toggle switch to activate the check for compliance with security best practices. From the list of settings, select the checks that verify that the correct image is run and that CPU and RAM usage limits are configured.
  6. In the Block non-compliant images section, use the Disabled / Enabled toggle switch to prevent containers from running from images that do not comply with the requirements. This check is performed only for images that are registered in the solution and have been scanned, since only those images have a compliance status to evaluate.
  7. In the Block unregistered images section, use the Disabled / Enabled toggle switch to block containers running from images that are unknown to the solution or have not been fully scanned by Kaspersky Container Security. To deploy such an image, register it in the solution and wait until it has been scanned.
  8. In the Capabilities block section, use the Disabled / Enabled toggle switch to block the use of specific Linux capabilities by containers. Select the capabilities to block from the drop-down list, or select ALL to block every capability.
  9. In the Limit container privileges section, use the Disabled / Enabled toggle switch to block the startup of containers that request specific privileges. From the list of settings, select the privilege settings that pods are not allowed to use.
  10. In the Registries allowed section, use the Disabled / Enabled toggle switch to allow containers in the cluster to be deployed only from specific registries. Select the relevant registries from the Registries drop-down list.
  11. In the Volumes blocked section, use the Disabled / Enabled toggle switch to prevent the specified volumes from being mounted in containers. Enter the names of the relevant volumes in the Volumes field.
  12. Click Save.

By default, the added policy is Enabled.
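To see what the sections above admit and reject in practice, the following Python script models them against pod manifests. It is an added example, not code from Kaspersky Container Security or its documentation: the policy is expressed as a dictionary whose key names (mode, excluded_namespaces, block_unregistered, registered_images, blocked_capabilities, limit_privileges, allowed_registries, blocked_volumes) are assumptions chosen to mirror the sections, the images, registry name and manifests are constructed, "registered" is modelled as a set of exact image references, and the rule for deriving a registry from an image reference is an assumption. How the solution itself matches these settings is not described on this page.

```python
# Added example modelling the runtime-policy checks; not Kaspersky Container
# Security code. Key names, images, registry and manifests are constructed.
DOCKER_HUB = "docker.io"

def image_registry(image: str) -> str:
    """Registry host of an image reference. Assumption: a first path component
    containing '.' or ':' or equal to 'localhost' is a registry, else Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return DOCKER_HUB

def evaluate_pod(policy: dict, pod: dict) -> dict:
    """Check one pod manifest. Enforce mode blocks on any violation; Audit mode
    only reports them. Pods in an excluded namespace are skipped entirely."""
    namespace = pod.get("metadata", {}).get("namespace", "default")
    if namespace in policy.get("excluded_namespaces", []):
        return {"blocked": False, "skipped": True, "violations": []}

    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    limits = policy.get("limit_privileges", {})
    violations = []
    # Limit container privileges: host namespace sharing is a pod-level setting
    for field in ("hostPID", "hostNetwork", "hostIPC"):
        if limits.get(field) and spec.get(field):
            violations.append(f"pod: {field} is not allowed")
    # Volumes blocked: match the volume name or its type (e.g. hostPath)
    blocked_volumes = set(policy.get("blocked_volumes", []))
    for vol in spec.get("volumes", []):
        vol_type = next((k for k in vol if k != "name"), None)
        if vol.get("name") in blocked_volumes or vol_type in blocked_volumes:
            violations.append(f"volume {vol.get('name')}: {vol_type} is blocked")

    allowed = policy.get("allowed_registries")  # None: Registries allowed disabled
    registered = set(policy.get("registered_images", []))
    blocked_caps = set(policy.get("blocked_capabilities", []))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        sc = c.get("securityContext", {})
        if allowed is not None and image_registry(image) not in allowed:
            violations.append(f"{name}: registry {image_registry(image)} is not allowed")
        # Block unregistered images: "registered" is modelled as exact references
        if policy.get("block_unregistered") and image not in registered:
            violations.append(f"{name}: image {image} is not registered")
        # Capabilities block: ALL forbids adding any capability at all
        added = set(sc.get("capabilities", {}).get("add", []))
        if "ALL" in blocked_caps and added:
            violations.append(f"{name}: adding capabilities is blocked")
        else:
            for cap in sorted(added & blocked_caps):
                violations.append(f"{name}: capability {cap} is blocked")
        # Limit container privileges: container-level securityContext settings
        if limits.get("privileged") and sc.get("privileged"):
            violations.append(f"{name}: privileged containers are not allowed")
        if limits.get("allowPrivilegeEscalation") and sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if limits.get("runAsNonRoot") and not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            violations.append(f"{name}: runAsNonRoot must be true")

    blocked = policy.get("mode") == "enforce" and bool(violations)
    return {"blocked": blocked, "skipped": False, "violations": violations}

POLICY = {  # constructed: Enforce mode, kube-system excluded from the scope
    "mode": "enforce",
    "excluded_namespaces": ["kube-system"],
    "block_unregistered": True,
    "registered_images": ["registry.example.com/shop/api:1.4.2"],
    "blocked_capabilities": ["NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE"],
    "limit_privileges": {k: True for k in ("privileged", "hostPID", "hostNetwork",
                                           "hostIPC", "allowPrivilegeEscalation", "runAsNonRoot")},
    "allowed_registries": ["registry.example.com"],
    "blocked_volumes": ["hostPath"],
}

HARDENED_POD = {  # constructed manifest that satisfies every section
    "metadata": {"name": "api", "namespace": "shop"},
    "spec": {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "api", "image": "registry.example.com/shop/api:1.4.2",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}],
             "volumes": [{"name": "tmp", "emptyDir": {}}]},
}

RISKY_POD = {  # constructed manifest that trips several sections at once
    "metadata": {"name": "debug", "namespace": "shop"},
    "spec": {"hostPID": True,
             "containers": [{"name": "debug", "image": "busybox:1.36",
                             "securityContext": {"privileged": True,
                                                 "capabilities": {"add": ["NET_ADMIN", "SYS_PTRACE"]}}}],
             "volumes": [{"name": "root", "hostPath": {"path": "/"}}]},
}

if __name__ == "__main__":
    for pod in (HARDENED_POD, RISKY_POD):
        print(pod["metadata"]["name"], evaluate_pod(POLICY, pod))
```

Running the script lists no violations for the hardened pod and nine for the risky one (host PID namespace, hostPath volume, a registry that is not in the allow list, an image that is not registered, two blocked capabilities, privileged mode, privilege escalation and a root user), and the risky pod is blocked only because the policy is in Enforce mode; switching "mode" to "audit" keeps the same findings but lets the pod start, and a pod in the excluded kube-system namespace is not evaluated at all.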

[Topic 260379]

Editing runtime policy settings

To change runtime control policy settings:

  1. In the Policies → Runtime policies section, click the policy name in the list of existing runtime policies.

    The policy settings editing window opens.

  2. If required, change the policy name.
  3. If required, add or edit the policy description.
  4. Make changes to the relevant sections of the policy:
    • Mode.
    • Scope.
    • Bypass criteria.
    • Best practice check.
    • Block non-compliant images.
    • Block unregistered images.
    • Capabilities block.
    • Limit container privileges.
    • Registries allowed.
    • Volumes blocked.
  5. Click Save.
[Topic 260380]