Kaspersky Container Security

Runtime policies

A runtime policy determines the actions that are taken by the solution when monitoring and controlling runtime operations of containers in accordance with the security policies. Kaspersky Container Security maintains control based on security threats detected in an image, the severity level of these threats, and the availability of .

Containers in the runtime may run from verified images or from images that are still unknown to the solution.

On the Policies tab, under Policies → Runtime policies, a table lists configured runtime policies.

You can use the list to do the following:

  • Add new policies. Click the Add policy button located above the table to open the policy settings window.
  • Change policy settings. You can open the editing window by clicking the policy name link.
  • Enable and disable policies. Policies are disabled and enabled by using the Disable/Enable toggle button in the Status column of the table containing the list of created policies.

    If you disable a policy, Kaspersky Container Security will not perform the actions specified in that policy.

  • Search for policies. To find a policy, use the search field above the list of runtime policies to specify the policy name or part of it.
  • Delete policies.

To work optimally, a runtime policy must be supplemented by runtime container profiles, which define the rules and restrictions for running containers in the runtime environment.

In this section

Creating a runtime policy

Editing runtime policy settings

[Topic 264620]

Creating a runtime policy

Rights to manage runtime policy settings are required to add a runtime policy in Kaspersky Container Security.

To add a runtime policy:

  1. Under Policies → Runtime policies, select the Policies tab.
  2. Click the Add policy button.

    The policy settings window opens.

  3. Enter a policy name and, if required, policy description.
  4. In the Scope field, select the scope for the runtime policy from the available options. Since runtime policies are only used for deployed and/or running containers, scopes containing resources across clusters can be selected.

    Scopes containing only registry resources are not available for selection. If necessary, you can specify individual images and pods for the runtime policy that you are creating in the Container runtime profiles section, as specified in step 11.

    If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

  5. If necessary, select the Exclusions check box to define exclusions to which the runtime policy will not be applied. To do so, select the relevant objects in the drop-down list, specify their names, and then click Add.

    Existing exclusions in the policy are checked when deploying a container.

  6. In the Mode section, select one of the following policy enforcement modes:
    • Audit. In this mode, the scan takes into account the contents of containers.
    • Enforce. In this mode, the solution blocks all objects that do not comply with the rules and criteria defined in the policy.
  7. In the Best practice check section, use the Disabled / Enabled toggle switch to activate the scan for compliance with best security practices. From the list of settings, select the scan settings that guarantee that the correct image is run and that the CPU and RAM usage settings are correctly configured.
  8. In the Block non-compliant images section, use the Disabled / Enabled toggle switch to prevent containers running from images that do not comply with the requirements. This check will be performed only for scanned images that are registered in the solution and have the Compliant status.
  9. In the Block unregistered images section, use the Disabled / Enabled toggle switch to block image deployment if the image is unknown to Kaspersky Container Security. To deploy the image, you must register it in the solution and wait for it to appear in the registry.
  10. In the Capabilities block section, use the Disabled / Enabled toggle switch to block the use of specified Unix functions. To do so, select specific system functions from the drop-down list. You can also lock the use of all Unix system functions by selecting ALL from the drop-down list.
  11. In the Container runtime profiles section, use the Disabled / Enabled toggle switch to block processes inside containers and network connections for pods. To do this, perform the following actions:
    1. In the drop-down list, select an attribute to define the pods that the container runtime profiles will be applied to.
    2. Depending on the selected attribute, do the following:
      • If you selected By pod labels, enter the pod label key and the pod label value.

        You can add additional pod labels for pod selection by clicking the Add label pair button.

      • If you selected Image URL template, enter the template for the web address of the image registry.

        If the cluster contains images from the public Docker Hub registry, the solution treats the full path and the short path to an image as equivalent. For example, if you specify the URL of the container image in the cluster as docker.io/library/ubuntu:focal, the solution accepts it equally as ubuntu:focal.

        You can add additional web addresses for pod selection by clicking the Add Image URL button.

    3. In the Container runtime profile field, specify one or more runtime profiles that will be applied to pods that match the attributes you defined.
    4. If necessary, you can add pods for mapping using the Add pod mapping button. Pods with different attributes or applied runtime profiles will be mapped under the same runtime policy.
  12. Under File Threat Protection, use the Disabled / Enabled toggle to activate File Threat Protection. It is used to find and analyze potential file threats, and provides security for containerized objects, such as archives and email files.

    When a runtime policy is applied with the File Threat Protection component enabled, Kaspersky Container Security activates real-time file threat protection on all nodes within the scopes defined for that policy. The configuration of the deployed agents depends on the settings that you specify for File Threat Protection. You can configure the File Threat Protection settings by clicking Settings in the Policies tab under Policies → Runtime policies.

    File Threat Protection settings are applied to all active runtime policies.

  13. In the Image content protection section, use the Disabled / Enabled toggle switch to enable verification of digital signatures that confirm the integrity and origin of images in the container. To do this, perform the following actions:
    1. In the Image registry URL template field, enter the template for the web address of the image registry in which you want to verify signatures.
    2. In the drop-down list, select Check to enable verification or Don't check to disable verification.
    3. In the drop-down list, select one of the configured image signature validators.
    4. If necessary, add signature verification rules by using the Add signature verification rule button. The solution will apply multiple signature verification rules under a single runtime policy.
  14. In the Limit container privileges section, use the Disabled / Enabled toggle switch to block the start of containers with a specific set of rights and permissions. In the list of settings, select the rights and permissions configuration to block pod settings.
  15. In the Registries allowed section, use the Disabled / Enabled toggle switch to allow deployment of containers in a cluster only from specific registries. To do so, select the relevant registries from the Registries drop-down list.
  16. In the Volumes blocked section, use the Disabled / Enabled toggle switch to prevent the selected volumes from being mounted in containers. To do this, specify the volume mount points on the host system in the Volumes field.

    Each value in the Volumes field must begin with a forward slash ("/") because it represents an absolute path in the host operating system.

  17. Click Save.

By default, the added policy is Enabled.
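The following block is an added illustrative model, not Kaspersky Container Security code, of how the checks described above can be expressed in working Python: the Docker Hub short-path/full-path equivalence and Image URL templates from step 11, pod selection by labels, and the Registries allowed, Capabilities block, Limit container privileges and Volumes blocked settings from steps 10 and 14 to 16, evaluated in Audit or Enforce mode. The glob-style `*` template syntax, the policy field names and the sample pod and policy are assumptions constructed for the example.

```python
"""Illustrative model of runtime policy checks (added example, not the product's code).

Assumptions: templates are glob patterns over the normalized image reference,
policy keys are invented for this example, and the sample pod/policy are constructed."""
import fnmatch


def normalize_image(ref: str) -> str:
    """Expand a Docker Hub short name to its full form, so that
    'ubuntu:focal' and 'docker.io/library/ubuntu:focal' compare equal.
    Registry is the first path component only if it looks like a host
    (contains '.' or ':' or is 'localhost'); otherwise it is docker.io."""
    domain, sep, rest = ref.partition("/")
    if not sep or ("." not in domain and ":" not in domain and domain != "localhost"):
        domain, rest = "docker.io", ref
    if domain == "docker.io" and "/" not in rest:
        rest = "library/" + rest          # official images live under library/
    last = rest.rsplit("/", 1)[-1]
    if "@" not in last and ":" not in last:
        rest += ":latest"                 # no tag and no digest: implicit latest
    return f"{domain}/{rest}"


def registry_of(ref: str) -> str:
    """Registry host of a (possibly short) image reference."""
    return normalize_image(ref).split("/", 1)[0]


def matches_template(ref: str, template: str) -> bool:
    """Glob-style match of a template against the normalized reference (assumed syntax)."""
    return fnmatch.fnmatchcase(normalize_image(ref), template)


def pod_selected(pod: dict, selector: dict) -> bool:
    """Pod mapping: by pod labels (all pairs must match) or by Image URL templates."""
    labels = pod.get("metadata", {}).get("labels", {})
    if "labels" in selector:
        return all(labels.get(k) == v for k, v in selector["labels"].items())
    images = [c["image"] for c in pod["spec"]["containers"]]
    return any(matches_template(i, t) for i in images for t in selector.get("image_templates", []))


def validate_volume_paths(paths: list) -> list:
    """Volumes blocked entries must be absolute host paths (start with '/')."""
    bad = [p for p in paths if not p.startswith("/")]
    if bad:
        raise ValueError(f"volume paths must start with '/': {bad}")
    return [p.rstrip("/") or "/" for p in paths]


def evaluate_pod(pod: dict, policy: dict) -> dict:
    """Collect violations; block only when the policy mode is Enforce."""
    violations = []
    allowed = set(policy.get("registries_allowed", []))
    blocked_caps = set(policy.get("capabilities_block", []))
    for c in pod["spec"]["containers"]:
        image = normalize_image(c["image"])
        if allowed and registry_of(image) not in allowed:
            violations.append(f"{c['name']}: {image} is not from an allowed registry")
        sc = c.get("securityContext", {})
        caps = set(sc.get("capabilities", {}).get("add", []))
        hit = caps if "ALL" in blocked_caps else caps & blocked_caps
        violations += [f"{c['name']}: capability {cap} is blocked" for cap in sorted(hit)]
        if policy.get("block_privileged") and sc.get("privileged"):
            violations.append(f"{c['name']}: privileged containers are blocked")
    for v in pod["spec"].get("volumes", []):
        hp = v.get("hostPath", {}).get("path")
        if hp and any(hp == b or hp.startswith(b.rstrip("/") + "/")
                      for b in policy.get("volumes_blocked", [])):
            violations.append(f"volume {v['name']}: hostPath {hp} is blocked")
    return {"violations": violations,
            "blocked": bool(violations) and policy.get("mode") == "Enforce"}


# Constructed sample pod and policy (not real workloads or product settings).
SAMPLE_POD = {
    "metadata": {"name": "demo", "labels": {"app": "demo"}},
    "spec": {
        "containers": [
            {"name": "web", "image": "ubuntu:focal",
             "securityContext": {"privileged": True,
                                 "capabilities": {"add": ["NET_ADMIN", "CHOWN"]}}},
            {"name": "sidecar", "image": "registry.example.com/team/agent:2.1"},
        ],
        "volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}
SAMPLE_POLICY = {
    "mode": "Enforce",
    "registries_allowed": ["registry.example.com"],
    "capabilities_block": ["NET_ADMIN", "SYS_ADMIN"],
    "block_privileged": True,
    "volumes_blocked": validate_volume_paths(["/var/run", "/proc"]),
}

if __name__ == "__main__":
    for line in evaluate_pod(SAMPLE_POD, SAMPLE_POLICY)["violations"]:
        print(line)
```

Switching the sample policy's mode to Audit yields the same four findings but `blocked` stays False, which mirrors the difference between the two enforcement modes: Audit records, Enforce prevents.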

[Topic 271400]

Editing runtime policy settings

You can edit the runtime policy settings in Kaspersky Container Security if your account has been assigned at least one role that the policy's creator had at the time of the policy's creation.

To change runtime policy settings:

  1. In the Policies → Runtime policies → Policies section, click the policy name in the list of existing runtime policies.

    The policy settings window opens.

  2. Change the policy name.
  3. Add or edit the policy description.
  4. Make changes to the relevant sections of the policy:
    • Mode.
    • Scope of application.
    • Bypass criteria.
    • Best practice check.
    • Block non-compliant images.
    • Block unregistered images.
    • Capabilities block.
    • Container runtime profiles.
    • File threat protection.
    • Image content protection.
    • Limit container privileges.
    • Registries allowed.
    • Blocking volumes.
  5. Click Save.
[Topic 271919]