Creating a runtime policy
Rights to manage runtime policy settings are required to add a runtime policy in Kaspersky Container Security.
To add a runtime policy:
- Under Policies → Runtime policies, select the Policies tab.
- Click the Add policy button.
The policy settings window opens.
- If necessary, use the Disabled / Enabled switch to set the policy status. By default, the added policy is Enabled.
- Enter a policy name and, if required, a policy description.
- In the Scope field, select the scope for the runtime policy from the available options. Because runtime policies apply only to deployed and running containers, you can select only scopes that contain cluster resources.
Scopes that contain only registry resources are not available for selection. If necessary, you can specify individual images and pods for the runtime policy you are creating in the Container runtime profiles section, as described in step 11.
If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.
- In the Mode section, select one of the following policy enforcement modes:
- Audit. In this mode, the solution checks containers against the rules and criteria defined in the policy and records the results, but does not block objects.
- Enforce. In this mode, the solution blocks all objects that do not comply with the rules and criteria defined in the policy.
If a scope includes an object that is subject to both a runtime policy in Audit mode and a runtime policy in Enforce mode, all actions specified in the runtime policies are applied in Enforce mode.
- On the Admission controller tab, configure the following settings:
- In the Best practice check section, use the Disabled / Enabled toggle switch to activate the check for compliance with security best practices. From the list of settings, select the checks that verify that the correct image is run and that CPU and RAM usage limits are configured.
- In the Block non-compliant images section, use the Disabled / Enabled toggle switch to prevent containers from running from images that do not comply with the requirements. This check applies only to images that have been scanned and registered in the solution and therefore have a known compliance status; images unknown to the solution are handled by the Block unregistered images setting.
- In the Block unregistered images section, use the Disabled / Enabled toggle switch to block image deployment if the image is unknown to Kaspersky Container Security. To deploy the image, you must register it in the solution and wait for it to appear in the registry.
- In the Dynamic Admission Controller bypass criteria section, use the Disabled / Enabled switch to define the exclusions to which the runtime policy will not be applied. To do so, select the relevant object types in the drop-down list, specify their names, and then click Add.
The exclusions defined in the policy are evaluated when a container is deployed.
- In the Capabilities block section, use the Disabled / Enabled toggle switch to block containers that request the specified Linux capabilities. To do so, select specific capabilities from the drop-down list. You can also block the use of all capabilities by selecting ALL from the drop-down list.
- In the Image content protection section, use the Disabled / Enabled toggle switch to enable verification of the digital signatures that confirm the integrity and origin of container images. To do this, perform the following actions:
- In the Image registry URL template field, enter the template for the web address of the image registry in which you want to verify signatures.
- In the drop-down list, select Check to enable verification or Don't check to disable verification.
- In the drop-down list, select one of the configured image signature validators.
- If necessary, add signature verification rules by using the Add signature verification rule button. The solution will apply multiple signature verification rules under a single runtime policy.
- In the Limit container privileges section, use the Disabled / Enabled toggle switch to block the start of containers that request a specific set of rights and permissions. In the list of settings, select which privilege settings in a pod specification cause the pod to be blocked.
- In the Registries allowed section, use the Disabled / Enabled toggle switch to allow deployment of containers in a cluster only from specific registries. To do so, select the relevant registries from the Registries drop-down list.
- In the Volumes blocked section, use the Disabled / Enabled toggle switch to prevent the selected volumes from being mounted in containers. To do this, specify the volume mount points on the host system in the Volumes field.
Each value in the Volumes field must begin with a forward slash ("/"), because it is an absolute path in the host operating system.
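As an added example (not Kaspersky Container Security code), the following Python sketch shows what the Admission controller settings above evaluate when a pod is submitted for deployment: unregistered and non-compliant images, allowed registries, privileged containers, blocked capabilities (including ALL), blocked host volumes, and a bypass criterion, in Audit versus Enforce mode. The policy field names, the image inventory and the pod manifest are constructed for the example; only the registry-parsing rule (the first path component is a registry host only if it contains "." or ":" or is "localhost") is the real Docker naming convention.

```python
from dataclasses import dataclass, field


@dataclass
class AdmissionPolicy:
    """Settings that mirror the Admission controller tab (field names are assumptions)."""
    block_unregistered_images: bool = True
    block_noncompliant_images: bool = True
    block_privileged: bool = True
    blocked_capabilities: set = field(default_factory=set)  # {"ALL"} blocks every capability
    allowed_registries: set = field(default_factory=set)    # empty = no registry restriction
    blocked_volumes: set = field(default_factory=set)       # host paths, each must start with "/"
    bypass_namespaces: set = field(default_factory=set)     # Dynamic Admission Controller bypass

    def __post_init__(self):
        # The Volumes field must hold absolute host paths, as the UI requires
        for path in self.blocked_volumes:
            if not path.startswith("/"):
                raise ValueError(f"blocked volume {path!r} must start with '/'")


# Constructed stand-in for the solution's image inventory: reference -> compliance status
REGISTERED_IMAGES = {
    "registry.example.com/app/web:1.4": "Compliant",
    "registry.example.com/app/worker:0.9": "Non-compliant",
}


def registry_of(image_ref: str) -> str:
    """Registry host of an image reference, using the Docker naming rule: the first
    path component is a registry only if it contains '.' or ':' or is 'localhost'."""
    first = image_ref.split("/", 1)[0]
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def evaluate_pod(pod: dict, policy: AdmissionPolicy) -> list:
    """Return the list of policy violations; an empty list means the pod passes."""
    namespace = pod.get("metadata", {}).get("namespace", "default")
    if namespace in policy.bypass_namespaces:
        return []  # bypass criteria matched: the policy is not applied at all
    violations = []
    for vol in pod["spec"].get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path in policy.blocked_volumes:
            violations.append(f"volume {vol['name']}: hostPath {path} is blocked")
    for c in pod["spec"]["containers"]:
        image, name = c["image"], c["name"]
        status = REGISTERED_IMAGES.get(image)
        if status is None:
            if policy.block_unregistered_images:
                violations.append(f"{name}: image {image} is not registered")
        elif status != "Compliant" and policy.block_noncompliant_images:
            violations.append(f"{name}: image {image} is {status}")
        if policy.allowed_registries and registry_of(image) not in policy.allowed_registries:
            violations.append(f"{name}: registry {registry_of(image)} is not allowed")
        sc = c.get("securityContext", {})
        if policy.block_privileged and sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        added = set(sc.get("capabilities", {}).get("add", []))
        hit = added if "ALL" in policy.blocked_capabilities else added & policy.blocked_capabilities
        for cap in sorted(hit):
            violations.append(f"{name}: capability {cap} is blocked")
    return violations


def decide(pod: dict, policy: AdmissionPolicy, mode: str = "Enforce"):
    """Audit mode records violations but admits the pod; Enforce rejects it."""
    violations = evaluate_pod(pod, policy)
    admitted = mode == "Audit" or not violations
    return admitted, violations


# Constructed pod manifest (as a dict) with one clean container and one risky one
SAMPLE_POD = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [
            {"name": "web", "image": "registry.example.com/app/web:1.4",
             "securityContext": {"capabilities": {"add": ["NET_BIND_SERVICE"]}}},
            {"name": "debug", "image": "busybox:1.36",
             "securityContext": {"privileged": True,
                                 "capabilities": {"add": ["SYS_ADMIN", "NET_ADMIN"]}}},
        ],
    },
}
POLICY = AdmissionPolicy(
    blocked_capabilities={"SYS_ADMIN"},
    allowed_registries={"registry.example.com"},
    blocked_volumes={"/var/run/docker.sock"},
)

if __name__ == "__main__":
    for mode in ("Audit", "Enforce"):
        admitted, found = decide(SAMPLE_POD, POLICY, mode)
        print(mode, "admitted" if admitted else "blocked", found)
```

Run as is, the sample pod produces five violations (the blocked host socket, and four on the debug container: unregistered image, Docker Hub not in the allowed registries, privileged mode and SYS_ADMIN); in Audit mode the pod is still admitted, in Enforce mode it is rejected. Note that the unregistered busybox image is not tested for compliance at all, which is why the two image settings are separate switches.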
- On the Container runtime tab, configure the following settings:
- In the Container runtime profiles section, use the Disabled / Enabled toggle switch to block processes inside containers and network connections for pods. To do this, perform the following actions:
- In the drop-down list, select an attribute to define the pods that the container runtime profiles will be applied to.
- Depending on the selected attribute, do the following:
- If you selected By pod labels, enter the pod label key and the pod label value.
You can add additional pod labels for pod selection by clicking the Add label pair button.
- If you selected Image URL template, enter the template for the web address of the image registry.
If the cluster contains images from the public Docker Hub registry, the solution treats the full path and the short path to an image as equivalent. For example, if the container image in the cluster is specified as docker.io/library/ubuntu:focal, the solution also accepts it as ubuntu:focal.
You can add additional web addresses for pod selection by clicking the Add Image URL button.
- If you selected Image digest, enter the image digest created using the SHA256 hash algorithm. You can specify the image digest with or without the sha256 prefix (for example, sha256:ef957...eb43 or ef957...eb43).
You can add additional image digests to select pods by clicking the Add image digest button.
- In the Container runtime profile field, specify one or more runtime profiles that will be applied to pods that match the attributes you defined.
- If necessary, you can add further pod mappings by using the Add pod mapping button. Pods with different selection attributes or different applied runtime profiles can be mapped under the same runtime policy.
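The following Python sketch is an added example (not Kaspersky Container Security code) of how the three pod-selection attributes above can be matched, including the two edge cases the steps call out: the Docker Hub short path and full path being treated as equivalent, and the image digest being accepted with or without the sha256: prefix. The mapping structure, the glob-style "*" wildcard in the Image URL template, the digest value and the pod manifest are constructed assumptions.

```python
from fnmatch import fnmatch


def normalize_image_ref(ref: str) -> str:
    """Expand Docker Hub short names so that ubuntu:focal and docker.io/library/ubuntu:focal
    compare equal. Any @digest suffix is dropped here; digests are matched separately."""
    name = ref.split("@", 1)[0]
    first = name.split("/", 1)[0]
    if "/" not in name or not ("." in first or ":" in first or first == "localhost"):
        name = "docker.io/" + name  # no registry host given: it is Docker Hub
    if name.startswith("docker.io/") and name.count("/") == 1:
        name = "docker.io/library/" + name[len("docker.io/"):]  # official image namespace
    return name


def normalize_digest(digest: str) -> str:
    """Accept the digest with or without the sha256: prefix, as the UI does
    (lower-casing is an extra tolerance added in this example)."""
    digest = digest.strip().lower()
    return digest[len("sha256:"):] if digest.startswith("sha256:") else digest


def image_digest(ref: str) -> str:
    """Digest pinned in an image reference (the part after '@'), or '' if none."""
    return normalize_digest(ref.split("@", 1)[1]) if "@" in ref else ""


def image_url_matches(template: str, ref: str) -> bool:
    """Glob-style template match ('*' wildcard) after normalizing both sides.
    The wildcard syntax is an assumption; the page only calls it a template."""
    return fnmatch(normalize_image_ref(ref), normalize_image_ref(template))


def profiles_for_pod(pod: dict, mappings: list) -> list:
    """Collect the runtime profiles of every mapping whose attribute selects the pod."""
    labels = pod.get("metadata", {}).get("labels", {})
    containers = pod["spec"]["containers"]
    selected = []
    for m in mappings:
        if m["by"] == "pod_labels":  # every key/value pair must be present on the pod
            hit = all(labels.get(k) == v for k, v in m["labels"].items())
        elif m["by"] == "image_url":
            hit = any(image_url_matches(t, c["image"]) for t in m["templates"] for c in containers)
        elif m["by"] == "image_digest":
            wanted = {normalize_digest(d) for d in m["digests"]}
            hit = any(image_digest(c["image"]) in wanted for c in containers)
        else:
            raise ValueError(f"unknown selection attribute {m['by']!r}")
        if hit:
            selected.extend(p for p in m["profiles"] if p not in selected)
    return selected


DIGEST = "0123456789abcdef" * 4  # constructed placeholder, not a real image digest

# Constructed pod: one digest-pinned image from a private registry, one Docker Hub short name
SAMPLE_POD = {
    "metadata": {"name": "web-7d9f", "labels": {"app": "web", "tier": "frontend"}},
    "spec": {"containers": [
        {"name": "web", "image": f"registry.example.com/app/web@sha256:{DIGEST}"},
        {"name": "sidecar", "image": "ubuntu:focal"},
    ]},
}

# Constructed mappings: one per selection attribute, each naming the profiles to apply
MAPPINGS = [
    {"by": "pod_labels", "labels": {"app": "web"}, "profiles": ["web-baseline"]},
    {"by": "image_url", "templates": ["docker.io/library/ubuntu:*"], "profiles": ["ubuntu-hardening"]},
    {"by": "image_digest", "digests": [DIGEST], "profiles": ["pinned-web"]},  # no sha256: prefix
]

if __name__ == "__main__":
    print(profiles_for_pod(SAMPLE_POD, MAPPINGS))
```

The short-name sidecar matches the fully qualified docker.io/library/ubuntu:* template only because both sides are normalized first; matching raw strings would silently miss it, which is the failure mode the note about Docker Hub paths warns about.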
- In the Container autoprofiles section, use the Disabled / Enabled switch to activate scanning of containers in the specified scope using the autoprofiles associated with images in these containers.
You can view all autoprofiles included in the scope by clicking the Show autoprofiles attributed to the scope link. In the sidebar that opens, the solution shows a table with a list of autoprofiles. For each autoprofile, its name, date and time of the last modification, as well as the image associated with the autoprofile are displayed.
- Click the Add button.