Views:
Cluster-managed policies should include deployment and continuous rules, exceptions for admission evaluation with exceptions, and the toggle for XDR features, including telemetry, with xdrEnabled. Use the following information to create your policy for cluster-managed policies.

rules

Rules include an array of deployment and continuous rules. For each rule, you can specify the following:
  • type: Type of policy rule. See the table of policy rule types below.
  • action: Deployment action to take when a rule fails during admission control. Use either log or block.
  • mitigation: Mitigation action to take when a rule fails during continuous oversight. Use one of the following: log, terminate, or isolate
    Note
    Note
    If the action is block, the mitigation can only be terminate or isolate.
  • properties: The rule properties object that specifies additional properties for the rule type. See the table of policy rule types below for more details on the required properties.
  • namespaces: A list of namespaces where the rule is applied. Exceptions are applied to all namespaces by default.

exceptions

For each policy exception rule, you can specify the following:
  • type: Type of exception. Supported types include:
    • imageRegistry
    • imageName
    • imageTag
    • imagePath
  • properties: Properties for each exception that must specify the operator and values.
    • operator: Conditional operator to apply to the exception values, including equals, notEquals, contains and notContains.
    • values: A list of string values to match the exception type.
  • namespaces: A list of namespaces where the rule is applied. Exceptions are applied to all namespaces by default.

xdrEnabled

Include xdrEnabled to access XDR telemetry and resources.

Policy rule types

Rule type Description Rule properties (required)
hostIPC
Pods that do not generally permit containers to run with the hostIPC flag set to true
N/A
hostNetwork
Pods that do not generally permit containers to run with the hostNetwork flag set to true
N/A
hostPID
Pods that do not generally permit containers to run with the hostPID flag set to true
N/A
runAsNonRoot
Pods with containers that can run as root due to runAsNonRoot setting not being used
N/A
privileged
Containers that run with the securityContext.privileged flag set to true
N/A
allowPrivilegeEscalation
Containers that run with the allowPrivilegeEscalation flag set to true
N/A
readOnlyRootFilesystem
Containers that allow writing to the root filesystem where the readOnlyRootFilesystem flag set to false
N/A
podPortForward
Attempts to create a port-forward on a running kubernetes pod
N/A
podExec
Attempts to execute in/attach to a running kubernetes pod
N/A
containerCapabilities
Containers with capabilities that do not conform with the capability restriction
capabilityRestriction: Type of container capability restriction to enforce
Supported values:
  • restrict-nondefaults
  • restrict-all
  • baseline
  • restricted
imageRegistry
Containers running images that match registries
  • operator: Conditional operator to apply to values
    Supported values:
    • equals
    • notEquals
    • contains
    • notContains
    • startsWith
  • values: An array of string values to match for the rule type
imageName
Containers running images that match the path after the registry and before the tag
Example: http://example.com/org/image:latest
  • operator: Conditional operator to apply to values
    Supported values:
    • equals
    • notEquals
    • contains
    • notContains
    • startsWith
  • values: An array of string values to match for the rule type
imageTag
Containers running images that match tags
  • operator: Conditional operator to apply to values
    Supported values:
    • equals
    • notEquals
    • contains
    • notContains
    • startsWith
  • values: An array of string values to match for the rule type
imagePath
Containers running images that match the path from the registry to the tag
Example: example.com/org/image:latest
  • operator: Conditional operator to apply to values
    Supported values:
    • equals
    • notEquals
    • contains
    • notContains
    • startsWith
  • values: An array of string values to match for the rule type
imagesNotScanned
Images that have not been scanned for vulnerabilities, malware, or secrets in the last number of days selected
  • scanType: Type of artifact scan
    Supported values:
    • vulnerability
    • malware
    • secret
  • maxScanAge: Maximum age of the scan result in days (integer value between 0 and 35 days)
imagesWithMalware
Images that contain malware
N/A
imagesWithSecrets
Images that contain secrets
N/A
imagesWithVulnerabilities
Images with vulnerabilities that include a minimum severity
severity: Severity of the vulnerability
Supported values:
  • critical
  • high
  • medium
  • low
  • any
imagesWithCVSSAttackVector
Images with vulnerabilities that meet the defined CVSS attack vector and minimum severity
  • severity: Severity of the vulnerability
    Supported values:
    • critical
    • high
    • medium
    • low
    • any
  • attackVector: CVSS attack vector
    • network
    • physical
    • adjacent
imagesWithCVSSAttackComplexity
Images with vulnerabilities that meet the defined CVSS attack complexity and minimum severity
  • severity: Severity of the vulnerability
    Supported values:
    • critical
    • high
    • medium
    • low
    • any
  • attackComplexity: CVSS attack complexity
    Supported values:
    • low
    • high
imagesWithCVSSAvailabilityImpact
Images with vulnerabilities that meet the defined CVSS availability impact and minimum severity
  • severity: Severity of the vulnerability
    Supported values:
    • critical
    • high
    • medium
    • low
    • any
  • availabilityImpact: CVSS availability impact
    Supported values:
    • low
    • high