Use the following commands and examples to create the cluster policy and runtime ruleset
custom resources for your cluster-managed policies in Container Security.
Cluster-managed policies are not enabled by default. To enable this policy type, add
the following to your overrides.yaml file:
visionOne:
  policyOperator:
    enabled: true
    clusterPolicyName: <name of your policy custom resource>
Apply policy to cluster
For information on the rules, exceptions, and XDR enablement resources that you can
apply to your cluster-managed policy, see Custom resources for cluster-managed policies.
Use the following command to apply your policy to a cluster:
kubectl apply -f policy.yaml
Note: Your file does not have to be named policy.yaml.
Note: The cluster policy custom resource name (metadata.name) must match the
clusterPolicyName specified in your values or overrides.yaml file.
The following is an example of a cluster-managed policy file:
apiVersion: container-security.trendmicro.com/v1alpha1
kind: ClusterPolicy
metadata:
  name: trendmicro-cluster-policy
spec:
  xdrEnabled: true
  rules:
    # Pod properties
    - type: hostNetwork
      action: log
      mitigation: log
    - type: hostIPC
      action: log
      mitigation: log
    - type: hostPID
      action: log
      mitigation: log
    # Container properties
    - type: runAsNonRoot
      action: log
      mitigation: log
    - type: privileged
      action: log
      mitigation: log
    - type: allowPrivilegeEscalation
      action: log
      mitigation: log
    - type: readOnlyRootFilesystem
      action: log
      mitigation: log
    - type: containerCapabilities
      properties:
        capabilityRestriction: baseline
      action: log
      mitigation: log
    # Image properties
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry
      action: log
      mitigation: log
    - type: imageName
      properties:
        operator: startsWith
        values:
          - nginx
          - alpine
      action: log
      mitigation: log
    - type: imageTag
      properties:
        operator: notEquals
        values:
          - latest
      action: log
      mitigation: log
    - type: imagePath
      properties:
        operator: contains
        values:
          - example.com/org/repo
          - example.com/image
      action: log
      mitigation: log
    # Unscanned images
    - type: imagesNotScanned
      properties:
        scanType: vulnerability
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: malware
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: secret
        maxScanAge: 30
      action: log
      mitigation: log
    # Artifact Scanner scan results
    - type: imagesWithMalware
      action: log
      mitigation: log
    - type: imagesWithSecrets
      action: log
      mitigation: log
    - type: imagesWithVulnerabilities
      properties:
        severity: critical
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackVector
      properties:
        attackVector: network
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackComplexity
      properties:
        attackComplexity: high
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAvailabilityImpact
      properties:
        availabilityImpact: low
        severity: high
      action: log
      mitigation: log
    # kubectl access
    - type: podExec
      action: log
      mitigation: log
    - type: podPortForward
      action: log
      mitigation: log
  # Exceptions
  exceptions:
    - type: imageName
      properties:
        operator: equals
        values:
          - sampleImage
      namespaces: # omit this field to apply the exception to all namespaces
        - sample-namespace
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry
Custom resource ruleset
The RuntimeRuleset defines the rules for runtime security. These Falco rules are
managed by Trend Micro and are referenced by their ruleID. The RuntimeRuleset spec
contains the runtime definition with two fields, labels and rules:
labels: An array of pod labels; the rules are applied to the pods selected by these
labels. Without labels, the rules are applied to all pods.
- key: Label key.
- value: Label value.
rules: An array of rule IDs and the mitigation to apply when the rule is triggered.
- ruleID: The Trend Micro runtime rule ID, in the form TM-{8 digit id} (example:
TM-00000001). View the list of available, predefined rules.
- mitigation: The action taken when a rule is matched. Use log, isolate, or terminate.
Use the following command to apply the runtime ruleset:
kubectl apply -f runtimeruleset.yaml
Note: Your file does not have to be named runtimeruleset.yaml.
The following is an example of a runtime ruleset file:
apiVersion: container-security.trendmicro.com/v1alpha1
kind: RuntimeRuleset
metadata:
  labels:
    app.kubernetes.io/name: init
    app.kubernetes.io/managed-by: kustomize
  name: trendmicro-ruleset-sample
spec:
  definition:
    labels:
      - key: "app"
        value: "nginx"
    rules:
      - ruleID: TM-00000001
        mitigation: log
      - ruleID: TM-00000002
        mitigation: log
      - ruleID: TM-00000003
        mitigation: isolate
      - ruleID: TM-00000004
        mitigation: terminate
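Two of the requirements on this page are easy to get wrong silently: the ClusterPolicy's metadata.name must equal the clusterPolicyName in overrides.yaml, and every RuntimeRuleset entry needs a ruleID of the form TM- plus eight digits with a mitigation of log, isolate, or terminate. The following script is an added example written for this page, not Trend Micro's tooling, that checks both before kubectl apply runs. It assumes the file names and layout used above (overrides.yaml, policy.yaml, runtimeruleset.yaml) and only needs sh, sed, awk, and grep; the sample files it writes to a temporary directory are constructed here and mirror the page's examples, with one deliberately broken ruleset.

```shell
#!/bin/sh
# Pre-apply checks for the custom resources on this page. Added example, not Trend Micro
# tooling; it assumes the file layout used above and needs only sh, sed, awk and grep.
set -u

# clusterPolicyName from overrides.yaml (first occurrence, quotes stripped).
overrides_policy_name() {
  sed -n 's/^[[:space:]]*clusterPolicyName:[[:space:]]*//p' "$1" | head -n 1 | tr -d '"'
}

# metadata.name of a custom resource: the first "name:" key inside the metadata block.
cr_name() {
  awk '
    /^metadata:/                    { in_meta = 1; next }
    in_meta && /^[^[:space:]]/      { in_meta = 0 }
    in_meta && /^[[:space:]]*name:/ {
      sub(/^[[:space:]]*name:[[:space:]]*/, ""); gsub(/"/, ""); print; exit
    }' "$1"
}

# The CR name must equal clusterPolicyName, otherwise the operator is configured for a different policy.
check_policy_name() {   # $1 = overrides.yaml, $2 = ClusterPolicy file
  want=$(overrides_policy_name "$1")
  have=$(cr_name "$2")
  if [ -z "$want" ]; then
    echo "FAIL: no clusterPolicyName in $1; is visionOne.policyOperator configured?"; return 1
  fi
  if [ "$want" != "$have" ]; then
    echo "FAIL: overrides clusterPolicyName='$want' but CR metadata.name='$have'"; return 1
  fi
  echo "OK: policy name '$have' matches"
}

# Every ruleID must be TM- plus 8 digits; every mitigation must be log, isolate or terminate.
check_ruleset() {       # $1 = RuntimeRuleset file
  bad_ids=$(sed -n 's/^[[:space:]]*-*[[:space:]]*ruleID:[[:space:]]*//p' "$1" \
            | grep -Ev '^TM-[0-9]{8}$' || true)
  bad_mit=$(sed -n 's/^[[:space:]]*-*[[:space:]]*mitigation:[[:space:]]*//p' "$1" \
            | grep -Ev '^(log|isolate|terminate)$' || true)
  rc=0
  [ -n "$bad_ids" ] && { echo "FAIL: malformed ruleID(s) in $1: $bad_ids"; rc=1; }
  [ -n "$bad_mit" ] && { echo "FAIL: unknown mitigation(s) in $1: $bad_mit"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: ruleset $1 is well-formed"
  return "$rc"
}

# Constructed sample files mirroring the page's examples; the "-bad" ruleset is deliberately wrong.
TMP=$(mktemp -d)
cat > "$TMP/overrides.yaml" <<'EOF'
visionOne:
  policyOperator:
    enabled: true
    clusterPolicyName: trendmicro-cluster-policy
EOF
cat > "$TMP/policy.yaml" <<'EOF'
apiVersion: container-security.trendmicro.com/v1alpha1
kind: ClusterPolicy
metadata:
  name: trendmicro-cluster-policy
spec:
  xdrEnabled: true
  rules:
    - type: hostNetwork
      action: log
      mitigation: log
EOF
sed 's/^  name: .*/  name: my-policy/' "$TMP/policy.yaml" > "$TMP/policy-renamed.yaml"
cat > "$TMP/runtimeruleset.yaml" <<'EOF'
apiVersion: container-security.trendmicro.com/v1alpha1
kind: RuntimeRuleset
metadata:
  labels:
    app.kubernetes.io/name: init
  name: trendmicro-ruleset-sample
spec:
  definition:
    rules:
      - ruleID: TM-00000001
        mitigation: log
      - ruleID: TM-00000004
        mitigation: terminate
EOF
sed -e 's/TM-00000001/TM-0001/' -e 's/terminate/block/' "$TMP/runtimeruleset.yaml" \
    > "$TMP/runtimeruleset-bad.yaml"

# Gate the apply on the checks (kubectl line left commented so this runs offline).
check_policy_name "$TMP/overrides.yaml" "$TMP/policy.yaml"
check_policy_name "$TMP/overrides.yaml" "$TMP/policy-renamed.yaml" || echo "(expected failure)"
check_ruleset "$TMP/runtimeruleset.yaml"
check_ruleset "$TMP/runtimeruleset-bad.yaml" || echo "(expected failure)"
# kubectl apply -f "$TMP/policy.yaml" && kubectl apply -f "$TMP/runtimeruleset.yaml"
```

In a real pipeline, replace the constructed files with your own paths and uncomment the kubectl line; because both check functions return non-zero on failure, a plain && chain is enough to stop a mismatched policy name or a malformed ruleset from reaching the cluster.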
