Use the following commands and examples to create the cluster policy and runtime ruleset custom resources for your cluster-managed policy in the Container Inventory.
Cluster-managed policies are not enabled by default. To enable this policy type, add the following to your overrides.yaml file:
cloudOne:
  policyOperator:
    enabled: true
    clusterPolicyName: <name of your policy custom resource>
Apply a policy to the cluster
For information about the rules, exceptions and XDR-enablement resources that you can apply to a cluster-managed policy, see Custom resources for cluster-managed policies.
Use the following command to apply your policy to the cluster:
Note: Your file does not have to be named policy.yaml.
kubectl apply -f policy.yaml
Note: The cluster policy custom resource name (metadata.name) must match the clusterPolicyName specified in your values or overrides.yaml file.
The following is an example policy file for a cluster-managed policy:
apiVersion: visionone.trendmicro.com/v1alpha1
kind: ClusterPolicy
metadata:
  name: trendmicro-cluster-policy
spec:
  xdrEnabled: true
  rules:
    # Pod properties
    - type: hostNetwork
      action: log
      mitigation: log
    - type: hostIPC
      action: log
      mitigation: log
    - type: hostPID
      action: log
      mitigation: log
    # Container properties
    - type: runAsNonRoot
      action: log
      mitigation: log
    - type: privileged
      action: log
      mitigation: log
    - type: allowPrivilegeEscalation
      action: log
      mitigation: log
    - type: readOnlyRootFilesystem
      action: log
      mitigation: log
    - type: containerCapabilities
      properties:
        capabilityRestriction: baseline
      action: log
      mitigation: log
    # Image properties
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry
      action: log
      mitigation: log
    - type: imageName
      properties:
        operator: startsWith
        values:
          - nginx
          - alpine
      action: log
      mitigation: log
    - type: imageTag
      properties:
        operator: notEquals
        values:
          - latest
      action: log
      mitigation: log
    - type: imagePath
      properties:
        operator: contains
        values:
          - example.com/org/repo
          - example.com/image
      action: log
      mitigation: log
    # Unscanned images
    - type: imagesNotScanned
      properties:
        scanType: vulnerability
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: malware
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: secret
        maxScanAge: 30
      action: log
      mitigation: log
    # Artifact Scanner scan results
    - type: imagesWithMalware
      action: log
      mitigation: log
    - type: imagesWithSecrets
      action: log
      mitigation: log
    - type: imagesWithVulnerabilities
      properties:
        severity: critical
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackVector
      properties:
        attackVector: network
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackComplexity
      properties:
        attackComplexity: high
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAvailabilityImpact
      properties:
        availabilityImpact: low
        severity: high
      action: log
      mitigation: log
    # Kubectl access
    - type: podExec
      action: log
      mitigation: log
    - type: podPortForward
      action: log
      mitigation: log
  # Exceptions
  exceptions:
    - type: imageName
      properties:
        operator: equals
        values:
          - sampleImage
      namespaces: # omit to apply to all namespaces
        - sample-namespace
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry
Ruleset custom resource
The Runtime Ruleset defines the rules for runtime security. These Falco rules are managed by Trend Micro and are referenced by ruleID.
The RuntimeRuleset spec contains a runtime definition with two fields: labels and rules.
labels: A set of Pod labels used as a label selector to decide which Pods the rules apply to. If no labels are given, the rules apply to all Pods.
- key: The label key.
- value: The label value.
rules: A set of rule IDs and the mitigation to apply when a rule is triggered.
- ruleID: A Trend Micro runtime rule ID of the form TM-{8 digit id} (for example, TM-00000001). See the list of available predefined rules.
- mitigation: The mitigation action taken when the rule matches. Use log, isolate, or terminate.
Use the following command to apply the runtime ruleset:
Note: Your file does not have to be named runtimeruleset.yaml.
kubectl apply -f runtimeruleset.yaml
The following is an example runtime ruleset file:
apiVersion: visionone.trendmicro.com/v1alpha1
kind: RuntimeRuleset
metadata:
  labels:
    app.kubernetes.io/name: init
    app.kubernetes.io/managed-by: kustomize
  name: trendmicro-ruleset-sample
spec:
  definition:
    labels:
      - key: "app"
        value: "nginx"
    rules:
      - ruleID: TM-00000001
        mitigation: log
      - ruleID: TM-00000002
        mitigation: log
      - ruleID: TM-00000003
        mitigation: isolate
      - ruleID: TM-00000004
        mitigation: terminate
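The two notes above (the ClusterPolicy name must match clusterPolicyName in overrides.yaml, and each RuntimeRuleset rule needs a TM-{8 digit id} ruleID with a mitigation of log, isolate or terminate) are easy to get wrong in a hand-edited YAML file, and a mismatch only shows up as the operator silently ignoring the resource. The following pre-apply checker is an added example, not code from Trend Micro or this documentation. It operates on the dicts that yaml.safe_load() produces for overrides.yaml, policy.yaml and runtimeruleset.yaml; the sample documents inside it are constructed for the example, and the assumption that every ClusterPolicy rule carries type, action and mitigation is taken from the shape of the sample policy above rather than from a published schema.

```python
import re

API_VERSION = "visionone.trendmicro.com/v1alpha1"
# Mitigation values the RuntimeRuleset documentation lists.
RUNTIME_MITIGATIONS = {"log", "isolate", "terminate"}
# ruleID form documented above: TM- followed by exactly eight digits.
RULE_ID_RE = re.compile(r"^TM-\d{8}$")


def validate_cluster_policy(policy, overrides):
    """Return a list of problems in a parsed ClusterPolicy (empty if clean)."""
    problems = []
    if policy.get("apiVersion") != API_VERSION:
        problems.append(f"unexpected apiVersion {policy.get('apiVersion')!r}")
    if policy.get("kind") != "ClusterPolicy":
        problems.append(f"kind must be ClusterPolicy, got {policy.get('kind')!r}")
    # The operator only picks up the CR whose name equals clusterPolicyName.
    name = policy.get("metadata", {}).get("name")
    expected = (overrides.get("cloudOne", {})
                .get("policyOperator", {})
                .get("clusterPolicyName"))
    if not name:
        problems.append("metadata.name is missing")
    elif name != expected:
        problems.append(f"metadata.name {name!r} does not match "
                        f"clusterPolicyName {expected!r} in overrides.yaml")
    spec = policy.get("spec", {})
    seen = set()
    for i, rule in enumerate(spec.get("rules", [])):
        for field in ("type", "action", "mitigation"):  # assumed required
            if field not in rule:
                problems.append(f"rules[{i}] is missing {field!r}")
        # The same type may repeat with different properties (imagesNotScanned
        # per scanType), so a duplicate is same type AND same properties.
        key = (rule.get("type"), repr(sorted((rule.get("properties") or {}).items())))
        if key in seen:
            problems.append(f"rules[{i}] duplicates an earlier {rule.get('type')!r} rule")
        seen.add(key)
    for i, exc in enumerate(spec.get("exceptions", [])):
        if "type" not in exc:
            problems.append(f"exceptions[{i}] is missing 'type'")
        if not (exc.get("properties") or {}).get("values"):
            problems.append(f"exceptions[{i}] has no properties.values to match")
    return problems


def validate_runtime_ruleset(ruleset):
    """Return a list of problems in a parsed RuntimeRuleset (empty if clean)."""
    problems = []
    if ruleset.get("kind") != "RuntimeRuleset":
        problems.append(f"kind must be RuntimeRuleset, got {ruleset.get('kind')!r}")
    definition = ruleset.get("spec", {}).get("definition", {})
    for i, label in enumerate(definition.get("labels", [])):
        if "key" not in label or "value" not in label:
            problems.append(f"labels[{i}] needs both 'key' and 'value'")
    rules = definition.get("rules", [])
    if not rules:
        problems.append("definition.rules is empty")
    seen = set()
    for i, rule in enumerate(rules):
        rid = str(rule.get("ruleID", ""))
        if not RULE_ID_RE.match(rid):
            problems.append(f"rules[{i}] ruleID {rid!r} is not of the form TM-<8 digits>")
        if rule.get("mitigation") not in RUNTIME_MITIGATIONS:
            problems.append(f"rules[{i}] mitigation {rule.get('mitigation')!r} "
                            f"must be one of {sorted(RUNTIME_MITIGATIONS)}")
        if rid in seen:
            problems.append(f"rules[{i}] repeats ruleID {rid!r}")
        seen.add(rid)
    return problems


# Constructed samples (not from the documentation): a valid pair, plus
# variants carrying the mistakes the checker is meant to catch.
OVERRIDES = {"cloudOne": {"policyOperator": {
    "enabled": True, "clusterPolicyName": "trendmicro-cluster-policy"}}}
GOOD_POLICY = {
    "apiVersion": API_VERSION, "kind": "ClusterPolicy",
    "metadata": {"name": "trendmicro-cluster-policy"},
    "spec": {"xdrEnabled": True, "rules": [
        {"type": "privileged", "action": "log", "mitigation": "log"},
        {"type": "imagesNotScanned", "properties": {"scanType": "malware", "maxScanAge": 30},
         "action": "log", "mitigation": "log"},
        {"type": "imagesNotScanned", "properties": {"scanType": "secret", "maxScanAge": 30},
         "action": "log", "mitigation": "log"},
    ], "exceptions": [
        {"type": "imageName", "properties": {"operator": "equals", "values": ["sampleImage"]},
         "namespaces": ["sample-namespace"]},
    ]},
}
# Wrong name for the operator, and the privileged rule pasted twice.
BAD_POLICY = {**GOOD_POLICY, "metadata": {"name": "my-policy"},
              "spec": {"rules": GOOD_POLICY["spec"]["rules"][:1] * 2}}
GOOD_RULESET = {"apiVersion": API_VERSION, "kind": "RuntimeRuleset",
                "metadata": {"name": "trendmicro-ruleset-sample"},
                "spec": {"definition": {"labels": [{"key": "app", "value": "nginx"}],
                                        "rules": [{"ruleID": "TM-00000001", "mitigation": "log"},
                                                  {"ruleID": "TM-00000003", "mitigation": "isolate"}]}}}
# Label without a value, malformed ruleID, unsupported mitigation.
BAD_RULESET = {**GOOD_RULESET, "spec": {"definition": {
    "labels": [{"key": "app"}], "rules": [{"ruleID": "TM-1", "mitigation": "block"}]}}}

if __name__ == "__main__":
    for label, found in (("good policy", validate_cluster_policy(GOOD_POLICY, OVERRIDES)),
                         ("bad policy", validate_cluster_policy(BAD_POLICY, OVERRIDES)),
                         ("good ruleset", validate_runtime_ruleset(GOOD_RULESET)),
                         ("bad ruleset", validate_runtime_ruleset(BAD_RULESET))):
        print(label, "->", found or "ok")
```

In practice you would replace the constructed dicts with `yaml.safe_load(open("policy.yaml"))` and friends and run the checker in CI before `kubectl apply`, so a renamed policy or a mistyped mitigation is rejected with a readable message instead of being accepted by the API server and ignored by the operator.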