Use the following commands and examples to create the ClusterPolicy and RuntimeRuleset custom resources for cluster-managed policies in Container Security.
Cluster-managed policies are not enabled by default. To enable this policy type, add the following to your overrides.yaml file (the setting takes effect when the Helm release is upgraded with the updated overrides):
visionOne:
  policyOperator:
    enabled: true
    clusterPolicyName: <name of your policy custom resource>
Apply the policy to the cluster
For information about the rules, exceptions, and XDR enablement settings that you can apply to a cluster-managed policy, see Custom resources for cluster-managed policies.
Use the following command to apply your policy to the cluster:
Note: Your file does not have to be named policy.yaml.
kubectl apply -f policy.yaml
Note: The name of the ClusterPolicy custom resource (metadata.name) must match the clusterPolicyName specified in your values or overrides.yaml file; otherwise the policy operator will not pick the policy up.
The following is an example of a cluster-managed policy file:
apiVersion: container-security.trendmicro.com/v1alpha1
kind: ClusterPolicy
metadata:
  name: trendmicro-cluster-policy
spec:
  xdrEnabled: true
  rules:
    # Pod properties
    - type: hostNetwork
      action: log
      mitigation: log
    - type: hostIPC
      action: log
      mitigation: log
    - type: hostPID
      action: log
      mitigation: log
    # Container properties
    - type: runAsNonRoot
      action: log
      mitigation: log
    - type: privileged
      action: log
      mitigation: log
    - type: allowPrivilegeEscalation
      action: log
      mitigation: log
    - type: readOnlyRootFilesystem
      action: log
      mitigation: log
    - type: containerCapabilities
      properties:
        capabilityRestriction: baseline
      action: log
      mitigation: log
    # Image properties
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry
      action: log
      mitigation: log
    - type: imageName
      properties:
        operator: startsWith
        values:
          - nginx
          - alpine
      action: log
      mitigation: log
    - type: imageTag
      properties:
        operator: notEquals
        values:
          - latest
      action: log
      mitigation: log
    - type: imagePath
      properties:
        operator: contains
        values:
          - example.com/org/repo
          - example.com/image
      action: log
      mitigation: log
    # Unscanned images
    - type: imagesNotScanned
      properties:
        scanType: vulnerability
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: malware
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: secret
        maxScanAge: 30
      action: log
      mitigation: log
    # Artifact Scanner scan results
    - type: imagesWithMalware
      action: log
      mitigation: log
    - type: imagesWithSecrets
      action: log
      mitigation: log
    - type: imagesWithVulnerabilities
      properties:
        severity: critical
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackVector
      properties:
        attackVector: network
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackComplexity
      properties:
        attackComplexity: high
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAvailabilityImpact
      properties:
        availabilityImpact: low
        severity: high
      action: log
      mitigation: log
    # Kubectl access
    - type: podExec
      action: log
      mitigation: log
    - type: podPortForward
      action: log
      mitigation: log
  # Exceptions
  exceptions:
    - type: imageName
      properties:
        operator: equals
        values:
          - sampleImage
      namespaces:   # omit this field to apply the exception in every namespace
        - sample-namespace
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry
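A mismatch between the manifest's metadata.name and clusterPolicyName in overrides.yaml is silent: the apply succeeds, but the policy operator never picks the policy up. The script below is an added example for this page, not Trend Micro's own tooling. It extracts both names with sed and refuses the apply when they differ. The overrides.yaml and policy.yaml it writes are constructed samples, the file names and the two-space YAML indentation are assumptions taken from the examples above, and it is not a YAML parser.

```shell
#!/bin/sh
# Pre-flight check for `kubectl apply -f policy.yaml`: the ClusterPolicy's
# metadata.name must equal visionOne.policyOperator.clusterPolicyName in the
# overrides.yaml (or values) file, or the policy operator will not pick it up.
# Added example for this page, not Trend Micro's code. It reads the two files
# with sed and assumes the two-space YAML indentation used in the examples;
# it is not a YAML parser.
set -eu

# Print the clusterPolicyName value from an overrides/values file.
overrides_policy_name() {
  sed -n 's/^[[:space:]]*clusterPolicyName:[[:space:]]*//p' "$1" | head -n 1 | tr -d "\"'"
}

# Print metadata.name from a manifest: the first `name:` indented by exactly
# two spaces inside the top-level `metadata:` block. A deeper `name:` key
# under metadata.labels is deliberately not matched.
manifest_name() {
  sed -n '/^metadata:/,/^[^[:space:]]/{s/^  name:[[:space:]]*//p;}' "$1" | head -n 1 | tr -d "\"'"
}

# check_policy_name MANIFEST OVERRIDES
# exit 0 when the names match, 1 on mismatch, 2 when either name cannot be read
check_policy_name() {
  manifest="$1"; overrides="$2"
  actual=$(manifest_name "$manifest")
  expected=$(overrides_policy_name "$overrides")
  if [ -z "$actual" ] || [ -z "$expected" ]; then
    echo "error: cannot read metadata.name from $manifest or clusterPolicyName from $overrides" >&2
    return 2
  fi
  if [ "$actual" != "$expected" ]; then
    echo "MISMATCH: ClusterPolicy '$actual' != clusterPolicyName '$expected'; do not apply" >&2
    return 1
  fi
  echo "OK: ClusterPolicy '$actual' matches clusterPolicyName"
}

# Write constructed sample files into DIR. NAME becomes the manifest's
# metadata.name so that both the matching and the mismatching case can be run.
write_samples() {
  dir="$1"; name="$2"
  cat > "$dir/overrides.yaml" <<'EOF'
visionOne:
  policyOperator:
    enabled: true
    clusterPolicyName: trendmicro-cluster-policy
EOF
  cat > "$dir/policy.yaml" <<EOF
apiVersion: container-security.trendmicro.com/v1alpha1
kind: ClusterPolicy
metadata:
  labels:
    name: not-the-resource-name   # a label key called name; must be ignored
  name: $name
spec:
  xdrEnabled: true
  rules:
    - type: privileged
      action: log
      mitigation: log
EOF
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp" trendmicro-cluster-policy
check_policy_name "$tmp/policy.yaml" "$tmp/overrides.yaml"
write_samples "$tmp" trendmicro-cluster-policy-v2
check_policy_name "$tmp/policy.yaml" "$tmp/overrides.yaml" || echo "refusing to apply (exit $?)"
rm -rf "$tmp"
```

Gate the real apply on the check, for example `check_policy_name policy.yaml overrides.yaml && kubectl apply -f policy.yaml`. A dry run of kubectl does not catch this case, because a ClusterPolicy with the wrong name is still a valid manifest; only the name comparison does.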
Runtime ruleset custom resource
A RuntimeRuleset defines the rules for runtime security. These Falco rules are managed by Trend Micro and are referenced by ruleID.
The RuntimeRuleset spec contains a definition with two fields, labels and rules.
labels: a set of pod labels used as a label selector for the rules. If no labels are given, the rules apply to every pod.
- key: the label key.
- value: the label value.
rules: a set of rule IDs and the mitigation to apply when a rule is triggered.
- ruleID: the Trend Micro runtime rule ID, in the form TM-{8 digit id} (for example, TM-00000001). See the list of available predefined rules.
- mitigation: the mitigation action taken when the rule matches. Use log, isolate, or terminate.
Use the following command to apply the runtime ruleset:
Note: Your file does not have to be named runtimeruleset.yaml.
kubectl apply -f runtimeruleset.yaml
The following is an example of a runtime ruleset file:
apiVersion: container-security.trendmicro.com/v1alpha1
kind: RuntimeRuleset
metadata:
  labels:
    app.kubernetes.io/name: init
    app.kubernetes.io/managed-by: kustomize
  name: trendmicro-ruleset-sample
spec:
  definition:
    labels:
      - key: "app"
        value: "nginx"
    rules:
      - ruleID: TM-00000001
        mitigation: log
      - ruleID: TM-00000002
        mitigation: log
      - ruleID: TM-00000003
        mitigation: isolate
      - ruleID: TM-00000004
        mitigation: terminate
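The field definitions above fix two things a reviewer should check before the file reaches the API server: every ruleID has the TM- plus eight digits form, and every mitigation is one of log, isolate or terminate; a ruleset with no label selector also deserves a flag, since it applies to every pod. The lint below is an added example for this page, not Trend Micro's code. It reads the `- ruleID:`, `mitigation:` and `- key:` lines with awk and assumes the layout of the example above; it is not a YAML parser. The two manifests it writes are constructed samples, and the TM- identifiers in them are placeholders in the documented format, not references to specific Trend Micro rules.

```shell
#!/bin/sh
# Lint a RuntimeRuleset manifest before `kubectl apply -f runtimeruleset.yaml`:
# every ruleID must have the form TM-<8 digits> and every mitigation must be
# log, isolate or terminate; a ruleset without a label selector is flagged
# because it applies to every pod. Added example for this page, not Trend
# Micro's code. It reads the `- ruleID:` / `mitigation:` / `- key:` lines with
# awk, assuming the layout of the documented example; it is not a YAML parser.
set -eu

# lint_ruleset FILE: prints one line per problem, exit 0 if clean, 1 otherwise
lint_ruleset() {
  awk -v q="'" '
    function trim(s) {
      sub(/[[:space:]]*#.*$/, "", s)              # drop a trailing YAML comment
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)  # strip surrounding whitespace
      gsub(/"/, "", s); gsub(q, "", s)            # strip double and single quotes
      return s
    }
    function check() {
      # TM- followed by exactly eight digits: 11 characters in total
      if (length(id) != 11 || id !~ /^TM-[0-9]+$/) {
        printf "line %d: bad ruleID \"%s\" (expected TM-<8 digits>)\n", line, id; bad++
      }
      if (mit == "") {
        printf "line %d: rule %s has no mitigation\n", line, id; bad++
      } else if (mit != "log" && mit != "isolate" && mit != "terminate") {
        printf "line %d: rule %s: unsupported mitigation \"%s\"\n", line, id, mit; bad++
      }
    }
    /^[[:space:]]*-[[:space:]]*key:/ { nlabels++ }
    /^[[:space:]]*-[[:space:]]*ruleID:/ {
      if (inrule) check()                     # finish the previous rule first
      id = trim(substr($0, index($0, "ruleID:") + 7))
      mit = ""; inrule = 1; line = NR
      next
    }
    inrule && /^[[:space:]]*mitigation:/ {
      mit = trim(substr($0, index($0, "mitigation:") + 11))
    }
    END {
      if (inrule) check(); else { print "no rules found"; bad++ }
      if (nlabels == 0) print "warning: no label selector, the ruleset applies to every pod"
      exit (bad > 0)
    }
  ' "$1"
}

# Write constructed sample manifests into DIR: a valid ruleset and one with a
# malformed ruleID, an unsupported mitigation and a rule with no mitigation.
write_rulesets() {
  dir="$1"
  cat > "$dir/good.yaml" <<'EOF'
apiVersion: container-security.trendmicro.com/v1alpha1
kind: RuntimeRuleset
metadata:
  name: trendmicro-ruleset-sample
spec:
  definition:
    labels:
      - key: "app"
        value: "nginx"
    rules:
      - ruleID: TM-00000001
        mitigation: log
      - ruleID: TM-00000003
        mitigation: isolate
      - ruleID: TM-00000004
        mitigation: terminate
EOF
  cat > "$dir/bad.yaml" <<'EOF'
apiVersion: container-security.trendmicro.com/v1alpha1
kind: RuntimeRuleset
metadata:
  name: broken-ruleset
spec:
  definition:
    rules:
      - ruleID: TM-1          # too short
        mitigation: log
      - ruleID: TM-00000002
        mitigation: kill      # not log/isolate/terminate
      - ruleID: TM-00000003   # mitigation missing
EOF
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d)
write_rulesets "$tmp"
lint_ruleset "$tmp/good.yaml" && echo "good.yaml: clean"
lint_ruleset "$tmp/bad.yaml" || echo "bad.yaml: rejected (exit $?)"
rm -rf "$tmp"
```

Run it as `lint_ruleset runtimeruleset.yaml && kubectl apply -f runtimeruleset.yaml`. The bad sample produces three problem lines plus the missing-selector warning; the warning alone does not fail the lint, because an unlabelled ruleset is valid, just broad.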
