
Red Hat Advanced Cluster Security for Kubernetes provides out-of-the-box default security policies that you can use to prevent high-risk service deployments in your environment and respond to runtime security incidents. You can also create custom multi-factor policies for your container environment.

Policy categories

RHACS uses policy categories to group policies by type and function. You can use these categories to organize and search for policies.

RHACS provides the following default policy categories:

  • Anomalous Activity

  • Cryptocurrency Mining

  • DevOps Best Practices

  • Docker Center for Internet Security (CIS)

  • Kubernetes

  • Kubernetes Events

  • Network Tools

  • Package Management

  • Privileges

  • Security Best Practices

  • Supply Chain Security

  • System Modification

  • Vulnerability Management

  • Zero Trust

You can view existing categories and create your own policy categories in the RHACS portal by using the Policy Categories tab in the Policy Management window.

Creating policy categories by using the Policy categories tab

Beginning with version 3.74, RHACS provides a new method to create and manage policy categories in Red Hat Advanced Cluster Security Cloud Service or in RHACS if you have the PostgreSQL database enabled. All policy workflows other than policy creation remain unchanged when using this feature.

You can also configure policy categories by using the PolicyCategoryService API object. For more information, go to Help → API reference in the RHACS portal.

Procedure
  1. In the RHACS portal, go to Platform Configuration → Policy Management.

  2. Click the Policy categories tab. This tab provides a list of existing categories and allows you to filter the list by category name. You can also click Show all categories and select the checkbox to remove default or custom categories from the displayed list.

  3. Click Create category.

  4. Enter a category name and click Create.

Modifying policy categories by using the Policy categories tab

Beginning with version 3.74, RHACS provides a new method to create and manage policy categories in Red Hat Advanced Cluster Security Cloud Service or in RHACS if you have the PostgreSQL database enabled. All policy workflows other than policy creation remain unchanged when using this feature.

You can also configure policy categories by using the PolicyCategoryService API object. For more information, go to Help → API reference in the RHACS portal.

Procedure
  1. In the RHACS portal, go to Platform Configuration → Policy Management.

  2. Click the Policy categories tab. This tab provides a list of existing categories and allows you to filter the list by category name. You can also click Show all categories and select the checkbox to remove default or custom categories from the displayed list.

  3. Click a policy name to edit or delete it. Default policy categories cannot be selected, edited, or deleted.

Understanding policies and lifecycle phases

When configuring policies, you can select the lifecycle stages that apply to your policy, and you can select more than one stage for a policy.

You can select from the following lifecycle stages:

  • Build phase policies: These policies apply to image fields such as CVEs and Dockerfile instructions.

  • Deploy phase policies: These policies can include all build-time policy criteria. They can also have data from your cluster configurations, such as running in privileged mode or mounting the Docker daemon socket.

  • Runtime policies: These policies can include all build-time and deploy-time policy criteria, plus data about process executions during runtime. You can further configure runtime policies to trigger policy violations based on the following events:

    • Deployments: RHACS triggers policy violations when event sources include process and network activity, such as executing a command in a pod and pod port forwarding.

    • Audit logs: RHACS triggers policy violations when event sources match Kubernetes audit log records.

Understanding rules and policy criteria

You can set up rules in RHACS and configure the data on which you want to trigger a policy. This data is also referred to as policy criteria or policy fields.

You can configure the policy based on the attributes listed in the following table.

In this table:

  • The Regular expressions, AND, OR, and NOT columns indicate whether you can use regular expressions and other logical operators along with the specific attribute.

    • ! for Regex (Regular expressions) indicates that you can only use regular expressions for the listed fields.

    • ! for AND or OR indicates that you can only use the mentioned logical operator for the attribute.

    • ✕ in the Regex / NOT / AND, OR column indicates that the attribute does not support any of those (regex, negation, logical operators).

  • The RHACS version column indicates the version of Red Hat Advanced Cluster Security for Kubernetes that you must have to use the attribute.

  • You cannot use logical combination operators AND and OR for attributes that have:

    • Boolean values true and false

    • Minimum-value semantics, for example:

      • Minimum RBAC permissions

      • Days since image was created

  • You cannot use the NOT logical operator for attributes that have:

    • Boolean values true and false

    • Numeric values that already use comparison, such as the <, >, <=, >= operators.

    • Compound criteria that can have multiple values, for example:

      • Dockerfile Line, which includes both instructions and arguments.

      • Environment Variable, which consists of both name and value.

    • Other meanings, including Add Capabilities, Drop Capabilities, Days since image was created, and Days since image was last scanned.
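The way these operator rules combine is easier to see in a small evaluator. The following Python is an added illustration, not RHACS code: it models regular-expression matching for string criteria, the comparison prefix (<, >, <=, >= or nothing for "equal to") for numeric and severity values, NOT only where the table permits it, AND/OR across the values of one criterion, and every criterion in a section being required together (the last point reflects how RHACS evaluates a policy section and is stated here as an assumption). The deployment dictionary and the handful of criteria it covers are constructed for this example.

```python
import re
from typing import Callable, List

# Added illustration, not RHACS code. The deployment dictionary shape below is
# constructed for this example and is not the RHACS data model.

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MODERATE", "IMPORTANT", "CRITICAL"]
COMPARISON_RE = re.compile(r"^(<=|>=|<|>)?\s*(.+)$")


def parse_comparison(raw: str, convert: Callable[[str], object]):
    """Split values such as '>=5', '9.5' or '>=IMPORTANT' into (operator, operand).
    No operator prefix means 'equal to', as the allowed-values column states."""
    match = COMPARISON_RE.match(raw.strip())
    if match is None:
        raise ValueError(f"malformed comparison value: {raw!r}")
    return match.group(1) or "=", convert(match.group(2).strip())


def compare(actual, operator: str, wanted) -> bool:
    return {
        "=": actual == wanted,
        "<": actual < wanted,
        ">": actual > wanted,
        "<=": actual <= wanted,
        ">=": actual >= wanted,
    }[operator]


def severity_rank(name: str) -> int:
    return SEVERITY_ORDER.index(name.strip().upper())


# One matcher per criterion: True when some element of the deployment satisfies the value.
def match_cvss(deployment: dict, value: str) -> bool:
    operator, threshold = parse_comparison(value, float)
    return any(compare(cve["cvss"], operator, threshold) for cve in deployment["cves"])


def match_severity(deployment: dict, value: str) -> bool:
    operator, rank = parse_comparison(value, severity_rank)
    return any(compare(severity_rank(cve["severity"]), operator, rank)
               for cve in deployment["cves"])


def match_image_registry(deployment: dict, value: str) -> bool:
    # String criteria accept regular expressions; match the whole registry name.
    return re.fullmatch(value, deployment["image_registry"]) is not None


def match_privileged(deployment: dict, value: str) -> bool:
    # Boolean criteria take a single true/false value.
    return deployment["privileged"] is (value.strip().lower() == "true")


# Criterion name -> (matcher, supports NOT, supports AND/OR), per the table's operator column.
CRITERIA = {
    "CVSS": (match_cvss, False, True),
    "Severity": (match_severity, False, True),
    "Image Registry": (match_image_registry, True, True),
    "Privileged Container": (match_privileged, False, False),
}


def evaluate_group(deployment: dict, group: dict) -> bool:
    """A group is one criterion with one or more values joined by AND or OR, optionally negated."""
    matcher, allows_not, allows_logic = CRITERIA[group["field"]]
    values = group["values"]
    if group.get("negate") and not allows_not:
        raise ValueError(f"{group['field']} does not support NOT")
    if not allows_logic and len(values) != 1:
        raise ValueError(f"{group['field']} takes exactly one value")
    results = [matcher(deployment, v) for v in values]
    matched = all(results) if group.get("operator", "OR") == "AND" else any(results)
    return (not matched) if group.get("negate") else matched


def evaluate_section(deployment: dict, groups: List[dict]) -> bool:
    """Every criterion in a section must match for the section to produce a violation."""
    return all(evaluate_group(deployment, g) for g in groups)


# Constructed sample deployment; the CVE ids are placeholders, not real identifiers.
SAMPLE_DEPLOYMENT = {
    "image_registry": "quay.io",
    "privileged": True,
    "cves": [
        {"id": "CVE-PLACEHOLDER-1", "cvss": 9.8, "severity": "CRITICAL"},
        {"id": "CVE-PLACEHOLDER-2", "cvss": 4.3, "severity": "MODERATE"},
    ],
}

if __name__ == "__main__":
    section = [
        {"field": "CVSS", "values": [">=7"]},
        {"field": "Privileged Container", "values": ["true"]},
        {"field": "Image Registry", "values": [r"docker\.io"], "negate": True},
    ]
    print("violation:", evaluate_section(SAMPLE_DEPLOYMENT, section))  # True
```

Adding NOT to the CVSS group, or giving the Privileged Container group two values, raises a ValueError in the evaluator, which is the same restriction the table expresses with the missing NOT and AND/OR entries for those attributes.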

In the Phase column, Runtime* means Runtime when the attribute is used together with a Runtime criterion. ✕ in the operator column means the attribute supports none of Regex, NOT, AND or OR.

Section: Image registry

| Attribute | Description | JSON attribute | Allowed values | Regex, NOT, AND, OR | Phase |
|---|---|---|---|---|---|
| Image Registry | The name of the image registry. | Image Registry | String | Regex, NOT, AND, OR | Build, Deploy, Runtime* |
| Image Name | The full name of the image in the registry, for example library/nginx. | Image Remote | String | Regex, NOT, AND, OR | Build, Deploy, Runtime* |
| Image Tag | Identifier for an image. | Image Tag | String | Regex, NOT, AND, OR | Build, Deploy, Runtime* |
| Image Signature | The list of signature integrations you can use to verify an image's signature. Creates alerts on images that either have no signature or whose signature is not verifiable by at least one of the listed signature integrations. | Image Signature Verified By | A valid ID of an already configured image signature integration | ! OR only | Build, Deploy, Runtime* |

Section: Image contents

| Attribute | Description | JSON attribute | Allowed values | Regex, NOT, AND, OR | Phase |
|---|---|---|---|---|---|
| The Common Vulnerabilities and Exposures (CVE) is fixable | This criterion results in a violation only if the image in the deployment you are evaluating has a fixable CVE. | Fixable | Boolean | ✕ | Build, Deploy, Runtime* |
| Days Since CVE Was First Discovered In Image | This criterion results in a violation only if it has been more than a specified number of days since RHACS discovered the CVE in a specific image. | Days Since CVE Was First Discovered In Image | Integer | ✕ | Build, Deploy, Runtime* |
| Days Since CVE Was First Discovered In System | This criterion results in a violation only if it has been more than a specified number of days since RHACS discovered the CVE across all deployed images in all clusters that RHACS monitors. | Days Since CVE Was First Discovered In System | Integer | ✕ | Build, Deploy, Runtime* |
| Image age | The minimum number of days from the image creation date. | Image Age | Integer | ✕ | Build, Deploy, Runtime* |
| Image scan age | The minimum number of days since the image was last scanned. | Image Scan Age | Integer | ✕ | Build, Deploy, Runtime* |
| Image User | Matches the USER directive in the Dockerfile. See https://docs.docker.com/engine/reference/builder/#user for details. | Image User | String | Regex, NOT, AND, OR | Build, Deploy, Runtime* |
| Dockerfile Line | A specific line in the Dockerfile, including both instructions and arguments. | Dockerfile Line | One of: LABEL, RUN, CMD, EXPOSE, ENV, ADD, COPY, ENTRYPOINT, VOLUME, USER, WORKDIR, ONBUILD | ! Regex only for values; AND, OR | Build, Deploy, Runtime* |
| Image scan status | Check if an image was scanned. | Unscanned Image | Boolean | ✕ | Build, Deploy, Runtime* |
| Common Vulnerability Scoring System (CVSS) | Match images with vulnerabilities whose scores are greater than (>), less than (<), or equal to (=) the specified CVSS score. | CVSS | <, >, <=, >= or nothing (which implies equal to), followed by a decimal (a number with an optional fractional value). Examples: >=5 or 9.5 | AND, OR | Build, Deploy, Runtime* |
| Severity | The severity of the vulnerability based on the CVSS score or the vendor rating. One of Low, Moderate, Important or Critical. | Severity | <, >, <=, >= or nothing (which implies equal to), followed by one of UNKNOWN, LOW, MODERATE, IMPORTANT, CRITICAL. Examples: >=IMPORTANT or CRITICAL | AND, OR | Build, Deploy, Runtime* |
| Fixed By | The version string of a package that fixes a flagged vulnerability in an image. Use this criterion together with other criteria that identify a vulnerability, for example the CVE criterion. | Fixed By | String | Regex, NOT, AND, OR | Build, Deploy, Runtime* |
| CVE | Common Vulnerabilities and Exposures; use it with specific CVE numbers. | CVE | String | Regex, NOT, AND, OR | Build, Deploy, Runtime* |
| Image Component | Name and version number of a specific software component present in an image. | Image Component | key=value. Value is optional; if it is missing, use the format "key=". | Regex, AND, OR | Build, Deploy, Runtime* |
| Image OS | Name and version number of the base operating system of the image, for example alpine:3.17.3. | Image OS | String | Regex, NOT, AND, OR | Build, Deploy, Runtime* |
| Require image label | Ensure the presence of a Docker image label. The policy triggers if any image in the deployment does not have the specified label. You can use regular expressions for both the key and value fields. The Require Image Label criterion only works when you integrate with a Docker registry. For details about Docker labels, see https://docs.docker.com/config/labels-custom-metadata/. | Required Image Label | key=value. Value is optional; if it is missing, use the format "key=". | Regex, AND, OR | Build, Deploy, Runtime* |
| Disallow image label | Ensure that a particular Docker image label is NOT used. The policy triggers if any image in the deployment has the specified label. You can use regular expressions for both the key and value fields. The Disallow Image Label criterion only works when you integrate with a Docker registry. For details about Docker labels, see https://docs.docker.com/config/labels-custom-metadata/. | Disallowed Image Label | key=value. Value is optional; if it is missing, use the format "key=". | Regex, AND, OR | Build, Deploy, Runtime* |

Section: Container configuration

| Attribute | Description | JSON attribute | Allowed values | Regex, NOT, AND, OR | Phase |
|---|---|---|---|---|---|
| Environment Variable | Check environment variables by name or value. When you create a policy that includes the environment variable attribute, you can choose which types of environment variables the policy should match: raw values provided directly in the deployment YAML, or references to values from config maps, secrets, fields, or resource requests or limits. For any type other than a raw value, the value attribute of the policy rule is ignored and the match is evaluated on the existence of the specified environment variable type. This criterion also disallows creating policies with a non-empty value attribute for types other than raw values. | Environment Variable | RAW=key=value matches an environment variable specified directly in the deployment YAML with the given key and value; omit the value to match on the key only. If the variable is not defined in the configuration YAML, use the format SOURCE=KEY, where SOURCE is one of SECRET_KEY (SecretKeyRef), CONFIG_MAP_KEY (ConfigMapRef), FIELD (FieldRef) or RESOURCE_FIELD (ResourceFieldRef); the API object label is given first and the user interface label in parentheses. | ! Regex only for key and value (when using RAW); AND, OR | Deploy, Runtime* |
| Container CPU Request | Check for the number of cores reserved for a given resource. | Container CPU Request | <, >, <=, >= or nothing (which implies equal to), followed by a decimal (a number with an optional fractional value). Examples: >=5 or 9.5 | AND, OR | Deploy, Runtime* |
| Container CPU Limit | Check for the maximum number of cores a resource is allowed to use. | Container CPU Limit | Same as Container CPU Request | AND, OR | Deploy, Runtime* |
| Container Memory Request | The number of MB requested, including fractions. | Container Memory Request | Same as Container CPU Request | AND, OR | Deploy, Runtime* |
| Container Memory Limit | Check for the maximum amount of memory a resource is allowed to use. | Container Memory Limit | Same as Container CPU Request | AND, OR | Deploy, Runtime* |
| Privileged container | Check if a deployment is configured in privileged mode. This criterion only checks the value of the privileged field in the respective Pod Security Context. | Privileged Container | Boolean: true when the privileged field in the respective PodSecurityContext is set to true | ✕ | Deploy, Runtime* |
| Root filesystem writeability | Check if a deployment is configured in read-only root filesystem mode. | Read-Only Root Filesystem | Boolean: true when the readOnlyRootFilesystem field in the respective PodSecurityContext is set to true | ✕ | Deploy, Runtime* |
| Seccomp Profile Type | The type of seccomp profile defined for the deployment. If seccomp options are provided at both the pod and the container level, the container options override the pod options. See Security Context. | Seccomp Profile Type | One of: UNCONFINED, RUNTIME_DEFAULT, LOCALHOST | ✕ | Deploy, Runtime* |
| Privilege escalation | Alerts when a deployment allows a container process to gain more privileges than its parent process. | Allow Privilege Escalation | Boolean | ✕ | Deploy, Runtime* |
| Drop Capabilities | Linux capabilities that must be dropped from the container. Alerts when the specified capabilities are not dropped. For example, if configured with SYS_ADMIN AND SYS_BOOT and the deployment drops only one or neither of these two capabilities, the alert occurs. | Drop Capabilities | One of: ALL, AUDIT_CONTROL, AUDIT_READ, AUDIT_WRITE, BLOCK_SUSPEND, CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, IPC_LOCK, IPC_OWNER, KILL, LEASE, LINUX_IMMUTABLE, MAC_ADMIN, MAC_OVERRIDE, MKNOD, NET_ADMIN, NET_BIND_SERVICE, NET_BROADCAST, NET_RAW, SETGID, SETFCAP, SETPCAP, SETUID, SYS_ADMIN, SYS_BOOT, SYS_CHROOT, SYS_MODULE, SYS_NICE, SYS_PACCT, SYS_PTRACE, SYS_RAWIO, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, SYSLOG, WAKE_ALARM | AND | Deploy, Runtime* |
| Add Capabilities | Linux capabilities that must not be added to the container, such as the ability to send raw packets or override file permissions. Alerts when the specified capabilities are added. For example, if configured with NET_ADMIN or NET_RAW and the deployment manifest YAML file includes at least one of these two capabilities, the alert occurs. | Add Capabilities | One of: AUDIT_CONTROL, AUDIT_READ, AUDIT_WRITE, BLOCK_SUSPEND, CHOWN, DAC_OVERRIDE, DAC_READ_SEARCH, FOWNER, FSETID, IPC_LOCK, IPC_OWNER, KILL, LEASE, LINUX_IMMUTABLE, MAC_ADMIN, MAC_OVERRIDE, MKNOD, NET_ADMIN, NET_BIND_SERVICE, NET_BROADCAST, NET_RAW, SETGID, SETFCAP, SETPCAP, SETUID, SYS_ADMIN, SYS_BOOT, SYS_CHROOT, SYS_MODULE, SYS_PACCT, SYS_PTRACE, SYS_RAWIO, SYS_RESOURCE, SYS_TIME, SYS_TTY_CONFIG, SYSLOG, WAKE_ALARM | OR | Deploy, Runtime* |
| Container Name | The name of the container. | Container Name | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| AppArmor Profile | The Application Armor (AppArmor) profile used in the container. | AppArmor Profile | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| Liveness Probe | Whether the container defines a liveness probe. | Liveness Probe | Boolean | ✕ | Deploy, Runtime* |
| Readiness Probe | Whether the container defines a readiness probe. | Readiness Probe | Boolean | ✕ | Deploy, Runtime* |

Section: Deployment metadata

| Attribute | Description | JSON attribute | Allowed values | Regex, NOT, AND, OR | Phase |
|---|---|---|---|---|---|
| Disallowed Annotation | An annotation that is not allowed to be present on Kubernetes resources in a specified environment. | Disallowed Annotation | key=value. Value is optional; if it is missing, use the format "key=". | Regex, AND, OR | Deploy, Runtime* |
| Required Label | Check for the presence of a required label in Kubernetes. | Required Label | key=value. Value is optional; if it is missing, use the format "key=". | Regex, AND, OR | Deploy, Runtime* |
| Required Annotation | Check for the presence of a required annotation in Kubernetes. | Required Annotation | key=value. Value is optional; if it is missing, use the format "key=". | Regex, AND, OR | Deploy, Runtime* |
| Runtime Class | The RuntimeClass of the deployment. | Runtime Class | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| Host Network | Check if HostNetwork is enabled, which means that the container is not placed inside a separate network stack (the container's networking is not containerized). This implies that the container has full access to the host's network interfaces. | Host Network | Boolean | ✕ | Deploy, Runtime* |
| Host PID | Check if the Process ID (PID) namespace is isolated between the containers and the host. This allows processes in different PID namespaces to have the same PID. | Host PID | Boolean | ✕ | Deploy, Runtime* |
| Host IPC | Check if the IPC (POSIX/SysV IPC) namespace on the host, which provides separation of named shared memory segments, semaphores and message queues, is shared with containers. | Host IPC | Boolean | ✕ | Deploy, Runtime* |
| Namespace | The name of the namespace the deployment belongs to. | Namespace | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| Replicas | The number of deployment replicas. If you use oc scale to scale the deployment replicas from 0 to a number, the admission controller blocks this action if the deployment violates a policy. | Replicas | <, >, <=, >= or nothing (which implies equal to), followed by a decimal (a number with an optional fractional value). Examples: >=5 or 9.5 | NOT, AND, OR | Deploy, Runtime* |

Section: Storage

| Attribute | Description | JSON attribute | Allowed values | Regex, NOT, AND, OR | Phase |
|---|---|---|---|---|---|
| Volume Name | Name of the storage. | Volume Name | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| Volume Source | Indicates the form in which the volume is provisioned, for example persistentVolumeClaim or hostPath. | Volume Source | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| Volume Destination | The path where the volume is mounted. | Volume Destination | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| Volume Type | The type of volume. | Volume Type | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| Mounted volume writability | Volumes that are mounted as writable. | Writable Mounted Volume | Boolean | ✕ | Deploy, Runtime* |
| Mount Propagation | Check if the container mounts volumes in Bidirectional, Host to Container, or None mode. | Mount Propagation | One of: NONE, HOSTTOCONTAINER, BIDIRECTIONAL | NOT, AND, OR | Deploy, Runtime* |
| Host mount writability | The resource has mounted a path on the host with write permissions. | Writable Host Mount | Boolean | ✕ | Deploy, Runtime* |

Section: Networking

| Attribute | Description | JSON attribute | Allowed values | Regex, NOT, AND, OR | Phase |
|---|---|---|---|---|---|
| Protocol | Protocol, such as TCP or UDP, used by the exposed port. | Exposed Port Protocol | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| Port | Port numbers exposed by a deployment. | Exposed Port | <, >, <=, >= or nothing (which implies equal to), followed by an integer. Examples: >=1024 or 22 | NOT, AND, OR | Deploy, Runtime* |
| Exposed Node Port | Port numbers exposed externally by a deployment. | Exposed Node Port | Same as Exposed Port | NOT, AND, OR | Deploy, Runtime* |
| Port Exposure | Exposure method of the service, for example load balancer or node port. | Port Exposure Method | One of: UNSET, EXTERNAL, NODE, HOST, INTERNAL, ROUTE | NOT, AND, OR | Deploy, Runtime* |
| Unexpected Network Flow Detected | Check if the detected network traffic is part of the network baseline for the deployment. | Unexpected Network Flow Detected | Boolean | ✕ | Runtime only (Network) |
| Ingress Network Policy | Check the presence or absence of ingress Kubernetes network policies. | Has Ingress Network Policy | Boolean | Regex, AND, OR | Deploy, Runtime* |
| Egress Network Policy | Check the presence or absence of egress Kubernetes network policies. | Has Egress Network Policy | Boolean | Regex, AND, OR | Deploy, Runtime* |

Section: Process activity

| Attribute | Description | JSON attribute | Allowed values | Regex, NOT, AND, OR | Phase |
|---|---|---|---|---|---|
| Process Name | Name of the process executed in a deployment. | Process Name | String | Regex, NOT, AND, OR | Runtime only (Process) |
| Process Ancestor | Name of any parent process for a process executed in a deployment. | Process Ancestor | String | Regex, NOT, AND, OR | Runtime only (Process) |
| Process Arguments | Command arguments for a process executed in a deployment. | Process Arguments | String | Regex, NOT, AND, OR | Runtime only (Process) |
| Process UID | Unix user ID for a process executed in a deployment. | Process UID | Integer | NOT, AND, OR | Runtime only (Process) |
| Unexpected Process Executed | Check deployments for which process executions are not listed in the deployment's locked process baseline. | Unexpected Process Executed | Boolean | ✕ | Runtime only (Process) |

Section: Kubernetes access

| Attribute | Description | JSON attribute | Allowed values | Regex, NOT, AND, OR | Phase |
|---|---|---|---|---|---|
| Service Account | The name of the service account. | Service Account | String | Regex, NOT, AND, OR | Deploy, Runtime* |
| Automount Service Account Token | Check if the deployment configuration automatically mounts the service account token. | Automount Service Account Token | Boolean | ✕ | Deploy, Runtime* |
| Minimum RBAC Permissions | Match if the deployment's Kubernetes service account has a Kubernetes RBAC permission level equal to (=) or greater than (>) the specified level. | Minimum RBAC Permissions | One of: DEFAULT, ELEVATED_IN_NAMESPACE, ELEVATED_CLUSTER_WIDE, CLUSTER_ADMIN | NOT | Deploy, Runtime* |

Section: Kubernetes events

| Attribute | Description | JSON attribute | Allowed values | Regex, NOT, AND, OR | Phase |
|---|---|---|---|---|---|
| Kubernetes Action | The name of the Kubernetes action, such as Pod Exec. | Kubernetes Resource | One of: PODS_EXEC, PODS_PORTFORWARD | ! OR only | Runtime only (Kubernetes Events) |
| Kubernetes User Name | The name of the user who accessed the resource. | Kubernetes User Name | Alphanumeric with hyphens (-) and colons (:) only | Regex, NOT, ! OR only | Runtime only (Kubernetes Events) |
| Kubernetes User Group | The name of the group to which the user who accessed the resource belongs. | Kubernetes User Groups | Alphanumeric with hyphens (-) and colons (:) only | Regex, NOT, ! OR only | Runtime only (Kubernetes Events) |
| Kubernetes Resource Type | Type of the accessed Kubernetes resource. | Kubernetes Resource | One of: Config maps, Secrets, ClusterRoles, ClusterRoleBindings, NetworkPolicies, SecurityContextConstraints, EgressFirewalls | ! OR only | Runtime only (Audit Log) |
| Kubernetes API Verb | The Kubernetes API verb that is used to access the resource, such as GET or POST. | Kubernetes API Verb | One of: CREATE, DELETE, GET, PATCH, UPDATE | ! OR only | Runtime only (Audit Log) |
| Kubernetes Resource Name | The name of the accessed Kubernetes resource. | Kubernetes Resource Name | Alphanumeric with hyphens (-) and colons (:) only | Regex, NOT, ! OR only | Runtime only (Audit Log) |
| User Agent | The user agent that the user used to access the resource, for example oc or kubectl. | User Agent | String | Regex, NOT, ! OR only | Runtime only (Audit Log) |
| Source IP Address | The IP address from which the user accessed the resource. | Source IP Address | IPv4 or IPv6 address | Regex, NOT, ! OR only | Runtime only (Audit Log) |
| Is Impersonated User | Check if the request was made by a user that is impersonated by a service account or some other account. | Is Impersonated User | Boolean | ✕ | Runtime only (Audit Log) |

About policy enforcement

When you configure policies in RHACS, you can choose how RHACS responds when it detects a condition that violates a security policy.

RHACS can perform different types of policy enforcement, or actions that address a violation, depending on the phase in which the violation is discovered. You can select more than one stage when configuring enforcement in a policy. For example, you can select Build and Deploy so that RHACS alerts the build pipeline to the problem, and if the developer allows the build to succeed anyway, the deployment is still prevented.

In build-time enforcement, you can configure RHACS to fail your continuous integration (CI) builds when images match the criteria of the policy. When a condition in the build violates the policy, for example a fixable CVE of the severity level that you configured the policy for, the build should fail. For example, if you have integrated an RHACS image or deployment check into a CI/CD pipeline and RHACS detects a condition that the policy says should fail, the RHACS API returns a non-zero exit code, and the pipeline uses that code to fail the build.

In deploy time enforcement, RHACS works with Kubernetes admission controllers and OpenShift Container Platform admission plugins to allow you to enforce security policies. RHACS prevents Kubernetes or OpenShift Container Platform from creating or updating workloads, for example, deployments, daemon sets or jobs, that match the conditions of the policy. This is useful for shutting down deployments with serious problems even if the build was successful.

Security policy enforcement for the deploy stage

Red Hat Advanced Cluster Security for Kubernetes supports two forms of security policy enforcement for deploy-time policies: hard enforcement through the admission controller and soft enforcement by RHACS Sensor. The admission controller blocks creation or updating of deployments that violate policy. If the admission controller is disabled or unavailable, Sensor can perform enforcement by scaling down replicas for deployments that violate policy to 0.

Policy enforcement can impact running applications or development processes. Before you enable enforcement options, inform all stakeholders and plan how to respond to the automated enforcement actions.

Hard enforcement

Hard enforcement is performed by the RHACS admission controller. In clusters with admission controller enforcement, the Kubernetes or OpenShift Container Platform API server blocks all noncompliant deployments. The admission controller blocks CREATE and UPDATE operations. Any pod create or update request that satisfies a policy configured with deploy-time enforcement enabled will fail.

Kubernetes admission webhooks support only CREATE, UPDATE, DELETE, or CONNECT operations, and the RHACS admission controller supports only CREATE and UPDATE operations. Operations such as kubectl patch, kubectl set, and kubectl scale are PATCH operations, not UPDATE operations. Because PATCH is not among the operations that Kubernetes admission webhooks support, RHACS cannot perform enforcement on PATCH operations.

For blocking enforcement, you must enable the following settings for the cluster in RHACS:

  • Enforce on Object Creates: This toggle in the Dynamic Configuration section controls the behavior of the admission control service. You must have the Configure Admission Controller Webhook to listen on Object Creates toggle in the Static Configuration section turned on for this to work.

  • Enforce on Object Updates: This toggle in the Dynamic Configuration section controls the behavior of the admission control service. You must have the Configure Admission Controller Webhook to listen on Object Updates toggle in the Static Configuration section turned on for this to work.

If you make changes to settings in the Static Configuration setting, you must redeploy the secured cluster for those changes to take effect.

Soft enforcement

Soft enforcement is performed by RHACS Sensor. This enforcement prevents an operation from being initiated: Sensor scales the replicas of the violating deployment to 0, so no pods are scheduled. The deployment remains in the cluster in a non-ready state.

If soft enforcement is configured, and Sensor is down, then RHACS cannot perform enforcement.

Namespace exclusions

By default, RHACS excludes certain administrative namespaces, such as the stackrox, kube-system, and istio-system namespaces, from enforcement blocking. The reason for this is that some items in these namespaces must be deployed for RHACS to work correctly.

Enforcement on existing deployments

For existing deployments, policy changes only result in enforcement at the next detection of the criteria, when a Kubernetes event occurs. If you make changes to a policy, you must reassess policies by selecting Policy Management and clicking Reassess All. This action applies deploy policies on all existing deployments regardless of whether there are any new incoming Kubernetes events. If a policy is violated, then RHACS performs enforcement.

Sharing security policies

Beginning from Red Hat Advanced Cluster Security for Kubernetes version 3.0.44, you can share your security policies between different Central instances, by exporting and importing policies. Sharing policies helps you enforce the same standards for all your clusters. To share policies, you export them as JSON files, and then import them back into another Central instance.

Currently, you cannot export multiple security policies at once by using the RHACS portal. However, you can use the API for exporting multiple security policies. In the RHACS portal, go to Help → API reference to see the API reference.

Exporting a security policy

When you export a policy, it includes all the policy contents and also includes cluster scopes, cluster exclusions, and all configured notifications.

Procedure
  1. In the RHACS portal, go to Platform Configuration → Policy Management.

  2. From the Policies page, select the policy you want to edit.

  3. Select Actions → Export policy to JSON.

Importing a security policy

You can import a security policy from the System Policies view on the RHACS portal.

Procedure
  1. In the RHACS portal, go to Platform Configuration → Policy Management.

  2. Click Import policy.

  3. In the Import policy JSON dialog, click Upload and select the JSON file you want to upload.

  4. Click Begin import.

Each security policy in RHACS has a unique ID (UID) and a unique name. When you import a policy, RHACS handles the uploaded policy as follows:

  • If the imported policy UID and name do not match any existing policy, RHACS creates a new policy.

  • If the imported policy has the same UID as an existing policy, but a different name, you can either:

    • Keep both policies. RHACS saves the imported policy with a new UID.

    • Replace the existing policy with the imported policy.

  • If the imported policy has the same name as an existing policy, but a different UID, you can either:

    • Keep both policies by providing a new name for the imported policy.

    • Replace the existing policy with the imported policy.

  • If the imported policy has the same name and UID as an existing policy, RHACS checks whether the policy criteria match those of the existing policy. If the criteria match, RHACS keeps the existing policy and shows a success message. If they do not match, you can either:

    • Keep both policies by providing a new name for the imported policy.

    • Replace the existing policy with the imported policy.

  • If you import into the same Central instance, RHACS uses all the exported fields.

  • If you import into a different Central instance, RHACS omits certain fields, such as cluster scopes, cluster exclusions, and notifications. RHACS shows these omitted fields in a message. These fields vary for every installation, and you cannot migrate them from one Central instance to another.
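The matching rules above, replayed in code. The following Python is an added illustration, not RHACS code: reconcile_import applies the UID/name/criteria rules to one imported policy and reports either the outcome or the choice RHACS would present, and prepare_for_other_central drops the installation-specific fields before a policy is moved to a different Central instance. The policy dicts use the top-level keys of an exported policy JSON ("id", "name", "policySections", "scope", "exclusions", "notifiers"); treat those key names as an assumption and check them against a policy you exported yourself. The sample policies and UIDs are constructed placeholders.

```python
from typing import List, Optional

# Added illustration, not RHACS code. Key names of the policy JSON are an
# assumption to verify against your own export.

INSTALLATION_SPECIFIC_FIELDS = ("scope", "exclusions", "notifiers")


def same_criteria(a: dict, b: dict) -> bool:
    """Policy criteria live under policySections; compare them structurally."""
    return a.get("policySections", []) == b.get("policySections", [])


def reconcile_import(existing: List[dict], imported: dict) -> dict:
    """Decide what happens to an imported policy: create it, keep the existing
    one, or return the choices RHACS would ask the operator to make."""
    by_id = {p["id"]: p for p in existing}
    by_name = {p["name"]: p for p in existing}
    id_match: Optional[dict] = by_id.get(imported["id"])
    name_match: Optional[dict] = by_name.get(imported["name"])

    if id_match is None and name_match is None:
        return {"action": "create", "reason": "no existing policy has this UID or name"}

    if id_match is not None and name_match is not None and id_match is not name_match:
        # Two different existing policies are involved; the documented rules do
        # not cover this combination, so surface it instead of guessing.
        return {"action": "conflict",
                "reason": "UID and name match two different existing policies"}

    if id_match is not None and name_match is None:
        return {"action": "choose", "reason": "same UID, different name",
                "options": ["keep both (imported policy gets a new UID)",
                            "replace existing policy"]}

    if name_match is not None and id_match is None:
        return {"action": "choose", "reason": "same name, different UID",
                "options": ["keep both (rename the imported policy)",
                            "replace existing policy"]}

    # Same UID and same name: the criteria decide.
    if same_criteria(id_match, imported):
        return {"action": "keep_existing", "reason": "same UID, name and criteria"}
    return {"action": "choose", "reason": "same UID and name, different criteria",
            "options": ["keep both (rename the imported policy)",
                        "replace existing policy"]}


def prepare_for_other_central(policy: dict) -> dict:
    """Drop the fields RHACS omits when a policy crosses Central instances
    (cluster scopes, exclusions, notifications). The input is left untouched."""
    return {k: v for k, v in policy.items() if k not in INSTALLATION_SPECIFIC_FIELDS}


# Constructed sample data: UIDs and names are placeholders, not real RHACS values.
EXISTING_POLICIES = [
    {
        "id": "uid-0001",
        "name": "No privileged containers",
        "policySections": [{"policyGroups": [
            {"fieldName": "Privileged Container", "values": [{"value": "true"}]}]}],
        "scope": [{"cluster": "cluster-placeholder"}],
        "notifiers": ["notifier-placeholder"],
    },
]

if __name__ == "__main__":
    renamed = dict(EXISTING_POLICIES[0])
    renamed["name"] = "No privileged containers (copy)"
    print(reconcile_import(EXISTING_POLICIES, renamed))
    print(sorted(prepare_for_other_central(EXISTING_POLICIES[0])))
```

A practical use is a pre-import check in a script that promotes policies between Central instances: run reconcile_import against the target's exported policy list and stop on "conflict" or "choose" results before calling the import.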