Using Red Hat Advanced Cluster Security for Kubernetes you can view policy violations, drill down to the actual cause of the violation, and take corrective actions.

Red Hat Advanced Cluster Security for Kubernetes built-in policies identify a variety of security findings, including vulnerabilities (CVEs), violations of DevOps best practices, high-risk build and deployment practices, and suspicious runtime behaviors. Whether you use the default out-of-box security policies or use your own custom policies, Red Hat Advanced Cluster Security for Kubernetes reports a violation when an enabled policy fails.

Violations view

You can analyze all violations in the Violations view and take corrective action.

To see discovered violations, select Violations from the left-hand navigation menu on the RHACS portal.

The Violations view shows a list of violations with the following attributes for each row:

  • Deployment: The name of the deployment.

  • Cluster: The name of the cluster.

  • Namespace: The namespace for the deployment.

  • Policy: The name of the violated policy.

  • Enforced: Indicates if the policy was enforced when the violation occurred.

  • Severity: Indicates the severity as Low, Medium, High, or Critical.

  • Categories: The policy categories.

  • Lifecycle: The lifecycle stages to which the policy applies, Build, Deploy, or Runtime.

  • Time: The date and time when the violation occurred.

Similar to other views:

  • You can select a column heading to sort the violations in ascending or descending order.

  • Use the filter bar to filter violations. See the Searching and filtering section for more information.

  • Select a violation in the Violations view to see more details about the violation.

Viewing violation details

When you select a violation in the Violations view, the Violation Details panel opens on the right.

The Violation Details panel shows detailed information grouped by multiple tabs.

Violation tab

The Violation tab of the Violation Details panel explains how the policy was violated. If the policy targets deploy-phase attributes, you can view the specific values that violated the policies, such as violation names. If the policy targets runtime activity, you can view detailed information about the process that violated the policy, including its arguments and the ancestor processes that created it.

Using comments and tags

You can use tags and comments to specify what is happening with violations to keep your team up to date. Comments allow you to add text notes to violations and tags allow you to categorize your violations.

Adding comments

Comments allow you to add text notes to violations, so that everyone in the team can check what is happening with a violation.

Prerequisites
  • To add and remove comments, you need a role with write permission for the resource you are modifying. For example, to add comments on violations, your role must have write permission for the Alert resource.

  • To delete comments from other users, you need a role with write permission for the AllComments resource.

    You can edit and delete your own comments.

Procedure
  1. Click New in the Violations Comments section header.

  2. Enter your comment in the comment editor. You can also add links in the comment editor. When someone clicks on the link in a comment, the linked resource opens in a new tab in their browser.

  3. Click Save.

All comments are visible under the Violations Comments section, and you can edit and delete comments by selecting the Edit or Delete icon for a specific comment.

Adding tags

You can use custom tags to categorize your violations. Then you can filter the Violations view to show violations for selected tags (Tag attribute).

Prerequisites
  • To add and remove tags, you need a role with write permission for the resource you are modifying. For example, to add tags on violations, your role must have write permission for the Alert resource.

  • To delete tags from other users, you need a role with write permission for the AllComments resource.

    You can edit and delete your own tags.

Procedure
  1. Select the drop-down menu in the Violation Tags section. Existing tags appear as a list (up to 10).

  2. Click on an existing tag or enter a new tag and then press Enter. As you enter your query, Red Hat Advanced Cluster Security for Kubernetes automatically displays relevant suggestions for the existing tags that match.

You can add more than one tag for a violation. All tags are visible under the Violation Tags section and you can remove tags by clicking on the Remove icon for a specific tag.

Enforcement tab

The Enforcement tab of the Details panel displays an explanation of the type of enforcement action that was taken in response to the selected policy violation.

Deployment tab

The Deployment tab of the Details panel displays details of the deployment to which the violation applies.

Overview section

The overview section lists the following information:

  • Deployment ID: The alphanumeric identifier for the deployment.

  • Updated: The time and date when the deployment was updated.

  • Cluster: The name of the cluster where the container is deployed.

  • Namespace: The unique identifier for the deployed cluster.

  • Deployment Type: The type of the deployment.

  • Replicas: The number of replicas for the deployment.

  • Labels: The labels that apply to the selected deployment.

  • Annotations: The annotations that apply to the selected deployment.

  • Service Account: The name of the service account for the selected deployment.

Container Configuration section

The container configuration section lists the following information:

  • Image Name: The name of the image for the selected deployment.

  • Resources:

    • CPU Request (cores): The number of cores requested by the container.

    • Memory Request (MB): The memory size requested by the container.

  • Volumes:

    • Name: The name of the location where the service will be mounted.

    • Source: The data source path.

    • Destination: The path where the data is stored.

    • Type: The type of the volume.

  • Secrets: Secrets associated with the selected deployment.

Security Context section

Lists whether the container is running as a privileged container.

  • Privileged:

    • true if it is privileged.

    • false if it is not privileged.
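As an added example that is not part of this documentation or of RHACS itself, the following Python evaluates the deploy-phase attributes described above (the Privileged flag, CPU and memory requests, and the service account) against a constructed Deployment manifest and returns the specific offending values, which is the kind of detail the Violation tab surfaces for deploy-phase policies. The policy names and severities in it are illustrative and the manifest is constructed.

```python
# Added example, not RHACS code: deploy-phase checks over a Kubernetes
# Deployment manifest. Each check mirrors a field the Deployment tab lists
# (Security Context, Resources, Service Account) and returns the specific
# offending value. Policy names and severities are illustrative only.

# Constructed sample manifest; not taken from any real cluster.
SAMPLE_DEPLOYMENT = {
    "metadata": {"name": "payments-api", "namespace": "prod"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "default",
        "containers": [{
            "name": "api",
            "image": "registry.example.com/payments:1.4.2",
            "securityContext": {"privileged": True},
            "resources": {"requests": {"cpu": "250m"}},  # no memory request
        }],
    }}},
}

def containers(manifest):
    """Pod-template containers of a Deployment-style manifest."""
    return manifest["spec"]["template"]["spec"].get("containers", [])

def privileged_containers(manifest):
    """Names of containers whose securityContext.privileged is true."""
    return [c["name"] for c in containers(manifest)
            if c.get("securityContext", {}).get("privileged") is True]

def missing_requests(manifest):
    """(container, resource) pairs that lack a CPU or memory request."""
    missing = []
    for c in containers(manifest):
        requests = c.get("resources", {}).get("requests", {})
        missing += [(c["name"], r) for r in ("cpu", "memory") if r not in requests]
    return missing

def uses_default_service_account(manifest):
    """True when the pod falls back to the namespace's default service account."""
    sa = manifest["spec"]["template"]["spec"].get("serviceAccountName", "default")
    return sa == "default"

def evaluate(manifest):
    """Violations as (policy, severity, lifecycle, offending value) rows."""
    rows = []
    for name in privileged_containers(manifest):
        rows.append(("Privileged Container", "High", "Deploy", f"{name}: Privileged=true"))
    for name, res in missing_requests(manifest):
        rows.append(("Missing Resource Request", "Low", "Deploy", f"{name}: {res} request unset"))
    if uses_default_service_account(manifest):
        rows.append(("Default Service Account", "Medium", "Deploy", "Service Account=default"))
    return rows
```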

Policy tab

The Policy tab of the Details panel displays details of the policy that caused the violation.

Policy Details section

The policy details section lists the following information:

  • Id: The numerical identifier for the policy.

  • Name: The name of the policy.

  • Description: A detailed explanation of what the policy alert is about.

  • Rationale: Information about the reasoning behind the establishment of the policy and why it matters.

  • Remediation: Suggestions on how to fix the violation.

  • Enabled: Indicates if the policy is enabled.

  • Categories: The policy category of the policy.

  • Lifecycle Stage: Lifecycle stages that the policy belongs to, Build, Deploy, or Runtime.

  • Severity: The risk level for the violation.

Policy Criteria section

Lists the policy criteria for the policy.