Use the following commands and examples to create the cluster policy and runtime ruleset custom resources for your cluster-managed policies in Container Inventory.
Cluster-managed policies are not enabled by default. To enable this policy type, add the following to your overrides.yaml file:
cloudOne:
  policyOperator:
    enabled: true
    clusterPolicyName: <name of your policy custom resource>

Apply policy to cluster

For information on the rules, exceptions, and XDR enablement resources that you can apply to your cluster managed policy, see Custom resources for cluster-managed policies.
Use the following command to apply your policy to a cluster:
kubectl apply -f policy.yaml
Note
The cluster policy custom resource name must match the name specified in the values or the overrides.yaml file.
The following is an example of a cluster-managed policy file:
apiVersion: visionone.trendmicro.com/v1alpha1
kind: ClusterPolicy
metadata:
  name: trendmicro-cluster-policy
spec:
  xdrEnabled: true
  rules:
    # Pod properties
    - type: hostNetwork
      action: log
      mitigation: log
    - type: hostIPC
      action: log
      mitigation: log
    - type: hostPID
      action: log
      mitigation: log

    # Container properties
    - type: runAsNonRoot
      action: log
      mitigation: log
    - type: privileged
      action: log
      mitigation: log
    - type: allowPrivilegeEscalation
      action: log
      mitigation: log
    - type: readOnlyRootFilesystem
      action: log
      mitigation: log
    - type: containerCapabilities
      properties:
        capabilityRestriction: baseline
      action: log
      mitigation: log

    # Image properties
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry
      action: log
      mitigation: log
    - type: imageName
      properties:
        operator: startsWith
        values:
          - nginx
          - alpine
      action: log
      mitigation: log
    - type: imageTag
      properties:
        operator: notEquals
        values:
          - latest
      action: log
      mitigation: log
    - type: imagePath
      properties:
        operator: contains
        values:
          - example.com/org/repo
          - example.com/image
      action: log
      mitigation: log

    # Unscanned images
    - type: imagesNotScanned
      properties:
        scanType: vulnerability
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: malware
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: secret
        maxScanAge: 30
      action: log
      mitigation: log

    # Artifact Scanner Scan results
    - type: imagesWithMalware
      action: log
      mitigation: log
    - type: imagesWithSecrets
      action: log
      mitigation: log
    - type: imagesWithVulnerabilities
      properties:
        severity: critical
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackVector
      properties:
        attackVector: network
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackComplexity
      properties:
        attackComplexity: high
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAvailabilityImpact
      properties:
        availabilityImpact: low
        severity: high
      action: log
      mitigation: log

    # Kubectl Access
    - type: podExec
      action: log
      mitigation: log
    - type: podPortForward
      action: log
      mitigation: log

  # Exceptions
  exceptions:
    - type: imageName
      properties:
        operator: equals
        values:
          - sampleImage
      namespaces: # omit this field to apply the exception to all namespaces
        - sample-namespace
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry

Custom resource ruleset

The runtime ruleset definition has two fields, labels and rules.
labels: A key-value map of pod labels that selects the pods the rules apply to. Without labels, the rules are applied to all pods.
rules: An array of runtime rules. For each rule, define the following:
  • ruleID: The Trend Micro runtime ruleID.
  • mitigation: The mitigation applied if the rule is matched. Use log, isolate, or terminate.
For information on the rules, exceptions, and XDR enablement resources that you can apply to your custom resource ruleset, see Custom resources for cluster-managed policies.
Use the following command to apply the runtime ruleset:
kubectl apply -f ruleset.yaml
The following is an example of a runtime ruleset file:
apiVersion: visionone.trendmicro.com/v1alpha1
kind: RuntimeRuleset
metadata:
  name: trendmicro-ruleset-sample
spec:
  definition:
    labels:
      app: sample-app
    rules:
      - ruleID: TM-00000001
        mitigation: log
      - ruleID: TM-00000002
        mitigation: log
      - ruleID: TM-00000003
        mitigation: isolate
      - ruleID: TM-00000004
        mitigation: terminate
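Because the policy operator only picks up a ClusterPolicy whose name matches clusterPolicyName in overrides.yaml, and the runtime ruleset only accepts the mitigations log, isolate, and terminate, it helps to check both manifests before running kubectl apply. The following is an added example, not Trend Micro's code: a small pre-apply linter that takes the three documents as already-parsed dicts (what yaml.safe_load returns) and reports name mismatches, missing rule fields, duplicate rules, unknown operators, and invalid mitigations. The operator set and the TM-00000000 ruleID pattern are assumptions drawn from the examples on this page; the sample manifests are constructed to mirror them.

```python
"""Pre-apply checks for a ClusterPolicy / RuntimeRuleset pair (added example, not vendor code)."""
import re
from typing import Any, Dict, List

RUNTIME_MITIGATIONS = {"log", "isolate", "terminate"}          # stated on the page
KNOWN_OPERATORS = {"equals", "notEquals", "startsWith", "contains"}  # assumption: operators seen on the page
RULE_ID_RE = re.compile(r"^TM-\d{8}$")                         # assumption: shape of the sample ruleIDs


def policy_name_from_overrides(overrides: Dict[str, Any]) -> str:
    """Return cloudOne.policyOperator.clusterPolicyName ('' if the operator is not enabled)."""
    op = (overrides.get("cloudOne") or {}).get("policyOperator") or {}
    return op.get("clusterPolicyName", "") if op.get("enabled") else ""


def check_cluster_policy(policy: Dict[str, Any], expected_name: str) -> List[str]:
    """Return a list of findings; an empty list means the manifest passed every check."""
    findings: List[str] = []
    if policy.get("kind") != "ClusterPolicy":
        findings.append(f"kind is {policy.get('kind')!r}, expected 'ClusterPolicy'")
    name = (policy.get("metadata") or {}).get("name")
    if name != expected_name:
        findings.append(f"metadata.name {name!r} does not match clusterPolicyName {expected_name!r} in overrides.yaml")
    seen = set()
    for i, rule in enumerate((policy.get("spec") or {}).get("rules", [])):
        for key in ("type", "action", "mitigation"):
            if key not in rule:
                findings.append(f"rules[{i}] missing {key!r}")
        rtype = rule.get("type")
        props = rule.get("properties") or {}
        op = props.get("operator")
        # A misspelled operator would not match what the author intended; flag it before apply.
        if op is not None and op not in KNOWN_OPERATORS:
            findings.append(f"rules[{i}] ({rtype}) unknown operator {op!r}")
        # Two rules with the same type and properties are redundant; report the second one.
        sig = (rtype, tuple(sorted((k, str(v)) for k, v in props.items())))
        if sig in seen:
            findings.append(f"rules[{i}] duplicates an earlier {rtype!r} rule")
        seen.add(sig)
    return findings


def check_runtime_ruleset(ruleset: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    if ruleset.get("kind") != "RuntimeRuleset":
        findings.append(f"kind is {ruleset.get('kind')!r}, expected 'RuntimeRuleset'")
    definition = (ruleset.get("spec") or {}).get("definition") or {}
    if not definition.get("labels"):
        # Not an error, but worth surfacing: without labels the rules apply to every pod.
        findings.append("no labels set: rules will apply to all pods")
    for i, rule in enumerate(definition.get("rules", [])):
        rid = rule.get("ruleID", "")
        if not RULE_ID_RE.match(str(rid)):
            findings.append(f"rules[{i}] ruleID {rid!r} does not look like TM-00000000")
        mit = rule.get("mitigation")
        if mit not in RUNTIME_MITIGATIONS:
            findings.append(f"rules[{i}] mitigation {mit!r} not in {sorted(RUNTIME_MITIGATIONS)}")
    return findings


# Constructed samples mirroring the page's manifests.
SAMPLE_OVERRIDES = {"cloudOne": {"policyOperator": {"enabled": True, "clusterPolicyName": "trendmicro-cluster-policy"}}}
GOOD_POLICY = {
    "apiVersion": "visionone.trendmicro.com/v1alpha1", "kind": "ClusterPolicy",
    "metadata": {"name": "trendmicro-cluster-policy"},
    "spec": {"xdrEnabled": True, "rules": [
        {"type": "hostNetwork", "action": "log", "mitigation": "log"},
        {"type": "privileged", "action": "log", "mitigation": "log"},
        {"type": "imageTag", "properties": {"operator": "notEquals", "values": ["latest"]},
         "action": "log", "mitigation": "log"},
    ]},
}
BAD_POLICY = {  # wrong name, duplicated rule, misspelled operator, missing mitigation
    "kind": "ClusterPolicy", "metadata": {"name": "my-policy"},
    "spec": {"rules": [
        {"type": "privileged", "action": "log", "mitigation": "log"},
        {"type": "privileged", "action": "log", "mitigation": "log"},
        {"type": "imageName", "properties": {"operator": "startswith", "values": ["nginx"]}, "action": "log"},
    ]},
}
GOOD_RULESET = {
    "apiVersion": "visionone.trendmicro.com/v1alpha1", "kind": "RuntimeRuleset",
    "metadata": {"name": "trendmicro-ruleset-sample"},
    "spec": {"definition": {"labels": {"app": "sample-app"}, "rules": [
        {"ruleID": "TM-00000001", "mitigation": "log"},
        {"ruleID": "TM-00000003", "mitigation": "isolate"},
        {"ruleID": "TM-00000004", "mitigation": "terminate"},
    ]}},
}
BAD_RULESET = {"kind": "RuntimeRuleset", "spec": {"definition": {"rules": [{"ruleID": "TM-1", "mitigation": "block"}]}}}

if __name__ == "__main__":
    expected = policy_name_from_overrides(SAMPLE_OVERRIDES)
    for label, result in (("good policy", check_cluster_policy(GOOD_POLICY, expected)),
                          ("bad policy", check_cluster_policy(BAD_POLICY, expected)),
                          ("good ruleset", check_runtime_ruleset(GOOD_RULESET)),
                          ("bad ruleset", check_runtime_ruleset(BAD_RULESET))):
        print(label, "->", result or "OK")
```

In practice you would replace the inline dicts with yaml.safe_load of overrides.yaml, policy.yaml, and ruleset.yaml and run the script before kubectl apply; a non-empty result for the policy is a reason to stop, while the "applies to all pods" finding for a ruleset is a prompt to confirm that is intended.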