Use the following commands and examples to create the cluster policy and runtime ruleset
custom resources for your cluster-managed policies in Container Security.
Cluster-managed policies are not enabled by default. To enable this policy type, add
the following to your overrides.yaml file:

visionOne:
  policyOperator:
    enabled: true
    clusterPolicyName: <name of your policy custom resource>
Apply policy to cluster
For information on the rules, exceptions, and XDR enablement resources that you can
apply to your cluster-managed policy, see Custom resources for cluster-managed policies.
Use the following command to apply your policy to a cluster:

kubectl apply -f policy.yaml

Note: Your file does not have to be named policy.yaml.
Note: The cluster policy custom resource name (metadata.name) must match the
clusterPolicyName specified in your values file or your overrides.yaml file.
The following is an example of a cluster-managed policy file:

apiVersion: container-security.trendmicro.com/v1alpha1
kind: ClusterPolicy
metadata:
  name: trendmicro-cluster-policy
spec:
  xdrEnabled: true
  rules:
    # Pod properties
    - type: hostNetwork
      action: log
      mitigation: log
    - type: hostIPC
      action: log
      mitigation: log
    - type: hostPID
      action: log
      mitigation: log
    # Container properties
    - type: runAsNonRoot
      action: log
      mitigation: log
    - type: privileged
      action: log
      mitigation: log
    - type: allowPrivilegeEscalation
      action: log
      mitigation: log
    - type: readOnlyRootFilesystem
      action: log
      mitigation: log
    - type: containerCapabilities
      properties:
        capabilityRestriction: baseline
      action: log
      mitigation: log
    # Image properties
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry
      action: log
      mitigation: log
    - type: imageName
      properties:
        operator: startsWith
        values:
          - nginx
          - alpine
      action: log
      mitigation: log
    - type: imageTag
      properties:
        operator: notEquals
        values:
          - latest
      action: log
      mitigation: log
    - type: imagePath
      properties:
        operator: contains
        values:
          - example.com/org/repo
          - example.com/image
      action: log
      mitigation: log
    # Unscanned images
    - type: imagesNotScanned
      properties:
        scanType: vulnerability
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: malware
        maxScanAge: 30
      action: log
      mitigation: log
    - type: imagesNotScanned
      properties:
        scanType: secret
        maxScanAge: 30
      action: log
      mitigation: log
    # Artifact Scanner scan results
    - type: imagesWithMalware
      action: log
      mitigation: log
    - type: imagesWithSecrets
      action: log
      mitigation: log
    - type: imagesWithVulnerabilities
      properties:
        severity: critical
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackVector
      properties:
        attackVector: network
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAttackComplexity
      properties:
        attackComplexity: high
        severity: high
      action: log
      mitigation: log
    - type: imagesWithCVSSAvailabilityImpact
      properties:
        availabilityImpact: low
        severity: high
      action: log
      mitigation: log
    # Kubectl access
    - type: podExec
      action: log
      mitigation: log
    - type: podPortForward
      action: log
      mitigation: log
  # Exceptions
  exceptions:
    - type: imageName
      properties:
        operator: equals
        values:
          - sampleImage
      namespaces: # omit this field to apply the exception to all namespaces
        - sample-namespace
    - type: imageRegistry
      properties:
        operator: equals
        values:
          - 198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry
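The two things most often wrong with a cluster policy are a metadata.name that does not match clusterPolicyName in the overrides file, and rule or exception definitions whose operators do not select the images the author expected. The added example below (not Trend Micro's code) checks the name requirement from the note above, flags rules that are listed twice, and evaluates the image rules and exceptions of the policy against sample image references. It works on the parsed form of the YAML (what yaml.safe_load returns) so it needs no extra packages. The way an image reference is split into registry, path, name and tag, the any-value / all-values handling of the operators, and the assumption that a matching exception exempts the image from all image rules are this example's own modelling, not documented product behaviour.

```python
import json

# Constructed input: the parsed form of the overrides.yaml fragment and a
# trimmed copy of the ClusterPolicy shown on this page (one rule duplicated
# on purpose so the duplicate check has something to find).
OVERRIDES = {
    "visionOne": {
        "policyOperator": {
            "enabled": True,
            "clusterPolicyName": "trendmicro-cluster-policy",
        }
    }
}

POLICY = {
    "apiVersion": "container-security.trendmicro.com/v1alpha1",
    "kind": "ClusterPolicy",
    "metadata": {"name": "trendmicro-cluster-policy"},
    "spec": {
        "xdrEnabled": True,
        "rules": [
            {"type": "privileged", "action": "log", "mitigation": "log"},
            {"type": "privileged", "action": "log", "mitigation": "log"},
            {"type": "imageRegistry", "action": "log", "mitigation": "log",
             "properties": {"operator": "equals", "values": [
                 "198890578717.dkr.ecr.us-east-1.amazonaws.com/sample-registry"]}},
            {"type": "imageName", "action": "log", "mitigation": "log",
             "properties": {"operator": "startsWith", "values": ["nginx", "alpine"]}},
            {"type": "imageTag", "action": "log", "mitigation": "log",
             "properties": {"operator": "notEquals", "values": ["latest"]}},
            {"type": "imagePath", "action": "log", "mitigation": "log",
             "properties": {"operator": "contains",
                            "values": ["example.com/org/repo", "example.com/image"]}},
        ],
        "exceptions": [
            {"type": "imageName", "namespaces": ["sample-namespace"],
             "properties": {"operator": "equals", "values": ["sampleImage"]}},
        ],
    },
}


def policy_name_matches(overrides, policy):
    """The operator must be enabled and clusterPolicyName must equal the
    ClusterPolicy's metadata.name, as the note on this page requires."""
    op = overrides.get("visionOne", {}).get("policyOperator", {})
    return op.get("enabled") is True and op.get("clusterPolicyName") == policy["metadata"]["name"]


def duplicate_rules(policy):
    """Types of rules that appear more than once with identical content."""
    seen, dupes = set(), []
    for rule in policy["spec"]["rules"]:
        key = json.dumps(rule, sort_keys=True)
        if key in seen:
            dupes.append(rule["type"])
        seen.add(key)
    return dupes


def split_image(ref):
    """Assumed decomposition of an image reference into the four fields the
    image rules name. 'registry' is everything before the last '/', which is
    how the page's imageRegistry value (host plus repository prefix) reads."""
    head, _, last = ref.rpartition("/")
    name, _, tag = last.partition(":")
    return {
        "imageRegistry": head,
        "imagePath": f"{head}/{name}" if head else name,
        "imageName": name,
        "imageTag": tag or "latest",
    }


OPERATORS = {
    "equals": lambda field, value: field == value,
    "notEquals": lambda field, value: field != value,
    "startsWith": lambda field, value: field.startswith(value),
    "contains": lambda field, value: value in field,
}


def rule_matches(rule, fields):
    """A rule with several values matches if any value matches; for notEquals
    the field must differ from every listed value (assumption)."""
    props = rule["properties"]
    test = OPERATORS[props["operator"]]
    hits = [test(fields[rule["type"]], v) for v in props["values"]]
    return all(hits) if props["operator"] == "notEquals" else any(hits)


def evaluate_image(policy, image_ref, namespace):
    """(type, mitigation) for every image rule the reference trips. A matching
    exception exempts the image entirely (assumption); an exception without
    'namespaces' applies in every namespace, as the example's comment says."""
    fields = split_image(image_ref)
    spec = policy["spec"]
    for exc in spec.get("exceptions", []):
        in_scope = "namespaces" not in exc or namespace in exc["namespaces"]
        if exc["type"] in fields and in_scope and rule_matches(exc, fields):
            return []
    return [(r["type"], r["mitigation"]) for r in spec["rules"]
            if r["type"] in fields and rule_matches(r, fields)]


if __name__ == "__main__":
    print("name matches:", policy_name_matches(OVERRIDES, POLICY))
    print("duplicate rules:", duplicate_rules(POLICY))
    for ref, ns in [("nginx:latest", "default"), ("example.com/image/app:1.0", "prod"),
                    ("sampleImage:2.0", "sample-namespace"), ("sampleImage:2.0", "other")]:
        print(ref, ns, "->", evaluate_image(POLICY, ref, ns))
```

Running the script shows that nginx:latest trips only the imageName rule (the notEquals tag rule is silent because the tag is exactly latest), that an image under example.com/image trips both imagePath and imageTag, and that sampleImage is exempt in sample-namespace but still caught by the tag rule elsewhere. To lint a real file, replace the two dict literals with yaml.safe_load of overrides.yaml and policy.yaml.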
Custom resource ruleset
The Runtime Ruleset defines the rules for runtime security. These Falco rules are
managed by TrendAI™ and referenced by their ruleID. The RuntimeRuleset spec contains
the runtime definition with two fields: labels and rules.
- labels: An array of pod labels; the rules are applied to the pods selected by these
  labels. Without labels, the rules are applied to all pods.
  - key: Label key.
  - value: Label value.
- rules: An array of rule IDs and the mitigation to apply when the rule is triggered.
  - ruleID: The TrendAI™ runtime ruleID in the form TM-{8 digit id} (example:
    TM-00000001). View the list of available, predefined rules.
  - mitigation: The action taken when a rule is matched. Use log, isolate, or terminate.
Use the following command to apply the runtime ruleset:

kubectl apply -f runtimeruleset.yaml

Note: Your file does not have to be named runtimeruleset.yaml.
The following is an example of a runtime ruleset file:
apiVersion: container-security.trendmicro.com/v1alpha1
kind: RuntimeRuleset
metadata:
  labels:
    app.kubernetes.io/name: init
    app.kubernetes.io/managed-by: kustomize
  name: trendmicro-ruleset-sample
spec:
  definition:
    labels:
      - key: "app"
        value: "nginx"
    rules:
      - ruleID: TM-00000001
        mitigation: log
      - ruleID: TM-00000002
        mitigation: log
      - ruleID: TM-00000003
        mitigation: isolate
      - ruleID: TM-00000004
        mitigation: terminate
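A ruleset that is accepted by the API server can still be ineffective if a ruleID is malformed, a mitigation is misspelled, or the label selector never matches the pods you meant. The added example below (not Trend Micro's code) validates a RuntimeRuleset against the field descriptions above, then shows which mitigation a given rule would receive on a given pod. It works on the parsed form of the YAML. The ruleID pattern and the three mitigation values come from this page; treating the label list as an AND of key/value pairs is this example's assumption.

```python
import re

RULE_ID = re.compile(r"^TM-\d{8}$")            # TM-{8 digit id}, per the page
MITIGATIONS = {"log", "isolate", "terminate"}   # the three values the page allows

# Constructed input: the parsed form of the RuntimeRuleset example on this page.
RULESET = {
    "apiVersion": "container-security.trendmicro.com/v1alpha1",
    "kind": "RuntimeRuleset",
    "metadata": {"name": "trendmicro-ruleset-sample"},
    "spec": {"definition": {
        "labels": [{"key": "app", "value": "nginx"}],
        "rules": [
            {"ruleID": "TM-00000001", "mitigation": "log"},
            {"ruleID": "TM-00000002", "mitigation": "log"},
            {"ruleID": "TM-00000003", "mitigation": "isolate"},
            {"ruleID": "TM-00000004", "mitigation": "terminate"},
        ],
    }},
}

# Constructed: a ruleset with a short ruleID and an unsupported mitigation.
BAD_RULESET = {
    "kind": "RuntimeRuleset",
    "spec": {"definition": {
        "labels": [],
        "rules": [{"ruleID": "TM-1", "mitigation": "block"}],
    }},
}


def validate_ruleset(ruleset):
    """Return a list of problems; an empty list means the ruleset is well-formed."""
    problems = []
    if ruleset.get("kind") != "RuntimeRuleset":
        problems.append(f"kind must be RuntimeRuleset, got {ruleset.get('kind')!r}")
    definition = ruleset.get("spec", {}).get("definition", {})
    for label in definition.get("labels", []):
        if set(label) != {"key", "value"}:
            problems.append(f"label entry needs exactly key and value: {label}")
    seen = set()
    for i, rule in enumerate(definition.get("rules", [])):
        rule_id = rule.get("ruleID", "")
        if not RULE_ID.fullmatch(rule_id):
            problems.append(f"rule {i}: ruleID {rule_id!r} is not of the form TM-<8 digits>")
        if rule_id in seen:
            problems.append(f"rule {i}: duplicate ruleID {rule_id}")
        seen.add(rule_id)
        if rule.get("mitigation") not in MITIGATIONS:
            problems.append(f"rule {i}: mitigation {rule.get('mitigation')!r} "
                            f"must be one of {sorted(MITIGATIONS)}")
    return problems


def selects_pod(ruleset, pod_labels):
    """Label selection as the page describes it: every listed key/value pair
    must be present on the pod (assumed AND semantics); an empty list selects
    all pods."""
    labels = ruleset["spec"]["definition"].get("labels", [])
    return all(pod_labels.get(label["key"]) == label["value"] for label in labels)


def mitigation_for(ruleset, pod_labels, rule_id):
    """The mitigation a triggered rule would receive on this pod, or None when
    the ruleset does not select the pod or does not list the rule."""
    if not selects_pod(ruleset, pod_labels):
        return None
    for rule in ruleset["spec"]["definition"]["rules"]:
        if rule["ruleID"] == rule_id:
            return rule["mitigation"]
    return None


if __name__ == "__main__":
    print("valid:", validate_ruleset(RULESET))
    print("invalid:", validate_ruleset(BAD_RULESET))
    print(mitigation_for(RULESET, {"app": "nginx", "tier": "web"}, "TM-00000004"))
    print(mitigation_for(RULESET, {"app": "apache"}, "TM-00000004"))
```

The pod with app=nginx receives terminate for TM-00000004 while the app=apache pod is not selected at all, which is the behaviour to confirm before promoting a mitigation from log to isolate or terminate.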
