Container Protection policies for Kubernetes clusters contain deployment, continuous, and runtime rules that you can apply to entire clusters and that you can apply directly to namespaces within clusters.

Important
Policy configuration for Amazon ECS clusters differs greatly from a Kubernetes environment. To properly configure Amazon ECS protection policies, see Managing Amazon ECS policies.

Procedure

  1. Go to Cloud Security > Container Security > Container Protection.
  2. Click the Policies tab.
  3. Create, duplicate, or modify a policy.
    • To create a new policy, click New.
    • To duplicate an existing policy:
      1. Click to select the base policy from the policy list.
      2. Click Duplicate.
        Container Protection creates a copy of the existing policy and appends "Policy" to the policy name.
    • To modify an existing policy, click the policy in the policy list.
  4. For new and duplicated policies, specify a unique policy name.
    Note
    • Policy names must not contain spaces and only support alphanumeric characters, underscores (_), and periods (.).
    • You cannot modify the policy name after creating the policy.
  5. If you want to provide more details about the purpose for the policy, use the Description field.
    The description appears under the policy name in the policy list.
  6. To receive ASRM Risk Insights and Workbench alerts, and to use the Search app to investigate security threats throughout your network environment, turn on XDR Telemetry.
    Trend Vision One can correlate and assess XDR telemetry data across all configured data sources to provide insights into your network's security and risk posture.
  7. Define the cluster-wide rules. Click the Deployment tab for rules that are evaluated before an image is deployed, and click the Continuous tab for rules that are evaluated periodically while the cluster is running.
    1. Select the rules that you want applied to the cluster.
    2. Select the action (Log or Block) to apply when a rule is triggered.
    3. If the rule provides additional parameters, define the values to check.
      Some rules allow you to define different actions depending on the parameter values. Click the add symbol (+) next to the rule to define more actions.
      For the Container properties rule "[action] containers with capabilities that do not conform with a [predefined] policy", the predefined policies are:
      • restrict-nondefaults: Allows only capabilities that belong to the default Docker capability set.
        For more information about the default Docker capabilities, visit the Docker website at: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
      • baseline: Allows the default capabilities except NET_RAW.
        Note
        NET_RAW is a default capability that allows the use of RAW and PACKET sockets. With this capability, a malicious user may forge packets, execute MITM attacks, and perform other network exploits. This privilege is typically only needed for specific networking tasks, so dropping it should not affect the majority of applications.
      • restricted: Allows only the NET_BIND_SERVICE capability.
        Note
        NET_BIND_SERVICE is a default capability that allows binding to privileged Internet domain ports (port numbers less than 1024). It is often used by web servers and for giving non-root users access to these ports.
      • restrict-all: Allows no capabilities.
      Note
      • The CIS Kubernetes Benchmark advises not adding any new capabilities and dropping, at the very least, the NET_RAW capability.
      • Trend Micro recommends considering the needs of each container and applying a capability policy in line with the principle of least privilege.
        For more information on capability policies and pod security best practices, see the pod security standards at: https://kubernetes.io/docs/concepts/security/pod-security-standards/
    4. Configure scan exceptions as required.
      Note
      An exception is automatically added to allow trusted images used by Container Security.
  8. Define the cluster-wide rules that apply while a pod is running by clicking the Runtime tab.
    The runtime policy consists of the rulesets you create on the Rulesets tab.
    1. Click Add Ruleset.
    2. Select the checkbox of the ruleset you want to apply to the policy.
    3. Click Submit.
  9. If you need to configure special policies for specific namespaces within a cluster, click the add symbol (+) next to the Cluster-wide Policy Definition header to define a NamespacedPolicyDefinition.
    1. Specify a name for the namespace-specific policy settings.
    2. Click Add.
    3. Specify the namespace within the cluster on which you want the policy to apply and press ENTER.
      Click Add again to specify multiple namespaces.
    4. Configure the Deployment and Continuous settings for the policy.
      Note
      Runtime rulesets cannot be scoped to a namespace. The runtime rules defined in the cluster-wide policy apply to every namespace in the cluster.
    5. Define additional namespace policies by clicking the add symbol (+) next to the NamespacedPolicyDefinition headers.
  10. Click Create or Save.
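The following is an added example, not Trend Micro's code or the product's data model. It shows how the four predefined capability policies described in step 7 can be evaluated against a pod's container specs, and how a NamespacedPolicyDefinition (step 9) takes precedence over the cluster-wide definition for the namespaces it lists. The policy dictionary layout (cluster_wide, namespaced, capabilities_rule), the sample policy and the sample pod are all constructed for this example; the default capability list comes from the Docker reference page linked above.

```python
"""Added example (not Trend Micro's code): evaluate a pod's containers against
the predefined capability policies described above, honouring a namespaced
policy definition over the cluster-wide one. The policy dict layout
(cluster_wide / namespaced / capabilities_rule) is an assumption made for this
example, not the product's data model."""

# Capabilities a container receives by default (from the Docker reference page
# linked above): 14 capabilities. "ALL" is not a capability; it is a Kubernetes
# shorthand for "every capability the runtime supports".
DOCKER_DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})

# Allowed sets for the four predefined policies, as described on this page.
PREDEFINED_POLICIES = {
    "restrict-nondefaults": DOCKER_DEFAULT_CAPS,
    "baseline": DOCKER_DEFAULT_CAPS - {"NET_RAW"},
    "restricted": frozenset({"NET_BIND_SERVICE"}),
    "restrict-all": frozenset(),
}


def normalize(cap):
    """Kubernetes accepts both 'NET_RAW' and 'CAP_NET_RAW'; compare one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def effective_capabilities(container):
    """Return the capability set a container will actually run with.

    The runtime starts from the default set, removes securityContext.capabilities.drop,
    then applies .add (so 'drop: [ALL]' + 'add: [NET_BIND_SERVICE]' works as
    expected). A privileged container, or 'add: [ALL]', gets every capability;
    that is represented here by the marker {"ALL"}.
    """
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    add = {normalize(c) for c in caps.get("add") or []}
    drop = {normalize(c) for c in caps.get("drop") or []}
    if sc.get("privileged") or "ALL" in add:
        return {"ALL"}
    effective = set() if "ALL" in drop else set(DOCKER_DEFAULT_CAPS)
    effective -= drop
    effective |= add
    return effective


def check_container(container, policy_name):
    """Capabilities the container holds that the policy does not allow (sorted).
    An empty list means the container conforms; ["ALL"] means it holds every
    capability and can never conform."""
    allowed = PREDEFINED_POLICIES[policy_name]
    return sorted(effective_capabilities(container) - allowed)


def select_definition(policy, namespace):
    """A NamespacedPolicyDefinition listing the namespace overrides the
    cluster-wide definition; otherwise the cluster-wide definition applies."""
    for nsdef in policy.get("namespaced", []):
        if namespace in nsdef["namespaces"]:
            return nsdef
    return policy["cluster_wide"]


def evaluate_pod(pod, policy):
    """Return (container name, action, violations) for each non-conforming
    container, using the capability rule of the applicable definition."""
    namespace = pod["metadata"].get("namespace", "default")
    rule = select_definition(policy, namespace)["capabilities_rule"]
    findings = []
    for container in pod["spec"].get("containers", []):
        violations = check_container(container, rule["policy"])
        if violations:
            findings.append((container["name"], rule["action"], violations))
    return findings


# Constructed sample policy: Log under baseline cluster-wide, Block under
# restricted in the "payments" namespace.
SAMPLE_POLICY = {
    "cluster_wide": {"capabilities_rule": {"policy": "baseline", "action": "Log"}},
    "namespaced": [
        {"name": "payments-strict", "namespaces": ["payments"],
         "capabilities_rule": {"policy": "restricted", "action": "Block"}},
    ],
}

# Constructed sample pod: "api" follows the drop-ALL/add-NET_BIND_SERVICE
# pattern; "sidecar" drops everything but re-adds NET_RAW.
SAMPLE_POD = {
    "metadata": {"name": "checkout", "namespace": "payments"},
    "spec": {"containers": [
        {"name": "api", "securityContext": {"capabilities": {
            "drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
        {"name": "sidecar", "securityContext": {"capabilities": {
            "drop": ["ALL"], "add": ["CAP_NET_RAW"]}}},
    ]},
}

if __name__ == "__main__":
    for name, action, violations in evaluate_pod(SAMPLE_POD, SAMPLE_POLICY):
        print(f"{action}: container {name} holds disallowed capabilities {violations}")
```

Note that a container with no securityContext at all already fails the baseline policy, because it keeps NET_RAW by default; the usual fix is the drop-ALL-then-add pattern shown for the "api" container. Privileged containers are reported as holding "ALL" because no predefined policy can allow them.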