Create a Kubernetes Runtime Policy

To create a Kubernetes runtime policy, perform the following procedure.

Prerequisites

All prerequisites are optional.

Read Runtime Policies Concepts and Terminology.
Create a Kubernetes scope to link to the Kubernetes runtime policy. To create a Kubernetes scope, see Kubernetes Scopes. If you do not create the scope in advance, you can do so when you create the Kubernetes runtime policy.

Procedure

On the left navigation pane, click Enforce > K8s Policies.
Click the Runtime Policies tab.
Click Add Policy.
On the Define Policy page, name the policy, select the scope from the list of available scopes, and click Next.

Note: If you have not configured a scope for use with this policy, click Add Scope. For detailed instructions, see Add a Kubernetes Applications Scope to Kubernetes Resources.
On the Add Rules page, select the rules to include in the policy.
You can add rules from the Basic, Moderate, and Strict templates. For more information about these templates, see Kubernetes Policy Templates.

Important: Carbon Black recommends that you start with the rules from the Basic template to provide alerts for issues that have the highest severity.

For example, to add all rules from the Basic template:
1. Select the Basic rule template on the left.
2. Select the type of alerting action (Monitor or Alert) at the top right. Alert is the default action.
3. Click Add all 5 rules at the top right.
You can add individual rules from templates instead of adding rules in bulk. To do so, click the arrow icon at the right of the rule.

After you have added rules, they display in the right pane of the page. From here, you can remove individual rules or all rules.

Note: You can create your own templates. See Create a Kubernetes Policy Template.
Click Next.
Review the policy settings. Set the learning period for the scope baseline. The default value is 7 days. To see the progress of the scope baseline during the learning period, see View a Kubernetes Scope Baseline for a Runtime Policy.
- Click Enable Policy to create and activate the policy.
- Click Save as Draft to save the policy in a draft state. In this case, Carbon Black Cloud saves the policy as Disabled. You can edit and enable the policy. See Edit a Kubernetes Runtime Policy and Enable a Kubernetes Runtime Policy Draft.

What to do next

After you configure your Kubernetes runtime policies and after the learning period ends, the behavioral baseline is established, and protection is active. All alerts that are caused by violations of the runtime policies display on the Alerts page. See Triaging Kubernetes Alerts.