You can enforce the values of selected resource properties to temporarily remediate an issue. When you set an Enforce action on a rule, the matching field is rewritten to the enforced value when the workload is admitted, and a violation alert is still raised so that the mutation stays visible. If a workload still violates a rule after the mutation is applied, it is blocked from deployment. Treat enforcement as a stopgap: the manifest in your source repository still carries the violating value, so fix the source as well.
Note: In this context, mutation means that a policy rewrites a Kubernetes resource to meet the rule's criteria. For example, the Allow privilege escalation rule sets `allowPrivilegeEscalation` to `false` on every container.
The rules that accept an Enforce action, the resource fields they rewrite, and the value written are listed in the following table. `spec.containers[*]` means every container in the workload's Pod template; only that path is listed, so verify separately how init containers are treated. The Seccomp profile and AppArmor rules also cover the annotation form of those settings, which is listed alongside the `securityContext` fields.
| Rules Category | Rule (Enforce action allowed) | Resource Field | Enforced Value |
|---|---|---|---|
| Workload Security | Access to host namespace | `spec.hostNetwork`, `spec.hostPID`, `spec.hostIPC` | `false` |
| Workload Security | Allow privilege escalation | `spec.containers[*].securityContext.allowPrivilegeEscalation` | `false` |
| Workload Security | Allow privileged container | `spec.containers[*].securityContext.privileged` | `false` |
| Workload Security | Writable file system | `spec.containers[*].securityContext.readOnlyRootFilesystem` | `true` |
| Workload Security | Seccomp profile | `metadata.annotations['container.seccomp.security.alpha.kubernetes.io/*']`, `metadata.annotations['seccomp.security.alpha.kubernetes.io/pod*']`, `spec.securityContext.seccompProfile.type`, `spec.containers[*].securityContext.seccompProfile` | User-defined |
| Workload Security | Sysctl | `spec.securityContext.sysctls` | User-defined |
| Workload Security | Additional capabilities | `spec.containers[*].securityContext.capabilities.add` | User-defined |
| Workload Security | AppArmor | `metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']` | User-defined |
| Workload Security | Unmasked proc mount | `spec.containers[*].securityContext.procMount` | Empty (removes the field) |
| Workload Security | Enforce not root | `spec.securityContext.runAsNonRoot`, `spec.containers[*].securityContext.runAsNonRoot`, `spec.containers[*].securityContext.runAsGroup`, `spec.containers[*].securityContext.runAsUser`, `securityContext.runAsGroup`, `securityContext.runAsUser` | User-defined user and group ID |
| Quota | CPU limits | `spec.containers[*].resources.limits.cpu`, `spec.containers[*].resources.requests.cpu` | User-defined |
| Quota | Memory limits | `spec.containers[*].resources.limits.memory`, `spec.containers[*].resources.requests.memory` | User-defined |
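The following script is an added example, not the product's own code, that models the Enforce semantics described above on a plain Pod manifest: every rule with an Enforce action rewrites its field to the table's enforced value and records an alert, any rule without an Enforce action only records a violation, and a workload with a violation left after mutation is blocked. The user-defined values (the capability allow-list), the `admit` function, the `Rule`/`Decision` types and the sample manifest are all assumptions of this example; the page does not describe how the product resolves user-defined values.

```python
"""Simulate the Enforce action on a Pod manifest (added example, not the
product's own code). A rule with an Enforce action rewrites the field and
still raises an alert; any violation left after mutation blocks deployment."""
import copy
from dataclasses import dataclass
from typing import Any, Callable

REMOVE = object()  # sentinel for "Empty (removes the field)"

@dataclass
class Rule:
    name: str
    fields: list                      # dotted paths; "[*]" expands over a list
    enforced: Any                     # value written by Enforce, or REMOVE
    violates: Callable[[Any], bool]   # True when the current value is non-compliant

@dataclass
class Decision:
    pod: dict
    alerts: list       # (rule, path, old, new): mutated fields, each still alerted
    violations: list   # (rule, path, value): left after mutation -> blocked

    @property
    def blocked(self) -> bool:
        return bool(self.violations)

# User-defined enforced values are an assumption of this example; the page
# does not say how the product resolves them.
ALLOWED_CAPS = {"NET_BIND_SERVICE"}

RULES = [
    Rule("Access to host namespace", ["spec.hostNetwork", "spec.hostPID", "spec.hostIPC"],
         False, lambda v: v is True),
    # Unset allowPrivilegeEscalation defaults to true in Kubernetes, so it counts.
    Rule("Allow privilege escalation", ["spec.containers[*].securityContext.allowPrivilegeEscalation"],
         False, lambda v: v is not False),
    Rule("Allow privileged container", ["spec.containers[*].securityContext.privileged"],
         False, lambda v: v is True),
    Rule("Writable file system", ["spec.containers[*].securityContext.readOnlyRootFilesystem"],
         True, lambda v: v is not True),
    Rule("Unmasked proc mount", ["spec.containers[*].securityContext.procMount"],
         REMOVE, lambda v: v == "Unmasked"),
    Rule("Additional capabilities", ["spec.containers[*].securityContext.capabilities.add"],
         sorted(ALLOWED_CAPS), lambda v: bool(set(v or []) - ALLOWED_CAPS)),
]

def _resolve(obj: dict, parts: list):
    """Yield (deepest existing dict, remaining path) for a dotted path."""
    while len(parts) > 1:
        head = parts[0]
        if head.endswith("[*]"):
            for item in obj.get(head[:-3]) or []:
                yield from _resolve(item, parts[1:])
            return
        child = obj.get(head)
        if not isinstance(child, dict):
            break
        obj, parts = child, parts[1:]
    yield obj, parts

def _set(obj: dict, parts: list, value: Any) -> None:
    """Write value at the remaining path, creating intermediate maps."""
    for head in parts[:-1]:
        obj = obj.setdefault(head, {})
    obj[parts[-1]] = value

def admit(pod: dict, rules: list, enforce_actions: set) -> Decision:
    """Check a Pod; rules named in enforce_actions mutate, the rest only audit."""
    pod = copy.deepcopy(pod)  # the caller's manifest is left untouched
    alerts, violations = [], []
    for rule in rules:
        for path in rule.fields:
            for parent, rest in _resolve(pod, path.split(".")):
                value = parent.get(rest[0]) if len(rest) == 1 else None
                if not rule.violates(value):
                    continue
                if rule.name not in enforce_actions:
                    violations.append((rule.name, path, value))
                    continue
                if rule.enforced is REMOVE:
                    parent.pop(rest[0], None)
                    new = None
                else:
                    new = copy.deepcopy(rule.enforced)
                    _set(parent, rest, new)
                alerts.append((rule.name, path, value, new))
    return Decision(pod, alerts, violations)

# Constructed sample manifest that violates several rules on purpose.
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"privileged": True, "procMount": "Unmasked",
                                 "capabilities": {"add": ["NET_ADMIN", "NET_BIND_SERVICE"]}}},
            {"name": "sidecar", "image": "example/sidecar:1.0"},
        ],
    },
}

if __name__ == "__main__":
    for actions in ({r.name for r in RULES}, {"Access to host namespace"}):
        d = admit(SAMPLE_POD, RULES, actions)
        print("blocked" if d.blocked else "admitted", f"alerts={len(d.alerts)}",
              f"violations={[v[0] for v in d.violations]}")
```

With every rule enforced the sample Pod is admitted with eight alerts: `hostNetwork` becomes `false`, the `app` container loses `privileged` and its `procMount` field, its capability list is replaced by the allow-list, and both containers gain `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`. Drop one rule from the enforce set and its violation survives mutation, so the Pod is blocked, which is the "still violates the rule after remediation" case.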