You can enforce the values of selected resource properties to temporarily remediate an issue. When you set an Enforce action for a rule, the mutated value is considered and a violation alert displays. If a workload still violates the rule after remediation, it is blocked from deployment.
Note: In this context, mutation means that a policy changes Kubernetes resources based on new criteria. For example, allowing privilege escalation.
The rules for which you can apply an Enforce action are described in the following table.
| Rules Category | Rules that Allow Enforce Action | Resource Field | Enforced Value |
|---|---|---|---|
| Workload Security | Access to host namespace | spec.hostNetwork spec.hostPID spec.hostIPC |
False |
| Allow privilege escalation | spec.containers[*].securityContext.allowPrivilegeEscalation |
False | |
| Allow privilege container | spec.containers[*].securityContext.privileged |
False | |
| Writable file system | spec.containers[*].securityContext.readOnlyRootFilesystem |
True | |
| SecComp profile | metadata.annotations['container.seccomp.security.alpha.kubernetes.io/*'] metadata.annotations['seccomp.security.alpha.kubernetes.io/pod*'] spec.securityContext.seccompProfile.type spec.containers[*].securityContext.seccompProfile |
User-Defined | |
| Sysctl | spec.securityContext.sysctls |
User-Defined | |
| Additional capabilities | spec.containers[*].securityContext.capabilities.add |
User-Defined | |
| AppArmor | metadata.annotations['container.apparmor.security.beta.kubernetes.io/*'] |
User-Defined | |
| Unmasked proc mount | spec.containers[*].securityContext.procMount |
Empty (removes the field) | |
| Enforce not root | spec.securityContext.runAsNonRoot spec.containers[*].securityContext.runAsNonRoot spec.containers[*].securityContext.runAsGroup spec.containers[*].securityContext.runAsUser securityContext.runAsGroup securityContext.runAsUser |
User-Defined user and group ID | |
| Quota | CPU limits | spec.containers[*].resources.limits.cpu spec.containers[*].resources.requests.cpu |
User-Defined |
| Memory limits | spec.containers[*].resources.limits.memory spec.containers[*].resources.requests.memory |
User-Defined |
