You can enforce the values of selected resource properties to temporarily remediate an issue. When you set an Enforce action for a rule, the resource is evaluated with the mutated value and a violation alert is displayed. If a workload still violates the rule after remediation, it is blocked from deployment.

Note: In this context, mutation means that a policy changes Kubernetes resources to match new criteria, for example setting the field checked by the Allow privilege escalation rule to False.

The rules for which you can apply an Enforce action are described in the following table.

Rules Category: Workload Security

  Rule: Access to host namespace
    Resource fields:
      spec.hostNetwork
      spec.hostPID
      spec.hostIPC
    Enforced value: False

  Rule: Allow privilege escalation
    Resource field:
      spec.containers[*].securityContext.allowPrivilegeEscalation
    Enforced value: False

  Rule: Allow privilege container
    Resource field:
      spec.containers[*].securityContext.privileged
    Enforced value: False

  Rule: Writable file system
    Resource field:
      spec.containers[*].securityContext.readOnlyRootFilesystem
    Enforced value: True

  Rule: SecComp profile
    Resource fields:
      metadata.annotations['container.seccomp.security.alpha.kubernetes.io/*']
      metadata.annotations['seccomp.security.alpha.kubernetes.io/pod*']
      spec.securityContext.seccompProfile.type
      spec.containers[*].securityContext.seccompProfile
    Enforced value: User-Defined

  Rule: Sysctl
    Resource field:
      spec.securityContext.sysctls
    Enforced value: User-Defined

  Rule: Additional capabilities
    Resource field:
      spec.containers[*].securityContext.capabilities.add
    Enforced value: User-Defined

  Rule: AppArmor
    Resource field:
      metadata.annotations['container.apparmor.security.beta.kubernetes.io/*']
    Enforced value: User-Defined

  Rule: Unmasked proc mount
    Resource field:
      spec.containers[*].securityContext.procMount
    Enforced value: Empty (removes the field)

  Rule: Enforce not root
    Resource fields:
      spec.securityContext.runAsNonRoot
      spec.containers[*].securityContext.runAsNonRoot
      spec.containers[*].securityContext.runAsGroup
      spec.containers[*].securityContext.runAsUser
      securityContext.runAsGroup
      securityContext.runAsUser
    Enforced value: User-Defined user and group ID

Rules Category: Quota

  Rule: CPU limits
    Resource fields:
      spec.containers[*].resources.limits.cpu
      spec.containers[*].resources.requests.cpu
    Enforced value: User-Defined

  Rule: Memory limits
    Resource fields:
      spec.containers[*].resources.limits.memory
      spec.containers[*].resources.requests.memory
    Enforced value: User-Defined
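The following is an added illustration, not the product's own mutation code: it applies the fixed enforced values from the table to a pod manifest (held as a plain dict) and then re-checks the result, mirroring the "mutate, then alert or block" flow described above. The user_defined keys (runAsUser, runAsGroup) and the sample pod are this example's own constructions.

```python
import copy


def enforce(pod, user_defined=None):
    """Return a mutated copy of `pod` with the table's enforced values applied.

    Fixed-value rules are always applied. The "User-Defined" rule shown here
    (Enforce not root) is applied only when runAsUser/runAsGroup are given.
    """
    ud = user_defined or {}
    out = copy.deepcopy(pod)
    spec = out.setdefault("spec", {})
    for key in ("hostNetwork", "hostPID", "hostIPC"):  # Access to host namespace -> False
        spec[key] = False
    if "runAsUser" in ud:  # Enforce not root, pod-level securityContext
        spec.setdefault("securityContext", {}).update(
            runAsNonRoot=True, runAsUser=ud["runAsUser"], runAsGroup=ud["runAsGroup"])
    for c in spec.get("containers", []):
        sc = c.setdefault("securityContext", {})
        sc["allowPrivilegeEscalation"] = False  # Allow privilege escalation -> False
        sc["privileged"] = False                # Allow privilege container -> False
        sc["readOnlyRootFilesystem"] = True     # Writable file system -> True
        sc.pop("procMount", None)               # Unmasked proc mount -> field removed
        if "runAsUser" in ud:                   # Enforce not root, container level
            sc.update(runAsNonRoot=True, runAsUser=ud["runAsUser"], runAsGroup=ud["runAsGroup"])
    return out


def remaining_violations(pod):
    """Fixed-value rules the pod still violates; a non-empty list means block."""
    found = []
    spec = pod.get("spec", {})
    if any(spec.get(k) for k in ("hostNetwork", "hostPID", "hostIPC")):
        found.append("Access to host namespace")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        name = c.get("name", "?")
        if sc.get("allowPrivilegeEscalation", True):  # unset defaults to allowed
            found.append(f"{name}: Allow privilege escalation")
        if sc.get("privileged"):
            found.append(f"{name}: Allow privilege container")
        if not sc.get("readOnlyRootFilesystem"):
            found.append(f"{name}: Writable file system")
        if "procMount" in sc:
            found.append(f"{name}: Unmasked proc mount")
    return found


# Constructed sample pod that violates several of the fixed-value rules.
SAMPLE_POD = {"metadata": {"name": "demo"}, "spec": {"hostPID": True, "containers": [
    {"name": "app", "image": "example/app:1.0",
     "securityContext": {"privileged": True, "procMount": "Unmasked"}}]}}
```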