To create a Kubernetes runtime policy, perform the following procedure.

Prerequisites

All prerequisites are optional.

Procedure

  1. On the left navigation pane, click Enforce > K8s Policies.
  2. Click the Runtime Policies tab.
  3. Click Add Policy.
  4. On the Define Policy page, name the policy, select the scope from the list of available scopes, and click Next.
    Note: If you have not configured a scope for use with this policy, click Add Scope. For detailed instructions, see Add a Kubernetes Applications Scope to Kubernetes Resources.
  5. On the Add Rules page, select the rules to include in the policy.

    You can add rules from the Basic, Moderate, and Strict templates. For more information about these templates, see Kubernetes Policy Templates.

    Important: Carbon Black recommends that you start with the rules from the Basic template to provide alerts for issues that have the highest severity.

    For example, to add all rules from the Basic template:

    1. Select the Basic rule template on the left.
    2. Select the type of alerting action (Monitor or Alert) at the top right. Alert is the default action.
    3. Click Add all 5 rules at the top right.

    You can add individual rules from templates instead of adding rules in bulk. To do so, click the arrow (>) icon at the right of the rule.

    After you have added rules, they display in the right pane of the page. From here, you can remove individual rules or all rules.

    Note: You can create your own templates. See Create a Kubernetes Policy Template.
  6. Click Next.
  7. Review the policy settings. Set the learning period for the scope baseline. The default value is 7 days. To see the progress of the scope baseline during the learning period, see View a Kubernetes Scope Baseline for a Runtime Policy.

What to do next

After you configure your Kubernetes runtime policies and after the learning period ends, the behavioral baseline is established, and protection is active. All alerts that are caused by violations of the runtime policies display on the Alerts page. See Triaging Kubernetes Alerts.