You can use scopes to enforce policies on container images that are not yet deployed. The scope target is Build Phase.

Prerequisites

Set up your Kubernetes clusters. See Adding Clusters and Installing Kubernetes Sensors.

Procedure

  1. On the left navigation pane, do one of the following depending on your system configuration and role:
    • If you have the Kubernetes Security DevOps or SecOps role and your system has only the Container security feature, click Inventory > Scopes.
    • If you have any other role and your system has Container security and other Carbon Black Cloud features, click Inventory > Kubernetes > Scopes.
  2. Click Add Scope.
  3. Enter a Name for the scope.
  4. For target resources, select Container images. This scope will target specific container images. A policy can be enforced during the build phase.
  5. Click Next.
  6. Select the target criteria from the dropdown menus.
    Adding a container image scope to Kubernetes resources
    Option | Description
    Apply only to specific build steps | Harden images by assigning a policy and configuring CLI instances to perform validation during the build phase.
    Apply only to specific namespaces | A scope can target images in particular namespaces; it will take precedence over generic scopes covering the same workloads.
  7. Click Save.
    The scope is ready for use in a Kubernetes Hardening Policy.

What to do next

Create a Kubernetes Hardening Policy