You can create Kubernetes hardening policies to enforce rules on your Kubernetes workloads and container images.

Prerequisites

All prerequisites are optional.

Procedure

  1. On the left navigation pane, click Enforce > K8s Policies.
  2. Click the Hardening Policies tab.
  3. Click Add Policy.
  4. On the Define Policy page:
    1. Name the policy.
    2. Select the scope from the list of available scopes or click Add Scope to configure a new scope for use with this policy. See Add a Kubernetes Applications Scope to Kubernetes Resources.
    3. To include init containers in the policy scope, select the Include init containers check box.
      Init containers are special containers that run to completion before the app containers in a Kubernetes pod start. They can carry utilities or setup scripts that are not present in the application image. Init containers often run with more privileges than the app containers, but for a shorter time, so they may have less impact on the overall security of your clusters.
    4. Ephemeral containers are selected by default.
      Ephemeral containers are a special type of container that are useful for debugging within pods. If you do not want ephemeral containers associated with this policy, deselect the Include ephemeral containers check box. For more information about ephemeral containers, see Ephemeral Containers.
    5. Click Next.
  5. On the Add Rules page, select the rules to include in the policy.
    • You can add all rules in a category or all rules from a template. All rules have the Alert action by default. You can change the action to Block or Enforce.
      Important:
      • Enforcement rules do not operate on the kube-system namespace. In that namespace, they act as blocking rules, which prevents unexpected changes to critical system resources.
      • If a rule requires user input for the Enforce action, the Enforcement preset drop-down menu is displayed. Select a defined enforcement preset or add a new one. See Enforcement Presets.
    • You can add individual rules from templates instead of adding rules in bulk. To do so, click the Arrow (>) icon at the right of the rule.
    • After you have added rules, they display in the right pane of the page. From there, you can remove individual rules or all rules.
  6. Click Next.
  7. On the Review Violations page, review the possible violations for which notifications are sent after you enable the policy.
    (Screenshot: Review Violations page of the Add Policy wizard.)
    Note: You can create exceptions: click the Exceptions tab and then click Add Criteria. See Create an Exception for a Kubernetes Hardening Policy Rule.
  8. Toggle rules On or Off to define the rules that are currently active in the hardening policy.
  9. Click Next.
  10. On the Confirm Policy page, click Enable Policy.
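Before you decide whether to select Include init containers and Include ephemeral containers in step 4, it helps to know which of those containers actually exist in the scope and how they are configured. The following script is an added example, not part of the product or this documentation; it reads the JSON that `kubectl get pods -A -o json` returns (a constructed sample in that shape is embedded so it runs offline), lists app, init and ephemeral containers per pod, flags containers that are privileged or whose UID is not pinned, and marks pods in kube-system, where Enforce acts as Block. The pod names, namespaces and images in the sample are assumptions.

```python
"""Inventory the container kinds a Kubernetes hardening policy can cover.

Added example (not the product's own code). Input: the JSON document that
`kubectl get pods -A -o json` prints. Output: one row per container with
its kind (app, init, ephemeral) and simple securityContext findings.
"""
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
# Names, namespaces and images are assumptions, not real cluster data.
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "web-7d4f", "namespace": "shop"},
            "spec": {
                "initContainers": [
                    {"name": "sysctl-tune", "image": "busybox:1.36",
                     "securityContext": {"privileged": True}},
                ],
                "containers": [
                    {"name": "web", "image": "shop/web:1.4",
                     "securityContext": {"runAsNonRoot": True,
                                         "runAsUser": 10001}},
                ],
                # What `kubectl debug -it web-7d4f --image=busybox:1.36`
                # leaves behind in the pod spec.
                "ephemeralContainers": [
                    {"name": "debugger-x9k2", "image": "busybox:1.36",
                     "targetContainerName": "web"},
                ],
            },
        },
        {
            "metadata": {"name": "coredns-abc", "namespace": "kube-system"},
            "spec": {"containers": [{"name": "coredns",
                                     "image": "coredns/coredns:1.11.1"}]},
        },
    ],
})

# Pod spec field -> the kind the policy wizard lets you include or exclude.
KINDS = {"containers": "app",
         "initContainers": "init",
         "ephemeralContainers": "ephemeral"}


def risk_flags(pod_spec: dict, container: dict) -> List[str]:
    """Return simple findings from the effective securityContext.

    runAsUser / runAsNonRoot can be set at pod level and overridden per
    container; `privileged` exists only at container level.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    effective = {**pod_sc, **ctr_sc}
    flags = []
    if ctr_sc.get("privileged"):
        flags.append("privileged")
    if effective.get("runAsUser") == 0:
        flags.append("runAsUser=0")
    elif "runAsUser" not in effective and not effective.get("runAsNonRoot"):
        # No UID pinned: the container runs as the image's default user,
        # which for many base images is root.
        flags.append("uid-not-pinned")
    return flags


def inventory(pod_list_json: str) -> List[Dict]:
    """One row per container across all pods in the PodList JSON."""
    rows = []
    for pod in json.loads(pod_list_json)["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        for field, kind in KINDS.items():
            for ctr in spec.get(field, []):
                rows.append({
                    "namespace": meta["namespace"],
                    "pod": meta["name"],
                    "kind": kind,
                    "container": ctr["name"],
                    "image": ctr.get("image"),
                    "flags": risk_flags(spec, ctr),
                    # Enforce rules act as Block in kube-system.
                    "enforce_becomes_block": meta["namespace"] == "kube-system",
                })
    return rows


def count_by_kind(rows: List[Dict]) -> Dict[str, int]:
    """How many app / init / ephemeral containers are in scope."""
    counts: Dict[str, int] = {}
    for row in rows:
        counts[row["kind"]] = counts.get(row["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    # Pipe real output in: kubectl get pods -A -o json | python3 inventory.py
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else sys.stdin.read()
    table = inventory(data)
    for row in table:
        print(f'{row["namespace"]}/{row["pod"]} {row["kind"]:9} '
              f'{row["container"]:14} {row["image"]:22} '
              f'{",".join(row["flags"]) or "-"}'
              f'{"  [kube-system: Enforce=Block]" if row["enforce_becomes_block"] else ""}')
    print("containers by kind:", count_by_kind(table))
```

In the sample, the init container is the only privileged one and the ephemeral debugger has no UID pinned, which is the usual reason to keep both check boxes selected rather than narrowing the policy to app containers. Run it against a real cluster by piping `kubectl get pods -A -o json` into it.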

What to do next

After you configure your Kubernetes hardening policies, you can observe rule violations on the Workload Details pane of the Kubernetes Workloads page.