You can create Kubernetes hardening policies to enforce rules on your Kubernetes workloads and container images.
Prerequisites
All prerequisites are optional.
Procedure
- On the left navigation pane, click .
- Click the Hardening Policies tab.
- Click Add Policy.
- On the Define Policy page:
  - Name the policy.
  - Select the scope from the list of available scopes, or click Add Scope to configure a new scope for use with this policy. See Add a Kubernetes Applications Scope to Kubernetes Resources.
  - To enable init containers, select the Include init containers check box.
    Init containers are special containers that run before app containers in a Kubernetes pod. Init containers can contain utilities or setup scripts that are not present in an application image. Init containers often have more privileges, but a shorter life span. They may have less impact on the overall security of your clusters.
  - Ephemeral containers are selected by default.
    Ephemeral containers are a special type of container that is useful for debugging within pods. If you do not want ephemeral containers associated with this policy, deselect the Include ephemeral containers check box. For more information about ephemeral containers, see Ephemeral Containers.
- Click Next.
- On the Add Rules page, select the rules to include in the policy.
  - You can add all rules in a category or all rules from a template. All rules have the Alert action by default. You can change the action to Block or Enforce.
    Important:
    - Enforcement rules do not operate on the kube-system namespace. In that namespace, they act as blocking rules to prevent unexpected changes to critical system resources.
    - When required, select a defined enforcement preset, or add a new one, for the Enforce action. The Enforcement preset drop-down menu displays only if the rule requires user input. See Enforcement Presets.
  - You can add individual rules from templates instead of adding rules in bulk. To do so, click the arrow icon at the right of the rule.
  - After you have added rules, they display in the right pane of the page. From there, you can remove individual rules or all rules.
- Click Next.
- On the Review Violations page, review the possible violations for which notifications are sent after you enable the policy.
- Toggle rules On or Off to define the rules that are currently active in the hardening policy.
- Click Next.
- On the Confirm Policy page, click Enable Policy.
What to do next
After you configure your Kubernetes hardening policies, you can observe rule violations on the Workload Details pane of the Kubernetes Workloads page.