Create a Kubernetes Hardening Policy

You can create Kubernetes hardening policies to enforce rules on your Kubernetes workloads and container images.

Prerequisites

All prerequisites are optional.

Read Hardening Policies Terminology and Concepts.
Create a Kubernetes scope to link to the Kubernetes hardening policy. See Add a Kubernetes Applications Scope to Kubernetes Resources. If you do not create the scope beforehand, you can perform this task when you create the Kubernetes hardening policy.
To use a custom rule in a Kubernetes hardening policy, you must create the custom rule before you create the hardening policy. See Custom Rules for Kubernetes Hardening Policies.
Create custom rule templates to apply to new policies. See Create a Kubernetes Policy Template.
To apply the Enforce action to a rule, you must add an enforcement preset. See Enforcement Presets.

Procedure

On the left navigation pane, click Enforce > K8s Policies.
Click the Hardening Policies tab.
Click Add Policy.
On the Define Policy page:
1. Name the policy.
2. Select the scope from the list of available scopes or click Add Scope to configure a new scope for use with this policy. See Add a Kubernetes Applications Scope to Kubernetes Resources.
3. To enable init containers, select the Include init containers text box.
  Init containers are special containers that run before app containers in a Kubernetes pod. Init containers can contain utilities or setup scripts that are not present in an application image. Init containers often have more privileges, but a shorter life span. They may have less impact on the overall security of your clusters.
4. Ephemeral containers are selected by default.
  Ephemeral containers are a special type of container that are useful for debugging within pods. If you do not want ephemeral containers associated with this policy, deselect the Include ephemeral containers check box. For more information about ephemeral containers, see Ephemeral Containers.
5. Click Next.
On the Add Rules page, select the rules to include in the policy.
- You can add all rules in a category or all rules from a template. All rules have the Alert action by default. You can reset the action to Block or Enforce.
  Important:
  - Enforcement rules do not operate on the kube-system namespace. In that namespace, they act as blocking rules to prevent unexpected changes to critical system resources.
  - When required, include a defined or add an enforcement preset for the Enforce action. The Enforcement preset drop-down menu displays if the rule requires user input. See Enforcement Presets.
- You can add individual rules from templates instead of adding rules in bulk. To do so, click the arrow icon at the right of the rule.
- After you have added rules, they display in the right pane of the page. From there, you can remove individual rules or all rules.
Click Next.
On the Review Violations page, review the possible violations for which notifications are sent after you enable the policy.

Note: You can create exceptions: click the Exceptions tab and then click Add Criteria. See Create an Exception for a Kubernetes Hardening Policy Rule.
Toggle rules On or Off to define the rules that are currently active in the hardening policy.
Click Next.
On the Confirm Policy page, click Enable Policy.
- Click Enable Policy to create and activate the policy.
- Click Save as Draft to save the policy in a draft state. In this case, Carbon Black Cloud saves the policy as Disabled. You can edit and enable the policy. See Edit a Kubernetes Hardening Policy and Enable a Kubernetes Hardening Policy Draft.

What to do next

After you configure your Kubernetes hardening policies, you can observe rule violations on the Workload Details pane of the Kubernetes Workloads page.