Scopes and enforcement of security policies

In Kaspersky Container Security, scopes are specified for all security policies. To ensure that all necessary resources are scanned, each policy can be assigned one or more scopes. Moreover, the same scope can be specified in multiple policies.

Regardless of the number of policies implemented in a scope (for example, when scanning an image or scanning a cluster in a runtime), all security policies are applied.

When multiple security policies and multiple scopes are applied simultaneously, the following rules apply:

• For scanner policies: scanning is performed using a cumulative list of settings that is obtained by combining all scanner policies in force within the scope.
• For assurance policies: when scanning images, all policies applicable to the scanned resources are applied, in line with specified scopes.
• For response policies: when events occur, the user is notified using the notification tools specified in all response policies applicable to resources specified in the assigned scopes.
• For runtime policies: containers are monitored and, if necessary, blocked from running in the runtime in accordance with all applicable policies assigned to the scope.