Kaspersky Container Security

Creating a runtime policy

3 July 2024

ID 271400

Rights to manage runtime policy settings are required to add a runtime policy in Kaspersky Container Security.

To add a runtime policy:

  1. Under Policies → Runtime policies, select the Policies tab.
  2. Click the Add policy button.

    The policy settings window opens.

  3. Enter a policy name and, if required, policy description.
  4. In the Scope field, select the scope for the runtime policy from the available options. Since runtime policies are only used for deployed and/or running containers, scopes containing resources across clusters can be selected.

    Scopes containing only registry resources are not available for selection. If necessary, you can specify individual images and pods for the runtime policy that you are creating in the Container runtime profiles section, as described in step 11.

    If you plan to implement the policy with the global scope, one of your user roles must be granted the rights to view global scopes.

  5. If necessary, select the Exclusions check box to define exclusions to which the runtime policy will not be applied. To do so, select the relevant objects in the drop-down list, specify their names, and then click Add.

    Existing exclusions in the policy are checked when deploying a container.

  6. In the Mode section, select one of the following policy enforcement modes:
    • Audit. In this mode, a scan takes into account the contents of containers.
    • Enforce. In this mode, the solution blocks all objects that do not comply with the rules and criteria defined in the policy.
  7. In the Best practice check section, use the Disabled / Enabled toggle switch to activate the scan for compliance with best security practices. From the list of settings, select the scan settings that guarantee that the correct image is run and that the CPU and RAM usage settings are correctly configured.
  8. In the Block non-compliant images section, use the Disabled / Enabled toggle switch to prevent containers running from images that do not comply with the requirements. This check will be performed only for scanned images that are registered in the solution and have the Compliant status.
  9. In the Block unregistered images section, use the Disabled / Enabled toggle switch to block image deployment if the image is unknown to Kaspersky Container Security. To deploy the image, you must register it in the solution and wait for it to appear in the registry.
  10. In the Capabilities block section, use the Disabled / Enabled toggle switch to block the use of specified Unix functions. To do so, select specific system functions from the drop-down list. You can also lock the use of all Unix system functions by selecting ALL from the drop-down list.
  11. In the Container runtime profiles section, use the Disabled / Enabled toggle switch to block processes inside containers and network connections for pods. To do this, perform the following actions:
    1. In the drop-down list, select an attribute to define the pods that the container runtime profiles will be applied to.
    2. Depending on the selected attribute, do the following:
      • If you selected By pod labels, enter the pod label key and the pod label value.

        You can add additional pod labels for pod selection by clicking the Add label pair button.

      • If you selected Image URL template, enter the template for the web address of the image registry.

        If the cluster contains images from the public Docker Hub registry, the solution treats the full path and the short path to an image as equivalent. For example, if you specify the URL of the container image in the cluster as docker.io/library/ubuntu:focal, the solution accepts it equally as ubuntu:focal.

        You can add additional web addresses for pod selection by clicking the Add Image URL button.

    3. In the Container runtime profile field, specify one or more runtime profiles that will be applied to pods that match the attributes you defined.
    4. If necessary, you can add pods for mapping using the Add pod mapping button. Pods with different attributes or applied runtime profiles will be mapped under the same runtime policy.
  12. Under File Threat Protection, use the Disabled / Enabled toggle to activate File Threat Protection. It is used to find and analyze potential file threats, and provides security for containerized objects, such as archives and email files.

    When a runtime policy is applied with the File Threat Protection component enabled, Kaspersky Container Security activates real-time file threat protection on all nodes within the scopes defined for that policy. The configuration of the deployed agents depends on the settings that you specify for File Threat Protection. You can configure the File Threat Protection settings by clicking Settings in the Policies tab under Policies → Runtime policies.

    File Threat Protection settings are applied to all active runtime policies.

  13. In the Image content protection section, use the Disabled / Enabled toggle switch to enable verification of digital signatures that confirm the integrity and origin of images in the container. To do this, perform the following actions:
    1. In the Image registry URL template field, enter the template for the web address of the image registry in which you want to verify signatures.
    2. In the drop-down list, select Check to enable verification or Don't check to disable verification.
    3. In the drop-down list, select one of the configured image signature validators.
    4. If necessary, add signature verification rules by using the Add signature verification rule button. The solution will apply multiple signature verification rules under a single runtime policy.
  14. In the Limit container privileges section, use the Disabled / Enabled toggle switch to block the start of containers with a specific set of rights and permissions. From the list of settings, select the rights and permissions whose use in pod settings should be blocked.
  15. In the Registries allowed section, use the Disabled / Enabled toggle switch to allow deployment of containers in a cluster only from specific registries. To do so, select the relevant registries from the Registries drop-down list.
  16. In the Volumes blocked section, use the Disabled / Enabled toggle switch to prevent the selected volumes from being mounted in containers. To do this, specify the volume mount points on the host system in the Volumes field.

    Each mount point in the Volumes field must begin with a forward slash ("/"), since it is an absolute path on the host operating system.

  17. Click Save.

By default, the added policy is Enabled.
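The checks configured in steps 6, 10, 11, 15 and 16 are easier to reason about when written out as code. The following is an added example, not Kaspersky Container Security code: a toy evaluator that applies a policy of that shape (enforcement mode, pod label selection, allowed registries, blocked capabilities, blocked host volumes) to a pod manifest. The policy field names, the exact-match label selection, the prefix matching of blocked host paths and the sample pod and registry host are all assumptions made for illustration; the image reference normalization follows Docker's own naming convention (no registry means docker.io, a single-component Docker Hub name means the library namespace, no tag means latest), which is the convention behind the docker.io/library/ubuntu:focal and ubuntu:focal equivalence noted in step 11.

```python
"""Toy runtime-policy evaluator (added example, not the product's own code)."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath


def normalize_image_ref(ref: str) -> str:
    """Expand a short image reference to canonical form, following Docker's
    naming convention: no registry -> docker.io, single-component name on
    Docker Hub -> library/<name>, no tag or digest -> :latest."""
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    last_slash, last_colon = ref.rfind("/"), ref.rfind(":")
    if last_colon > last_slash:          # a colon after the last "/" is a tag, not a registry port
        name, tag = ref[:last_colon], ref[last_colon + 1:]
    else:
        name, tag = ref, ("" if digest else "latest")
    parts = name.split("/")
    first = parts[0]
    is_host = "." in first or ":" in first or first == "localhost"
    if len(parts) == 1 or not is_host:   # no registry component -> Docker Hub
        parts = ["docker.io"] + parts
    if parts[0] == "docker.io" and len(parts) == 2:
        parts.insert(1, "library")       # official images live under "library"
    out = "/".join(parts) + (":" + tag if tag else "")
    return out + ("@" + digest if digest else "")


def registry_of(ref: str) -> str:
    """Registry host of an image reference after normalization."""
    return normalize_image_ref(ref).split("/", 1)[0]


@dataclass
class RuntimePolicy:
    # Field names are assumptions modelled on the sections of the procedure above.
    mode: str = "Enforce"                                   # "Audit" or "Enforce"
    pod_labels: dict = field(default_factory=dict)          # all pairs must match for the policy to apply
    registries_allowed: set = field(default_factory=set)    # empty set = check disabled
    capabilities_blocked: set = field(default_factory=set)  # {"ALL"} blocks every added capability
    volumes_blocked: set = field(default_factory=set)       # host paths, each must start with "/"

    def __post_init__(self):
        if self.mode not in ("Audit", "Enforce"):
            raise ValueError("mode must be Audit or Enforce")
        for path in self.volumes_blocked:
            if not path.startswith("/"):
                raise ValueError(f"blocked volume {path!r} must be an absolute host path")


def _under(path: str, root: str) -> bool:
    """True if host path `path` is `root` itself or lies below it."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents


def evaluate(policy: RuntimePolicy, pod: dict) -> tuple:
    """Return ("allowed" | "blocked", findings). Audit mode reports findings
    but never blocks; a pod outside the label selection is not evaluated."""
    labels = pod.get("metadata", {}).get("labels", {})
    if any(labels.get(k) != v for k, v in policy.pod_labels.items()):
        return "allowed", []
    findings = []
    spec = pod.get("spec", {})
    for c in spec.get("containers", []):
        image = c.get("image", "")
        reg = registry_of(image)
        if policy.registries_allowed and reg not in policy.registries_allowed:
            findings.append(f"image {image} comes from registry {reg}, which is not allowed")
        added = set(c.get("securityContext", {}).get("capabilities", {}).get("add", []))
        hit = added if "ALL" in policy.capabilities_blocked else added & policy.capabilities_blocked
        for cap in sorted(hit):
            findings.append(f"container {c.get('name')} adds blocked capability {cap}")
    for v in spec.get("volumes", []):
        host = v.get("hostPath", {}).get("path")
        if host and any(_under(host, b) for b in policy.volumes_blocked):
            findings.append(f"volume {v.get('name')} mounts blocked host path {host}")
    verdict = "blocked" if findings and policy.mode == "Enforce" else "allowed"
    return verdict, findings


# Constructed sample pod manifest and policy (not taken from the page).
SAMPLE_POD = {
    "metadata": {"labels": {"app": "web", "tier": "frontend"}},
    "spec": {
        "containers": [{
            "name": "web",
            "image": "nginx",                                 # short Docker Hub name
            "securityContext": {"capabilities": {"add": ["NET_ADMIN", "CHOWN"]}},
        }],
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

SAMPLE_POLICY = RuntimePolicy(
    mode="Enforce",
    pod_labels={"app": "web"},
    registries_allowed={"registry.corp.example"},             # constructed registry host
    capabilities_blocked={"NET_ADMIN", "SYS_ADMIN"},
    volumes_blocked={"/var/run"},
)

if __name__ == "__main__":
    verdict, findings = evaluate(SAMPLE_POLICY, SAMPLE_POD)
    print(verdict)
    for f in findings:
        print(" -", f)
```

Running the block reports the sample pod as blocked with three findings (registry not allowed, NET_ADMIN added, a mount below /var/run); switching the policy to Audit mode keeps the same findings but returns "allowed", and a policy whose label selection the pod does not match produces no findings at all.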
