Rulesets
This section documents the various features of Spyderbat Rulesets. It explains how rules can be configured and scoped. It also details how rules are evaluated.
What Are Rulesets
For a summary of Rulesets and Ruleset Policies, see Ruleset Policies Concepts.
Rules
Rules are defined as a list in the rules field of a Ruleset's spec.

```yaml
apiVersion: spyderbat/v1
kind: SpyderbatRuleset
metadata:
  createdBy: [email protected]
  creationTimestamp: 1712787972
  lastUpdatedBy: [email protected]
  lastUpdatedTimestamp: 1714162618
  name: demo-cluster-ruleset
  type: cluster
  uid: rs:xxxxxxxxxxxxxxxxxxxx
  version: 1
spec:
  rules: []
```
Each rule contains a target, a verb, a list of values, and optional selectors (for additional scoping).

Target: what the rule refers to within the scope of the policy. Targets take the form RULE_TYPE::SELECTOR_FIELD, e.g. container::image, which means the rule allows or denies containers whose image is listed in the values field.

Verb: the currently available verbs for ruleset rules are allow and deny. Any object matching a deny rule will generate a Deviation.

Values: the set of values that are allowed or denied. If the target is container::image, the values should be container images that are either allowed or denied.

Selectors: optional selectors that further define the scope of a single rule. For instance, you may want a rule that defines allowed activity in a specific namespace within a cluster. Different rule types support different selectors.

```yaml
namespaceSelector:
  matchExpressions:
    - {key: kubernetes.io/metadata.name, operator: In, values: [rsvp-svc-dev, rsvp-svc-prod]}
target: container::image
values:
  - docker.io/guyduchatelet/spyderbat-demo:1
  - docker.io/library/mongo:latest
verb: allow
```
Container Rules
Container rules define which containers are allowed or denied.

Targets:
- container::image
- container::imageID
- container::containerName
- container::containerID

Selectors:
- Cluster
- Machine
- Namespace
- Pod
- Container

Verbs:
- allow
- deny
Examples:

Allow the latest apache image in production and staging:

```yaml
namespaceSelector:
  matchExpressions:
    - {key: kubernetes.io/metadata.name, operator: In, values: [staging, production]}
target: container::image
values:
  - docker.io/apache:latest
verb: allow
```

Deny a specific image ID in production:

```yaml
namespaceSelector:
  matchLabels:
    kubernetes.io/metadata.name: production
target: container::imageID
values:
  - sha256@XXXXXXXXXXXXXXXXXXXXXXXX
verb: deny
```
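To make the rule structure above concrete, here is a small evaluator that walks a list of container rules (the same target / verb / values / namespaceSelector shape shown on this page) and reports whether a container is denied, allowed, or unmatched. This is an added illustration, not Spyderbat's own evaluation engine: the precedence of deny over allow, the "unmatched" result for containers no rule covers, and the set of matchExpressions operators handled are assumptions made here, the sample rules mirror the two examples above with a placeholder image ID, and the container records are constructed inputs.

```python
"""Hypothetical evaluator for Spyderbat-style container rules (added example)."""
from typing import Dict, List, Optional

# Constructed sample ruleset mirroring the page's two examples.
# The imageID is a placeholder, not a real digest.
RULES: List[dict] = [
    {
        "namespaceSelector": {
            "matchExpressions": [
                {"key": "kubernetes.io/metadata.name", "operator": "In",
                 "values": ["staging", "production"]}
            ]
        },
        "target": "container::image",
        "values": ["docker.io/apache:latest"],
        "verb": "allow",
    },
    {
        "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "production"}},
        "target": "container::imageID",
        "values": ["sha256@PLACEHOLDER_IMAGE_ID"],
        "verb": "deny",
    },
]


def selector_matches(selector: Optional[dict], labels: Dict[str, str]) -> bool:
    """Return True when `labels` satisfy a Kubernetes-style label selector.

    Handles matchLabels (exact equality on every key) and matchExpressions
    with the In / NotIn / Exists / DoesNotExist operators (assumed set).
    A missing selector matches everything.
    """
    if not selector:
        return True
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        present = key in labels
        if op == "In" and labels.get(key) not in expr.get("values", []):
            return False
        if op == "NotIn" and present and labels[key] in expr.get("values", []):
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def evaluate(rules: List[dict], container: dict) -> str:
    """Evaluate one container against the rules.

    `container` carries the fields named by rule targets (image, imageID,
    containerName, containerID) plus `namespaceLabels`, the labels of the
    namespace it runs in. Returns "deny" if any deny rule matches (a
    Deviation), "allow" if only allow rules match, else "unmatched".
    Deny-over-allow precedence and the unmatched result are assumptions.
    """
    matched_allow = False
    for rule in rules:
        rule_type, field = rule["target"].split("::", 1)
        if rule_type != "container":
            continue  # only container rules are modelled here
        if not selector_matches(rule.get("namespaceSelector"),
                                container.get("namespaceLabels", {})):
            continue  # rule is scoped to other namespaces
        if container.get(field) not in rule["values"]:
            continue  # value in the target field is not listed
        if rule["verb"] == "deny":
            return "deny"
        matched_allow = True
    return "allow" if matched_allow else "unmatched"


if __name__ == "__main__":
    # Constructed containers: one allowed image, one denied image ID.
    prod = {"kubernetes.io/metadata.name": "production"}
    print(evaluate(RULES, {"image": "docker.io/apache:latest", "namespaceLabels": prod}))
    print(evaluate(RULES, {"imageID": "sha256@PLACEHOLDER_IMAGE_ID", "namespaceLabels": prod}))
```

Note that the deny rule only fires in the production namespace: the same placeholder image ID running in staging falls outside the rule's namespaceSelector and comes back as unmatched, which is why scoping selectors deserve as much review as the values list itself.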