Rulesets
This section documents the features of Spyderbat Rulesets: how rules are configured, how they are scoped, and how they are evaluated.
For a summary of Rulesets and Ruleset Policies see
Rules are defined as a list in the rules field of a Ruleset's spec.
Each rule contains a target, a verb, a list of values, and optional selectors for additional scoping.
Target: what the rule refers to within the scope of the policy. Targets have the form RULE_TYPE::SELECTOR_FIELD. For example, the target container::image means the rule allows or denies containers whose image is one of the entries in the rule's values field.
Verb: the verbs currently available for ruleset rules are allow and deny. Any object matching a deny rule generates a Deviation.
Values: the set of values that are allowed or denied. If the target is container::image, the values are the container images that are allowed or denied.
Selectors: optional selectors that further narrow the scope of a single rule. For instance, you may want a rule that defines allowed activity only in a specific namespace within a cluster. Different rule types support different selectors.
Container rules define which containers are allowed or denied.
Targets:
container::image
container::imageID
container::containerName
container::containerID
Selectors:
Cluster
Machine
Namespace
Pod
Container
Verbs:
allow
deny
Examples:
Allow the latest apache image in production and staging
Deny a specific image ID in production
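The following is an added example, not Spyderbat's own code or schema. It is a toy evaluator that follows the rule shape described on this page (a target of the form RULE_TYPE::SELECTOR_FIELD, an allow or deny verb, a list of values, optional selectors) and the stated behaviour that an object matching a deny rule generates a Deviation. It encodes the two examples above as rules and runs them over constructed container records. The lowercase selector key names (namespace, cluster, and so on), the image ID, and the container records are assumptions made for this example; the product's actual selector syntax is documented separately.

```python
"""Toy evaluator for the ruleset rule shape described on this page.

Added example, not Spyderbat's code. It follows the page's description of a
rule (target "RULE_TYPE::SELECTOR_FIELD", verb allow|deny, a list of values,
optional selectors) and the statement that an object matching a deny rule
generates a Deviation. Selector key names and all sample data are assumed or
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Selector kinds listed for container rules. These lowercase keys are this
# example's own names; the product's selector syntax is documented separately.
SELECTOR_KEYS = ("cluster", "machine", "namespace", "pod", "container")
VERBS = ("allow", "deny")


@dataclass
class Rule:
    target: str                                   # e.g. "container::image"
    verb: str                                     # "allow" or "deny"
    values: List[str]                             # values allowed or denied
    selectors: Dict[str, List[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.verb not in VERBS:
            raise ValueError(f"unknown verb {self.verb!r}")
        if self.target.count("::") != 1:
            raise ValueError(f"target must be RULE_TYPE::SELECTOR_FIELD, got {self.target!r}")
        self.rule_type, self.field_name = self.target.split("::")
        bad = set(self.selectors) - set(SELECTOR_KEYS)
        if bad:
            raise ValueError(f"unsupported selectors: {sorted(bad)}")


def in_scope(rule: Rule, obj: Dict[str, str]) -> bool:
    """Selectors only narrow a rule: with none given, every object is in scope;
    otherwise every selector listed must match the object."""
    return all(obj.get(key) in wanted for key, wanted in rule.selectors.items())


def matches(rule: Rule, obj: Dict[str, str]) -> bool:
    """The object's type must equal the rule type, the object must be in scope,
    and the target field's value must be one of the rule's values."""
    return (obj.get("type") == rule.rule_type
            and in_scope(rule, obj)
            and obj.get(rule.field_name) in rule.values)


def evaluate(rules: List[Rule], obj: Dict[str, str]) -> Dict[str, object]:
    """Report the rules an object matches and whether a Deviation results.
    Only the deny case is specified on the page; an object that matches no
    rule is reported with an empty match list and not interpreted further."""
    matched: List[Tuple[str, str]] = [(r.verb, r.target) for r in rules if matches(r, obj)]
    return {
        "name": obj.get("containerName"),
        "matched": matched,
        "deviation": any(verb == "deny" for verb, _ in matched),
    }


def evaluate_all(rules: List[Rule], objs: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [evaluate(rules, o) for o in objs]


# Rules mirroring the two examples above. The image ID is a constructed placeholder.
RULES = [
    # Allow the latest apache image in production and staging
    Rule("container::image", "allow", ["httpd:latest"],
         selectors={"namespace": ["production", "staging"]}),
    # Deny a specific image ID in production
    Rule("container::imageID", "deny", ["sha256:deadbeef"],
         selectors={"namespace": ["production"]}),
]

# Constructed container records, not real telemetry. Field names follow the
# container targets on this page (image, imageID, containerName, containerID).
CONTAINERS = [
    {"type": "container", "containerName": "web-prod", "containerID": "c1",
     "namespace": "production", "image": "httpd:latest", "imageID": "sha256:cafe"},
    {"type": "container", "containerName": "web-old", "containerID": "c2",
     "namespace": "production", "image": "httpd:2.4", "imageID": "sha256:deadbeef"},
    {"type": "container", "containerName": "web-dev", "containerID": "c3",
     "namespace": "dev", "image": "httpd:2.4", "imageID": "sha256:deadbeef"},
]


if __name__ == "__main__":
    for result in evaluate_all(RULES, CONTAINERS):
        print(result)
```

Running it shows the scoping effect of selectors: web-old carries the denied image ID in production and produces a Deviation, while web-dev carries the same image ID in the dev namespace, falls outside the deny rule's selector, and matches nothing.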
For a full breakdown of the available selectors see the