Rulesets

This section documents the various features of Spyderbat Rulesets. It explains how rules can be configured and scoped. It also details how rules are evaluated.

What Are Rulesets

For a summary of Rulesets and Ruleset Policies see Ruleset Policies Concepts

Rules

Rules are defined as a list in the rules field of a Ruleset's spec.

apiVersion: spyderbat/v1
kind: SpyderbatRuleset
metadata:
  createdBy: [email protected]
  creationTimestamp: 1712787972
  lastUpdatedBy: [email protected]
  lastUpdatedTimestamp: 1714162618
  name: demo-cluster-ruleset
  type: cluster
  uid: rs:xxxxxxxxxxxxxxxxxxxx
  version: 1
spec:
  rules: []

Each rule contains a target, verb, list of values, and optional selectors (for additional scoping).

• Target: what the rule is referring to within the scope of the policy. Targets are RULE_TYPE::SELECTOR_FIELD.

  • ex. container::image this means that we are allowing or denying containers using images specified in the values field.

• Verb: The currently available verbs for ruleset rules are allow or deny. Any object matching a deny rule will generate a Deviation.

• Values: This is the set of values that are allowed or denied. If the target is container::image then the values should be container images that are either allowed or denied.

• Selectors: Optional selectors that further define the scope of a single rule. For instance you may want a rule that defines allowed activity in a specific namespace within a cluster. Different rule types support different selectors.

Container Rules

Container rules define which containers are allowed or denied.

Examples:

Allow the latest apache image in production and staging

Deny a specific image ID in production