# Rulesets

This section documents the various features of Spyderbat Rulesets. It explains how rules can be configured and scoped. It also details how rules are evaluated.

## What Are Rulesets

For a summary of Rulesets and Ruleset Policies, see [Ruleset Policies Concepts](https://docs.spyderbat.com/concepts/guardian/ruleset_policies).

## Rules

Rules are defined as a list in the `rules` field of a Ruleset's `spec`.

```yaml
apiVersion: spyderbat/v1
kind: SpyderbatRuleset
metadata:
  createdBy: demo.user@spyderbat.com
  creationTimestamp: 1712787972
  lastUpdatedBy: demo.user@spyderbat.com
  lastUpdatedTimestamp: 1714162618
  name: demo-cluster-ruleset
  type: cluster
  uid: rs:xxxxxxxxxxxxxxxxxxxx
  version: 1
spec:
  rules: []
```

Each rule contains a `target`, `verb`, list of `values`, and optional selectors (for additional scoping).

* Target: what the rule refers to within the scope of the policy. Targets take the form `RULE_TYPE::SELECTOR_FIELD`.
  * e.g. `container::image`: the rule allows or denies containers whose image is one of the images listed in the `values` field.
* Verb: the verbs currently available for ruleset rules are `allow` and `deny`. Any object matching a `deny` rule generates a Deviation.
* Values: the set of values that are allowed or denied. If the target is `container::image`, the values are the container images being allowed or denied.
* Selectors: optional selectors that further narrow the scope of a single rule. For instance, you may want a rule that defines allowed activity only in a specific namespace within a cluster. *Different rule types support different selectors.*

{% hint style="info" %}
For a full breakdown of the available selectors, see the [Selectors Reference Guide](https://docs.spyderbat.com/reference/selectors).
{% endhint %}

```yaml
namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [rsvp-svc-dev, rsvp-svc-prod]}
target: container::image
values:
- docker.io/guyduchatelet/spyderbat-demo:1
- docker.io/library/mongo:latest
verb: allow
```

### Container Rules

Container rules define which containers are allowed or denied.

| Supported Targets        |
| ------------------------ |
| container::image         |
| container::imageID       |
| container::containerName |
| container::containerID   |

| Supported Selectors |
| ------------------- |
| Cluster             |
| Machine             |
| Namespace           |
| Pod                 |
| Container           |

| Supported Verbs |
| --------------- |
| allow           |
| deny            |

Examples:

Allow the latest apache image in production and staging

```yaml
namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [staging, production]}
target: container::image
values:
- docker.io/apache:latest
verb: allow
```

Deny a specific image ID in production

```yaml
namespaceSelector:
  matchLabels:
    kubernetes.io/metadata.name: production
target: container::imageID
values:
- sha256@XXXXXXXXXXXXXXXXXXXXXXXX
verb: deny
```
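To make the rule anatomy above (target, verb, values, selectors) and the two container-rule examples concrete, here is a small evaluator written for this page. It is an added illustration, not Spyderbat's own evaluation code: it assumes a container is represented as a dict with flat fields named after the target's `SELECTOR_FIELD` (`image`, `imageID`, ...) plus a `namespaceLabels` dict, that `namespaceSelector` follows Kubernetes label-selector semantics (`matchLabels`, `matchExpressions` with `In`/`NotIn`/`Exists`/`DoesNotExist`), that a `deny` match takes precedence and produces a Deviation, and that a container matching no rule is reported as `unmatched` (the page does not state the default). The rule set is a constructed copy of the two YAML examples above.

```python
from typing import Any, Dict, List, Optional

# Constructed rules mirroring the two YAML examples on this page.
RULES: List[Dict[str, Any]] = [
    {
        "namespaceSelector": {
            "matchExpressions": [
                {"key": "kubernetes.io/metadata.name", "operator": "In",
                 "values": ["staging", "production"]}
            ]
        },
        "target": "container::image",
        "values": ["docker.io/apache:latest"],
        "verb": "allow",
    },
    {
        "namespaceSelector": {
            "matchLabels": {"kubernetes.io/metadata.name": "production"}
        },
        "target": "container::imageID",
        "values": ["sha256@XXXXXXXXXXXXXXXXXXXXXXXX"],  # placeholder from the page
        "verb": "deny",
    },
]


def selector_matches(selector: Optional[Dict[str, Any]], labels: Dict[str, str]) -> bool:
    """Kubernetes-style label selector (assumed semantics): every matchLabels entry
    and every matchExpressions entry must hold. No selector matches everything."""
    if not selector:
        return True
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        present = key in labels
        values = expr.get("values", [])
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def rule_matches(rule: Dict[str, Any], container: Dict[str, Any]) -> bool:
    """A rule matches when its type is `container`, its namespaceSelector accepts the
    container's namespace labels, and the targeted field is one of the rule's values."""
    rule_type, field = rule["target"].split("::", 1)
    if rule_type != "container":
        return False
    if not selector_matches(rule.get("namespaceSelector"), container.get("namespaceLabels", {})):
        return False
    return container.get(field) in rule["values"]


def evaluate(rules: List[Dict[str, Any]], container: Dict[str, Any]) -> Dict[str, Any]:
    """Return the verdict for one container. Assumed precedence: any matching deny rule
    wins and raises a Deviation; otherwise a matching allow rule allows; otherwise the
    container is reported as unmatched."""
    matched = [r for r in rules if rule_matches(r, container)]
    if any(r["verb"] == "deny" for r in matched):
        return {"verdict": "deny", "deviation": True, "matched": matched}
    if matched:
        return {"verdict": "allow", "deviation": False, "matched": matched}
    return {"verdict": "unmatched", "deviation": False, "matched": []}


if __name__ == "__main__":
    # Constructed sample containers.
    prod_ok = {"image": "docker.io/apache:latest", "imageID": "sha256@aaaa",
               "namespaceLabels": {"kubernetes.io/metadata.name": "production"}}
    prod_bad = {"image": "docker.io/apache:latest", "imageID": "sha256@XXXXXXXXXXXXXXXXXXXXXXXX",
                "namespaceLabels": {"kubernetes.io/metadata.name": "production"}}
    dev = {"image": "docker.io/apache:latest", "imageID": "sha256@bbbb",
           "namespaceLabels": {"kubernetes.io/metadata.name": "dev"}}
    for name, c in [("prod_ok", prod_ok), ("prod_bad", prod_bad), ("dev", dev)]:
        v = evaluate(RULES, c)
        print(f"{name}: {v['verdict']} (deviation={v['deviation']})")
```

Running the script evaluates three constructed containers: the apache image in `production` is allowed, the same image with the denied image ID in `production` matches both rules and the deny produces a Deviation, and the apache image in `dev` matches neither rule because the namespace selectors exclude it.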
