Rulesets

This section documents the various features of Spyderbat Rulesets. It explains how rules can be configured and scoped. It also details how rules are evaluated.

What Are Rulesets

For a summary of Rulesets and Ruleset Policies see Ruleset Policies Concepts

Rules

Rules are defined as a list in the rules field of a Ruleset's spec.

apiVersion: spyderbat/v1
kind: SpyderbatRuleset
metadata:
  createdBy: demo.user@spyderbat.com
  creationTimestamp: 1712787972
  lastUpdatedBy: demo.user@spyderbat.com
  lastUpdatedTimestamp: 1714162618
  name: demo-cluster-ruleset
  type: cluster
  uid: rs:xxxxxxxxxxxxxxxxxxxx
  version: 1
spec:
  rules: []

Each rule contains a target, verb, list of values, and optional selectors (for additional scoping).

Target: what the rule is referring to within the scope of the policy. Targets are RULE_TYPE::SELECTOR_FIELD.
- ex. container::image this means that we are allowing or denying containers using images specified in the values field.
Verb: The currently available verbs for ruleset rules are allow or deny. Any object matching a deny rule will generate a Deviation.
Values: This is the set of values that are allowed or denied. If the target is container::image then the values should be container images that are either allowed or denied.
Selectors: Optional selectors that further define the scope of a single rule. For instance you may want a rule that defines allowed activity in a specific namespace within a cluster. Different rule types support different selectors.

For a full breakdown of the available selectors see the Selectors Reference Guide

namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [rsvp-svc-dev, rsvp-svc-prod]}
target: container::image
values:
- docker.io/guyduchatelet/spyderbat-demo:1
- docker.io/library/mongo:latest
verb: allow

Container Rules

Container rules define which containers are allowed or denied.

Supported Targets

container::image

container::imageID

container::containerName

container::containerID

Supported Selectors

Cluster

Machine

Namespace

Pod

Container

Supported Verbs

allow

deny

Examples:

Allow the latest apache image in production and staging

namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [staging, production]}
target: container::image
values:
- docker.io/apache:latest
verb: allow

Deny a specific image ID in production

namespaceSelector:
  matchLabels:
    kubernetes.io/metadata.name: production
target: container::imageID
values:
- sha256@XXXXXXXXXXXXXXXXXXXXXXXX
verb: deny

Last updated 10 months ago

Was this helpful?

Rules

Rules are defined as a list in the rules field of a Ruleset's spec.

apiVersion: spyderbat/v1
kind: SpyderbatRuleset
metadata:
  createdBy: demo.user@spyderbat.com
  creationTimestamp: 1712787972
  lastUpdatedBy: demo.user@spyderbat.com
  lastUpdatedTimestamp: 1714162618
  name: demo-cluster-ruleset
  type: cluster
  uid: rs:xxxxxxxxxxxxxxxxxxxx
  version: 1
spec:
  rules: []

Each rule contains a target, verb, list of values, and optional selectors (for additional scoping).

Target: what the rule is referring to within the scope of the policy. Targets are RULE_TYPE::SELECTOR_FIELD.

ex. container::image this means that we are allowing or denying containers using images specified in the values field.

Verb: The currently available verbs for ruleset rules are allow or deny. Any object matching a deny rule will generate a Deviation.

Values: This is the set of values that are allowed or denied. If the target is container::image then the values should be container images that are either allowed or denied.

Selectors: Optional selectors that further define the scope of a single rule. For instance you may want a rule that defines allowed activity in a specific namespace within a cluster. Different rule types support different selectors.

For a full breakdown of the available selectors see the Selectors Reference Guide

namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [rsvp-svc-dev, rsvp-svc-prod]}
target: container::image
values:
- docker.io/guyduchatelet/spyderbat-demo:1
- docker.io/library/mongo:latest
verb: allow

Container Rules

Container rules define which containers are allowed or denied.

Supported Targets

container::image

container::imageID

container::containerName

container::containerID

Supported Selectors

Cluster

Machine

Namespace

Pod

Container

Supported Verbs

allow

deny

Examples:

Allow the latest apache image in production and staging

namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [staging, production]}
target: container::image
values:
- docker.io/apache:latest
verb: allow

Deny a specific image ID in production

namespaceSelector:
  matchLabels:
    kubernetes.io/metadata.name: production
target: container::imageID
values:
- sha256@XXXXXXXXXXXXXXXXXXXXXXXX
verb: deny