# Rulesets

This section documents the various features of Spyderbat Rulesets. It explains how rules can be configured and scoped. It also details how rules are evaluated.

## What Are Rulesets

For a summary of Rulesets and Ruleset Policies, see [Ruleset Policies Concepts](/concepts/guardian/ruleset_policies.md).

## Rules

Rules are defined as a list in the `rules` field of a Ruleset's `spec`.

```yaml
apiVersion: spyderbat/v1
kind: SpyderbatRuleset
metadata:
  createdBy: demo.user@spyderbat.com
  creationTimestamp: 1712787972
  lastUpdatedBy: demo.user@spyderbat.com
  lastUpdatedTimestamp: 1714162618
  name: demo-cluster-ruleset
  type: cluster
  uid: rs:xxxxxxxxxxxxxxxxxxxx
  version: 1
spec:
  rules: []
```

Each rule contains a `target`, `verb`, list of `values`, and optional selectors (for additional scoping).

* Target: what the rule refers to within the scope of the policy. Targets take the form `RULE_TYPE::SELECTOR_FIELD`.
  * Example: `container::image` means the rule allows or denies containers based on the images listed in the `values` field.
* Verb: The currently available verbs for ruleset rules are `allow` and `deny`. Any object matching a deny rule will generate a Deviation.
* Values: The set of values that are allowed or denied. If the target is `container::image`, then the values are the container images that are either allowed or denied.
* Selectors: Optional selectors that further narrow the scope of a single rule. For instance, you may want a rule that defines allowed activity in a specific namespace within a cluster. *Different rule types support different selectors.*

{% hint style="info" %}
For a full breakdown of the available selectors, see the [Selectors Reference Guide](/reference/selectors.md).
{% endhint %}

```yaml
namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [rsvp-svc-dev, rsvp-svc-prod]}
target: container::image
values:
- docker.io/guyduchatelet/spyderbat-demo:1
- docker.io/library/mongo:latest
verb: allow
```

### Container Rules

Container rules define which containers are allowed or denied.

| Supported Targets        |
| ------------------------ |
| container::image         |
| container::imageID       |
| container::containerName |
| container::containerID   |

| Supported Selectors |
| ------------------- |
| Cluster             |
| Machine             |
| Namespace           |
| Pod                 |
| Container           |

| Supported Verbs |
| --------------- |
| allow           |
| deny            |

Examples:

Allow the latest apache image in production and staging:

```yaml
namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [staging, production]}
target: container::image
values:
- docker.io/apache:latest
verb: allow
```

Deny a specific image ID in production:

```yaml
namespaceSelector:
  matchLabels:
    kubernetes.io/metadata.name: production
target: container::imageID
values:
- sha256@XXXXXXXXXXXXXXXXXXXXXXXX
verb: deny
```
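To make the evaluation described above concrete, here is an added example (not part of Spyderbat's documentation or product code) that applies the two container rules from this section to an observed container. It assumes a plain-dict representation of rules and containers, a mapping from targets to observation fields, and that a matching deny rule takes precedence over allow rules; none of these are documented behaviour.

```python
"""Constructed evaluator for Spyderbat-style ruleset rules (added example)."""
from typing import Optional

# Assumed mapping from a rule target to the field of an observed container it inspects.
TARGET_FIELDS = {
    "container::image": "image",
    "container::imageID": "imageID",
    "container::containerName": "containerName",
    "container::containerID": "containerID",
}


def selector_matches(selector: Optional[dict], labels: dict) -> bool:
    """Kubernetes-style label selector: every matchLabels entry and matchExpression must hold."""
    if selector is None:  # no selector: the rule applies everywhere in the policy's scope
        return True
    if any(labels.get(k) != v for k, v in selector.get("matchLabels", {}).items()):
        return False
    for expr in selector.get("matchExpressions", []):
        hit = labels.get(expr["key"]) in expr.get("values", [])
        if (expr["operator"] == "In" and not hit) or (expr["operator"] == "NotIn" and hit):
            return False
    return True


def evaluate(rules: list, container: dict) -> Optional[str]:
    """Return 'deny' when any matching rule denies the container (a Deviation),
    'allow' when only allow rules match, and None when no rule matches at all.
    Deny-over-allow precedence is an assumption of this example, not documented behaviour."""
    verdict = None
    for rule in rules:
        if not selector_matches(rule.get("namespaceSelector"), container["namespaceLabels"]):
            continue
        if container.get(TARGET_FIELDS[rule["target"]]) not in rule["values"]:
            continue
        if rule["verb"] == "deny":
            return "deny"
        verdict = "allow"
    return verdict


# The two rules from this page as dicts (constructed; the image ID is the page's placeholder).
RULES = [
    {"namespaceSelector": {"matchExpressions": [{"key": "kubernetes.io/metadata.name",
                                                  "operator": "In", "values": ["staging", "production"]}]},
     "target": "container::image", "values": ["docker.io/apache:latest"], "verb": "allow"},
    {"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "production"}},
     "target": "container::imageID", "values": ["sha256@XXXXXXXXXXXXXXXXXXXXXXXX"], "verb": "deny"},
]
```

Calling `evaluate(RULES, container)` with a container observed in the `production` namespace returns `"allow"` for the apache image alone and `"deny"` once its image ID matches the deny rule, which is the case that would raise a Deviation.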

