Rulesets
This section documents the various features of Spyderbat Rulesets. It explains how rules can be configured and scoped. It also details how rules are evaluated.
What Are Rulesets
For a summary of Rulesets and Ruleset Policies, see Ruleset Policies Concepts.
Rules
Rules are defined as a list in the `rules` field of a Ruleset's `spec`.

Each rule contains a `target`, a `verb`, a list of `values`, and optional `selectors` (for additional scoping).
Target: what the rule refers to within the scope of the policy. Targets take the form `RULE_TYPE::SELECTOR_FIELD`, e.g. `container::image`, which means the rule allows or denies containers that use the images listed in the values field.

Verb: the currently available verbs for ruleset rules are `allow` and `deny`. Any object matching a deny rule generates a Deviation.

Values: the set of values that are allowed or denied. If the target is `container::image`, the values should be the container images that are either allowed or denied.

Selectors: optional selectors that further narrow the scope of a single rule. For instance, you may want a rule that defines allowed activity only in a specific namespace within a cluster. Different rule types support different selectors.
For a full breakdown of the available selectors, see the Selectors Reference Guide.
Container Rules
Container rules define which containers are allowed or denied.
| Supported Targets |
|---|
| container::image |
| container::imageID |
| container::containerName |
| container::containerID |

| Supported Selectors |
|---|
| Cluster |
| Machine |
| Namespace |
| Pod |
| Container |

| Supported Verbs |
|---|
| allow |
| deny |

Examples:

- Allow the latest apache image in production and staging
- Deny a specific image ID in production
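The rule structure described above, as an added example in Python (not Spyderbat's own code): a small evaluator that applies a constructed ruleset mirroring the two example rules to sample container records and returns a Deviation for each deny match. The field names `target`, `verb`, `values` and `selectors` come from this page; the selector key `namespace`, the list-valued selector semantics, the container record layout and the image values are assumptions made for the illustration.

```python
from typing import Dict, List

def _target_field(target: str) -> str:
    # Targets take the form RULE_TYPE::SELECTOR_FIELD, e.g. container::image.
    rule_type, _, field = target.partition("::")
    if rule_type != "container" or not field:
        raise ValueError(f"unsupported target: {target}")
    return field

def _in_scope(selectors: Dict[str, List[str]], container: Dict[str, str]) -> bool:
    # Assumption: each selector lists acceptable values and every selector
    # on the rule must match for the rule to apply to this container.
    return all(container.get(key) in allowed for key, allowed in selectors.items())

def evaluate(rules: List[dict], container: Dict[str, str]) -> List[dict]:
    """Return one Deviation record per deny rule the container matches."""
    deviations = []
    for rule in rules:
        if not _in_scope(rule.get("selectors", {}), container):
            continue  # rule is scoped to a different namespace
        field = _target_field(rule["target"])
        if rule["verb"] == "deny" and container.get(field) in rule["values"]:
            deviations.append({"rule": rule["target"], "value": container[field],
                               "containerID": container["containerID"]})
    return deviations

# Constructed ruleset: allow the latest apache image in production and staging,
# deny one image ID in production. The image ID is a placeholder, not a real digest.
RULES = [
    {"target": "container::image", "verb": "allow", "values": ["httpd:latest"],
     "selectors": {"namespace": ["production", "staging"]}},
    {"target": "container::imageID", "verb": "deny",
     "values": ["sha256:PLACEHOLDER_IMAGE_ID"],
     "selectors": {"namespace": ["production"]}},
]

# Constructed container records (hypothetical layout).
PROD = {"containerID": "c-1", "containerName": "web", "image": "httpd:latest",
        "imageID": "sha256:PLACEHOLDER_IMAGE_ID", "namespace": "production"}
STAGE = dict(PROD, containerID="c-2", namespace="staging")

if __name__ == "__main__":
    print(evaluate(RULES, PROD))   # one Deviation from the imageID deny rule
    print(evaluate(RULES, STAGE))  # [] because the deny rule is scoped to production
```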