Rulesets

This section documents the various features of Spyderbat Rulesets. It explains how rules can be configured and scoped. It also details how rules are evaluated.

What Are Rulesets

For a summary of Rulesets and Ruleset Policies see Ruleset Policies Concepts

Rules

Rules are defined as a list in the rules field of a Ruleset's spec.

apiVersion: spyderbat/v1
kind: SpyderbatRuleset
metadata:
  createdBy: demo.user@spyderbat.com
  creationTimestamp: 1712787972
  lastUpdatedBy: demo.user@spyderbat.com
  lastUpdatedTimestamp: 1714162618
  name: demo-cluster-ruleset
  type: cluster
  uid: rs:xxxxxxxxxxxxxxxxxxxx
  version: 1
spec:
  rules: []

Each rule contains a target, verb, list of values, and optional selectors (for additional scoping).

  • Target: what the rule is referring to within the scope of the policy. Targets are RULE_TYPE::SELECTOR_FIELD.

    • ex. container::image this means that we are allowing or denying containers using images specified in the values field.

  • Verb: The currently available verbs for ruleset rules are allow or deny. Any object matching a deny rule will generate a Deviation.

  • Values: This is the set of values that are allowed or denied. If the target is container::image then the values should be container images that are either allowed or denied.

  • Selectors: Optional selectors that further define the scope of a single rule. For instance you may want a rule that defines allowed activity in a specific namespace within a cluster. Different rule types support different selectors.

For a full breakdown of the available selectors see the Selectors Reference Guide

namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [rsvp-svc-dev, rsvp-svc-prod]}
target: container::image
values:
- docker.io/guyduchatelet/spyderbat-demo:1
- docker.io/library/mongo:latest
verb: allow

Container Rules

Container rules define which containers are allowed or denied.

Examples:

Allow the latest apache image in production and staging

namespaceSelector:
  matchExpressions:
  - {key: kubernetes.io/metadata.name, operator: In, values: [staging, production]}
target: container::image
values:
- docker.io/apache:latest
verb: allow

Deny a specific image ID in production

namespaceSelector:
  matchLabels:
    kubernetes.io/metadata.name: production
target: container::imageID
values:
- sha256@XXXXXXXXXXXXXXXXXXXXXXXX
verb: deny

Last updated

© SPYDERBAT, Inc., All Rights Reserved