Rulesets
This section documents the various features of Spyderbat Rulesets. It explains how rules can be configured and scoped. It also details how rules are evaluated.
What Are Rulesets
For a summary of Rulesets and Ruleset Policies see Ruleset Policies Concepts
Rules
Rules are defined as a list in the rules
field of a Ruleset's spec
.
Each rule contains a target
, verb
, list of values
, and optional selectors (for additional scoping).
Target: what the rule is referring to within the scope of the policy. Targets are
RULE_TYPE::SELECTOR_FIELD
.ex.
container::image
this means that we are allowing or denying containers using images specified in the values field.
Verb: The currently available verbs for ruleset rules are
allow
ordeny
. Any object matching a deny rule will generate a Deviation.Values: This is the set of values that are allowed or denied. If the target is
container::image
then the values should be container images that are either allowed or denied.Selectors: Optional selectors that further define the scope of a single rule. For instance you may want a rule that defines allowed activity in a specific namespace within a cluster. Different rule types support different selectors.
For a full breakdown of the available selectors see the Selectors Reference Guide
Container Rules
Container rules define which containers are allowed or denied.
container::image
container::imageID
container::containerName
container::containerID
Cluster
Machine
Namespace
Pod
Container
allow
deny
Examples:
Allow the latest apache image in production and staging
Deny a specific image ID in production
Last updated