Spyderbat
© SPYDERBAT, Inc., All Rights Reserved
Selectors

Last updated 12 months ago

Selectors are used in various places to scope policies, rules, and actions. Spyderbat's selectors are based on Kubernetes Labels and Selectors.

Selector Primitives

Spyderbat's selectors offer set-based selector primitives.

| Primitive | Description |
| --- | --- |
| matchLabels * | user-defined key value pairs |
| matchExpressions * | contain a key, operator, and values |
| matchFields ** | pre-defined key value pairs |
| matchFieldsExpressions ** | key from a pre-defined list, operator, and values |

  • * Matches the syntax from Kubernetes

  • ** Unique to Spyderbat's Selectors

Expressions

Expressions have 3 fields: key, operator, and values. They allow you to define set-based groupings.

Example:

matchExpressions:
- key: app
  operator: In
  values: [apache, mysql]

In the example above, whatever is being matched on must have a label with the key app, and the value of that label must be either apache or mysql.

Operators

Operators define how the set-based expression is to be evaluated.

| Operator | Description |
| --- | --- |
| In | The key must exist and the value must be in values |
| NotIn | The key must exist and the value must not be in values |
| Exists | The key must exist |
| DoesNotExist | The key must not exist |

Pod and Namespace Selectors

Pod and Namespace selectors are defined in exactly the same way as Kubernetes Pod and Namespace selectors. Both resource types can carry user-defined labels that allow them to be grouped by selectors.

The labels are found within the Pod and Namespace object yaml.

Supported Primitives

matchLabels

matchExpressions

Examples:

podSelector:
  matchLabels:
    app: apache
  matchExpressions:
  - {key: tier, operator: In, values: [frontend, backend]}
  - {key: test, operator: DoesNotExist}
namespaceSelector:
  matchLabels:
    kubernetes.io/metadata.name: production
  matchExpressions:
  - {key: dedicated-node, operator: Exists}

Other Selectors

The following selectors are custom to Spyderbat's environment. They add an additional level of granularity when scoping operations.

Supported Primitives

matchFields

matchFieldsExpressions

Cluster Selector

The Cluster Selector allows for scoping by Kubernetes Cluster. Field values may be wildcarded with an * character.

| Supported Fields | Description |
| --- | --- |
| name | The name of the cluster as defined in Spyderbat |
| uid | The Spyderbat-provided uid of the cluster; generally begins with clus: |

Example:

clusterSelector:
  matchFields:
    name: demo-cluster

Machine Selector

The Machine Selector allows for scoping by Machine. A machine in this context is a device with the Spyderbat Nano Agent installed.

| Supported Fields | Description |
| --- | --- |
| hostname | The hostname of a host on the network |
| uid | The Spyderbat-provided uid of the machine; generally begins with mach: |

Example:

machineSelector:
  matchFieldsExpressions:
  - {key: hostname, operator: In, values: [test_node, staging_node]}

Container Selector

The Container Selector allows for scoping by fields associated with containers.

| Supported Fields | Description |
| --- | --- |
| image | The container's image name |
| imageID | The container's image hash |
| containerName | The name of a specific container instance (usually auto-generated) |
| containerID | The ID of a specific container instance (usually auto-generated) |

Example:

containerSelector:
  matchFields:
    image: docker.io/apache

Service Selector

The Service Selector allows for scoping by fields associated with Linux services.

| Supported Fields | Description |
| --- | --- |
| cgroup | The cgroup that every process within the service falls under. Ex. systemd:/system.slice/nano-agent.service |
| name | The simple name of the Linux service. Ex. nano-agent.service |

Example:

serviceSelector:
  matchFields:
    cgroup: systemd:/system.slice/nano-agent.service

Trace Selector

The Trace Selector is used by Trace Suppression Policies to suppress Spydertraces within a specific scope.

| Supported Fields | Description |
| --- | --- |
| triggerClass | The class of flag that triggered the Spydertrace |
| triggerAncestors | The names of the ancestor processes of the flag that triggered the Spydertrace |

Example:

traceSelector:
  matchFields:
    triggerClass: redflag/proc/command/high_severity/suspicious/netcat

User Selector

The User Selector is used by Trace Suppression Policies to suppress Spydertraces triggered by a specific user or users.

| Supported Fields | Description |
| --- | --- |
| user | The username of the offending user |

Example:

userSelector:
  matchFieldsExpressions:
  - {key: user, operator: NotIn, values: [admin, root]}

Process Selector

The Process Selector is used to scope by fields associated with a Linux Process.

| Supported Fields | Description |
| --- | --- |
| name | The name of the process |
| exe | The executable of the process |
| euser | The username of the process's effective user |

Example:

processSelector:
  matchFields:
    exe: /bin/bash