How to Put Guardrails Around Your K8s Clusters Using Spyctl
This tutorial will walk you through the creation, tuning, and management of Cluster Ruleset Policies.
Prerequisites
Install the Spyderbat Nano Agent on a cluster via helm install
What is a Cluster Ruleset Policy?
A Cluster Ruleset Policy is a special type of Ruleset Policy focused on establishing allowed or disallowed resources or activity within a Kubernetes Cluster. Through Cluster Ruleset Policies users can receive customized notifications when deviant activity occurs within your clusters. For example, users can specify the container images that are allowed to run within a namespace. Should a new image appear, a deviation is created, with a link to investigate the problem. Users can then take manual or automated actions to address the deviation.
Creating a Cluster Policy
Cluster Policies and their accompanying Cluster Rulesets are generated using the spyctl create
command. First, identify which cluster you wish to create a cluster policy for.
For example:
If the previous command does not return any results, follow the helm installation guide to install the Spyderbat Nano Agent in your K8s cluster.
Next, consider how you would like the auto-generated rules to be scoped. Certain rule types may be scoped specifically to namespaces.
Use the following command to generate a cluster policy and its ruleset(s).
For example:
By default, rules are generated using data from the last 1.5 hrs. You can use the -t
option to override that.
The file you just generated cluster-policy.yaml
now contains the Cluster Policy itself and any automatically generated rulesets the policy requires.
You can edit or add rules if you wish, or you can apply
the policy at this point. To apply this policy, run the following command:
For example:
To confirm that your policy applied successfully you can run the following command:
And to view your cluster-rulesets you can run the command:
For example:
[Optional] Adding "Interceptor" Response Actions
By default, Cluster Policies have a single response action makeRedFlag
this action generates a redflag that references a deviant object. For example, if a container violates one of the ruleset rules, a redflag will generate for that container object. Redflags are used to populate security dashboards within the Spyderbat Console, but may also be forwarded to a SIEM and/or used to trigger notifications.
Containers that violate a cluster policy rule can also be used to trigger the agentKillPod
response action. You can add a default action to kill the pod of any violating container by editing the policy yaml:
Then, under the response
section of the spec
you can add a new default action:
Alternatively, you can scope the kill pod action to a sensitive namespace:
Reviewing Policy Activity
Using the spyctl
logs command, you can see what sorts of activity are going on within the scope of your policy.
for example:
Summary and Next Steps
At this point you should have an applied Cluster Policy in audit
mode. This means that your policy is in a learning phase, it will generate logs and deviations, but will not take any response actions. After you feel the policy has stabilized (not generating deviations or generating them rarely) you can set the policy to enforce
mode.
You can create Cluster Policies for any other Kubernetes Clusters you manage.
For additional details on ruleset rules view the Ruleset Reference Guide. There you can find out additional scoping options and rule targets.
For additional details on managing policies (updating, disabling, deleting) see the Guardian Policy Management Reference Guide
Last updated