How to Put Guardrails Around Your K8s Clusters Using Spyctl
This tutorial will walk you through the creation, tuning, and management of Cluster Ruleset Policies.
Last updated
Was this helpful?
This tutorial will walk you through the creation, tuning, and management of Cluster Ruleset Policies.
Last updated
Was this helpful?
Install the on a cluster via helm install
A Cluster Ruleset Policy is a special type of focused on establishing allowed or disallowed resources or activity within a Kubernetes Cluster. Through Cluster Ruleset Policies users can receive customized notifications when deviant activity occurs within your clusters. For example, users can specify the container images that are allowed to run within a namespace. Should a new image appear, a deviation is created, with a link to investigate the problem. Users can then take manual or automated actions to address the deviation.
Cluster Policies and their accompanying Cluster Rulesets are generated using the spyctl create command. First, identify which cluster you wish to create a cluster policy for.
For example:
Next, consider how you would like the auto-generated rules to be scoped. Certain rule types may be scoped specifically to namespaces.
--namespace
Generate rules for all namespaces including namespace scope
--namespace NAMESPACE_NAME
Generate rules for a specific namespace including namespace scope
OMITTED
Generate rules for all namespaces scoped globally
Use the following command to generate a cluster policy and its ruleset(s).
For example:
The file you just generated cluster-policy.yaml now contains the Cluster Policy itself and any automatically generated rulesets the policy requires.
You can edit or add rules if you wish, or you can apply the policy at this point. To apply this policy, run the following command:
For example:
To confirm that your policy applied successfully you can run the following command:
And to view your cluster-rulesets you can run the command:
For example:
By default, Cluster Policies have a single response action makeRedFlag this action generates a redflag that references a deviant object. For example, if a container violates one of the ruleset rules, a redflag will generate for that container object. Redflags are used to populate security dashboards within the Spyderbat Console, but may also be forwarded to a SIEM and/or used to trigger notifications.
Containers that violate a cluster policy rule can also be used to trigger the agentKillPod response action. You can add a default action to kill the pod of any violating container by editing the policy yaml:
Then, under the response section of the spec you can add a new default action:
Alternatively, you can scope the kill pod action to a sensitive namespace:
Using the spyctl logs command, you can see what sorts of activity are going on within the scope of your policy.
for example:
At this point you should have an applied Cluster Policy in audit mode. This means that your policy is in a learning phase, it will generate logs and deviations, but will not take any response actions. After you feel the policy has stabilized (not generating deviations or generating them rarely) you can set the policy to enforce mode.
You can create Cluster Policies for any other Kubernetes Clusters you manage.
For additional details on ruleset rules view the . There you can find out additional scoping options and rule targets.
For additional details on managing policies (updating, disabling, deleting) see the