Alauda Container Security

Creating Custom Policies in Alauda Container Security

Alauda Container Security allows you to create custom security policies in addition to using the default ones. You can create and manage policies through the web portal or as code using Kubernetes custom resources (CRs).

TOC

Methods to Create Custom Policies

  • In the Alauda Container Security portal, go to Platform Configuration > Policy Management and click Create Policy.
  • In the Risk section, use filters to select criteria and click Create Policy.
  • Manage policies as code by saving them as Kubernetes CRs and applying them to clusters using tools like Argo CD.

Creating Policies via the Portal

Enter Policy Details

  • Name: Enter a name for the policy.
  • Severity: Select a severity level.
  • Category: Choose a policy category (required).
  • Description: Provide details about the policy.
  • Rationale: Explain the reason for the policy.
  • Guidance: Add steps to resolve violations.
  • MITRE ATT&CK: Select relevant tactics and techniques.

Configure Policy Lifecycle

  • Select applicable Lifecycle Stages: Build, Deploy, or Runtime.
  • For Runtime, choose an Event Source: Deployment or Audit logs.

Define Policy Rules and Criteria

  • In the Rules section, set conditions to trigger the policy.
  • Drag and drop policy fields to build rules. Available fields depend on the selected lifecycle stage.
  • Combine multiple values or rules using logical operators (AND/OR).

Set Policy Scope

  • Inclusion Scope: Restrict policy to specific clusters, namespaces, or deployment labels. Supports RE2 regex for namespaces and labels.
  • Exclusion Scope: Exclude specific deployments, clusters, namespaces, or labels. Regex supported for namespaces and labels (not for deployments).
  • For Build stage, you can exclude images from the policy.

Configure Policy Actions

  • Activation State: Set the policy as active or inactive.
  • Enforcement:
    • Inform: Only report violations.
    • Inform and enforce: Enforce actions based on lifecycle stage:
      • Build: Fails CI builds for noncompliant images.
      • Deploy: Blocks or edits noncompliant deployments if admission controller is enabled.
      • Runtime: Deletes pods matching policy criteria.
  • Notifiers: Attach notifiers to send alerts to email or external tools (e.g., Jira, Splunk, webhooks). Notifiers must be pre-configured in Platform Configuration > Integrations.

Review and Save Policy

  • Review all settings and preview potential violations.
  • Click Save to create the policy.

Editing and Managing Policies

  • To edit a policy, go to Platform Configuration > Policy Management, select a policy, and click Actions > Edit Policy.
  • Default policies cannot be edited directly; clone them first.