Alauda Container Security

Viewing and Managing Security Policies

Alauda Container Security offers both default and customizable security policies to help you prevent high-risk deployments and respond to runtime incidents in your container environment.

TOC

Policy Categories

Policies are organized by type and function for easier management and search. Default categories include:

  • Anomalous Activity
  • Cryptocurrency Mining
  • DevOps Best Practices
  • Docker CIS
  • Kubernetes
  • Kubernetes Events
  • Network Tools
  • Package Management
  • Privileges
  • Security Best Practices
  • Supply Chain Security
  • System Modification
  • Vulnerability Management
  • Zero Trust

To manage categories:

  1. Go to Platform Configuration > Policy Management.
  2. Click the Policy Categories tab.
  3. Create, view, or manage categories as needed.

Policy Lifecycle Stages

When creating or editing a policy, you can specify one or more lifecycle stages:

  • Build: Checks image fields (e.g. CVEs, Dockerfile instructions).
  • Deploy: Includes build-time checks and cluster configuration (e.g. privileged mode).
  • Runtime: Adds process execution and runtime event checks.

Policy Criteria and Attributes

Policies are triggered by specific criteria (attributes). The following tables summarize common attributes and their descriptions. For details on allowed values, operators, and applicable phases, see the notes below each table.

Image Registry and Contents

AttributeDescriptionAllowed Values
Image RegistryName of the image registryString
Image NameFull image name in registryString
Image TagImage identifierString
Image SignatureSignature integration for imageIntegration ID
FixableImage has fixable CVEBoolean
Days Since CVEDays since CVE discoveredInteger
Image AgeDays since image creationInteger
Image Scan AgeDays since last image scanInteger
Image UserUSER directive in DockerfileString
Dockerfile LineDockerfile instruction/argumentLABEL/RUN/etc.
Unscanned ImageImage scan statusBoolean
CVSSVulnerability scoreNumber
SeverityVulnerability severityLevel
Fixed ByVersion that fixes vulnerabilityString
CVESpecific CVE numberString
Image ComponentSoftware component in imagekey=value
Image OSBase OS of the imageString
Required Image LabelRequired Docker image labelkey=value
Disallowed Image LabelDisallowed Docker image labelkey=value

Operators: Regex, NOT, AND, OR, OR only, AND only, None, etc.
Phases: Build, Deploy, Runtime

Container Configuration

AttributeDescriptionAllowed Values
Environment VariableCheck environment variablesRAW=key=value
Container CPU RequestCPU cores requestedNumber
Container CPU LimitCPU cores limitNumber
Container Memory RequestMemory requested (MB)Number
Container Memory LimitMemory limit (MB)Number
Privileged ContainerPrivileged mode enabledBoolean
Read-Only Root FilesystemRoot filesystem is read-onlyBoolean
Seccomp Profile TypeSeccomp profile typeUNCONFINED/RUNTIME_DEFAULT/LOCALHOST
Allow Privilege EscalationPrivilege escalation allowedBoolean
Drop CapabilitiesLinux capabilities to dropList
Add CapabilitiesLinux capabilities not allowedList
Container NameName of the containerString
AppArmor ProfileAppArmor profile usedString
Liveness ProbeLiveness probe definedBoolean
Readiness ProbeReadiness probe definedBoolean

Operators: Regex, AND, OR, None, etc.
Phases: Deploy, Runtime

Deployment Metadata

AttributeDescriptionAllowed Values
Disallowed AnnotationAnnotation not allowedkey=value
Required LabelRequired Kubernetes labelkey=value
Required AnnotationRequired Kubernetes annotationkey=value
Runtime ClassRuntimeClass of the deploymentString
Host NetworkHost network enabledBoolean
Host PIDHost PID namespace sharedBoolean
Host IPCHost IPC namespace sharedBoolean
NamespaceNamespace of the deploymentString
ReplicasNumber of deployment replicasNumber

Operators: Regex, AND, OR, NOT, None, etc.
Phases: Deploy, Runtime

Storage and Networking

AttributeDescriptionAllowed Values
Volume NameName of the storageString
Volume SourceVolume provision typeString
Volume DestinationPath where volume is mountedString
Volume TypeType of volumeString
Writable Mounted VolumeVolume mounted as writableBoolean
Mount PropagationMount propagation modeNONE/HOSTTOCONTAINER/BIDIRECTIONAL
Writable Host MountHost path mounted writableBoolean
Exposed Port ProtocolProtocol used by exposed portString
Exposed PortPort numbers exposedNumber
Exposed Node PortNode port exposed externallyNumber
Port Exposure MethodService exposure methodUNSET/EXTERNAL/NODE/HOST/INTERNAL/ROUTE
Unexpected Network FlowDetected network traffic not in baselineBoolean
Has Ingress Network PolicyPresence of ingress network policyBoolean
Has Egress Network PolicyPresence of egress network policyBoolean

Operators: Regex, AND, OR, NOT, None, etc.
Phases: Deploy, Runtime, Runtime (Network)

Process Activity (Runtime Only)

AttributeDescriptionAllowed Values
Process NameName of executed processString
Process AncestorParent process nameString
Process ArgumentsCommand argumentsString
Process UIDUnix user IDInteger
Unexpected Process ExecutedNot in locked baselineBoolean

Operators: Regex, AND, OR, NOT, None, etc.
Phases: Runtime (Process)

Kubernetes Access and Events

AttributeDescriptionAllowed Values
Service AccountName of the service accountString
Automount Service Account TokenAuto-mount service account tokenBoolean
Minimum RBAC PermissionsMinimum RBAC permission levelDEFAULT/ELEVATED_IN_NAMESPACE/ELEVATED_CLUSTER_WIDE/CLUSTER_ADMIN
Kubernetes ActionName of Kubernetes actionPODS_EXEC/PODS_PORTFORWARD
Kubernetes User NameName of user accessing resourceString
Kubernetes User GroupsUser group nameString
Kubernetes Resource TypeType of accessed resourceString
Kubernetes API VerbAPI verb usedCREATE/DELETE/GET/PATCH/UPDATE
Kubernetes Resource NameName of accessed resourceString
User AgentUser agent usedString
Source IP AddressSource IP addressIPv4/IPv6
Is Impersonated UserRequest made by impersonated userBoolean

Operators: Regex, AND, OR, NOT, None, etc.
Phases: Deploy, Runtime, Runtime (K8s Events), Runtime (Audit Log)

Policy Enforcement

Alauda Container Security supports multiple enforcement types depending on the policy phase:

  • Build-time enforcement: Fails CI builds if images violate policy. The API returns a non-zero exit code, which can be used to fail the build pipeline.
  • Deploy-time enforcement: Integrates with Kubernetes admission controllers and Alauda Container Platform admission plugins to block noncompliant workloads. Enforcement can be:
    • Hard enforcement: Admission controller blocks creation or update of violating deployments.
    • Soft enforcement: Sensor scales violating deployments to zero replicas, preventing pods from being scheduled.
  • Runtime enforcement: When enabled, any runtime activity within a pod that violates this policy will cause the pod to be automatically deleted. Violations triggered via the API server will also be blocked.

Note: By default, administrative namespaces such as stackrox, kube-system, cpaas-system,and istio-system are excluded from enforcement blocking. Requests from service accounts in system namespaces are also bypassed.

To apply policy changes to existing deployments, use Policy Management > Reassess All to trigger enforcement on all deployments.

Exporting and Importing Policies

You can share security policies between different Central instances by exporting and importing policies as JSON files.

Exporting a Policy

  1. Go to Platform Configuration > Policy Management.
  2. Select the policy to export.
  3. Click Actions > Export policy to JSON.

Importing a Policy

  1. Go to Platform Configuration > Policy Management.
  2. Click Import Policy.
  3. Upload the JSON file and click Begin Import.

Import Handling:

  • If the imported policy UID and name are unique, a new policy is created.
  • If the UID matches but the name differs, you can keep both (new UID) or replace the existing policy.
  • If the name matches but the UID differs, you can keep both (rename) or replace the existing policy.
  • If both UID and name match, Alauda Container Security checks if the criteria match. If so, the existing policy is kept; otherwise, you can keep both (rename) or replace.

Important:

  • When importing into the same Central instance, all exported fields are used.
  • When importing into a different Central instance, certain fields (e.g. cluster scopes exclusions notifications) are omitted and cannot be migrated.