Viewing and Managing Security Policies

Alauda Security Service offers both default and customizable security policies to help you prevent high-risk deployments and respond to runtime incidents in your container environment.

Policy Management Page

The main policy entry point is Platform Configuration > Policy Management. In the current UI, the page includes:

  • Create policy
  • Import policy
  • Bulk actions
  • Reassess all

The policy table includes fields such as:

  • Policy
  • Status
  • Origin
  • Notifiers
  • Severity
  • Lifecycle

Use this page to browse system and user-defined policies, filter the list, import JSON policy definitions, and trigger reassessment for existing deployments.

Policy Categories

Policies are organized by category to simplify filtering and management. Common categories in the current environment include:

  • Anomalous Activity
  • Cryptocurrency Mining
  • DevOps Best Practices
  • Docker CIS
  • Kubernetes
  • Kubernetes Events
  • Network Tools
  • Package Management
  • Privileges
  • Security Best Practices
  • Supply Chain Security
  • System Modification
  • Vulnerability Management
  • Zero Trust

Policy Lifecycle Stages

When creating or editing a policy, you can specify one or more lifecycle stages:

  • Build: Checks image attributes such as CVEs and Dockerfile instructions
  • Deploy: Includes the build-time checks plus cluster and workload configuration checks
  • Runtime: Adds checks on process execution and other runtime activity, such as runtime events and observed behavior

Common Policy Management Tasks

Creating Policies

Use Create policy to open the policy definition flow. In the current UI, that flow includes:

  • Details
  • Lifecycle
  • Rules
  • Policy behavior
  • Scope
  • Actions
  • Review

Importing Policies

Use Import policy to upload a JSON policy definition into the current Central instance.

Reassessing Existing Deployments

Use Reassess all after policy updates when you want the platform to reevaluate existing deployments against the current policy set.

Policy Enforcement

Alauda Security Service supports multiple enforcement types, depending on the lifecycle stage a policy applies to:

  • Build-time enforcement: Fails the CI image check when an image violates the policy
  • Deploy-time enforcement: Uses admission enforcement to block or edit noncompliant workloads
  • Runtime enforcement: Responds when matching runtime activity is observed

Deploy-time enforcement can be:

  • Hard enforcement: Admission controller blocks creation or update of violating deployments
  • Soft enforcement: Sensor scales violating deployments to zero replicas

Note: By default, administrative namespaces such as stackrox, kube-system, cpaas-system, and istio-system are excluded from enforcement blocking. Requests from service accounts in system namespaces are also bypassed.

To apply policy changes to existing deployments, use Policy Management > Reassess all.
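The following pre-flight check is an added example, not code from Alauda Security Service. It takes a policy definition of the kind you would write or import as JSON and verifies that every enforcement action it declares fits one of its lifecycle stages, then reports whether deploy-time enforcement is hard, soft, or both. It assumes the JSON uses the StackRox field names `lifecycleStages` and `enforcementActions` and the enum values listed in `ENFORCEMENT_STAGE` (an assumption; confirm against a policy exported from your own Central). The two sample policies are constructed for the example.

```python
"""Check that a policy's enforcement actions match its lifecycle stages.

Added example. Field names and enum values are assumed to follow the
StackRox policy JSON format; the stage each action belongs to is an
assumption documented inline.
"""

# Assumed: the lifecycle stage in which each enforcement action takes effect.
ENFORCEMENT_STAGE = {
    "FAIL_BUILD_ENFORCEMENT": "BUILD",                      # build-time: fails the CI image check
    "FAIL_DEPLOYMENT_CREATE_ENFORCEMENT": "DEPLOY",         # hard: admission controller rejects create
    "FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT": "DEPLOY",         # hard: admission controller rejects update
    "SCALE_TO_ZERO_ENFORCEMENT": "DEPLOY",                  # soft: Sensor scales the workload to zero
    "UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT": "DEPLOY",  # soft (assumed): Sensor makes pods unschedulable
    "KILL_POD_ENFORCEMENT": "RUNTIME",
    "FAIL_KUBE_REQUEST_ENFORCEMENT": "RUNTIME",
}
HARD_DEPLOY = {"FAIL_DEPLOYMENT_CREATE_ENFORCEMENT", "FAIL_DEPLOYMENT_UPDATE_ENFORCEMENT"}
SOFT_DEPLOY = {"SCALE_TO_ZERO_ENFORCEMENT", "UNSATISFIABLE_NODE_CONSTRAINT_ENFORCEMENT"}
VALID_STAGES = {"BUILD", "DEPLOY", "RUNTIME"}


def check_enforcement(policy: dict) -> list:
    """Return the inconsistencies found; an empty list means the policy is consistent."""
    problems = []
    stages = set(policy.get("lifecycleStages", []))
    if not stages:
        problems.append("no lifecycle stage set")
    for stage in sorted(stages - VALID_STAGES):
        problems.append(f"unknown lifecycle stage {stage}")
    for action in policy.get("enforcementActions", []):
        needed = ENFORCEMENT_STAGE.get(action)
        if needed is None:
            problems.append(f"unknown enforcement action {action}")
        elif needed not in stages:
            problems.append(f"{action} needs lifecycle stage {needed}, policy has {sorted(stages)}")
    return problems


def deploy_enforcement_mode(policy: dict) -> str:
    """Classify deploy-time enforcement as 'hard', 'soft', 'both' or 'none'."""
    actions = set(policy.get("enforcementActions", []))
    hard, soft = bool(actions & HARD_DEPLOY), bool(actions & SOFT_DEPLOY)
    if hard and soft:
        return "both"
    return "hard" if hard else ("soft" if soft else "none")


# Constructed sample policies (not real policies from the product).
GOOD_POLICY = {
    "name": "Privileged container with shell",
    "lifecycleStages": ["DEPLOY", "RUNTIME"],
    "enforcementActions": [
        "FAIL_DEPLOYMENT_CREATE_ENFORCEMENT",
        "SCALE_TO_ZERO_ENFORCEMENT",
        "KILL_POD_ENFORCEMENT",
    ],
}
BAD_POLICY = {
    "name": "Image has fixable critical CVE",
    "lifecycleStages": ["BUILD"],
    # Scale-to-zero is a deploy-time action; with BUILD only it can never fire.
    "enforcementActions": ["FAIL_BUILD_ENFORCEMENT", "SCALE_TO_ZERO_ENFORCEMENT"],
}

if __name__ == "__main__":
    for p in (GOOD_POLICY, BAD_POLICY):
        print(p["name"], "->", check_enforcement(p) or "ok", "| deploy mode:", deploy_enforcement_mode(p))
```

Run it over a policy before you import it: an action that names a stage the policy does not include is a configuration that silently never enforces, which is the kind of gap Reassess all will not reveal.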

Exporting and Importing Policies

You can share policies between Central instances by exporting and importing JSON files.

Exporting a Policy

  1. Go to Platform Configuration > Policy Management
  2. Select the policy to export
  3. Open the available actions and export the policy as JSON

Importing a Policy

  1. Go to Platform Configuration > Policy Management
  2. Click Import policy
  3. Upload the JSON file and click Begin Import

Import handling depends on whether the incoming policy name and UID match an existing policy in the current Central instance. A policy whose name and UID match nothing on the target is created as a new policy; a match on either field is treated as a conflict that must be resolved before the import completes.
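The following script is an added example, not code from Alauda Security Service. It compares the policies in an exported JSON file with the policies already present on the target Central, by UID and by name, so that conflicts are known before you click Begin Import, and it produces a copy with a fresh UID and an unused name for a policy you want to import alongside the existing one. Assumptions: the export file has the shape `{"policies": [...]}` (the StackRox export format), each policy carries `id` (the UID) and `name`, and a policy matching nothing on either field imports as new. The existing-policy list and the export file are both constructed for the example; in practice you would fetch the list from the target Central.

```python
"""Classify policies from an export file against the target Central before import.

Added example. The export format and the id/name fields are assumptions
(StackRox-style policy JSON); EXISTING and EXPORT_JSON are constructed data.
"""
import copy
import json
import uuid

# Constructed: policies already on the target Central (only id and name matter here).
EXISTING = [
    {"id": "6226d4ad-7e4f-4a63-9e3c-3e2b2f5c1a10", "name": "Privileged Container"},
    {"id": "0ad5d3a5-9c6d-4a7b-8c4b-2e7f8d9a1b22", "name": "Latest tag"},
]

# Constructed: an export file taken from another Central instance.
EXPORT_JSON = json.dumps({"policies": [
    {"id": "6226d4ad-7e4f-4a63-9e3c-3e2b2f5c1a10", "name": "Privileged Container",
     "lifecycleStages": ["DEPLOY"], "enforcementActions": ["SCALE_TO_ZERO_ENFORCEMENT"]},
    {"id": "c1d2e3f4-0000-4000-8000-000000000001", "name": "Latest tag",
     "lifecycleStages": ["BUILD", "DEPLOY"], "enforcementActions": []},
    {"id": "c1d2e3f4-0000-4000-8000-000000000002", "name": "No curl in image",
     "lifecycleStages": ["BUILD"], "enforcementActions": ["FAIL_BUILD_ENFORCEMENT"]},
]})


def load_export(text: str) -> list:
    """Accept either a full export ({"policies": [...]}) or a single policy object."""
    data = json.loads(text)
    return data["policies"] if isinstance(data, dict) and "policies" in data else [data]


def classify(incoming: dict, existing: list) -> str:
    """Say how the target Central will see this policy: new, or which field collides."""
    ids = {p["id"] for p in existing if p.get("id")}
    names = {p["name"] for p in existing}
    id_hit, name_hit = incoming.get("id") in ids, incoming.get("name") in names
    if id_hit and name_hit:
        return "conflict: same policy (id and name match)"
    if id_hit:
        return "conflict: id matches a differently named policy"
    if name_hit:
        return "conflict: name matches a policy with a different id"
    return "new"


def as_new_policy(incoming: dict, existing: list) -> dict:
    """Copy with a fresh UID and a name unused on the target, so it imports as a new policy."""
    p = copy.deepcopy(incoming)
    p["id"] = str(uuid.uuid4())
    names = {e["name"] for e in existing}
    base, candidate, n = p["name"], p["name"], 1
    while candidate in names:
        n += 1
        candidate = f"{base} ({n})"
    p["name"] = candidate
    return p


def report(text: str, existing: list) -> dict:
    """Map each policy name in the export file to its classification."""
    return {p["name"]: classify(p, existing) for p in load_export(text)}


if __name__ == "__main__":
    for name, verdict in report(EXPORT_JSON, EXISTING).items():
        print(f"{name}: {verdict}")
```

Use `as_new_policy` only when you really want two copies side by side; when the intent is to update the existing policy, keep the UID and resolve the conflict by overwriting during import, otherwise the old copy keeps enforcing with its old rules.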