Creating Security Policies
You can create policies in Container Security for managing configurations, vulnerability management, compliance, access, and auditing in containerized environments, thus automating the process of securing images and containers. A policy is a combination of rules that assess specific artifacts, such as images and containers, together with the actions to be taken when a rule is triggered.
Currently, image assessment policies for CICD and the Kubernetes Admission Controller are available. You can define rules for scanning container images for known vulnerabilities before deployment and specify the actions to be taken if the count of vulnerabilities of a specific severity is exceeded.
Create a CI/CD Policy
With CICD policies, you can block a CICD build if the count of vulnerabilities of a specific severity is exceeded.
1. Go to Policies > Image Assessment, and click New Policy.
2. On the Create New Policy page, enter the name and description for the policy.
3. From the Type list, select CICD.
4. Under Policy Mode, specify whether to activate and enforce this policy or not.
5. In the Rules section, create policy rules.
   Currently, only one image assessment rule is available, which lets you specify the action to be taken if the count of vulnerabilities of a specific severity is exceeded.
   - The rule name must be unique and consist of more than one character.
   - You can create a maximum of 100 rules.
   - The rule name must not start with a numeral and must not consist only of numerals.
   - The rule name must not contain any special character other than "_".
6. In the Policy Assignment section, select a set of tags to apply the policy. Use the same tags while configuring your events or utilities. A policy that matches all the specified tags is evaluated during scanning. If the tag combination does not match, the default policy is applied.
   For a CICD pipeline, use the same tags as parameters when configuring the pipeline using the QScanner Utility.
   If a tag assigned to the policy is deleted from the platform, the policy mode is changed to Inactive.
7. To set this policy as the default, turn on the toggle.
   The (Default) suffix is added to the name of the default policy.
   To set the current policy as the default policy, you first need to unset the existing default policy. If a default policy already exists, its name is displayed in the user interface.
8. Click Save.
   If the given combination of tags already exists in another policy, an error message is displayed and the policy is not saved.
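The steps above describe how a CI/CD policy is selected by tags and how its rule decides whether a build is blocked. The following is an added example written for this page, not Qualys code: it models the rule-name constraints, the duplicate-tag and single-default checks, deactivation on tag deletion, tag-based policy selection with fallback to the default, and the severity-count rule. The Rule and Policy shapes, the findings list, and the reading of "matches all the specified tags" as "every policy tag is present on the scan" are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    severity: str      # severity whose count is compared against the limit
    max_count: int     # more findings than this triggers the action
    action: str = "fail_build"


@dataclass
class Policy:
    name: str
    tags: FrozenSet[str]
    rules: List[Rule]
    active: bool = True
    is_default: bool = False


def validate_rule_name(name: str) -> bool:
    """Rule-name constraints as stated on the page."""
    if len(name) < 2 or name.isdigit() or name[0].isdigit():
        return False
    return all(ch.isalnum() or ch == "_" for ch in name)


class PolicyStore:
    """Holds policies and enforces the uniqueness and default-policy rules from the page."""

    def __init__(self) -> None:
        self.policies: List[Policy] = []

    def add(self, policy: Policy) -> None:
        if len(policy.rules) > 100:
            raise ValueError("a policy may hold at most 100 rules")
        names = [r.name for r in policy.rules]
        if len(set(names)) != len(names):
            raise ValueError("rule names must be unique")
        for n in names:
            if not validate_rule_name(n):
                raise ValueError(f"invalid rule name: {n!r}")
        if any(p.tags == policy.tags for p in self.policies):
            raise ValueError("this combination of tags already exists in another policy")
        if policy.is_default and any(p.is_default for p in self.policies):
            raise ValueError("unset the existing default policy first")
        self.policies.append(policy)

    def on_tag_deleted(self, tag: str) -> None:
        """Deleting a tag from the platform sets every policy using it to Inactive."""
        for p in self.policies:
            if tag in p.tags:
                p.active = False

    def select(self, scan_tags: Iterable[str]) -> Optional[Policy]:
        """Active policy whose tags all appear on the scan; otherwise the active default."""
        scan = frozenset(scan_tags)
        for p in self.policies:
            if p.active and p.tags and p.tags <= scan:
                return p
        return next((p for p in self.policies if p.is_default and p.active), None)


def count_findings(findings: List[Dict[str, str]], severity: str) -> int:
    return sum(1 for f in findings if f["severity"] == severity)


def evaluate(policy: Policy, findings: List[Dict[str, str]]) -> Tuple[str, List[str]]:
    """Return ('block', reasons) when any rule's limit is exceeded, else ('allow', [])."""
    reasons = []
    for r in policy.rules:
        n = count_findings(findings, r.severity)
        if n > r.max_count:
            reasons.append(f"{r.name}: {n} {r.severity} findings > {r.max_count} -> {r.action}")
    return ("block" if reasons else "allow", reasons)


# Constructed scan output with placeholder ids; not real findings.
SAMPLE_FINDINGS = [
    {"id": "CVE-XXXX-0001", "severity": "critical"},
    {"id": "CVE-XXXX-0002", "severity": "high"},
    {"id": "CVE-XXXX-0003", "severity": "high"},
]


def demo() -> Tuple[str, str]:
    """A tagged build hits the strict policy; an unmatched build falls back to the default."""
    store = PolicyStore()
    store.add(Policy("baseline (Default)", frozenset({"org"}),
                     [Rule("high_limit", "high", 5)], is_default=True))
    store.add(Policy("prod-gate", frozenset({"prod", "payments"}),
                     [Rule("no_critical", "critical", 0)]))
    prod = store.select({"prod", "payments", "team-a"})
    other = store.select({"staging"})
    return evaluate(prod, SAMPLE_FINDINGS)[0], evaluate(other, SAMPLE_FINDINGS)[0]
```

`demo()` returns `("block", "allow")`: the build tagged for production carries one critical finding against a limit of zero, while the untagged build is judged by the default policy's looser rule. Note that the fallback only works while the default policy is active, so deleting one of its tags silently removes the safety net for every unmatched scan.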
Create an Admission Controller Policy
With Admission Controller policies, you can allow or deny CREATE and UPDATE requests to the Kubernetes API server if the count of vulnerabilities of a specific severity is exceeded for an image. This lets you block vulnerable images from being started. You can assign the policy to clusters or namespaces.
Before you begin: Install a Qualys Admission controller in your cluster. For more information about Qualys Admission Controller, see
1. Repeat Steps 1 and 2 of the above task.
2. From the Type list, select Admission Controller.
3. Repeat Steps 4 and 5 of the above task.
4. In the Policy Assignment section, select one of the following options to assign the policy:
   - Organizational Level Policy: Sets the current policy as the default policy. This policy applies to the admission controller in your cluster by default. To set a new policy as the default policy, you first need to unset the existing default policy. If a default policy already exists, its name is displayed in the user interface.
   - Cluster Level Policy: Assigns the policy to the selected clusters.
   - Namespace Level Policy: Applies the policy to the selected namespaces of clusters. Select a cluster and then specify a namespace in the cluster.
5. Review the details and click Save.
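The assignment levels above (organizational, cluster, namespace) determine which policy the admission controller applies to a given pod request. The following is an added example written for this page, not the Qualys Admission Controller: it takes an `admission.k8s.io/v1` AdmissionReview request, resolves the policy from the most specific assignment outward, checks every container image in the pod against a scan-result cache, and returns the AdmissionReview response. The cache, the policy assignments, the findings, and the choice to deny an image that has no scan result are all assumptions.

```python
from typing import Dict, List, Tuple

Rule = Tuple[str, int]          # (severity, maximum allowed count)
Policy = Dict[str, object]      # {"name": str, "rules": List[Rule]}

# Constructed policy assignments for three levels (assumption).
ORG_DEFAULT: Policy = {"name": "org-default", "rules": [("critical", 0)]}
CLUSTER_POLICIES: Dict[str, Policy] = {
    "prod-east": {"name": "prod-cluster", "rules": [("critical", 0), ("high", 3)]},
}
NAMESPACE_POLICIES: Dict[Tuple[str, str], Policy] = {
    ("prod-east", "payments"): {"name": "payments-ns", "rules": [("critical", 0), ("high", 0)]},
}

# Constructed scan cache keyed by image reference; placeholder ids, not real findings.
SCAN_CACHE: Dict[str, List[Dict[str, str]]] = {
    "registry.example/app:1.0": [{"id": "CVE-XXXX-0001", "severity": "high"}],
    "registry.example/app:1.1": [],
    "registry.example/db:9": [{"id": "CVE-XXXX-0002", "severity": "critical"}],
}


def policy_for(cluster: str, namespace: str) -> Policy:
    """Most specific assignment wins: namespace, then cluster, then organizational default."""
    return (NAMESPACE_POLICIES.get((cluster, namespace))
            or CLUSTER_POLICIES.get(cluster)
            or ORG_DEFAULT)


def violations(policy: Policy, findings: List[Dict[str, str]]) -> List[str]:
    """Rules whose severity count exceeds the configured limit."""
    out = []
    for severity, limit in policy["rules"]:
        n = sum(1 for f in findings if f["severity"] == severity)
        if n > limit:
            out.append(f"{n} {severity} (limit {limit})")
    return out


def pod_images(pod: Dict) -> List[str]:
    """Every image the pod would run, init containers included."""
    spec = pod.get("spec", {})
    return [c["image"] for key in ("initContainers", "containers") for c in spec.get(key, [])]


def _response(uid: str, allowed: bool, message: str) -> Dict:
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": uid, "allowed": allowed, "status": {"message": message}}}


def review(admission_review: Dict, cluster: str) -> Dict:
    """Decide a pod CREATE/UPDATE; other operations are passed through unassessed."""
    req = admission_review["request"]
    uid = req["uid"]
    if req.get("operation") not in ("CREATE", "UPDATE"):
        return _response(uid, True, "operation not assessed")
    policy = policy_for(cluster, req.get("namespace", "default"))
    problems = []
    for image in pod_images(req["object"]):
        findings = SCAN_CACHE.get(image)
        if findings is None:
            # Fail closed on an unscanned image (assumption, not a documented behaviour).
            problems.append(f"{image}: no scan result available")
            continue
        problems.extend(f"{image}: {v}" for v in violations(policy, findings))
    if problems:
        return _response(uid, False, f"policy {policy['name']}: " + "; ".join(problems))
    return _response(uid, True, f"policy {policy['name']}: no rule exceeded")


def make_review(uid: str, operation: str, namespace: str, images: List[str]) -> Dict:
    """Constructed AdmissionReview request for a pod that runs the given images."""
    containers = [{"name": f"c{i}", "image": im} for i, im in enumerate(images)]
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": uid, "operation": operation, "namespace": namespace,
                        "object": {"kind": "Pod", "spec": {"containers": containers}}}}
```

The same image (`registry.example/app:1.0`, one high finding) is denied in the `payments` namespace, whose namespace-level policy allows zero high findings, but admitted elsewhere in the `prod-east` cluster, where the cluster-level limit is three. A cluster with no assignment of its own falls back to the organizational default, which is why the default should be the strictest policy you are comfortable applying everywhere.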