Built-in Rules

Cisco Panoptica includes some built-in deployment and connection rules that are automatically applied to all workloads. These rules appear at the top of the list, so they are applied ahead of all other rules.

You can choose whether a built-in rule blocks violations or only detects them. By default, the built-in rules detect violations but do not block them.

Built-in Deployment Rules

Unidentified workloads

The text of the rule is: Unidentified workloads can't run on any environment.

This rule detects or blocks any workload that attempts to run in a protected environment without a Panoptica identity. This includes, for example, workloads deployed from non-trusted registries.

Built-in Connection Rules

Connections through services

The text of the rule is: Block communication not through Kubernetes service.

This rule detects or blocks connections to or from a workload that do not use Kubernetes services (for example, connections that use a direct socket connection). The recommended way to connect is with services.