Cluster Event Policy

Cisco Panoptica has a runtime policy that monitors activities on the control planes of your clusters, and enforces rules to permit or block specific types of actions. These rules can alert on, or prevent, unwanted or suspicious actions on resources in your clusters.
You can use the Panoptica console to define readable plain-language rules to add to this policy, and apply them to specific clusters and to specific types of users. These rules use Kubernetes-native RBAC controls for the control plane, but take the complexity out of configuring RBAC correctly.

You can configure rules for specific users and actions, and you can choose the enforcement action taken when the rule detects an event: to allow the action, block it, or simply record it as an event in the Audit.

Panoptica includes a set of predefined rules that cover many common scenarios. These rules apply to all users, for specific actions. You can apply any or all of them to your clusters, and choose the specific conditions under which they will apply. You can also choose to exclude specific users from a rule.

Create Cluster Event Rule

You can configure a custom rule, or select a predefined rule, and configure the conditions on which it will apply.

Predefined rules

  1. Navigate to the Policies page, and select the CLUSTER EVENTS RULES tab.
  2. Click New Cluster Events Rule.
  3. For STEP 1, select one of the predefined rules in the list, and then click NEXT.
  4. In STEP 2, select users to be excluded from the rule. Actions initiated by them will not be evaluated by the rule. You can select more than one user. If there are no exclusions, leave this blank.
    • Users - select the users, groups, or service accounts to exclude
  5. Click NEXT.
  6. In STEP 3, select the scope for the rule. This determines on which clusters or environments the rule will apply. For each option, there are additional qualifiers.
    • For Clusters, select the name.
    • For Environments, select whether they will be selected by name (and enter the name), by Risk level (and select the Risk level), or Any (all clusters are selected).
  7. Click NEXT.
  8. In STEP 4, select the action to be taken if the rule is triggered by a cluster event. The options are:
    • Allow kubernetes APIs to be invoked on the specified environments - the API call is allowed, and Panoptica takes no action.
    • Detect kubernetes APIs invoked on the specified environments - the API call is not blocked, but an event is recorded in the Audit log.
    • Block kubernetes APIs from being invoked on the specified environments - the API call is blocked, and an event is recorded in the Audit log.
  9. Click FINISH.

Custom rules

Custom rules are similar to predefined rules, except that in this case, you select the action to be governed by the rule, and the users involved, in addition to the clusters or environments affected by it.

  1. Navigate to the Policies page, and select the CLUSTER EVENTS RULES tab.
  2. Click New Cluster Events Rule.
  3. For STEP 1, select Custom, and then click NEXT.
  4. In STEP 2, select the following for the rule:
    • Users - select the users, groups, or service accounts initiating the action; you can select more than one.
    • Resources - select the cluster resources affected by the action, from a list; you can select more than one resource.
    • API Actions - select the actions performed on the resource; here, too, you can select more than one action.
  5. Click NEXT.
  6. In STEP 3, select the scope for the rule. This is the same as for predefined rules, above. Click NEXT to move to STEP 4.
  7. In STEP 4, select the action to be taken if the rule is triggered.
  8. Click FINISH.
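To make the pieces of a custom rule concrete, here is an added example (not Panoptica's own code) that models a rule built from the STEP 2 selections (users, resources, API actions), the STEP 3 scope and the STEP 4 action, plus the excluded-users list of a predefined rule, and evaluates it against constructed control-plane events. The `ClusterEventRule` shape, the `evaluate` function, the sample rules and events, and the assumption that the most restrictive action wins when several rules match are all constructed here and are not documented by Panoptica.

```python
# Added example: a model of how a Cluster Event rule decides on a control-plane
# event. Not Panoptica's implementation; rule shape and precedence are assumed.
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DETECT, BLOCK = "allow", "detect", "block"


@dataclass
class ClusterEventRule:
    name: str
    action: str                              # STEP 4: ALLOW, DETECT or BLOCK
    api_actions: set                         # STEP 2: API verbs, e.g. "delete"
    resources: set                           # STEP 2: resource kinds, e.g. "secrets"
    clusters: Optional[set] = None           # STEP 3 scope by name; None = Any
    users: Optional[set] = None              # custom rule: initiators; None = all users
    excluded_users: set = field(default_factory=set)  # predefined rule: exclusions

    def matches(self, event: dict) -> bool:
        if event["verb"] not in self.api_actions or event["resource"] not in self.resources:
            return False
        if self.clusters is not None and event["cluster"] not in self.clusters:
            return False
        if self.users is not None and event["user"] not in self.users:
            return False
        return event["user"] not in self.excluded_users  # excluded users are skipped


PRECEDENCE = {BLOCK: 2, DETECT: 1, ALLOW: 0}


def evaluate(rules, event) -> str:
    """Assumption (not stated on the page): when several rules match, the most
    restrictive action wins; an event that matches no rule is allowed."""
    matched = [r.action for r in rules if r.matches(event)]
    return max(matched, key=PRECEDENCE.__getitem__) if matched else ALLOW


# Constructed sample rules: one predefined-style rule with an exclusion, one custom rule.
RULES = [
    ClusterEventRule("Block secret deletion", BLOCK, {"delete"}, {"secrets"},
                     excluded_users={"system:serviceaccount:kube-system:backup"}),
    ClusterEventRule("Detect exec in prod", DETECT, {"create"}, {"pods/exec"},
                     clusters={"prod-east"}, users={"dev-team"}),
]

# Constructed sample control-plane events (user, verb, resource, cluster).
EVENTS = [
    {"user": "alice", "verb": "delete", "resource": "secrets", "cluster": "prod-east"},
    {"user": "system:serviceaccount:kube-system:backup", "verb": "delete",
     "resource": "secrets", "cluster": "prod-east"},
    {"user": "dev-team", "verb": "create", "resource": "pods/exec", "cluster": "prod-east"},
    {"user": "dev-team", "verb": "create", "resource": "pods/exec", "cluster": "staging"},
]
```

Running `evaluate(RULES, e)` over `EVENTS` yields block, allow (excluded service account), detect, allow (out of scope), which is the behaviour to expect before enabling a rule in Block mode on a production cluster.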

View Events in Audit

Events from Cluster Event rules are recorded in the Panoptica Audit log. To view them, navigate to the Audit page, and select the KUBERNETES AUDITS tab. The list can be filtered by each column.
