Deployment Policy

The Deployment policy controls which workloads can run on a Panoptica environment. It consists of rule statements of the form 'allow workload A in Environment B' or 'restrict workload C in Environment D'. When a workload is deployed to an environment, the Panoptica controller checks the workload's identity, and then checks the policy rules for a rule that applies to it. If a matching rule is found, its action is applied: the workload is allowed to run, allowed to run with an event recorded (Detect), or blocked from running. If no rule matches, the Deployment Default Rule (see below) decides whether the workload is allowed or restricted.

Add a Deployment rule

The rule has three sections:

  • STEP 1 - select the Workloads that are affected by it
  • STEP 2 - select the Environments on which it applies
  • STEP 3 - select the Properties, or actions, that the rule will perform (detect, block, etc.)

  1. Navigate to the Policies page, and select DEPLOYMENT RULES.
  2. Click New Deployment Rule.
  3. For STEP 1, select the workloads that will be affected by the rule. Select the workloads according to these options:
    • By Name - select workloads by name; enter the names of the workloads
    • By Label - select workloads by the labels attached to them; enter the label names and values
    • Any - select all workloads
  4. You can optionally narrow the workloads selected in the previous step with these additional filters:
    • Vulnerability Level - select the maximum vulnerability level permitted in the workload's image, as found when the image was scanned
    • Pod Security Policy Profile - select pods according to Kubernetes pod properties, as specified in a Pod Security Policy profile
  5. Click NEXT.
  6. In STEP 2, select the Panoptica environments on which the rule will apply. Select the environments according to these options:
    • By Name - select the environment by name, from a list
    • By Risk - select environments by the risk level associated with them (this is the maximum risk level of a workload permitted in the environment)
    • Any - select all environments
  7. Click NEXT.
  8. In STEP 3, assign a name to the rule and select the action the rule will perform.
    Enter a name for the rule, as it will appear in the Panoptica UI.
    Select the action from these options:
    - Allow pods to run only on the specified environments - workloads (pods) selected in STEP 1 are allowed to run on the environments selected in STEP 2
    - Detect pods running on the specified environments - workloads selected in STEP 1 are allowed to run on the selected environments, but an event is recorded in the Audit log
    - Block pods from running on the specified environments - workloads selected in STEP 1 are blocked from running on the selected environments, and an event is recorded in the Audit log

For Allow actions, also select the action to be taken if the Vulnerability Level or PSP profile conditions (selected in STEP 1) fail, that is, if one or both of the conditions are not satisfied. Select either Detect or Block for each condition separately. Workloads selected in STEP 1 match the rule whether or not they satisfy these conditions: if both conditions are satisfied, the Allow action applies; if one condition fails, the action chosen for that condition (Detect or Block) applies; if both conditions fail, the more stringent of the two actions applies (Block, if either is set to Block).

  9. Click FINISH. The new rule is added to the list of rules in the Policies page.

Modify the Deployment Default Rule

  1. Navigate to the Policies page, and select DEPLOYMENT RULES.
  2. Click Edit default rule.
  3. Select the rule action:

    • Any workload can run on any environment unless specifically restricted by a previous rule - this permits all workloads on all environments to which no other rule (allowing or restricting) applies
    • A workload can't run on any environment unless specifically allowed in a previous rule - this restricts all workloads on all environments to which no other rule applies
  4. In the On Detection section, select the action to be taken when the default rule does not permit a workload: Detect (the workload runs, but an event is recorded in the Audit log) or Block.
  5. Click FINISH.
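The evaluation order described on this page (workload selection in STEP 1, environment selection in STEP 2, the Allow/Detect/Block actions of STEP 3, the per-condition failure actions for Allow rules with Block outranking Detect, and the Deployment Default Rule for workloads no rule matches) can be written out as a small evaluator so that the precedence can be checked against concrete cases. The Python below is an added example for this page, not Panoptica's code or its API: the class and field names, the severity scale used for both image vulnerability level and environment risk, and the assumption that rules are checked in list order with the first matching rule deciding are all assumptions made for the illustration; the sample rules, workloads and environments are constructed inline.

```python
# Added example (not Panoptica code or its API): a model of the Deployment policy
# semantics on this page. Names, the severity scale and first-match ordering are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SEVERITY = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # assumed scale
ACTION_RANK = {"ALLOW": 0, "DETECT": 1, "BLOCK": 2}  # higher = more stringent

@dataclass
class Workload:
    name: str
    labels: Dict[str, str]
    max_vuln: str        # highest vulnerability level found when the image was scanned
    psp_compliant: bool  # satisfies the Pod Security Policy profile

@dataclass
class Environment:
    name: str
    risk: str            # maximum risk level of a workload permitted here

@dataclass
class Rule:
    name: str
    action: str                                       # "ALLOW", "DETECT" or "BLOCK"
    workload_names: Optional[Set[str]] = None         # STEP 1: By Name
    workload_labels: Optional[Dict[str, str]] = None  # STEP 1: By Label
    any_workload: bool = False                        # STEP 1: Any
    max_vuln: Optional[str] = None                    # STEP 1 filter: Vulnerability Level
    require_psp: bool = False                         # STEP 1 filter: PSP profile
    on_vuln_fail: str = "BLOCK"                       # Allow rules: action if condition fails
    on_psp_fail: str = "BLOCK"
    env_names: Optional[Set[str]] = None              # STEP 2: By Name
    env_risks: Optional[Set[str]] = None              # STEP 2: By Risk
    any_env: bool = False                             # STEP 2: Any

def workload_selected(rule: Rule, w: Workload) -> bool:
    by_name = bool(rule.workload_names and w.name in rule.workload_names)
    by_label = bool(rule.workload_labels and
                    all(w.labels.get(k) == v for k, v in rule.workload_labels.items()))
    return rule.any_workload or by_name or by_label

def env_selected(rule: Rule, e: Environment) -> bool:
    by_name = bool(rule.env_names and e.name in rule.env_names)
    by_risk = bool(rule.env_risks and e.risk in rule.env_risks)
    return rule.any_env or by_name or by_risk

def failed_conditions(rule: Rule, w: Workload) -> List[str]:
    """STEP 1 filter conditions the workload does not satisfy."""
    failed = []
    if rule.max_vuln is not None and SEVERITY[w.max_vuln] > SEVERITY[rule.max_vuln]:
        failed.append("vuln")
    if rule.require_psp and not w.psp_compliant:
        failed.append("psp")
    return failed

def evaluate(rules: List[Rule], default_allow: bool, default_on_violation: str,
             w: Workload, e: Environment) -> Tuple[str, str]:
    """Return (action, deciding rule) for deploying w into e; first matching rule wins."""
    for r in rules:
        if not (workload_selected(r, w) and env_selected(r, e)):
            continue
        failed = failed_conditions(r, w)
        if r.action == "ALLOW":
            if not failed:
                return "ALLOW", r.name
            # One failed condition: its own action; both failed: the more stringent one.
            chosen = [r.on_vuln_fail if c == "vuln" else r.on_psp_fail for c in failed]
            return max(chosen, key=ACTION_RANK.__getitem__), r.name
        if failed:
            continue  # for Detect/Block rules the filters narrow the selection
        return r.action, r.name
    # No rule matched: the Deployment Default Rule decides.
    return ("ALLOW", "default") if default_allow else (default_on_violation, "default")

# Constructed sample policy: web pods may run in prod only if clean and PSP-compliant;
# the legacy batch job is audited (Detect) on any high-risk environment.
RULES = [
    Rule("allow-web-in-prod", "ALLOW", workload_labels={"app": "web"}, env_names={"prod"},
         max_vuln="MEDIUM", require_psp=True, on_vuln_fail="BLOCK", on_psp_fail="DETECT"),
    Rule("detect-legacy-on-high-risk", "DETECT", workload_names={"legacy-batch"},
         env_risks={"HIGH"}),
]
PROD, DEV = Environment("prod", "MEDIUM"), Environment("dev", "HIGH")

def demo() -> Dict[str, Tuple[str, str]]:
    """Evaluate constructed workloads against RULES with a deny-by-default rule (Block)."""
    cases = {
        "clean web in prod": (Workload("web-1", {"app": "web"}, "LOW", True), PROD),
        "vulnerable web in prod": (Workload("web-2", {"app": "web"}, "HIGH", True), PROD),
        "non-psp web in prod": (Workload("web-3", {"app": "web"}, "LOW", False), PROD),
        "vulnerable non-psp web": (Workload("web-4", {"app": "web"}, "CRITICAL", False), PROD),
        "unmatched db in prod": (Workload("db-1", {"app": "db"}, "LOW", True), PROD),
        "legacy batch in dev": (Workload("legacy-batch", {}, "MEDIUM", False), DEV),
    }
    return {k: evaluate(RULES, False, "BLOCK", w, e) for k, (w, e) in cases.items()}

if __name__ == "__main__":
    for case, (action, rule) in demo().items():
        print(f"{case:24s} -> {action:6s} (by {rule})")
```

Running the script shows the precedence from the page directly: the web pod with a HIGH finding is blocked by the Allow rule's vulnerability failure action, the PSP-noncompliant one is only detected, a pod failing both gets the stricter Block, and the database pod no rule selects falls through to the default rule. Changing the `default_allow` argument to `True` in `demo()` is the permissive default ("Any workload can run on any environment unless specifically restricted"), under which the unmatched pod is allowed instead.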