Section: Image registry |
Image Registry |
The name of the image registry. |
Image Registry |
String |
Regex,
NOT,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Image Name |
The full name of the image in registry, for example library/nginx . |
Image Remote |
String |
Regex,
NOT,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Image Tag |
Identifier for an image. |
Image Tag |
String |
Regex,
NOT,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Image Signature |
The list of signature integrations you can use to verify an image’s signature. Create alerts on images that either do not have a signature or their signature is not verifiable by at least one of the provided signature integrations. |
Image Signature Verified By |
A valid ID of an already configured image signature integration |
! OR only |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Section: Image contents |
The Common Vulnerabilities and Exposures (CVE) is fixable |
This criterion results in a violation only if the image in the deployment you are evaluating has a fixable CVE. |
Fixable |
Boolean |
✕ |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Days Since CVE Was First Discovered In Image |
This criterion results in a violation only if it has been more than a specified number of days since RHACS discovered the CVE in a specific image. |
Days Since CVE Was First Discovered In Image |
Integer |
✕ |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Days Since CVE Was First Discovered In System |
This criterion results in a violation only if it has been more than a specified number of days since RHACS discovered the CVE across all deployed images in all clusters that RHACS monitors. |
Days Since CVE Was First Discovered In System |
Integer |
✕ |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Image age |
The minimum number of days from image creation date. |
Image Age |
Integer |
✕ |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Image scan age |
The minimum number of days since the image was last scanned. |
Image Scan Age |
Integer |
✕ |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Image User |
Matches the USER directive in the Dockerfile. See https://docs.docker.com/engine/reference/builder/#user for details
. |
Image User |
String |
Regex,
NOT,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Dockerfile Line |
A specific line in the Dockerfile, including both instructions and arguments. |
Dockerfile Line |
One of: LABEL, RUN, CMD, EXPOSE, ENV, ADD, COPY, ENTRYPOINT, VOLUME, USER, WORKDIR, ONBUILD |
! Regex only for values,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Image scan status |
Check if an image was scanned. |
Unscanned Image |
Boolean |
✕ |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Common Vulnerability Scoring System (CVSS) |
CVSS: Use it to match images with vulnerabilities whose scores are greater than > , less than < , or equal to = the specified CVSS. |
CVSS |
<, >, <=, >= or nothing (which implies equal to)
— and —
a decimal (a number with an optional fractional value).
Examples:
>=5, or
9.5 |
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Severity |
The severity of the vulnerability based on the CVSS or the vendor. Can be one of Low, Moderate, Important or Critical. |
Severity |
<, >, ⇐, >= or nothing (which implies equal to)
— and —
One of:
UNKNOWN
LOW
MODERATE
IMPORTANT
CRITICAL
Examples:
>=IMPORTANT, or
CRITICAL |
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Fixed By |
The version string of a package that fixes a flagged vulnerability in an image. This criterion may be used in addition to other criteria that identify a vulnerability, for example using the CVE criterion. |
Fixed By |
String |
Regex,
NOT,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
CVE |
Common Vulnerabilities and Exposures, use it with specific CVE numbers. |
CVE |
String |
Regex,
NOT,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Image Component |
Name and version number of a specific software component present in an image. |
Image Component |
key=value
Value is optional.
If value is missing, it must be in format "key=". |
Regex,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Image OS |
Name and version number of the base operating system of the image. For example, alpine:3.17.3 |
Image OS |
String |
Regex,
NOT,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Require image label |
Ensure the presence of a Docker image label. The policy triggers if any image in the deployment does not have the specified label. You can use regular expressions for both key and value fields to match labels. The Require Image Label policy criteria only works when you integrate with a Docker registry. For details about Docker labels see Docker documentation, https://docs.docker.com/config/labels-custom-metadata/. |
Required Image Label |
key=value
Value is optional.
If value is missing, it must be in format "key=". |
Regex,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Disallow image label |
Ensure that a particular Docker image label is NOT used. The policy triggers if any image in the deployment has the specified label. You can use regular expressions for both key and value fields to match labels. The 'Disallow Image Label policy' criteria only works when you integrate with a Docker registry. For details about Docker labels see Docker documentation, https://docs.docker.com/config/labels-custom-metadata/. |
Disallowed Image Label |
key=value
Value is optional.
If value is missing, it must be in format "key=". |
Regex,
AND, OR |
Build,
Deploy,
Runtime (when used with a Runtime criterion) |
Section: Container configuration |
Environment Variable |
Check environment variables by name or value. When you create a policy that includes the environment variable attribute,
you can choose which types of environment variables the policy should match. For example, you can specify raw values, which are provided directly in the deployment YAML, or you can specify references to values from config maps, secrets, fields, or resource requests or limits.
For any type other than a raw value specified directly in the deployment YAML, the corresponding value attribute of the policy rule is ignored. In this case, the policy match is evaluated on the existence of the specified environment variable type. Additionally, this criteria disallows the creation of policies with a non-empty value attribute for types other than raw values. |
Environment Variable |
RAW=key=value to match an environment variable as directly specified in the deployment YAML with a specific key and value. You can omit the value attribute to match on only the key.
If the environment variable is not defined in the configuration YAML, then you can use the format SOURCE=KEY , where SOURCE is one of the following objects:
-
SECRET_KEY (SecretKeyRef)
-
CONFIG_MAP_KEY (ConfigMapRef)
-
FIELD (FieldRef)
-
RESOURCE_FIELD (ResourceFieldRef)
The preceding list provides the API object label first, and then provides the user interface label in parentheses.
|
! Regex only for key and value (if using RAW)
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Container CPU Request |
Check for the number of cores reserved for a given resource. |
Container CPU Request |
<, >, ⇐, >= or nothing (which implies equal to)
— and —
A decimal (a number with an optional fractional value)
Examples:
>=5, or
9.5 |
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Container CPU Limit |
Check for the maximum number of cores a resource is allowed to use. |
Container CPU Limit |
(Same as Container CPU Request) |
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Container Memory Request |
Number, including fraction, of MB requested. |
Container Memory Request |
(Same as Container CPU Request) |
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Container Memory Limit |
Check for the maximum amount of memory a resource is allowed to use. |
Container Memory Limit |
(Same as Container CPU Request) |
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Privileged container |
Check if a deployment is configured in privileged mode. This criterion only checks the value of the privileged field in the respective Pod Security Context. |
Privileged Container |
Boolean: true when the value of the privileged field in the respective PodSecurityContext is set to true |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Root filesystem writeability |
Check if a deployment is configured in the readOnlyFilesystem mode. |
Read-Only Root Filesystem |
Boolean: true when the value of the readOnlyRootFilesystem field in the respective PodSecurityContext is set to true |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Seccomp Profile Type |
The type of seccomp profile defined for the deployment. If seccomp options are provided at both the pod and container level, the container options override the pod options. See Security Context. |
Seccomp Profile Type |
One of:
UNCONFINED
RUNTIME_DEFAULT
LOCALHOST |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Privilege escalation |
Provides alerts when a deployment allows a container process to gain more privileges than its parent process. |
Allow Privilege Escalation |
Boolean |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Drop Capabilities |
Linux capabilities that must be dropped from the container. Provides alerts when the specified capabilities are not dropped.
For example, if configured with SYS_ADMIN AND SYS_BOOT , and the deployment drops only one or neither of these two capabilities, the alert occurs. |
Drop Capabilities
|
One of:
ALL
AUDIT_CONTROL
AUDIT_READ
AUDIT_WRITE
BLOCK_SUSPEND
CHOWN
DAC_OVERRIDE
DAC_READ_SEARCH
FOWNER
FSETID
IPC_LOCK
IPC_OWNER
KILL
LEASE
LINUX_IMMUTABLE
MAC_ADMIN
MAC_OVERRIDE
MKNOD
NET_ADMIN
NET_BIND_SERVICE
NET_BROADCAST
NET_RAW
SETGID
SETFCAP
SETPCAP
SETUID
SYS_ADMIN
SYS_BOOT
SYS_CHROOT
SYS_MODULE
SYS_NICE
SYS_PACCT
SYS_PTRACE
SYS_RAWIO
SYS_RESOURCE
SYS_TIME
SYS_TTY_CONFIG
SYSLOG
WAKE_ALARM
|
AND |
Deploy,
Runtime (when used with a Runtime criterion) |
Add Capabilities |
Linux capabilities that must not be added to the container, such as the ability to send raw packets or override file permissions. Provides alerts when the specified capabilities are added. For example, if configured with NET_ADMIN or NET_RAW , and the deployment manifest YAML file includes at least one of these two capabilities, the alert occurs. |
Add Capabilities |
AUDIT_CONTROL
AUDIT_READ
AUDIT_WRITE
BLOCK_SUSPEND
CHOWN
DAC_OVERRIDE
DAC_READ_SEARCH
FOWNER
FSETID
IPC_LOCK
IPC_OWNER
KILL
LEASE
LINUX_IMMUTABLE
MAC_ADMIN
MAC_OVERRIDE
MKNOD
NET_ADMIN
NET_BIND_SERVICE
NET_BROADCAST
NET_RAW
SETGID
SETFCAP
SETPCAP
SETUID
SYS_ADMIN
SYS_BOOT
SYS_CHROOT
SYS_MODULE
SYS_PACCT
SYS_PTRACE
SYS_RAWIO
SYS_RESOURCE
SYS_TIME
SYS_TTY_CONFIG
SYSLOG
WAKE_ALARM
|
OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Container Name |
The name of the container. |
Container Name |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
AppArmor Profile |
The Application Armor ("AppArmor") profile used in the container. |
AppArmor Profile |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Liveness Probe |
Whether the container defines a liveness probe. |
Liveness Probe |
Boolean |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Readiness Probe |
Whether the container defines a readiness probe. |
Readiness Probe |
Boolean |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Section: deployment metadata |
Disallowed Annotation |
An annotation which is not allowed to be present on Kubernetes resources in a specified environment. |
Disallowed Annotation |
key=value
Value is optional.
If value is missing, it must be in format "key=". |
Regex,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Required Label |
Check for the presence of a required label in Kubernetes. |
Required Label |
key=value
Value is optional.
If value is missing, it must be in format "key=". |
Regex,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Required Annotation |
Check for the presence of a required annotation in Kubernetes. |
Required Annotation |
key=value
Value is optional.
If value is missing, it must be in format "key=". |
Regex,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Runtime Class |
The RuntimeClass of the deployment. |
Runtime Class |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Host Network |
Check if HostNetwork is enabled which means that the container is not placed inside a separate network stack (for example, the container’s networking is not containerized). This implies that the container has full access to the host’s network interfaces. |
Host Network |
Boolean |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Host PID |
Check if the Process ID (PID) namespace is isolated between the containers and the host. This allows for processes in different PID namespaces to have the same PID. |
Host PID |
Boolean |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Host IPC |
Check if the IPC (POSIX/SysV IPC) namespace (which provides separation of named shared memory segments, semaphores and message queues) on the host is shared with containers. |
Host IPC |
Boolean |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Namespace |
The name of the namespace the deployment belongs to. |
Namespace |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Replicas |
The number of deployment replicas. If you use oc scale to scale the deployment replicas from 0 to a number, then the admission controller blocks this action if the deployment violates a policy. |
Replicas |
<, >, ⇐, >= or nothing (which implies equal to)
— and —
a decimal (a number with an optional fractional value).
Examples:
>=5, or
9.5 |
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Section: Storage |
Volume Name |
Name of the storage. |
Volume Name |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Volume Source |
Indicates the form in which the volume is provisioned. For example, persistentVolumeClaim or hostPath . |
Volume Source |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Volume Destination |
The path where the volume is mounted. |
Volume Destination |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Volume Type |
The type of volume. |
Volume Type |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Mounted volume writability |
Volumes that are mounted as writable. |
Writable Mounted Volume |
Boolean |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Mount Propagation |
Check if container is mounting volumes in Bidirectional , Host to Container , or None modes. |
Mount Propagation |
One of:
NONE
HOSTTOCONTAINER
BIDIRECTIONAL
|
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Host mount writability |
Resource has mounted a path on the host with write permissions. |
Writable Host Mount |
Boolean |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Section: Networking |
Protocol |
Protocol, such as, TCP or UDP, that is used by the exposed port. |
Exposed Port Protocol |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Port |
Port numbers exposed by a deployment. |
Exposed Port |
<, >, ⇐, >= or nothing (which implies equal to)
— and —
an integer.
Examples:
>=1024, or
22 |
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Exposed Node Port |
Port numbers exposed externally by a deployment. |
Exposed Node Port |
(Same as Exposed Port) |
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Port Exposure |
Exposure method of the service, for example, load balancer or node port. |
Port Exposure Method |
One of:
UNSET
EXTERNAL
NODE
HOST
INTERNAL
ROUTE
|
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Unexpected Network Flow Detected |
Check if the detected network traffic is part of the network baseline for the deployment. |
Unexpected Network Flow Detected |
Boolean |
✕ |
Runtime ONLY - Network |
Ingress Network Policy |
Check the presence or absence of ingress Kubernetes network policies. |
Has Ingress Network Policy |
Boolean |
Regex,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Egress Network Policy |
Check the presence or absence of egress Kubernetes network policies. |
Has Egress Network Policy |
Boolean |
Regex,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Section: Process activity |
Process Name |
Name of the process executed in a deployment. |
Process Name |
String |
Regex,
NOT,
AND, OR |
Runtime ONLY - Process |
Process Ancestor |
Name of any parent process for a process executed in a deployment. |
Process Ancestor |
String |
Regex,
NOT,
AND, OR |
Runtime ONLY - Process |
Process Arguments |
Command arguments for a process executed in a deployment. |
Process Arguments |
String |
Regex,
NOT,
AND, OR |
Runtime ONLY - Process |
Process UID |
Unix user ID for a process executed in a deployment. |
Process UID |
Integer |
NOT,
AND, OR |
Runtime ONLY - Process |
Unexpected Process Executed |
Check deployments for which process executions are not listed in the deployment’s locked process baseline. |
Unexpected Process Executed |
Boolean |
✕ |
Runtime ONLY - Process |
Section: Kubernetes access |
Service Account |
The name of the service account. |
Service Account |
String |
Regex,
NOT,
AND, OR |
Deploy,
Runtime (when used with a Runtime criterion) |
Automount Service Account Token |
Check if the deployment configuration automatically mounts the service account token. |
Automount Service Account Token |
Boolean |
✕ |
Deploy,
Runtime (when used with a Runtime criterion) |
Minimum RBAC Permissions |
Match if the deployment’s Kubernetes service account has Kubernetes RBAC permission level equal to = or greater than > the specified level. |
Minimum RBAC Permissions |
One of:
DEFAULT
ELEVATED_IN_NAMESPACE
ELEVATED_CLUSTER_WIDE
CLUSTER_ADMIN |
NOT |
Deploy,
Runtime (when used with a Runtime criterion) |
Section: Kubernetes events |
Kubernetes Action |
The name of the Kubernetes action, such as Pod Exec . |
Kubernetes Resource |
One of:
PODS_EXEC
PODS_PORTFORWARD
|
! OR only |
Runtime ONLY - Kubernetes Events |
Kubernetes User Name |
The name of the user who accessed the resource. |
Kubernetes User Name |
Alphanumeric with hyphens (-) and colon (:) only |
Regex,
NOT,
! OR only |
Runtime ONLY - Kubernetes Events |
Kubernetes User Group |
The name of the group to which the user who accessed the resource belongs to. |
Kubernetes User Groups |
Alphanumeric with hyphens (-) and colon (:) only |
Regex,
! OR only |
Runtime ONLY - Kubernetes Events |
Kubernetes Resource Type |
Type of the accessed Kubernetes resource. |
Kubernetes Resource |
One of:
Config maps
Secrets
ClusterRoles
ClusterRoleBindings
NetworkPolicies
SecurityContextConstraints
EgressFirewalls |
! OR only |
Runtime ONLY - Audit Log |
Kubernetes API Verb |
The Kubernetes API verb that is used to access the resource, such as GET or POST . |
Kubernetes API Verb |
One of:
CREATE
DELETE
GET
PATCH
UPDATE
|
! OR only |
Runtime ONLY - Audit Log |
Kubernetes Resource Name |
The name of the accessed Kubernetes resource. |
Kubernetes Resource Name |
Alphanumeric with hyphens (-) and colon (:) only |
Regex,
NOT,
! OR only |
Runtime ONLY - Audit Log |
User Agent |
The user agent that the user used to access the resource.
For example oc , or kubectl . |
User Agent |
String |
Regex,
NOT,
! OR only |
Runtime ONLY - Audit Log |
Source IP Address |
The IP address from which the user accessed the resource. |
Source IP Address |
IPV4 or IPV6 address |
Regex,
NOT,
! OR only |
Runtime ONLY - Audit Log |
Is Impersonated User |
Check if the request was made by a user that is impersonated by a service account or some other account. |
Is Impersonated User |
Boolean |
✕ |
Runtime ONLY - Audit Log |