-
The Policy categories option is only available if you use the following:
-
PostgreSQL as a backend database in Red Hat Advanced Cluster Security for Kubernetes (RHACS).
-
Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud service).
-
The ability to instantly find resources is important to safeguard your cluster. Use Red Hat Advanced Cluster Security for Kubernetes search feature to find relevant resources faster. For example, you can use it to find deployments that are exposed to a newly published CVE or find all deployments that have external network exposure.
A search query is made up of two parts:
An attribute that identifies the resource type you want to search for.
A search term that finds the matching resource.
For example, to find all violations in the visa-processor
deployment, the search query is deployment:visa-processor
. In this search query, deployment
is the attribute and visa-processor
is the search term.
You must select an attribute before you can use search terms. However, in some views, such as the Risk view and the Violations view, Red Hat Advanced Cluster Security for Kubernetes automatically applies the relevant attribute based on the search term you enter. |
You can use multiple attributes in your query. When you use more than one attribute, the results only include the items that match all attributes.
When you search for Namespace:frontend CVE:CVE-2018-11776
, it returns only those resources which violate CVE-2018-11776 in the frontend
namespace.
You can use more than one search term with each attribute. When you use more than one search term, the results include all items that match any of the search terms.
If you use the search query Namespace: frontend backend
, it returns matching results from the namespace frontend
or backend
.
You can combine multiple attribute and search term pairs.
The search query Cluster:production Namespace:frontend CVE:CVE-2018-11776
returns all resources which violate CVE-2018-11776 in the frontend
namespace in the production
cluster.
Search terms can be part of a word, in which case Red Hat Advanced Cluster Security for Kubernetes returns all matching results.
If you search for deployment:def
, the results include all deployments starting with def
.
To explicitly search for a specific term, use the search terms inside quotes.
When you search for deployment:"def"
, the results only include the deployment def
.
You can also use regular expressions by using r/
before your search term.
When you search for Namespace:r/st.*x
, the results include matches from namespace stackrox
and stix
.
Use !
to indicate the search terms that you do not want in results.
If you search for Namespace:!stackrox
, the results include matches from all namespaces except the stackrox
namespace.
Use the comparison operators >
, <
, =
, >=
, or <=
to match a specific value or range of values.
If you search for CVSS:>=6
, the results include all vulnerabilities with Common Vulnerability Scoring System (CVSS) score 6 or higher.
As you enter your query, Red Hat Advanced Cluster Security for Kubernetes automatically displays relevant suggestions for the attributes and the search terms.
By using global search you can search across all resources in your environment. Based on the resource type you use in your search query, the results are grouped in the following categories:
All results (Lists matching results across all categories)
Clusters
deployments
Images
Namespaces
Nodes
Policies
Policy categories [1]
Roles
Role bindings
Secrets
Service accounts
Users and groups
Violations
The Policy categories option is only available if you use the following:
PostgreSQL as a backend database in Red Hat Advanced Cluster Security for Kubernetes (RHACS).
Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud service).
These categories are listed as a table on the RHACS portal global search page and you can click on the category name to identify results belonging to the selected category.
To do a global search, in the RHACS portal, select Search on the top right side.
You can use local page filtering from within all views in the RHACS portal. Local page filtering works similar to the global search, but only relevant attributes are available. You can select the search bar to show all available attributes for a specific view.
Here are some common search queries you can run with Red Hat Advanced Cluster Security for Kubernetes.
Query | Example |
---|---|
|
|
Query | Example |
---|---|
|
|
Query | Example |
---|---|
|
|
Query | Example |
---|---|
|
|
Query | Example |
---|---|
|
|
Query | Example |
---|---|
|
|
Query | Example |
---|---|
|
|
Use Kubernetes Labels and Selectors, and Annotations to attach metadata to your deployments. You can then query based on the applied annotations and labels to identify individuals or groups.
Query | Example |
---|---|
|
|
Query | Example |
---|---|
|
|
Query | Example |
---|---|
|
|
Following is the list of search attributes that you can use while searching and filtering in Red Hat Advanced Cluster Security for Kubernetes.
Attribute | Description |
---|---|
Add Capabilities |
Provides the container with additional Linux capabilities, for instance the ability to modify files or perform network operations. |
Annotation |
Arbitrary non-identifying metadata attached to an orchestrator object. |
CPU Cores Limit |
Maximum number of cores that a resource is allowed to use. |
CPU Cores Request |
Minimum number of cores to be reserved for a given resource. |
CVE |
Common Vulnerabilities and Exposures, use it with specific CVE numbers. |
CVSS |
Common Vulnerability Scoring System, use it with the CVSS score and greater than ( > ), less than ( < ), or equal to ( = ) symbols. |
Category |
Policy categories include DevOps Best Practices, Security Best Practices, Privileges, Vulnerability Management, Multiple, and any custom policy categories that you create. |
Cert Expiration |
Certificate expiration date. |
Cluster |
Name of a Kubernetes or OpenShift Container Platform cluster. |
Cluster ID |
Unique ID for a Kubernetes or OpenShift Container Platform cluster. |
Cluster Role |
Use |
Component |
Software (daemond, docker), objects (images, containers, services), registries (repository for Docker images). |
Component Count |
Number of components in the image. |
Component version |
The version of software, objects, or registries. |
Created Time |
Time and date when the secret object was created. |
deployment |
Name of the deployment. |
deployment Type |
The type of Kubernetes controller on which the deployment is based. |
Description |
Description of the deployment. |
Dockerfile Instruction Keyword |
Keyword in the Dockerfile instructions in an image. |
Dockerfile Instruction Value |
Value in the Dockerfile instructions in an image. |
Drop Capabilities |
Linux capabilities that have been dropped from the container.
For example |
Enforcement |
Type of enforcement assigned to the deployment.
For example, |
Environment Key |
Key portion of a label key-value string that is metadata for further identifying and organizing the environment of a container. |
Environment Value |
Value portion of a label key-value string that is metadata for further identifying and organizing the environment of a container. |
Exposed Node Port |
Port number of the exposed node port. |
Exposing Service |
Name of the exposed service. |
Exposing Service Port |
Port number of the exposed service. |
Exposure Level |
The type of exposure for a deployment port, for example |
External Hostname |
The hostname for an external port exposure for a deployment. |
External IP |
The IP address for an external port exposure for a deployment. |
Fixable CVE Count |
Number of fixable CVEs on an image. |
Fixed By |
The version string of a package that fixes a flagged vulnerability in an image. |
Image |
The name of the image. |
Image Command |
The command specified in the image. |
Image Created Time |
The time and date when the image was created. |
Image Entrypoint |
The entrypoint command specified in the image. |
Image Pull Secret |
The name of the secret to use when pulling the image, as specified in the deployment. |
Image Pull Secret Registry |
The name of the registry for an image pull secret. |
Image Registry |
The name of the image registry. |
Image Remote |
Indication of an image that is remotely accessible. |
Image Scan Time |
The time and date when the image was last scanned. |
Image Tag |
Identifier for an image. |
Image Users |
Name of the user or group that a container image is configured to use when it runs. |
Image Volumes |
Names of the configured volumes in the container image. |
Inactive deployment |
Use |
Label |
The key portion of a label key-value string that is metadata for further identifying and organizing images, containers, daemons, volumes, networks, and other resources. |
Lifecycle Stage |
The type of lifecycle stage where this policy is configured or alert was triggered. |
Max Exposure Level |
For a deployment, the maximum level of network exposure for all given ports/services. |
Memory Limit (MB) |
Maximum amount of memory that a resource is allowed to use. |
Memory Request (MB) |
Minimum amount of memory to be reserved for a given resource. |
Namespace |
The name of the namespace. |
Namespace ID |
Unique ID for the containing namespace object on a deployment. |
Node |
Name of a node. |
Node ID |
Unique ID for a node. |
Pod Label |
Single piece of identifying metadata attached to an individual pod. |
Policy |
The name of the security policy. |
Port |
Port numbers exposed by a deployment. |
Port Protocol |
IP protocol such as TCP or UDP used by exposed port. |
Priority |
Risk priority for a deployment. (Only available in Risks view.) |
Privileged |
Use |
Process Ancestor |
Name of any parent process for a process indicator in a deployment. |
Process Arguments |
Command arguments for a process indicator in a deployment. |
Process Name |
Name of the process for a process indicator in a deployment. |
Process Path |
Path to the binary in the container for a process indicator in a deployment. |
Process UID |
Unix user ID for the process indicator in a deployment. |
Read Only Root Filesystem |
Use |
Role |
Name of a Kubernetes RBAC role. |
Role Binding |
Name of a Kubernetes RBAC role binding. |
Role ID |
Role ID to which a Kubernetes RBAC role binding is bound. |
Secret |
Name of the secret object that holds the sensitive information. |
Secret Path |
Path to the secret object in the file system. |
Secret Type |
Type of the secret, for example, certificate or RSA public key. |
Service Account |
Service account name for a service account or deployment. |
Severity |
Indication of level of importance of a violation: Critical, High, Medium, Low. |
Subject |
Name for a subject in Kubernetes RBAC. |
Subject Kind |
Type of subject in Kubernetes RBAC, such as |
Taint Effect |
Type of taint currently applied to a node. |
Taint Key |
Key for a taint currently applied to a node. |
Taint Value |
Allowed value for a taint currently applied to a node. |
Toleration Key |
Key for a toleration applied to a deployment. |
Toleration Value |
Value for a toleration applied to a deployment. |
Violation |
A notification displayed in the Violations page when the conditions specified by a policy have not been met. |
Violation State |
Use it to search for resolved violations. |
Violation Time |
Time and date that a violation first occurred. |
Volume Destination |
Mount path of the data volume. |
Volume Name |
Name of the storage. |
Volume ReadOnly |
Use |
Volume Source |
Indicates the form in which the volume is provisioned (for example, |
Volume Type |
The type of volume. |