Kaspersky Container Security

Creating a runtime policy

July 3, 2024

ID 260379

To add a runtime policy:

  1. In the Policies → Runtime policies section, click the Add policy button.

    The policy settings window opens.

  2. Enter a policy name and, if required, policy description.
  3. In the Mode section, select one of the following policy enforcement modes:
    • Audit. In this mode, a scan takes into account the contents of containers.
    • Enforce. In this mode, the solution blocks all objects that do not comply with the rules and criteria defined in the policy.
  4. In the Scope section, define the policy enforcement scope. In the Clusters field, select the applicable group of clusters from the drop-down list.

    If necessary, define exclusions for which the runtime policy will not be applied. To do so, select the relevant objects from the drop-down list, specify their names, then click Add.

    Existing exclusions in the policy are checked when deploying a container.

  5. In the Best practice check section, use the Disabled / Enabled toggle switch to activate the scan for compliance with best security practices. From the list of settings, select the scan settings that guarantee that the correct image is run and that the CPU and RAM usage settings are correctly configured.
  6. In the Block non-compliant images section, use the Disabled / Enabled toggle switch to prevent containers from running from images that do not comply with the requirements. This check will be performed only for scanned images that are registered in the solution and have the Compliant status.
  7. In the Block unregistered images section, use the Disabled / Enabled toggle switch to block images that are unknown and have not been fully scanned by Kaspersky Container Security. To deploy such an image, you must register it in the solution and wait for it to appear in the registry.
  8. In the Capabilities block section, use the Disabled / Enabled toggle switch to block the use of selected Unix system functions (capabilities). To do so, select the specific system functions from the drop-down list. You can also block the use of all Unix system functions by selecting ALL from the drop-down list.
  9. In the Limit container privileges section, use the Disabled / Enabled toggle switch to block the startup of containers that have a specific set of rights and permissions. From the list of settings, select the rights and permissions that must be blocked for pods.
  10. In the Registries allowed section, use the Disabled / Enabled toggle switch to set the permission to deploy containers in a cluster only from specific registries. To do so, select the relevant registries from the Registries drop-down list.
  11. In the Volumes blocked section, use the Disabled / Enabled toggle switch to prevent the selected volumes from being mounted in containers. To do so, specify the names of the relevant volumes in the Volumes field.
  12. Click Save.

By default, the added policy is Enabled.
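To make the effect of these settings concrete, the following added example (not Kaspersky Container Security code; the policy and pod structures, field names and sample values are assumptions constructed for illustration) evaluates a simplified pod description against a runtime policy with the same controls as the procedure above: scope exclusions, allowed registries, blocked capabilities (including ALL), limited privileges, blocked volume types, and the difference between Audit and Enforce mode.

```python
# Illustrative evaluator for the runtime policy controls described above.
# Not product code: the policy layout and the pod fields are assumptions.
from __future__ import annotations

# Constructed sample policy mirroring the sections of the procedure.
POLICY = {
    "mode": "Enforce",                      # "Audit" only reports, "Enforce" blocks
    "exclusions": {"namespaces": {"kube-system"}},
    "registries_allowed": {"registry.example.internal"},
    "capabilities_blocked": {"SYS_ADMIN", "NET_ADMIN"},   # or {"ALL"}
    "privileges_blocked": {"privileged", "hostNetwork", "hostPID"},
    "volumes_blocked": {"hostPath"},
}

def image_registry(image: str) -> str:
    """Return the registry part of an image reference ("docker.io" if none)."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def evaluate(policy: dict, pod: dict) -> list[str]:
    """Return the violations found in `pod`; an empty list means compliant."""
    if pod.get("namespace") in policy["exclusions"]["namespaces"]:
        return []  # excluded objects are not checked at all
    findings = []
    for flag in ("hostNetwork", "hostPID"):
        if pod.get(flag) and flag in policy["privileges_blocked"]:
            findings.append(f"{flag} is not allowed")
    for vol in pod.get("volumes", []):
        if vol["type"] in policy["volumes_blocked"]:
            findings.append(f"volume {vol['name']} uses blocked type {vol['type']}")
    blocked_caps = policy["capabilities_blocked"]
    for c in pod.get("containers", []):
        reg = image_registry(c["image"])
        if reg not in policy["registries_allowed"]:
            findings.append(f"{c['name']}: registry {reg} is not allowed")
        if c.get("privileged") and "privileged" in policy["privileges_blocked"]:
            findings.append(f"{c['name']}: privileged containers are blocked")
        for cap in c.get("capabilities_add", []):
            if "ALL" in blocked_caps or cap in blocked_caps:
                findings.append(f"{c['name']}: capability {cap} is blocked")
    return findings

def admit(policy: dict, pod: dict) -> tuple[bool, list[str]]:
    """Audit mode records findings but admits; Enforce mode rejects on any finding."""
    findings = evaluate(policy, pod)
    return (policy["mode"] != "Enforce" or not findings), findings
```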
