Kaspersky Container Security

Creating a runtime profile

March 27, 2024

ID 264971

To add a container runtime profile:

  1. Under Policies → Runtime → Container runtime profiles, click the Add profile button.

    The profile settings input window opens.

  2. Enter a name for the runtime profile and, if necessary, a description.
  3. In the Restrict container executable files section, use the Disabled / Enabled toggle switch to restrict executable files according to rules. In the list, select the blocking option that guarantees optimal container performance:
    • Block process from all executable files - the application blocks all executable files from starting while the container is running.
    • Block specified executable files - the application blocks the executable files that you select in the Block the specified executable files field. You can block all executable files or a list of specific executable files. You can also use a * mask (for example, /bin/*) to apply a rule to an entire directory and its subdirectories.

      You can fine-tune the list of allowed and blocked executable files by specifying exclusions for blocking rules. For example, you can specifically exclude the path /bin/cat for a rule applied to /bin/*. In this case, all executable files from the directory /bin/ will be blocked from running except the /bin/cat application.


      If you select the Allow exclusions check box, the application will block all executable files except those specified in the Allow exclusions field when a container is started and running.

  4. In the Restrict ingress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict inbound connections of a container. When this restriction is active, Kaspersky Container Security will block all sources of inbound connections except those that you specified as exclusions.

    If you select the Allow exclusions check box, you can specify the parameters of one or more allowed sources of inbound network connections. To define exclusions, you must specify at least one of the following parameters:

    • Sources. In the Sources field, enter an IP address or a range of IP addresses for the inbound connection source in CIDR4 or CIDR6 notation.
    • In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.

      If you need to specify multiple ports, use a comma, e.g. 8080, 8082.

      If you do not specify a value for the ports, the application will allow a connection over all ports.

  5. In the Restrict egress container connections section, use the Disabled / Enabled toggle switch to activate the capability to restrict outbound connections for defined destinations.

    If you select the Allow exclusions check box, you can specify the parameters of one or more allowed destinations for outbound network connections. To define exclusions, you must specify at least one of the following parameters:

    • Destinations. In the Destinations field, enter an IP address or a range of IP addresses for an outbound connection destination in CIDR4 or CIDR6 notation, or the web address (URL) of a destination.
    • In the TCP ports field and in the UDP ports field, enter a specific port or range of ports for the connection.

      If you need to specify multiple ports, use a comma, e.g. 8080, 8082.

      If you do not specify a value for the ports, the application will allow a connection over all ports.

  6. Click Save.
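The following is an added illustration of the rule semantics described in steps 3 to 5 (the * directory mask, exclusions from blocking rules, and connection exclusions matched by CIDR and port); it is not Kaspersky Container Security code. The port-range syntax "lo-hi" and the class and function names are assumptions made for the example.

```python
# Added illustration of the runtime-profile semantics documented above; not
# Kaspersky Container Security code. Per the page: "/bin/*" covers /bin/ and
# its subdirectories, an exclusion such as /bin/cat re-allows one path, and a
# connection exclusion matches when the address falls in the CIDR and, if
# ports are listed, the port is one of them (no ports listed = all ports).
import ipaddress
from dataclasses import dataclass, field


def _path_matches(rule: str, path: str) -> bool:
    """Exact match, or directory match (including subdirectories) for a '*' mask."""
    if rule.endswith("/*"):
        return path.startswith(rule[:-1])  # "/bin/*" -> prefix "/bin/"
    return rule == path


@dataclass
class ExecRestriction:
    block_all: bool = False                          # "Block process from all executable files"
    blocked: list = field(default_factory=list)      # "Block specified executable files"
    exclusions: list = field(default_factory=list)   # "Allow exclusions"

    def is_blocked(self, path: str) -> bool:
        if any(_path_matches(e, path) for e in self.exclusions):
            return False
        return self.block_all or any(_path_matches(b, path) for b in self.blocked)


def _parse_ports(spec: str) -> set:
    """Assumed syntax: '8080, 8082, 9000-9002' -> {8080, 8082, 9000, 9001, 9002}."""
    ports = set()
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


@dataclass
class ConnectionRule:
    cidrs: list            # CIDR4/CIDR6 sources (ingress) or destinations (egress)
    tcp_ports: str = ""    # empty = all TCP ports, as the page states
    udp_ports: str = ""    # empty = all UDP ports

    def allows(self, addr: str, proto: str, port: int) -> bool:
        ip = ipaddress.ip_address(addr)
        if not any(ip in ipaddress.ip_network(c) for c in self.cidrs):
            return False   # v4 address never matches a v6 network and vice versa
        spec = self.tcp_ports if proto == "tcp" else self.udp_ports
        return not spec.strip() or port in _parse_ports(spec)


def connection_allowed(rules: list, addr: str, proto: str, port: int) -> bool:
    """With the restriction enabled, only traffic matching an exclusion passes."""
    return any(r.allows(addr, proto, port) for r in rules)
```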

The added runtime profile is displayed in the Policies → Runtime → Container runtime profiles section.
