Application scopes and enforcement of security policies

In Kaspersky Container Security, application scopes are specified for all security policies. To ensure that all necessary resources are scanned, each policy can be assigned one or more application scopes. Moreover, the same application scope can be specified in multiple policies.

Regardless of the number of policies implemented in an application scope (for example, when scanning an image or scanning a cluster in a runtime), all security policies are applied.

When multiple security policies and multiple application scopes are applied simultaneously, the following rules apply:

• For scanner policies: scanning is performed using a cumulative list of settings that is obtained by combining all scanner policies in force within the application scope.
• For assurance policies: when scanning images, all policies applicable to the scanned resources are applied, in line with specified application scopes.
• For response policies: when events occur, the user is notified using the notification tools specified in all response policies applicable to resources specified in the assigned application scopes.
• For runtime policies: containers are monitored and, if necessary, blocked from running in the runtime in accordance with all applicable policies assigned to the application scope.