Getting Started with Admission Control Policy
Container Admission Control is a CloudGuard-Managed ruleset that contains the best practice rules for Kubernetes Admission Control. You can find this ruleset if you navigate to Workload Protection > Admission Control Rulesets and filter on the CloudGuard-Managed Type.
The default Admission Control policy uses this ruleset. When you onboard a new cluster to CloudGuard (or enable the Admission Control feature) and associate it with an Organizational Unit, the cluster obtains the Admission Control policy configured for this Organizational Unit. If no such policy exists, a new policy is created to associate the new cluster with the default ruleset.
To provide the security solution, CloudGuard agents sometimes need elevated permissions that must be restricted for most workloads. To address this requirement, the default policy has preconfigured exclusions to streamline the CloudGuard solution.
Configuring Admission Control in CloudGuard
Follow these steps to configure a GSL policy on the cluster:
- Creating an Admission Control Ruleset.
- Adding rules to the Ruleset.
- Creating an Admission Control Policy that binds the Ruleset to the cluster.
- Navigate to Workload Protection > Admission Control Rulesets and click Add Ruleset.
- In the Create New Ruleset window, enter the Ruleset name and the description.
- Click Create. The new Ruleset page opens.
Best Practice - The Use Case option covers the most popular scenarios for Admission Control Ruleset creation. Click the New Rule button only if you do not find an applicable Use Case.
- In the newly created Ruleset page, click New Use Case. The Edit Rule GSL window opens with the default Use Case option selected.
- Select the desired Use Case from the list. Some of the fields are populated automatically.
- Enter the missing information in the available fields to configure the GSL.
- As an alternative, you can configure the GSL with the Builder or Free text options.
  - To use the GSL Builder, select Builder. When you select an object to configure the rule on, the Builder provides context and helps you set up the rule.
  - To write the GSL yourself, select Free text and start typing the rule.
- Below Test Rule, select an Environment from the list and click Verify to test the rule.
- If the verification result is correct, click Done. The rule page opens.
  As an alternative, you can open this page by clicking New Rule on the Ruleset page. When you click in the GSL field, the Edit Rule GSL window opens again.
- Enter the Title, select the Severity and, optionally, enter Description, Remediation, Compliance Section, and Category.
- Click Save to save the new rule.
Note - Rules on Kubernetes Pod are enforced on all workload resources.
The Admission Control Policy binds the Ruleset to a cluster and configures how to create notifications.
- Navigate to Workload Protection > Admission Control Policies. This page shows all Admission Control Policies available for your assets.
- Click Add Policy and select:
  - Environment Policy to apply this policy on a cluster
  - Organizational Unit Policy to apply it on the OU to which the cluster belongs
- In the Create New Policy window, select one or more Environments or Organizational Units on which the policy applies. Click Next.
- Select one or more Rulesets configured in Step 2 above.
- Select one of two actions to take when a rule is violated:
  - Detection Mode - The policy does not block events on the cluster, but only sends an alert notification with the severity configured in the violated rule.
  - Prevention Mode - The policy blocks an event that violates it on the cluster and sends an alert notification with the severity configured in the violated rule.
  Note - You can configure multiple policies on the same cluster with different Action configurations.
  Best Practice - Before you use the Prevention mode, validate new policies in the Detection mode.
- Click Next.
- Select one or more Notifications to receive when the policy is violated. You can click Add Notification to configure a new notification.
- Click Save. CloudGuard Admission Control protects your cluster.
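To make two points from the procedure concrete (a rule written against a Kubernetes Pod also covers the pod template embedded in Deployments, Jobs and other workload kinds, and Detection mode only alerts while Prevention mode blocks), here is an added illustrative model in Python. It is not CloudGuard's code or GSL; the workload kinds, the pod-template paths, the privileged-container rule and the sample manifests are assumptions constructed for this example.

```python
"""Illustrative model (not CloudGuard code) of a Pod-level admission rule
applied to every workload kind that embeds a pod template, under
Detection mode (alert only) and Prevention mode (block and alert)."""

# Where each workload kind keeps its pod spec. Assumption based on the
# Kubernetes API shapes, not a CloudGuard-documented list.
POD_SPEC_PATH = {
    "Pod": ("spec",),
    "Deployment": ("spec", "template", "spec"),
    "StatefulSet": ("spec", "template", "spec"),
    "DaemonSet": ("spec", "template", "spec"),
    "Job": ("spec", "template", "spec"),
    "CronJob": ("spec", "jobTemplate", "spec", "template", "spec"),
}

def pod_spec(resource):
    """Return the embedded pod spec for any supported workload kind."""
    node = resource
    for key in POD_SPEC_PATH[resource["kind"]]:
        node = node.get(key, {})
    return node

def violates_privileged_rule(resource):
    """Example rule: no container (init or regular) may run privileged."""
    spec = pod_spec(resource)
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any(c.get("securityContext", {}).get("privileged") is True
               for c in containers)

def admission_decision(resource, mode):
    """Evaluate the rule under a policy mode. Returns (allowed, alert)."""
    if not violates_privileged_rule(resource):
        return True, None
    alert = f"{resource['kind']}/{resource['metadata']['name']} runs a privileged container"
    if mode == "Detection":
        return True, alert    # admitted, alert sent with the rule's severity
    if mode == "Prevention":
        return False, alert   # rejected, alert sent with the rule's severity
    raise ValueError(f"unknown mode {mode}")

# Constructed sample manifests (not real cluster objects).
PRIV_CONTAINER = {"name": "app", "image": "example/app",
                  "securityContext": {"privileged": True}}
SAFE_CONTAINER = {"name": "app", "image": "example/app"}
PRIV_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "web"},
                   "spec": {"template": {"spec": {"containers": [PRIV_CONTAINER]}}}}
SAFE_CRONJOB = {"kind": "CronJob", "metadata": {"name": "backup"},
                "spec": {"jobTemplate": {"spec": {"template": {"spec": {"containers": [SAFE_CONTAINER]}}}}}}

if __name__ == "__main__":
    for res in (PRIV_DEPLOYMENT, SAFE_CRONJOB):
        for mode in ("Detection", "Prevention"):
            print(res["kind"], mode, admission_decision(res, mode))
```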