Policies
Last updated
Last updated
Users can create policies using Ozone's Security Policies functionality according to the Critical, High, Medium, and Low vulnerability severity categories. You have the flexibility to stop pipelines from further executing once a vulnerability is found which violates the policy With this feature, users can specify their desired actions for each severity level. For example, they can choose to block any container image with Critical and High vulnerabilities, while allowing container images with Medium and Low vulnerabilities to be deployed.
Examples of Defining a Policy:
Users can block all vulnerabilities
Users can block Critical and High vulnerabilities and allow medium and low vulnerabilities
Users can block all vulnerabilities for one application and can block only critical vulnerabilities for other applications
Users can block those vulnerabilities for which a fix is already available
However, if you define policies at more than one level, the order of precedence would be as follows:
Microservices (highest priority)
Cluster
Environments
Global
Configure Global Security Policy: Within The Global Security Policies ,there are two options available:
If critical vulnerabilities are blocked in the Global Security Policy, the same blocking will be applied to the Cluster Security Policy. Likewise, allowing critical levels in the global policy automatically allows them in Cluster Security Policies.
Users have the flexibility to explicitly modify these policies as desired.
Configure Cluster Security Policy:
With Cluster security policy we can block critical vulnerabilities globally but allow them in specific clusters:
Select the desired cluster.
Change the critical setting to allow. This change only affects the policy of the selected cluster without impacting others or the global policy
Cluster Security Policies offer the same two options as Global Security Policies for handling vulnerabilities. However, an extra option called Inherit is available too. When Inherit is selected, the policy adopts settings from higher-level options. For example, if critical severity levels are blocked globally, they will also be blocked in Cluster Security Policies. Changing the global policy to allow critical levels will also allow them in Cluster Security Policies. Configure Environment Security Policy: Select the environment where you want to execute the policy, it automatically adopts the policy of the associated cluster.
For example, if critical-level vulnerabilities are blocked globally but allowed in the Cluster Security Policy, the Environment Security Policy will inherit this allowance. Consequently, critical-level vulnerabilities will also be allowed in the Environment Security Policy.
However, this policy empowers you to customize the policy to align with specific requirements or preferences.
Any changes made to the environment policy settings will be reflected uniformly in all of the environment's corresponding applications. Configure Microservice Security Policy: Choose the specific microservice to implement the Microservice Security policy
You can either allow, block or inherit the vulnerabilities just by selecting from the drop-down
Allow or Block Vulnerability Policies: To block or allow specific Common Vulnerabilities and Exposures (CVE) policies, simply click on Add Vulnerability Policy.
A screen will appear where you can enter the CVE ID, GHSA, and CWE ID. Then Select whether to allow or block it.
This action will check for vulnerabilities matching specific IDs to determine whether to block or allow image deployment.
Option | Description |
---|---|
Block
Allow
Images with security flaws won't be allowed to be deployed.
Images with vulnerabilities will be permitted to be deployed.