Container Image Control policies allow you to specify which containers are allowed to run on your infrastructure. These containers can run on Virtual Machines or clusters.
- In Observe Mode, user activities generate events if a disallowed container runs on the VM.
- In Enforce Mode, user activities generate events, and containers that are not allowed are also terminated and blocked.
To create a policy, perform the following steps:
- Go to Policy > Container Image Control.
- Click Actions > Create Policy.
- Name. Enter a unique name for the policy and an optional description.
- Available for Continuous Evaluation. The Continuous Evaluation checkbox is selected by default, which makes the policy available in Continuous Evaluation mode for Security Configuration Audit.
- Policy Mode. Select Observe or Enforce.
- Observe. In Observe Mode, all containers are allowed to run. Activities are reported when containers that are not specifically selected as part of the policy are executed, so you can notify users about the status of a container without preventing them from using it.
- Enforce. In Enforce Mode, users are blocked from executing any container that is not selected as part of your policy. All activities are reported for the blocked containers.
- VMs. Select this option if your policy applies to Virtual Machines.
- Platform. Currently, only Linux is supported.
- Accounts. Click to select the accounts that your policy applies to. You can select a whole service instance, or just a specific account under that service. If you select the whole service instance, accounts added later are selected by default. Click Done when finished.
- Additional Scoping Criteria. Select any tags you want to use for your rule, and enter one or more key-value pairs.
- Click Next.
- On the Rules page, select the container images you want your policy to apply to and create your rule.
- Click Next.
- On the Review page, review your policy and click Save.
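The evaluation logic that the Observe and Enforce modes above describe, written out as an added example so the difference between the two modes and the effect of account and tag scoping is concrete. This is illustrative code, not the product's own policy engine: the `Policy` and `Container` data model, the exact-string image matching, the sample account names, tags and image references are all constructed assumptions, and only the mode names, the allowlist behaviour and the scoping criteria come from the steps above.

```python
from dataclasses import dataclass, field

MODES = ("observe", "enforce")  # the two values of the Policy Mode setting


@dataclass
class Policy:
    name: str
    mode: str                       # "observe" or "enforce"
    allowed_images: frozenset       # container images selected on the Rules page
    accounts: frozenset             # accounts in scope; empty means every account of the service instance
    tags: dict = field(default_factory=dict)  # Additional Scoping Criteria key-value pairs (all must match)

    def __post_init__(self):
        if self.mode not in MODES:
            raise ValueError(f"unknown policy mode {self.mode!r}; expected one of {MODES}")


@dataclass
class Container:
    vm: str
    account: str
    image: str
    tags: dict


def in_scope(policy: Policy, c: Container) -> bool:
    """A container is in scope when its account is selected (or the whole
    instance is) and every scoping tag on the policy matches a tag on the VM."""
    if policy.accounts and c.account not in policy.accounts:
        return False
    return all(c.tags.get(k) == v for k, v in policy.tags.items())


def evaluate(policy: Policy, running: list) -> list:
    """Return one event per in-scope container whose image is not on the allowlist.
    Observe mode only reports the container; Enforce mode also terminates it.
    Image matching here is an exact string comparison (an assumption of this example)."""
    events = []
    for c in running:
        if not in_scope(policy, c) or c.image in policy.allowed_images:
            continue
        action = "terminated" if policy.mode == "enforce" else "reported"
        events.append({"policy": policy.name, "vm": c.vm, "account": c.account,
                       "image": c.image, "action": action})
    return events


# Constructed sample data: an allowlist and a snapshot of containers seen on four VMs.
ALLOWED = frozenset({
    "registry.example.com/payments/api:1.4.2",
    "registry.example.com/base/nginx:1.25",
})
SAMPLE_CONTAINERS = [
    Container("vm-prod-01", "acct-prod", "registry.example.com/payments/api:1.4.2", {"env": "prod"}),
    Container("vm-prod-01", "acct-prod", "docker.io/library/redis:7", {"env": "prod"}),
    Container("vm-prod-03", "acct-prod", "docker.io/library/busybox:latest", {"env": "prod"}),
    Container("vm-dev-07", "acct-dev", "docker.io/library/redis:7", {"env": "dev"}),          # account out of scope
    Container("vm-prod-02", "acct-prod", "docker.io/library/busybox:latest", {"env": "staging"}),  # tag does not match
]


def run_demo(mode: str) -> list:
    """Evaluate a policy scoped to account acct-prod and tag env=prod in the given mode."""
    policy = Policy("prod-image-allowlist", mode, ALLOWED, frozenset({"acct-prod"}), {"env": "prod"})
    return evaluate(policy, SAMPLE_CONTAINERS)


if __name__ == "__main__":
    for mode in MODES:
        print(f"--- {mode} mode ---")
        for event in run_demo(mode):
            print(event)
```

Running the block shows the same two unlisted images (redis and busybox on the prod VMs) flagged in both modes; only the `action` field differs, which is exactly the operational difference between the two modes, while the dev account and the staging-tagged VM generate no events because the scoping criteria exclude them.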