Managing exceptions from KSPM security control rules
Note
This feature is at the Preview stage.
You can use the KSPM module's exceptions to specify objects you want excluded from the control rules in place: all Kubernetes resources within the workspace or specific objects.
Viewing the list of exceptions from the rules
To view the list of exceptions from the Kubernetes security control rules applicable to the workspace:
-
Go to Yandex Security Deck.
-
In the left-hand panel, select Rules and exceptions.
-
At the top of the window, select the workspace for which you want to view the info on control rule exceptions.
-
On the Security control rules page that opens, go to the Exceptions tab.
The list of exceptions for the Kubernetes rules is provided under Kubernetes® Security Posture Management and contains the following fields:
- Exception: Reason for exception.
- Status: Active or inactive.
- Rules: List of rules subject to exception.
- Author: User who created the exception.
- Date created: Exception creation date and time.
Creating an exception
To create a new exception for the Kubernetes control rules:
- Go to Yandex Security Deck.
- In the left-hand panel, select Rules and exceptions.
- At the top of the window, select the workspace in which you want to create an exception from the control rules.
- On the Security control rules page that opens, go to the Exceptions tab.
- In the top-right corner, click Create exception and select
Kubernetes® Security Posture Management. On the page that opens:-
Under Scope, specify the resources you want to exclude when checking the Kubernetes control rules:
-
All workspace resources: To exclude all resources controlled in the workspace. -
Resources selected: To exclude only some resources. To select resources excluded from the check:- Click Select resources.
- In the window that opens, select the resources to exclude from the rule and click Apply.
-
-
Under Rules, select the Kubernetes control rules the selected resources should not be checked against:
-
All rules: To exclude the selected resources from the check for compliance with all the Kubernetes control rules. -
Selected rules: To exclude the selected resources from the check for compliance with a given set of rules. To select rules whose compliance checks will be disabled based on the exception you are creating:- Click Select rules.
- In the window that opens, select the rules you want to exclude from compliance checks. If required, use the filter or search at the top of the window.
- Click Save selection.
-
-
Optionally, under Objects (optional), use a namespace to specify the objects to exclude from the check:
-
Enable Namespaces.
-
Enter the object name from the namespace. Follow these naming requirements:
- Length: between 3 and 63 characters.
- It can only contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
To exclude multiple objects at once, use wildcards. For example, a pattern like
*-nswill exclude objects with thenssuffix, such asprod-nsandtest-ns. -
-
Under Reason for exclusion, give in any format the reason why you are creating an exception.
-
Select Activate exception.
-
Click Create exception.
-
The new exception will now be displayed under Kubernetes® Security Posture Management on the Exceptions tab of the Security control rules page.
You can also create an exception on the alert page. For more information, see Creating an alert exception.
Deleting an exception
To delete an exception for the Kubernetes control rules:
- Go to Yandex Security Deck.
- In the left-hand panel, select Rules and exceptions.
- At the top of the window, select the workspace in which you want to delete an exception from the control rules.
- On the Security control rules page that opens, go to the Exceptions tab.
- Under Configuration control, in the row with the exception you want to delete, click and select Delete.
This will remove the exception from the workspace and cancel the restrictions it imposed on rule checks.