- cluster onboarding
  - prod-abc
  - stage-123
- PSA default configuration
  - add default policy with exemptions
    1. Namespace

```yaml
---
apiVersion: "accuknox.com/v1"
kind: AccuKnoxPolicyConfig
metadata:
  name: "global-policy-1"
spec:
  selector:
    - clustername: "*"
    - namespace: "workloads-*"
  exemption-selector:
    - clustername: "prod-management"
    - namespace: "kube-system"
  securityPosture:
    fileProcess: audit
    processBasedNetwork: block
  visibility:
    process: true
    file: false
    network: true
  podSecurityAdmission:
    mode: audit
    level: baseline
---
apiVersion: "accuknox.com/v2"
kind: AccuKnoxClusterWidePolicy
metadata:
  name: "global-policy-1"
spec:
  - cluster:
      selector:
        - name: "stage-*"
        - namespace: "*"
      exemption-selector:
        - namespace: "kube-system"
      securityPosture:
        fileProcess: block
        processBasedNetwork: block
      podSecurityAdmission:
---
```

Resulting per-namespace PSA settings:

| Namespace | mode | level |
|---|---|---|
| kube-system | NA | NA |
| workloads-* | enforce | baseline |

VM / ECS / ...

- PSA
  - mode
  - level
- set default KubeArmor hardening policies
  - mitre/cis/nist
  - select individual policies
  - exclude kube-system
  - include
  - UI under Policies -> Hardening
    - Deployment ABC
      - show the policy
    - Deployment XYZ
      - warn user that the Deployment is in the exclude list / not in the include list
- set default network policies
- set default visibility for KubeArmor
- set default posture for KubeArmor
- create admission controller hardening policies
  - allow images only from specific sources
  - only allow images which don't have critical vulnerabilities
- hardening operator
  - stig/cis/k8tls/kiem
- Priority Handling
  - default config for tenant
  - cluster-specific config
  - support regex? Because clusters can be ephemeral
- GitOps vs Admission Controller?
  - what if resources are strictly controlled through GitOps

![PXL_20240126_111634685](https://hackmd.io/_uploads/H1mlTCg3a.jpg)
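The notes leave open how selectors, exemptions and priority ("default config for tenant" vs "cluster-specific config", glob-style cluster names because clusters are ephemeral) combine into the per-namespace PSA table. The following is an added example, not code from the notes or from AccuKnox; it assumes that selectors are shell-style glob patterns, that any exemption match means the policy does not apply at all (so exempted namespaces such as kube-system come out as "NA"), and that the policy whose cluster selector has the most literal characters wins, so a config naming one cluster overrides a tenant-wide `*` default. The `PolicyConfig` class and the sample policies are constructed for the example; the prod-abc override and the stage PSA values are invented to show the priority rule, not taken from the notes.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class PolicyConfig:
    """One policy config, flattened from the YAML sketch (assumed shape)."""
    name: str
    cluster_selector: str = "*"
    namespace_selector: str = "*"
    exempt_clusters: list = field(default_factory=list)
    exempt_namespaces: list = field(default_factory=list)
    psa_mode: Optional[str] = None    # audit | warn | enforce
    psa_level: Optional[str] = None   # privileged | baseline | restricted

    def applies_to(self, cluster: str, namespace: str) -> bool:
        """Both selectors must match and no exemption pattern may match."""
        if not fnmatchcase(cluster, self.cluster_selector):
            return False
        if not fnmatchcase(namespace, self.namespace_selector):
            return False
        if any(fnmatchcase(cluster, p) for p in self.exempt_clusters):
            return False
        if any(fnmatchcase(namespace, p) for p in self.exempt_namespaces):
            return False
        return True

    def specificity(self) -> tuple:
        """Priority key (assumed rule): literal characters in the cluster
        selector first, then in the namespace selector. A bare '*' scores 0,
        so a cluster-specific config beats a tenant-wide default."""
        def literal(pattern: str) -> int:
            return len(pattern.replace("*", "").replace("?", ""))
        return (literal(self.cluster_selector), literal(self.namespace_selector))


def resolve(cluster: str, namespace: str, policies: list) -> Optional[PolicyConfig]:
    """Return the highest-priority policy that applies, or None (-> 'NA').
    On equal specificity the policy listed first wins."""
    matching = [p for p in policies if p.applies_to(cluster, namespace)]
    if not matching:
        return None
    return max(matching, key=PolicyConfig.specificity)


def psa_table(cluster: str, namespaces: list, policies: list) -> list:
    """Rows of (namespace, mode, level), mirroring the table in the notes."""
    rows = []
    for ns in namespaces:
        p = resolve(cluster, ns, policies)
        rows.append((ns, p.psa_mode if p else "NA", p.psa_level if p else "NA"))
    return rows


# Constructed sample policies modelled on the two YAML documents above.
POLICIES = [
    PolicyConfig("tenant-default", "*", "workloads-*",
                 exempt_clusters=["prod-management"],
                 exempt_namespaces=["kube-system"],
                 psa_mode="audit", psa_level="baseline"),
    PolicyConfig("stage-clusters", "stage-*", "*",
                 exempt_namespaces=["kube-system"],
                 psa_mode="enforce", psa_level="baseline"),
    # Hypothetical cluster-specific override; exercises the priority rule.
    PolicyConfig("prod-abc-override", "prod-abc", "workloads-*",
                 psa_mode="enforce", psa_level="restricted"),
]

if __name__ == "__main__":
    for cluster in ("prod-abc", "stage-123", "prod-management"):
        print(cluster)
        for row in psa_table(cluster, ["kube-system", "workloads-api", "default"], POLICIES):
            print("  %-14s %-8s %s" % row)
```

With the sample policies, `stage-123` gets `enforce/baseline` in every namespace except kube-system, `prod-abc` gets the override's `enforce/restricted` in `workloads-*`, and `prod-management` gets nothing because the tenant default exempts it and no other policy selects it. Swapping the specificity key for an explicit `priority` field is the obvious alternative if glob length turns out to be a poor proxy for intent.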