Skip to main content
Version: 0.18.0

PolicySet Enterprise

This is an optional resource. It is used to select group of policies to work in specific modes.

In each mode, The agent will list all the PolicySets of this mode and check which policies match any of those policysets, Then validate the resources against them.

If there is no policy set found all policies will work on all modes.

Note: Tenant Policies is always active in the Admission mode, event if it is not selected in the admission policysets

Example

apiVersion: pac.weave.works/v2beta2
kind: PolicySet
metadata:
  name: my-policy-set
spec:
  mode: admission
  filters:
    ids:
      - weave.policies.containers-minimum-replica-count
    categories:
      - security
    severities:
      - high
      - medium
    standards:
      - pci-dss
    tags:
      - tag-1

Modes

Audit

This mode performs the audit functionality. It triggers per the specified interval (by default every 24 hour) and then lists all the resources in the cluster which the agent has access to read and validates those resources against the audit policies.

Works with policies of provider kubernetes

Admission

This contains the admission module that enforces policies. It uses the controller-runtime Kubernetes package to register a callback that will be called when the agent receives an admission request. Once called, the agent will validate the received resource against the admission and tenant policies and k8s will use the result of this validation to either allow or reject the creation/update of said resource.

Works with policies of provider kubernetes

Terraform Admission

This is a webhook used to validate terraform plans. It is mainly used by the TF-Controller to enforce policies on terraform plans

Works with policies of provider terraform

Grouping Policies

Policies can be grouped by their ids, categories, severities, standards and tags

The policy will be matched if any of the filters are matched.

Migration from v2beta1 to v2beta2

New fields

  • New required field spec.mode is added. PolicySets should be updated to set the mode

Previously the agent was configured with which policysets to use in each mode. Now we removed this argument from the agent's configuration and add the mode to the Policyset itself.

Example of the agent configuration in versions older than v2.0.0

# config.yaml
admission:
   enabled: true
   policySet: admission-policy-set
   sinks:
      filesystemSink:
         fileName: admission.txt

Example of current PolicySet with mode field

apiVersion: pac.weave.works/v2beta2
kind: PolicySet
metadata:
  name: admission-policy-set
spec:
  mode: admission
  filters:
    ids:
      - weave.policies.containers-minimum-replica-count

Updated fields

  • Field spec.name became optional.

Deprecate fields

  • Field spec.id is deprecated.