About Container Security Config

Container Security Config rules help an organization define how it intends to operate its containerized workloads, and then enforce those intentions.

Cloud Guard Container Security Config provides:

  • A secure and governed container runtime environment, such as Kubernetes.
  • Auditing of Kubernetes policy management, in support of Kubernetes security and compliance.

The scope of containerized workloads that Container Security Config rules can monitor includes security, regulatory, business continuity, operational, and any other organization-specific policies or standards.

To configure Container Security Config in Cloud Guard, you:

  1. Define targets that cover the compartment hierarchies in which you want to monitor your organization's containerized workloads.

    You can enable Container Security Config for existing targets, or you can create new targets specifically for Container Security Config to use.

  2. Attach a Container Security Config detector recipe to each target.

    You can use the default, Oracle-managed Container Security Config detector recipe, or you can create different custom versions of that recipe to use with different targets.

Concepts and Terminology

These terms are important for you to understand as you work with Container Security Config in Cloud Guard:

Container Security Config

Set of policies and procedures that determine how an organization intends to operate its containerized workloads. This includes security, regulatory, business continuity, operational, and any other organization-specific policies or standards.

Containerized workload

A collection of containers providing a specific function.

Target

Defines the scope of what Cloud Guard is to monitor. This scope is defined by the compartment where the target is defined and all the child compartments from that point down, until another target is encountered.

Container Security Config detector recipe

Provides the baselines for examining the resources and activities in the target.

Container Security Config detector rule

Provides a specific definition of a class of resources, with specific actions or configurations, that cause a detector to report a problem. A detector recipe consists of multiple detector rules. If any one rule is triggered, it causes the detector to report a problem. Each rule in a detector recipe can be configured individually.

Problem

Any action or setting on a resource that could potentially cause a security issue.

Responder

An action that Cloud Guard can take to remediate a problem that's been identified by a detector. The available actions are resource-specific.
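The following Python model is an added illustration of two of the definitions above, the scoping rule for a Target (a compartment is covered by the nearest target at or above it, so a deeper target shadows an ancestor's target for its own subtree) and the rule semantics of a detector recipe (every enabled rule that triggers reports its own problem, and each rule can be switched on or off per recipe). It is not Cloud Guard code or Oracle's managed recipe; the compartment names, the rule names (modelled on common Kubernetes hardening checks), the targets and the sample workloads are all constructed for the example.

```python
"""Constructed model of Cloud Guard target scoping and detector-recipe evaluation.
Added illustration only: not Cloud Guard code; all names below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed compartment hierarchy: child -> parent (None = tenancy root).
PARENTS: Dict[str, Optional[str]] = {
    "tenancy": None,
    "prod": "tenancy",
    "prod-payments": "prod",
    "prod-payments-k8s": "prod-payments",
    "dev": "tenancy",
}


@dataclass
class DetectorRule:
    name: str
    description: str
    check: Callable[[dict], bool]  # True when the workload triggers the rule
    enabled: bool = True           # each rule is configurable individually


@dataclass
class DetectorRecipe:
    name: str
    rules: List[DetectorRule]


@dataclass
class Target:
    name: str
    compartment: str       # top of the compartment subtree this target monitors
    recipe: DetectorRecipe


@dataclass
class Problem:
    target: str
    workload: str
    rule: str
    description: str


def _containers(workload: dict) -> List[dict]:
    return workload.get("containers", [])


# Constructed rules; not the names of the rules in Oracle's managed recipe.
BASE_RULES = [
    DetectorRule("privileged-container", "A container runs in privileged mode",
                 lambda w: any(c.get("privileged", False) for c in _containers(w))),
    DetectorRule("container-runs-as-root", "A container does not require a non-root user",
                 lambda w: any(not c.get("run_as_non_root", False) for c in _containers(w))),
    DetectorRule("missing-resource-limits", "A container has no CPU/memory limits",
                 lambda w: any(not c.get("limits") for c in _containers(w))),
]


def make_recipe(name: str, disabled: tuple = ()) -> DetectorRecipe:
    """Clone the base rules into a recipe, disabling the named rules: a custom
    version of the recipe for use with one target."""
    rules = [DetectorRule(r.name, r.description, r.check, enabled=r.name not in disabled)
             for r in BASE_RULES]
    return DetectorRecipe(name, rules)


def governing_target(compartment: str, targets: List[Target]) -> Optional[Target]:
    """Walk up from the compartment; the first compartment on the path that has a
    target defined owns it, so a deeper target shadows an ancestor's target."""
    by_compartment = {t.compartment: t for t in targets}
    current: Optional[str] = compartment
    while current is not None:
        if current in by_compartment:
            return by_compartment[current]
        current = PARENTS[current]
    return None


def evaluate(workload: dict, targets: List[Target]) -> List[Problem]:
    """Run every enabled rule of the governing target's recipe; each triggered rule
    reports its own problem, and a workload outside every target is not examined."""
    target = governing_target(workload["compartment"], targets)
    if target is None:
        return []
    return [Problem(target.name, workload["name"], rule.name, rule.description)
            for rule in target.recipe.rules
            if rule.enabled and rule.check(workload)]


# Constructed targets: the payments team's target overrides the prod-wide target
# with a custom recipe in which the privileged-container rule is switched off.
TARGETS = [
    Target("prod-all", "prod", make_recipe("managed-default")),
    Target("prod-payments", "prod-payments",
           make_recipe("payments-custom", disabled=("privileged-container",))),
    Target("dev", "dev", make_recipe("managed-default")),
]

# Constructed sample workloads.
PAYMENTS_API = {
    "name": "payments-api", "compartment": "prod-payments-k8s",
    "containers": [{"name": "api", "privileged": True,
                    "run_as_non_root": False, "limits": {"cpu": "500m"}}],
}
DEV_BATCH = {
    "name": "nightly-batch", "compartment": "dev",
    "containers": [{"name": "job", "run_as_non_root": True,
                    "limits": {"cpu": "1", "memory": "512Mi"}}],
}

if __name__ == "__main__":
    for p in evaluate(PAYMENTS_API, TARGETS) + evaluate(DEV_BATCH, TARGETS):
        print(f"[{p.target}] {p.workload}: {p.rule} - {p.description}")
```

Running the script reports one problem for `payments-api` (the root-user rule) because the `prod-payments` target, not the broader `prod-all` target, governs `prod-payments-k8s` and its custom recipe has the privileged-container rule disabled; the same workload placed directly in `prod` would raise two problems, and the compliant `dev` workload raises none.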