Oracle Cloud Infrastructure Documentation

Configuring Container Security Config

Enable Container Security Config, configure targets and recipes, and track problems that are reported.

Prerequisites

Before you can configure Container Security Config, you must:

  1. First enable Cloud Guard.
  2. Then allowlist your tenancy.

    Contact your Oracle account manager, or Oracle Support to request allowlisting.

About Container Security Config provides an introduction to concepts that are useful to understand when you are working with Container Security Config in Cloud Guard.

You can perform the following tasks for Container Security Config:

  • Add a Container Security Config detector recipe to an existing Cloud Guard target.

    See Editing an OCI Target and Its Attached Recipes.

    You can add other types of detector recipes as well, but to support Container Security Config, you must add a Container Security Config detector recipe.

  • Add a Container Security Config detector recipe to a new Cloud Guard target that you create.

    See Creating an OCI Target.

    You can add other types of detector recipes as well while creating a Cloud Guard target, but to support Container Security Config, you must add a Container Security Config detector recipe.

  • Create customized versions of the Oracle-managed Container Security Config detector recipe.

    See Cloning an OCI Detector Recipe.

  • Clone rules within a cloned Container Security Config detector recipe.

    See Editing Rule Settings in an OCI Detector Recipe.

    Note

    Not all Container Security Config detector recipe rules can be cloned:
    • Cloning of rules is only allowed in a cloned copy of the Oracle-managed Container Security Config.
    • On the Recipe details page, the Cloned column indicated the rule's cloning status:
      • Can't be cloned means you are not allowed to clone the rule.
      • Yes means that the rule can be cloned, but it has not yet been cloned.
      • No means that the rule can be cloned, and it has been cloned at least once.
  • Customize Container Security Config detector recipe rule settings globally.

    See Editing Rule Settings in an OCI Detector Recipe.

    The settings you change in detector rules at the recipe level apply globally, to all targets where the recipe is attached.

  • Customize Container Security Config detector recipe rule settings differently for different targets.

    See Editing Detector Rule Settings in an OCI Target's Recipes.

  • View problems generated by Container Security Config.

    See Listing Problems and Getting Their Details.

    Look for problems where Detector Type is Container Security Config.