Security Policies

Last updated 10 months ago
Prerequisite

Install any one of the following integrations for scanning vulnerabilities:

  • Clair

  • Trivy

Devtron's Security Policies feature allows users to define policies based on the severity levels of vulnerabilities, which include Critical, Moderate, and Low. Users have the flexibility to set policies that either block the deployment of container images with vulnerabilities or allow their deployment.

With this feature, users can specify their desired actions for each severity level. For example, they can choose to block any container image with Critical vulnerabilities, while allowing container images with Moderate or Low vulnerabilities to be deployed.

For in-depth instructions, refer to the Configuring Security Policies section below.

Who Can Perform This Action?

Users need to have super-admin permission to define or modify security policies.


Configuring Security Policies

You can establish security policies for vulnerabilities through the Security Policies tab: in the left pane, navigate to Security and select Security Policies.

You can define policies at the following levels:

  • Global

  • Cluster

  • Environment

  • Application

If you define policies at more than one level, the order of precedence is as follows (highest first):

  • Application + Environment (highest priority)

  • Environment

  • Cluster

  • Global

Examples of Defining a Policy

  • Users can block all vulnerabilities

  • Users can block critical vulnerabilities and allow moderate and low vulnerabilities

  • Users can block all vulnerabilities for one application and can block only critical vulnerabilities for other applications

  • Users can block those vulnerabilities for which a fix is already available


Configure Global Security Policy

Within the Global Security Policies, there are three options available:

  • Block always: images containing vulnerabilities will be blocked from deployment.

  • Block if fix is available: images containing vulnerabilities will be blocked if a fix is available and has not been applied.

  • Allow: images containing vulnerabilities will be allowed to be deployed regardless of whether a fix is available.

If critical severity levels are blocked in the Global Security Policy, the same blocking will be applied to the Cluster Security Policy. Likewise, allowing critical levels in the global policy automatically allows them in Cluster Security Policies.

However, users have the flexibility to explicitly modify these policies as desired.


Configure Cluster Security Policy

Cluster Security Policies offer the same three options as Global Security Policies for handling vulnerabilities. However, an extra option called Inherit is available too.

When Inherit is selected, the policy adopts settings from higher-level options. For example, if critical severity levels are blocked globally, they will also be blocked in Cluster Security Policies. Changing the global policy to allow critical levels will also allow them in Cluster Security Policies. Explicit changes can be made to these policies.

To block critical vulnerabilities globally but allow them in specific clusters:

  1. Select the desired cluster.

  2. Change the critical setting to allow.

  3. This change only affects the policy of the selected cluster without impacting others or the global policy.


Configure Environment Security Policy

Environment Security Policies, like Cluster Security Policies, offer four options:

  • Block always

  • Block if fix is available

  • Allow

  • Inherit

The Environment Security Policy inherits its settings from the Cluster Security Policy, following a hierarchical structure where each level inherits the policy from its upper level.

When you select an environment, it automatically adopts the policy of the associated cluster. For example, if critical-level vulnerabilities are blocked globally but allowed in the Cluster Security Policy, the Environment Security Policy will inherit this allowance. Consequently, critical-level vulnerabilities will also be allowed in the Environment Security Policy.

However, you have the flexibility to make explicit changes to the policy if needed. This empowers you to customize the policy to align with specific requirements or preferences. Any adjustments made to the environment policy settings will be consistently applied across all applications associated with that environment.


Configure Application Security Policy

The Application Security Policy operates on a similar principle as other policies and offers four options:

  • Block always

  • Block if fix is available

  • Allow

  • Inherit

However, in the Application Security Policy, the policy is determined by both the Application and the Environment:

First, choose an application from the list.

Next, configure a security policy for that application in the intended environment.


Example

  1. Let's say, you have defined a policy to block the deployment if critical vulnerabilities are found in a given application.

  2. Now, go to the Build & Deploy tab of that application to select an image.

  3. As you can see, security issues were found in the scanned image, hence it is not available for selection. Click Show Source Info.

  4. The Security tab shows the critical vulnerabilities and the policy enforced to prevent deployment.


Block or Allow Specific CVE Policies

To block or allow a specific Common Vulnerabilities and Exposures (CVE) entry, click Add CVE Policy.

A window will appear where you can enter the CVE ID and select whether to allow or block it.

This action will determine whether image deployment is allowed or blocked based on the presence of vulnerabilities matching that particular CVE ID. Any other deployment decisions will be made according to the policies set previously.
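The precedence order (Application + Environment, then Environment, Cluster, Global), the Inherit option, the three severity actions and the CVE-specific override described above combine into one decision per scanned image. The following model of that decision is an added example, not Devtron's own code: the class and function names, the cluster, environment and application names, and the CVE-EXAMPLE IDs are all constructed for illustration. Two details the page leaves open are filled in as assumptions and marked as such in the comments: when several levels define a policy for the same CVE ID, the most specific level wins, and a severity with no explicit action anywhere in the chain fails closed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    BLOCK_ALWAYS = "block always"
    BLOCK_IF_FIX = "block if fix is available"
    ALLOW = "allow"
    INHERIT = "inherit"  # only meaningful below the Global level


@dataclass
class Finding:
    cve_id: str         # constructed placeholder IDs below, not real CVEs
    severity: str       # "critical", "moderate" or "low"
    fix_available: bool


@dataclass
class Policy:
    # severity -> Action; a severity not listed counts as Inherit
    severity_actions: Dict[str, Action] = field(default_factory=dict)
    # CVE ID -> explicit ALLOW or BLOCK_ALWAYS for that single CVE
    cve_actions: Dict[str, Action] = field(default_factory=dict)


@dataclass
class PolicyStore:
    global_policy: Policy
    cluster: Dict[str, Policy] = field(default_factory=dict)
    environment: Dict[str, Policy] = field(default_factory=dict)
    application: Dict[Tuple[str, str], Policy] = field(default_factory=dict)

    def chain(self, app: str, env: str, cluster: str) -> List[Policy]:
        """Policies from most to least specific, in the page's precedence order:
        Application + Environment, Environment, Cluster, Global."""
        levels = [self.application.get((app, env)), self.environment.get(env),
                  self.cluster.get(cluster), self.global_policy]
        return [p for p in levels if p is not None]


def effective_action(chain: List[Policy], severity: str) -> Action:
    """Walk down the chain until a level sets something other than Inherit."""
    for policy in chain:
        action = policy.severity_actions.get(severity, Action.INHERIT)
        if action is not Action.INHERIT:
            return action
    return Action.BLOCK_ALWAYS  # assumption: Global should be explicit; fail closed


def cve_override(chain: List[Policy], cve_id: str) -> Optional[Action]:
    """First explicit CVE policy found, most specific level first (assumption:
    the page does not say how CVE policies at different levels rank)."""
    for policy in chain:
        if cve_id in policy.cve_actions:
            return policy.cve_actions[cve_id]
    return None


def evaluate(store: PolicyStore, app: str, env: str, cluster: str,
             findings: List[Finding]) -> Tuple[bool, List[str]]:
    """Return (deployable, reasons). A CVE-specific policy decides a matching
    finding outright; every other finding follows its severity's action."""
    chain = store.chain(app, env, cluster)
    reasons: List[str] = []
    for f in findings:
        override = cve_override(chain, f.cve_id)
        if override is not None:
            if override is Action.BLOCK_ALWAYS:
                reasons.append(f"{f.cve_id}: blocked by CVE policy")
            continue  # explicitly allowed CVE
        action = effective_action(chain, f.severity)
        if action is Action.BLOCK_ALWAYS or (
                action is Action.BLOCK_IF_FIX and f.fix_available):
            reasons.append(f"{f.cve_id}: {f.severity}, policy '{action.value}'")
    return (not reasons, reasons)


# Constructed policy set mirroring the page's scenario: critical blocked globally,
# allowed in one cluster, and re-blocked for one application in that cluster.
STORE = PolicyStore(
    global_policy=Policy({"critical": Action.BLOCK_ALWAYS,
                          "moderate": Action.BLOCK_IF_FIX,
                          "low": Action.ALLOW}),
    cluster={"prod-cluster": Policy({"critical": Action.ALLOW})},
    application={("web-app", "prod"): Policy({"critical": Action.BLOCK_ALWAYS},
                                             {"CVE-EXAMPLE-0001": Action.ALLOW})},
)

# Constructed scan result; the CVE IDs are placeholders, not real entries.
SCAN = [
    Finding("CVE-EXAMPLE-0001", "critical", fix_available=True),
    Finding("CVE-EXAMPLE-0002", "moderate", fix_available=True),
    Finding("CVE-EXAMPLE-0003", "moderate", fix_available=False),
    Finding("CVE-EXAMPLE-0004", "low", fix_available=True),
]

if __name__ == "__main__":
    for app, env, cl in [("web-app", "prod", "prod-cluster"),
                         ("other-app", "prod", "prod-cluster"),
                         ("other-app", "staging", "dev-cluster")]:
        ok, why = evaluate(STORE, app, env, cl, SCAN)
        print(f"{app}/{env}/{cl}: {'deployable' if ok else 'blocked'} {why}")
```

Running the block shows the three outcomes the page's sections describe: in prod-cluster the cluster-level Allow makes the critical finding deployable for other-app, the application-level policy re-blocks critical for web-app but its CVE allow-list lets that one ID through, and in a cluster with no policy of its own the Global policy blocks the critical finding. In every case the moderate finding with an available fix is blocked by the Global "Block if fix is available" rule, while the moderate finding without a fix is not.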

Figures

Figure 1: Security Policies
Figure 2: Configuring Global Security Policy
Figure 3: Configuring Cluster Security Policy
Figure 4: Configuring Environment Security Policy
Figure 5a: Configuring Application Security Policy - Choosing an App
Figure 5b: Configuring Application Security Policy - Choosing an Env
Figure 6: Defining a Block Policy
Figure 7: Selecting an Image
Figure 8: Blocked Deployment of Image
Figure 9: Detected Vulnerabilities
Figure 10: Adding CVE Policy
Figure 11: Allowing/Blocking a CVE ID