Configure a policy for DaemonSet

Policies are a collection of rules applied to your group and, therefore, your application. When runtime protection is added to a Kubernetes cluster from the Container Security dashboard, three things happen:

  • A group is automatically created in Application Security
  • A default set of rules is configured as the initial policy (with rules for Illegal File Access and Remote Command Execution adapted for Kubernetes clusters)
  • The group policy is set to learning mode

Once the learning phase is completed, the group's protection settings can be set to Report mode, which enforces the rules and reports anomalies.

Even though Container Security enables runtime protection on the Kubernetes cluster, the actual runtime protection is provided by Application Security.

For DaemonSet, only two security policies are available:

  • Illegal file access
  • Remote command execution

Learning mode

When a group is first created by adding runtime protection to a Kubernetes cluster, the group policy is set in learning mode.

While in learning mode, the security events generated by the DaemonSet augment the policy rules so that the observed command execution or file access is allowed. In addition, these security events do not generate alerts.

The group's policy view in the dashboard visually indicates when a group is in learning mode.


While in learning mode, the policy rules can be viewed and consulted but cannot be modified.

Once the learning period is stopped, the protection settings are set to Report, at which time the policy rules are enforced and alerts are raised when policy rules are triggered.

Learning vs. Report

A security feature that is set to ON runs in one of two states: Currently Learning or Report.

Currently Learning: Reported security events are used to augment the policy rules.

Report: Reports events with the feature's current configuration but does not protect the application.

Configure a policy

In the left pane menu, click the Group Policy icon.


On the left side of the page, the security feature names and their respective ON/OFF power buttons are listed.


Select the ON/OFF power button to display a confirmation dialog. Upon confirmation, the feature is disabled and grayed out in the dashboard.

The Currently Learning and Report buttons, as well as the Configure Policy button, are on the right side of the page.

Select Stop to stop learning mode. Once learning mode is stopped, the protection moves to Report mode.

Manage a policy configuration

To open the policy configuration window of a security feature, select Configure Policy on the right side of the desired security feature.

Each security feature has different configuration possibilities. For more information about how to configure the security features, see: