Out-of-the-Box Rules

Infrastructure Rules
The rules in this section are designed to facilitate the creation of rulesets that control network services.
DHCP Rule - Allows processing units in the namespace where it was activated (and children namespaces) to allocate dynamic IP addresses from the selected DHCP Server.
DNS Rule - Allows processing units in the namespace where it was activated (and children namespaces) to use the selected DNS Server.
NTP Rule - Allows processing units in the namespace where it was activated (and children namespaces) to use the selected NTP Server.
Metadata Service - This ruleset allows processing units in the namespace where it was activated (and children namespaces) to contact the selected metadata service.
RDP Management Rule - This ruleset allows RDP traffic from authorized networks.
SSH Management Rule - This ruleset allows SSH traffic from authorized networks.
System Update Rules
The rules in this section are designed to facilitate the creation of rulesets that allow operational system updates.
Windows Update Rule - This ruleset is designed to allow Windows OSs to run System/Security Updates from the Microsoft Update service. You can modify the allowed destinations during or post rule creation.
Debian/Ubuntu Update Rule - This ruleset is designed to allow Debian based OSs to run update/upgrade commands successfully. You can modify the allowed destinations during or post rule creation.
RedHat Update Rule - This ruleset is designed to allow RedHat based OSs to run update/upgrade commands successfully. You can modify the allowed destinations during or post rule creation.
SUSE Update Rule - This ruleset is designed to allow SUSE based OSs to run update/upgrade commands successfully. You can modify the allowed destinations during or post rule creation.
Oracle Linux Update Rule - This ruleset is designed to allow Oracle Linux based OSs to run update/upgrade commands successfully. You can modify the allowed destinations during or post rule creation.
Amazon Linux Update Rule - This ruleset is designed to allow Amazon Linux based OSs to run update/upgrade commands successfully. You can modify the allowed destinations during or post rule creation.
K8s Rules
The rules in this section are designed to facilitate the creation of rulesets that allow a Kubernetes cluster to properly operate.
K8s Container Mode - Create Kubelet Rule - This ruleset allows pods to run readiness/liveness probes. It’s used when the Enforcer is not installed with Host Mode protection enabled. You need to specify the K8s Nodes of the protected cluster (using CIDR or FQDN)
To get the nodes IP addresses, you can execute the command "kubectl get nodes -o wide" and copy the internal IP address. Remember to account for autoscaling nodes, if needed.
K8s Host Mode - Create API Server Rule - This ruleset allows the K8s pods to communicate with the API Server. It’s used when the Enforcer is installed with Host Mode protection enabled.
To get the kube-api server private IP - execute kubectl get services and get the Cluster IP address of the kubernetes service. To get the kube-api server public IP - execute kubectl cluster-info and get the kubernetes master IP.
K8s Host Mode - Allow Liveness/Readiness Probes from Nodes - This ruleset is used to authorize Nodes to run readiness/liveness probes. It’s used when the Enforcer is installed with Host Mode protection enabled. You can customize the rulesets post-creation to allow only the specific ports you want your probes to run.
K8s Host Mode - Allow Liveness/Readiness Probes to Pods - The two rulesets are used to authorize pods to run readiness/liveness probes. It’s used when the Enforcer is installed with Host Mode protection enabled. You can customize the rulesets post-creation to allow only the specific ports you want your probes to run.
K8s Host Mode - Allow Nodes to Pull Images from authorized registries - This ruleset allows the K8s Nodes to pull images from the authorized registries. It’s used when the Enforcer is installed with Host Mode protection enabled. You must provide the list of authorized registries to activate this rule.
K8s Host Mode - Allow NodePort Services - This ruleset allows the K8s Nodes to accept traffic on Node Ports. It’s used when the Enforcer is installed with Host Mode protection enabled and you’re using NodePort to expose your applications (not recommended if this is a production cluster).
K8s Host Mode - Allow SSH Access to Nodes - This ruleset allows the K8s Nodes to accept SSH traffic from allowed IP address ranges or FQDNs. It’s used when the Enforcer is installed with Host Mode protection enabled. You can modify the allowed sources during or post rule creation.
K8s Host Mode (EKS Cluster only) - Create clients to Node rule - This ruleset allows the K8s pods to reach the Nodes on port TCP/10250 which will allow users to get pods logs or connect to the pod for debugging. It’s used when the Enforcer is installed with Host Mode protection enabled.
Auto-Secure Rules
The rules in this section are designed to segment applications based on the namespace they are deployed.
Auto-secure intra-VM groups - This ruleset allows you to segment Virtual Machine based applications. The rule will allow all traffic between the VMs inside the same microsegmentation namespace, but not between namespaces. You can modify the ports and protocols post rule creation.
Auto-secure intra-K8s-namespaces - This ruleset allows you to segment container based applications. The rule will allow all traffic between the pods inside the same microsegmentation namespace, but not between namespaces. You can modify the ports and protocols post rule creation.
Auto-secure inter-namespaces - This ruleset allows you to establish communication between different namespaces. You can modify the ports and protocols post rule creation.