Working with Policies

Introduction

Policies are central to the concept of Anchore Enterprise, this article provides information on how to create, delete, update, and describe policies using the Anchore CLI to interact with a running Anchore Enterprise deployment.

At a high-level Anchore Enterprise consumes policies store in a Policy Bundle that contain:

  • Policies
  • Allowlists
  • Mappings
  • Allowlisted Images
  • Denylisted Images

Anchore Enterprise can store multiple policy bundles for each account, but only one bundle can be active at any point in time. All users within an account share the same set of bundles. It is common to store historic bundles to allow previous policies and evaluations to be inspected. The active bundle is the one used for evaluation for notifications, incoming kubernetes webhooks (unless configured otherwise), and other automatic system functions, but a user may request evaluation of any bundle stored in the system using that bundle’s id.

For more information on the content and semantics of policy bundles see: Policy Bundles and Evaluation

Creating Policies

Policy bundles are just JSON documents. Anchore Enterprise includes a default policy configured at installation that performs basic CVE checks as well as some Dockerfile checks.

To create custom polices, you may:

  • Edit JSON manually and upload a file
  • Use the Anchore Enterprise UI to edit policies

Managing Policies

Policies can be managed directly using the REST API or the anchorectl policy command.

Adding Policies from the CLI

The anchorectl tool allows you to upload policy bundles to Anchore Enterprise.

# anchorectl policy add --input /path/to/policy/bundle.json

Note: Adding a policy bundle will not automatically set the bundle to be active, you will need to activate the bundle using the activate command.

Listing Policies

Anchore Enterprise may store multiple policy bundles however at a given time only one bundle may be active. Policy bundles can be listed using the policy list command.


# anchorectl policy list
 ✔ Fetched policies
┌────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
│ NAME           │ POLICY ID                            │ ACTIVE │ UPDATED              │
├────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
│ Default bundle │ 2c53a13c-1765-11e8-82ef-23527761d060 │ true   │ 2022-08-25T20:39:28Z │
│ devteam1bundle │ da8208a2-c8ae-4cf2-a25b-a52b0cdcd789 │ false  │ 2022-08-25T20:47:16Z │
└────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘

Each policy has a unique ID that will be reference in policy evaluation reports.

Note: Times are reported in UTC.

Viewing Policies

Using the policy get command, summary or detailed information about a policy can be retrieved. The policy is referenced using its unique id.


# anchorectl policy get 2c53a13c-1765-11e8-82ef-23527761d060
 ✔ Fetched policy
Name: Default bundle
ID: 2c53a13c-1765-11e8-82ef-23527761d060
Comment: Default bundle
Policies:
  - artifactType: image
    comment: System default policy
    id: 48e6f7d6-1765-11e8-b5f9-8b6f228548b6
    name: DefaultPolicy
    rules:
      - action: STOP
        gate: dockerfile
        id: ce7b8000-829b-4c27-8122-69cd59018400
        params:
          - name: ports
            value: "22"
          - name: type
            value: blacklist
        trigger: exposed_ports
...
...


The policy bundle can be downloaded in JSON format by passing the --detail parameter.

# anchorectl policy get 2c53a13c-1765-11e8-82ef-23527761d060 --detail -o json-raw > policybundle.json
 ✔ Fetched policy

Activating Policies

The policy activate command can be used to activate a policy bundle. The policy bundle is referenced using its unique id which can be retrieved using the policy list command.


# anchorectl policy activate 2c53a13c-1765-11e8-82ef-23527761d061
 ✔ Activate policy
┌─────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
│ NAME            │ POLICY ID                            │ ACTIVE │ UPDATED              │
├─────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
│ Default bundle  │ 2c53a13c-1765-11e8-82ef-23527761d061 │ true   │ 2022-08-25T20:50:17Z │
└─────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘

Note: If Anchore Enterprise has been configured to automatically synchronize policy bundles from the Anchore Cloud then the active policy may be overridden automatically during the next sync.

Deleting Policies

Policies can be deleted from Anchore Enterprise using the policy del command The policy is referenced using its unique id. A policy marked as active cannot be deleted, another policy has to be marked active before deleting the currently active policy.


# anchorectl policy delete 2c53a13c-1765-11e8-82ef-23527761d061
 ✔ Deleted policy
No results

See Anchore Policy Checks for information about available policy gates and triggers in Anchore Enterprise.

Last modified August 26, 2022