Home | CRS Home

Set policy enforcement

We provide three policy enforcement options, which determine whether or not the policy rules will be enforced on the containers that are spawned from the image. When testing new policies, we recommend you set the policy to Permissive mode, which allows you to see the rule hits without actually enforcing the rules.

Go to Configurations > Runtime Policies. You'll see all the policies currently available in your subscription, including sample policies and user-created policies.

List of runtime policies

Identify a policy in the list and choose from these policy enforcement options on the Quick Actions menu:

Activate - Activate the policy on all images that have the policy applied. The policy gets enforced on all containers spawned from that image.

Deactivate - Deactivate the policy on all images/containers where its been applied. This may be needed if you are troubleshooting an issue and want to stop policy enforcement.

Permissive - Put the policy in permissive mode. When in permissive mode, the rules in the policy will not be enforced but all activity is logged for rule hits. This is recommended when starting out with a new policy so you can get an idea of the rule hits which will allow you to go back and fine tune the policy to make sure it's working as you expected.