Chapter 17. Searching and filtering
The ability to instantly find resources is important to safeguard your cluster. Use the Red Hat Advanced Cluster Security for Kubernetes search feature to find relevant resources faster. For example, you can use it to find deployments that are exposed to a newly published CVE or find all deployments that have external network exposure.
17.1. Search syntax
A search query is made up of two parts:
- An attribute that identifies the resource type you want to search for.
- A search term that finds the matching resource.
For example, to find all violations in the `visa-processor` deployment, the search query is `Deployment:visa-processor`. In this search query, `Deployment` is the attribute and `visa-processor` is the search term.
You must select an attribute before you can use search terms. However, in some views, such as the Risk view and the Violations view, Red Hat Advanced Cluster Security for Kubernetes automatically applies the relevant attribute based on the search term you enter.
You can use multiple attributes in your query. When you use more than one attribute, the results only include the items that match all attributes.
Example
When you search for `Namespace:frontend CVE:CVE-2018-11776`, it returns only those resources which violate CVE-2018-11776 in the `frontend` namespace.
You can use more than one search term with each attribute. When you use more than one search term, the results include all items that match any of the search terms.
Example
If you use the search query `Namespace: frontend backend`, it returns matching results from the namespace `frontend` or `backend`.
You can combine multiple attribute and search term pairs.
Example
The search query `Cluster:production Namespace:frontend CVE:CVE-2018-11776` returns all resources which violate CVE-2018-11776 in the `frontend` namespace in the `production` cluster.
Search terms can be part of a word, in which case Red Hat Advanced Cluster Security for Kubernetes returns all matching results.
Example
If you search for `Deployment:def`, the results include all deployments starting with `def`.
To explicitly search for a specific term, use the search terms inside quotes.
Example
When you search for `Deployment:"def"`, the results only include the deployment `def`.
You can also use regular expressions by using `r/` before your search term.
Example
When you search for `Namespace:r/st.*x`, the results include matches from namespaces `stackrox` and `stix`.
Use `!` to indicate the search terms that you do not want in results.
Example
If you search for `Namespace:!stackrox`, the results include matches from all namespaces except the `stackrox` namespace.
Use the comparison operators `>`, `<`, `=`, `>=`, or `<=` to match a specific value or range of values.
Example
If you search for `CVSS:>=6`, the results include all vulnerabilities with Common Vulnerability Scoring System (CVSS) score 6 or higher.
17.2. Search autocomplete
As you enter your query, Red Hat Advanced Cluster Security for Kubernetes automatically displays relevant suggestions for the attributes and the search terms.
17.3. Using global search
By using global search you can search across all resources in your environment. Based on the resource type you use in your search query, the results are grouped in the following categories:
- All results (Lists matching results across all categories)
- Clusters
- Deployments
- Images
- Namespaces
- Nodes
- Policies
- Policy categories [1]
- Roles
- Role bindings
- Secrets
- Service accounts
- Users and groups
- Violations
The Policy categories option is only available if you use the following:
- PostgreSQL as a backend database in Red Hat Advanced Cluster Security for Kubernetes (RHACS).
- Red Hat Advanced Cluster Security Cloud Service (RHACS Cloud Service).
These categories are listed as a table on the RHACS portal global search page and you can click on the category name to identify results belonging to the selected category.
To do a global search, in the RHACS portal, select Search.
17.4. Using local page filtering
You can use local page filtering from within all views in the RHACS portal. Local page filtering works similarly to the global search, but only relevant attributes are available. You can select the search bar to show all available attributes for a specific view.
17.5. Common search queries
Here are some common search queries you can run with Red Hat Advanced Cluster Security for Kubernetes.
Finding deployments that are affected by a specific CVE
Query | Example |
---|---|
|
|
Finding privileged running deployments
Query | Example |
---|---|
|
|
Finding deployments that have external network exposure
Query | Example |
---|---|
|
|
Finding deployments that are running specific processes
Query | Example |
---|---|
|
|
Finding deployments that have serious but fixable vulnerabilities
Query | Example |
---|---|
|
|
Finding deployments that use passwords exposed through environment variables
Query | Example |
---|---|
|
|
Finding running deployments that have particular software components in them
Query | Example |
---|---|
|
|
Finding users or groups
Use Kubernetes Labels and Selectors, and Annotations to attach metadata to your deployments. You can then query based on the applied annotations and labels to identify individuals or groups.
Finding who owns a particular deployment
Query | Example |
---|---|
|
|
Finding who is deploying images from public registries
Query | Example |
---|---|
|
|
Finding who is deploying into the default namespace
Query | Example |
---|---|
|
|
17.6. Search attributes
Following is the list of search attributes that you can use while searching and filtering in Red Hat Advanced Cluster Security for Kubernetes.
Attribute | Description |
---|---|
Add Capabilities | Provides the container with additional Linux capabilities, for instance the ability to modify files or perform network operations. |
Annotation | Arbitrary non-identifying metadata attached to an orchestrator object. |
CPU Cores Limit | Maximum number of cores that a resource is allowed to use. |
CPU Cores Request | Minimum number of cores to be reserved for a given resource. |
CVE | Common Vulnerabilities and Exposures, use it with specific CVE numbers. |
CVSS | Common Vulnerability Scoring System, use it with the CVSS score and greater than ( > ), less than ( < ), or equal to ( = ) symbols. |
Category | Policy categories include DevOps Best Practices, Security Best Practices, Privileges, Vulnerability Management, Multiple, and any custom policy categories that you create. |
Cert Expiration | Certificate expiration date. |
Cluster | Name of a Kubernetes or OpenShift Container Platform cluster. |
Cluster ID | Unique ID for a Kubernetes or OpenShift Container Platform cluster. |
Cluster Role | Use |
Component | Software (daemond, docker), objects (images, containers, services), registries (repository for Docker images). |
Component Count | Number of components in the image. |
Component version | The version of software, objects, or registries. |
Created Time | Time and date when the secret object was created. |
Deployment | Name of the deployment. |
Deployment Type | The type of Kubernetes controller on which the deployment is based. |
Description | Description of the deployment. |
Dockerfile Instruction Keyword | Keyword in the Dockerfile instructions in an image. |
Dockerfile Instruction Value | Value in the Dockerfile instructions in an image. |
Drop Capabilities | Linux capabilities that have been dropped from the container. For example |
Enforcement | Type of enforcement assigned to the deployment. For example, |
Environment Key | Key portion of a label key-value string that is metadata for further identifying and organizing the environment of a container. |
Environment Value | Value portion of a label key-value string that is metadata for further identifying and organizing the environment of a container. |
Exposed Node Port | Port number of the exposed node port. |
Exposing Service | Name of the exposed service. |
Exposing Service Port | Port number of the exposed service. |
Exposure Level | The type of exposure for a deployment port, for example |
External Hostname | The hostname for an external port exposure for a deployment. |
External IP | The IP address for an external port exposure for a deployment. |
Fixable CVE Count | Number of fixable CVEs on an image. |
Fixed By | The version string of a package that fixes a flagged vulnerability in an image. |
Image | The name of the image. |
Image Command | The command specified in the image. |
Image Created Time | The time and date when the image was created. |
Image Entrypoint | The entrypoint command specified in the image. |
Image Pull Secret | The name of the secret to use when pulling the image, as specified in the deployment. |
Image Pull Secret Registry | The name of the registry for an image pull secret. |
Image Registry | The name of the image registry. |
Image Remote | Indication of an image that is remotely accessible. |
Image Scan Time | The time and date when the image was last scanned. |
Image Tag | Identifier for an image. |
Image Users | Name of the user or group that a container image is configured to use when it runs. |
Image Volumes | Names of the configured volumes in the container image. |
Inactive Deployment | Use |
Label | The key portion of a label key-value string that is metadata for further identifying and organizing images, containers, daemons, volumes, networks, and other resources. |
Lifecycle Stage | The type of lifecycle stage where this policy is configured or alert was triggered. |
Max Exposure Level | For a deployment, the maximum level of network exposure for all given ports/services. |
Memory Limit (MB) | Maximum amount of memory that a resource is allowed to use. |
Memory Request (MB) | Minimum amount of memory to be reserved for a given resource. |
Namespace | The name of the namespace. |
Namespace ID | Unique ID for the containing namespace object on a deployment. |
Node | Name of a node. |
Node ID | Unique ID for a node. |
Pod Label | Single piece of identifying metadata attached to an individual pod. |
Policy | The name of the security policy. |
Port | Port numbers exposed by a deployment. |
Port Protocol | IP protocol such as TCP or UDP used by exposed port. |
Priority | Risk priority for a deployment. (Only available in Risks view.) |
Privileged | Use |
Process Ancestor | Name of any parent process for a process indicator in a deployment. |
Process Arguments | Command arguments for a process indicator in a deployment. |
Process Name | Name of the process for a process indicator in a deployment. |
Process Path | Path to the binary in the container for a process indicator in a deployment. |
Process UID | Unix user ID for the process indicator in a deployment. |
Read Only Root Filesystem | Use |
Role | Name of a Kubernetes RBAC role. |
Role Binding | Name of a Kubernetes RBAC role binding. |
Role ID | Role ID to which a Kubernetes RBAC role binding is bound. |
Secret | Name of the secret object that holds the sensitive information. |
Secret Path | Path to the secret object in the file system. |
Secret Type | Type of the secret, for example, certificate or RSA public key. |
Service Account | Service account name for a service account or deployment. |
Severity | Indication of level of importance of a violation: Critical, High, Medium, Low. |
Subject | Name for a subject in Kubernetes RBAC. |
Subject Kind | Type of subject in Kubernetes RBAC, such as |
Taint Effect | Type of taint currently applied to a node. |
Taint Key | Key for a taint currently applied to a node. |
Taint Value | Allowed value for a taint currently applied to a node. |
Toleration Key | Key for a toleration applied to a deployment. |
Toleration Value | Value for a toleration applied to a deployment. |
Violation | A notification displayed in the Violations page when the conditions specified by a policy have not been met. |
Violation State | Use it to search for resolved violations. |
Violation Time | Time and date that a violation first occurred. |
Volume Destination | Mount path of the data volume. |
Volume Name | Name of the storage. |
Volume ReadOnly | Use |
Volume Source | Indicates the form in which the volume is provisioned (for example, |
Volume Type | The type of volume. |