Share security policies

Learn how to share your security policies between Central instances.

Beginning with the StackRox Kubernetes Security Platform version 3.0.44, you can share your security policies between different Central instances by exporting and importing policies. Sharing policies helps you enforce the same standards for all your clusters. To share policies, you export them as JSON files and then import them into another Central instance.

Currently, you can’t export multiple security policies at once by using the StackRox portal. However, you can use the API for exporting multiple security policies. On the StackRox portal, navigate to Help > API reference to see the API reference.

Export a policy

To export a policy:

  1. Navigate to Platform Configuration > System policies.

  2. Select a policy you want to export.

  3. Select Export (Download icon) on the Policy Details panel.

When you export a policy, it includes all the policy contents and also includes cluster scopes, cluster exclusions, and all configured notifications.

Import a policy

To import a policy:

  1. Navigate to Platform Configuration > System policies.

  2. On the Policies view header, select Import Policy.

Each security policy in the StackRox Kubernetes Security Platform has a unique ID (UID) and a unique name. When you import a policy, the StackRox Kubernetes Security Platform handles the uploaded policy as follows:

  1. If the imported policy UID and name don’t match any existing policy, the system creates a new policy.
  2. If the imported policy has the same UID as an existing policy, but a different name, you can either:
    • Keep both policies. The StackRox Kubernetes Security Platform saves the imported policy with a new UID.
    • Replace the existing policy with the imported policy.
  3. If the imported policy has the same name as an existing policy, but a different UID, you can either:
    • Keep both policies by providing a new name for the imported policy.
    • Replace the existing policy with the imported policy.
  4. If the imported policy has the same name and UID as an existing policy, the StackRox Kubernetes Security Platform checks whether the policy criteria match those of the existing policy. If the policy criteria match, the StackRox Kubernetes Security Platform keeps the existing policy and shows a success message. If the policy criteria don’t match, you can either:
    • Keep both policies by providing a new name for the imported policy.
    • Replace the existing policy with the imported policy.

  • If you import into the same Central instance, the StackRox Kubernetes Security Platform uses all exported fields.
  • If you import into a different Central instance, the StackRox Kubernetes Security Platform omits certain fields, such as cluster scopes, cluster exclusions, and notifications. The StackRox Kubernetes Security Platform shows these omitted fields in a message. These fields vary for every installation, and you can’t migrate them from one Central instance to another.
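
The import rules above can be checked offline before you upload anything. The following Python sketch is an added example, not StackRox code: it classifies each policy in an export against the policies already present on the target Central and lists the instance-specific fields that would be omitted on a different Central. The JSON key names (id, name, policySections, scope, exclusions, notifiers), the use of policySections as the "policy criteria", and the sample policies are assumptions made for illustration.

```python
import json

# Assumed field names for an exported policy; the page names the concepts
# (UID, name, criteria, scopes, exclusions, notifications) but not the JSON keys.
UID, NAME, CRITERIA = "id", "name", "policySections"
INSTANCE_FIELDS = ("scope", "exclusions", "notifiers")


def classify(imported, existing):
    """Return (outcome, choices) for one imported policy against existing ones."""
    same_uid = next((p for p in existing if p[UID] == imported[UID]), None)
    same_name = next((p for p in existing if p[NAME] == imported[NAME]), None)

    if same_uid is None and same_name is None:
        return "create", []                                        # rule 1
    if same_uid is not None and same_name is None:
        return "uid-conflict", ["keep both (new UID)", "replace"]  # rule 2
    if same_uid is None:
        return "name-conflict", ["keep both (rename)", "replace"]  # rule 3
    if same_uid is not same_name:
        # UID matches one policy and the name another: not described on the page.
        return "unspecified", []
    if imported.get(CRITERIA) == same_uid.get(CRITERIA):
        return "unchanged", []                                     # rule 4, criteria match
    return "criteria-conflict", ["keep both (rename)", "replace"]  # rule 4, criteria differ


def dropped_fields(imported):
    """Instance-specific fields that are set and would be omitted on another Central."""
    return [f for f in INSTANCE_FIELDS if imported.get(f)]

# Constructed sample data, not real export output.
EXISTING = json.loads("""[
  {"id": "uid-1", "name": "No latest tag", "policySections": [{"v": "latest"}]},
  {"id": "uid-2", "name": "No privileged pods", "policySections": [{"v": "priv"}]}
]""")
IMPORTED = json.loads("""[
  {"id": "uid-9", "name": "Block SSH port", "policySections": [], "notifiers": ["n1"]},
  {"id": "uid-1", "name": "Latest tag (prod)", "policySections": [{"v": "latest"}]},
  {"id": "uid-7", "name": "No privileged pods", "policySections": [{"v": "priv"}]},
  {"id": "uid-1", "name": "No latest tag", "policySections": [{"v": "stable"}],
   "scope": [{"cluster": "c1"}]},
  {"id": "uid-1", "name": "No privileged pods", "policySections": []}
]""")

if __name__ == "__main__":
    for pol in IMPORTED:
        outcome, choices = classify(pol, EXISTING)
        print(f"{pol[NAME]!r}: {outcome} {choices} omitted elsewhere: {dropped_fields(pol)}")
```

The last sample policy shares its UID with one existing policy and its name with another. The rules above do not cover that combination, so the sketch reports it as unspecified rather than guessing what the platform does.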

© 2021 StackRox Inc. All rights reserved.