Policy Examples
Real-world policy configurations for common use cases.
Allow Corporate Domains
```yaml
name: "Corporate internal services"
type: allow
scope: global
rules:
  - pattern: "*.internal.corp.example.com"
    comment: "Internal APIs and services"
  - pattern: "*.vpn.corp.example.com"
    comment: "VPN endpoints"
  - pattern: "artifactory.corp.example.com"
    comment: "Internal artifact registry"
```
Block Known Malicious Domains
```yaml
name: "Known malicious infrastructure"
type: block
scope: global
rules:
  - pattern: "*.malicious-cdn.com"
    comment: "Known malware distribution"
  - pattern: "192.0.2.0/24"
    comment: "Malicious IP range"
  - pattern: "cryptopool.example.com"
    comment: "Crypto mining pool"
```
GitHub Actions: Allow Package Registries
```yaml
name: "Package manager allowlist"
type: allow
scope:
  platform: github_actions
rules:
  # npm
  - pattern: "registry.npmjs.org"
  - pattern: "*.npmjs.com"
  # PyPI
  - pattern: "pypi.org"
  - pattern: "files.pythonhosted.org"
  # Maven Central
  - pattern: "repo.maven.apache.org"
  - pattern: "repo1.maven.org"
  # RubyGems
  - pattern: "rubygems.org"
  - pattern: "*.rubygems.org"
  # Cargo (Rust)
  - pattern: "crates.io"
  - pattern: "static.crates.io"
  # Go modules
  - pattern: "proxy.golang.org"
  - pattern: "sum.golang.org"
```
Kubernetes: Production Zero Trust
```yaml
name: "Production zero trust egress"
type: allow
scope:
  platform: kubernetes
  cluster: "production"
rules:
  # Internal services
  - pattern: "*.svc.cluster.local"
    comment: "Kubernetes internal services"
  - pattern: "*.internal.example.com"
    comment: "Internal corporate services"
  # AWS services
  - pattern: "*.amazonaws.com"
    comment: "AWS APIs"
  - pattern: "*.s3.amazonaws.com"
    comment: "S3 buckets"
  # Approved SaaS
  - pattern: "api.stripe.com"
    comment: "Payment processing"
  - pattern: "api.twilio.com"
    comment: "SMS/voice services"
  - pattern: "api.sendgrid.com"
    comment: "Email delivery"
  # Monitoring & Observability
  - pattern: "api.datadoghq.com"
    comment: "Datadog metrics"
  - pattern: "*.newrelic.com"
    comment: "New Relic APM"
  # CDNs for static assets
  - pattern: "*.cloudfront.net"
    comment: "CloudFront CDN"
  - pattern: "*.fastly.net"
    comment: "Fastly CDN"
```
Combine with strict baseline mode:

Dashboard → Settings → Baselining → Baseline Mode: Strict

In strict mode only destinations matched by this policy or by the recorded baseline are allowed; everything else is denied. Two things to check before deploying the policy as written: the "*.s3.amazonaws.com" rule is already covered by "*.amazonaws.com", and that broader wildcard matches every AWS-hosted endpoint, including S3 buckets in accounts you do not own, so on its own it does not stop data leaving through an attacker-controlled bucket. Where the workload only needs a few AWS services, list the regional endpoints it actually uses (as the "Deploy to AWS" example on this page does with s3.us-east-1.amazonaws.com) instead of the provider-wide wildcard.
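To make the allow/block, scope and pattern semantics of the examples above concrete, here is a small evaluator written for this page. It is an added example, not the product's code, and its matching rules are assumptions stated in the module docstring: block rules are checked before allow rules, a wildcard such as "*.example.com" matches subdomains only (not the apex), a bare "*" matches every destination, and a destination matched by no allow rule is denied, as in strict baseline mode. The policies embedded at the bottom are a constructed subset of the YAML shown above.

```python
"""Added example: a small evaluator for the allow/block policies on this page.

The matching semantics below are assumptions for this example, not the product's
documented behaviour: block rules win over allow rules, "*.example.com" matches
subdomains only (not the apex), a bare "*" matches every destination, and a
destination matched by no allow rule is denied (strict baseline mode).
"""
import ipaddress


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def pattern_matches(pattern: str, destination: str) -> bool:
    """True if one rule pattern matches a hostname or IP destination."""
    pattern = pattern.strip().lower()
    destination = destination.strip().lower().rstrip(".")
    if pattern == "*":
        return True                                  # matches everything
    if "/" in pattern:                               # CIDR, e.g. 192.0.2.0/24
        if not _is_ip(destination):
            return False                             # CIDR rules never match names
        return ipaddress.ip_address(destination) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("*."):                     # wildcard: subdomains only
        return destination.endswith(pattern[1:])     # "*.x.com" -> endswith ".x.com"
    return destination == pattern                    # exact host or exact IP


def scope_applies(scope, context: dict) -> bool:
    """'global' applies everywhere; a mapping scope must match every key it names."""
    if scope == "global":
        return True
    return all(context.get(key) == value for key, value in scope.items())


def evaluate(policies, destination: str, context: dict):
    """Return (decision, policy_name); decision is 'block', 'allow' or 'deny-default'."""
    applicable = [p for p in policies if scope_applies(p["scope"], context)]
    for kind in ("block", "allow"):                  # block is checked first
        for policy in applicable:
            if policy["type"] != kind:
                continue
            for rule in policy["rules"]:
                if pattern_matches(rule["pattern"], destination):
                    return kind, policy["name"]
    return "deny-default", None


# Constructed input: a subset of the policies shown on this page, as Python dicts.
POLICIES = [
    {"name": "Corporate internal services", "type": "allow", "scope": "global",
     "rules": [{"pattern": "*.internal.corp.example.com"},
               {"pattern": "artifactory.corp.example.com"}]},
    {"name": "Known malicious infrastructure", "type": "block", "scope": "global",
     "rules": [{"pattern": "*.malicious-cdn.com"}, {"pattern": "192.0.2.0/24"}]},
    {"name": "Production zero trust egress", "type": "allow",
     "scope": {"platform": "kubernetes", "cluster": "production"},
     "rules": [{"pattern": "*.svc.cluster.local"}, {"pattern": "api.stripe.com"}]},
]
PROD = {"platform": "kubernetes", "cluster": "production"}
DEV = {"platform": "kubernetes", "cluster": "development"}

if __name__ == "__main__":
    for dest, ctx in [("api.stripe.com", PROD), ("api.stripe.com", DEV),
                      ("192.0.2.77", PROD), ("internal.corp.example.com", PROD),
                      ("attacker-bucket.s3.amazonaws.com", PROD)]:
        print(f"{dest:40} {ctx['cluster']:12} -> {evaluate(POLICIES, dest, ctx)}")
```

Running it shows the points that matter when reviewing a policy: api.stripe.com is allowed in the production cluster but denied in development, because the allow rule is scoped to production; the blocked CIDR stops 192.0.2.77 in every scope because the block policy is global; and the apex internal.corp.example.com is denied under subdomain-only wildcard matching. The last line demonstrates why "*.amazonaws.com" deserves scrutiny: a bucket hostname that nobody in your organisation created still matches it.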
GitHub Actions: Block Untrusted Registries
```yaml
name: "Block untrusted package sources"
type: block
scope:
  platform: github_actions
rules:
  - pattern: "*.unofficial-npm-mirror.com"
    comment: "Unofficial npm mirrors"
  - pattern: "free-pypi-proxy.net"
    comment: "Untrusted PyPI proxy"
  - pattern: "*.torrent-tracker.com"
    comment: "P2P distribution networks"
```
Allow CDNs and Cloud Providers
```yaml
name: "Trusted CDNs and cloud infrastructure"
type: allow
scope: global
rules:
  # Major CDNs
  - pattern: "*.cloudflare.com"
  - pattern: "*.cloudflare.net"
  - pattern: "*.akamai.net"
  - pattern: "*.fastly.net"
  # AWS
  - pattern: "*.amazonaws.com"
  - pattern: "*.aws.amazon.com"
  # Google Cloud
  - pattern: "*.googleapis.com"
  - pattern: "*.gstatic.com"
  # Azure
  - pattern: "*.azure.com"
  - pattern: "*.microsoft.com"
  # Vercel
  - pattern: "*.vercel.com"
  - pattern: "*.vercel.app"
  # Netlify
  - pattern: "*.netlify.com"
  - pattern: "*.netlify.app"
```
Workflow-Specific: Deploy to AWS
```yaml
name: "AWS deployment allowlist"
type: allow
scope:
  platform: github_actions
  workflow: "Deploy to AWS"
rules:
  - pattern: "*.amazonaws.com"
  - pattern: "*.cloudfront.net"
  - pattern: "s3.us-east-1.amazonaws.com"
  - pattern: "ecr.us-east-1.amazonaws.com"
```
Block Crypto Mining
```yaml
name: "Block cryptocurrency mining"
type: block
scope: global
rules:
  # Mining pools
  - pattern: "*.pool.minergate.com"
  - pattern: "*.nanopool.org"
  - pattern: "*.ethermine.org"
  - pattern: "*.f2pool.com"
  # Monero pools
  - pattern: "*.supportxmr.com"
  - pattern: "*.minexmr.com"
  # IP ranges (example)
  - pattern: "198.51.100.0/24"
    comment: "Placeholder range (RFC 5737 TEST-NET-2); replace with ranges from your own threat intelligence"
```
Allow GitHub Services
```yaml
name: "GitHub platform services"
type: allow
scope:
  platform: github_actions
rules:
  - pattern: "github.com"
  - pattern: "*.github.com"
  - pattern: "api.github.com"
  - pattern: "raw.githubusercontent.com"
  - pattern: "objects.githubusercontent.com"
  - pattern: "ghcr.io"
    comment: "GitHub Container Registry"
```
Development vs Production
Development (Permissive)
```yaml
name: "Development cluster allowlist"
type: allow
scope:
  platform: kubernetes
  cluster: "development"
rules:
  - pattern: "*"
    comment: "Allow all egress in dev (for testing)"
```
Only use the bare wildcard * in non-production environments. An allow policy containing * matches every destination, so it provides no egress control at all; its only purpose is to keep the development cluster unblocked while you build a real allowlist from observed traffic.
Production (Restrictive)
```yaml
name: "Production cluster - strict"
type: allow
scope:
  platform: kubernetes
  cluster: "production"
rules:
  # Explicitly list every allowed destination; never a bare "*"
  - pattern: "api.stripe.com"
  - pattern: "*.internal.corp"
  - pattern: "*.amazonaws.com"
  # Keep wildcards to domains you control: "*.internal.corp" is fine,
  # but "*.amazonaws.com" admits every AWS tenant and should be narrowed
  # to the regional endpoints the workload actually uses
```
Temporary Allowlist
For temporary access (e.g., during migration):
```yaml
name: "Temporary: Legacy API migration"
type: allow
scope:
  platform: kubernetes
  cluster: "production"
rules:
  - pattern: "legacy-api.old-vendor.com"
    comment: "TEMP: Remove after migration to new-vendor.com completes (ETA: 2024-04-01)"
```
Recommendation: Add expiry date in comment and set calendar reminder to remove.
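The two recommendations above (no broad wildcards in production, an expiry date on every temporary rule) are easy to enforce mechanically before a policy is applied. The following lint pass is an added example written for this page, not a product feature: it flags a bare "*", a wildcard over a provider domain where any customer can create a hostname, and temporary rules whose "ETA: YYYY-MM-DD" comment is in the past. The shared-hosting suffix list and the ETA comment convention are assumptions for this example; the embedded policies are constructed copies of the development, production and temporary policies shown above.

```python
"""Added example: a lint pass over allow-policy rules before they reach production.

It flags two things discussed on this page: wildcards that widen egress further
than intended (a bare "*", or a wildcard over a provider domain where any tenant
can create a hostname), and temporary rules whose removal date has passed. The
shared-hosting suffix list and the "ETA: YYYY-MM-DD" comment convention are
assumptions made for this example, not product features.
"""
import re
from datetime import date

# Assumed list: a wildcard over one of these suffixes matches hostnames created by
# any customer of the provider, not only yours.
SHARED_HOSTING_SUFFIXES = (
    "amazonaws.com", "cloudfront.net", "vercel.app", "netlify.app",
    "githubusercontent.com", "azure.com",
)
ETA_RE = re.compile(r"ETA:\s*(\d{4}-\d{2}-\d{2})")


def _under_shared_hosting(suffix: str) -> bool:
    """True for "amazonaws.com" itself and for deeper suffixes like "s3.amazonaws.com"."""
    return any(suffix == s or suffix.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES)


def lint_allow_policy(policy: dict, today: str) -> list:
    """Return (pattern, message) findings for an allow policy; empty means clean.

    `today` is an ISO date string so the check is reproducible in tests.
    """
    findings = []
    if policy.get("type") != "allow":
        return findings                        # breadth only matters for allow rules
    today_d = date.fromisoformat(today)
    for rule in policy.get("rules", []):
        pattern = rule["pattern"].strip().lower()
        comment = rule.get("comment", "")
        if pattern == "*":
            findings.append((pattern, "bare '*' allows all egress; the policy enforces nothing"))
        elif pattern.startswith("*.") and _under_shared_hosting(pattern[2:]):
            findings.append((pattern, f"wildcard over shared hosting '{pattern[2:]}': any tenant's hostname matches"))
        match = ETA_RE.search(comment)
        if match:
            eta = date.fromisoformat(match.group(1))
            if eta < today_d:
                findings.append((pattern, f"temporary rule expired on {eta.isoformat()}; remove it"))
    return findings


# Constructed input mirroring the development, production and temporary policies above.
DEV_POLICY = {"name": "Development cluster allowlist", "type": "allow",
              "scope": {"platform": "kubernetes", "cluster": "development"},
              "rules": [{"pattern": "*", "comment": "Allow all egress in dev (for testing)"}]}
PROD_POLICY = {"name": "Production cluster - strict", "type": "allow",
               "scope": {"platform": "kubernetes", "cluster": "production"},
               "rules": [{"pattern": "api.stripe.com"}, {"pattern": "*.internal.corp"},
                         {"pattern": "*.amazonaws.com"}]}
TEMP_POLICY = {"name": "Temporary: Legacy API migration", "type": "allow",
               "scope": {"platform": "kubernetes", "cluster": "production"},
               "rules": [{"pattern": "legacy-api.old-vendor.com",
                          "comment": "TEMP: Remove after migration to new-vendor.com completes (ETA: 2024-04-01)"}]}

if __name__ == "__main__":
    for policy in (DEV_POLICY, PROD_POLICY, TEMP_POLICY):
        for pattern, message in lint_allow_policy(policy, "2024-06-01"):
            print(f"[{policy['name']}] {pattern}: {message}")
```

Run as a pre-merge check on the policy repository, it turns the calendar reminder into a failing build: the development policy is reported for its bare "*", the production policy only for "*.amazonaws.com" (the corporate wildcard and the exact Stripe host pass), and the temporary rule is reported once the date in its comment has passed.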
Next Steps
Policy Schema: Complete YAML reference