Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse

aquasec.ContainerRuntimePolicy



    Example Usage

    Coming soon!

    Coming soon!

    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aquasec.ContainerRuntimePolicy;
    import com.pulumi.aquasec.ContainerRuntimePolicyArgs;
    import com.pulumi.aquasec.inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs;
    import com.pulumi.aquasec.inputs.ContainerRuntimePolicyMalwareScanOptionsArgs;
    import com.pulumi.aquasec.inputs.ContainerRuntimePolicyScopeVariableArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
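    /**
     * Example Pulumi program that declares a single Aqua container runtime policy.
     *
     * <p>Every list value below ({@code "exe"}, {@code "registry1"}, {@code "ip1"}, ...) is a
     * placeholder copied from the documentation example, not a recommended baseline.
     *
     * <p>NOTE(review): several builder methods used here ({@code enableIpReputationSecurity},
     * {@code enablePortScanDetection}, {@code enableDriftPrevention},
     * {@code blockNonCompliantImages}, {@code blockUnregisteredImages},
     * {@code blockReverseShell}, {@code readonlyFilesAndDirectories},
     * {@code exceptionalReadonlyFilesAndDirectories}, {@code reverseShellAllowedIps},
     * {@code reverseShellAllowedProcesses}) do not appear in the v0.8.27 input list on this
     * page, which documents e.g. {@code enableIpReputation}, {@code enablePortScanProtection}
     * and {@code onlyRegisteredImages} instead, and which documents
     * {@code allowedExecutables} and {@code allowedRegistries} as lists of objects rather
     * than strings. Confirm the example against the generated SDK before reusing it.
     */
    public class App {
        /** Entry point: hands the stack definition to the Pulumi engine. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Registers the {@code containerRuntimePolicy} resource.
         *
         * <p>The policy is created with {@code enforce(false)}: per the property
         * documentation, {@code enforce} is what makes the policy affect container
         * execution rather than only audit it, so the {@code block*} settings below
         * produce audit events only until enforcement is switched on.
         *
         * @param ctx the Pulumi deployment context (not read; the resource registers
         *     itself when constructed)
         */
        public static void stack(Context ctx) {
            var containerRuntimePolicy = new ContainerRuntimePolicy("containerRuntimePolicy", ContainerRuntimePolicyArgs.builder()
                .allowedExecutables(
                    "exe",
                    "bin")
                .allowedRegistries(
                    "registry1",
                    "registry2")
                .applicationScopes("Global")
                // Audit settings: record network, process and full-command activity.
                .auditAllNetworkActivity(true)
                .auditAllProcessesActivity(true)
                .auditFullCommandArguments(true)
                // Block settings (audited only, while enforce is false - see Javadoc).
                .blockAccessHostNetwork(true)
                .blockAddingCapabilities(true)
                .blockContainerExec(true)
                .blockCryptocurrencyMining(true)
                .blockFilelessExec(true)
                .blockLowPortBinding(true)
                .blockNonCompliantImages(true)
                .blockNonCompliantWorkloads(true)
                .blockNonK8sContainers(true)
                .blockPrivilegedContainers(true)
                .blockReverseShell(true)
                .blockRootUser(true)
                .blockUnregisteredImages(true)
                .blockUseIpcNamespace(true)
                .blockUsePidNamespace(true)
                .blockUseUserNamespace(true)
                .blockUseUtsNamespace(true)
                .blockedCapabilities(
                    "AUDIT_CONTROL",
                    "AUDIT_WRITE")
                .blockedExecutables(
                    "exe1",
                    "exe2")
                .blockedFiles(
                    "test1",
                    "test2")
                // Ports are documented as List<string>, hence the quoted numbers.
                .blockedInboundPorts(
                    "80",
                    "8080")
                .blockedOutboundPorts(
                    "90",
                    "9090")
                .blockedPackages(
                    "pkg",
                    "pkg2")
                .blockedVolumes(
                    "blocked",
                    "vol")
                .containerExecAllowedProcesses(
                    "proc1",
                    "proc2")
                .description("container_runtime_policy")
                .enableDriftPrevention(true)
                .enableForkGuard(true)
                .enableIpReputationSecurity(true)
                .enablePortScanDetection(true)
                .enabled(true)
                // Audit mode. limitNewPrivileges below is documented as active only in
                // enforce mode, so it has no effect while this stays false.
                .enforce(false)
                .exceptionalReadonlyFilesAndDirectories(
                    "readonly2",
                    "/dir2/")
                .fileIntegrityMonitoring(fileIntegrityMonitoring())
                .forkGuardProcessLimit(13)
                .limitNewPrivileges(true)
                .malwareScanOptions(malwareScanOptions())
                // Documented as bool; the original example passed the string "true".
                .monitorSystemTimeChanges(true)
                .readonlyFilesAndDirectories(
                    "readonly",
                    "/dir/")
                .reverseShellAllowedIps(
                    "ip1",
                    "ip2")
                .reverseShellAllowedProcesses(
                    "proc1",
                    "proc2")
                // scopeExpression is documented as a logical expression combining the
                // scope variables declared below.
                .scopeExpression("v1 || v2")
                .scopeVariables(
                    ContainerRuntimePolicyScopeVariableArgs.builder()
                        .attribute("kubernetes.cluster")
                        .value("default")
                        .build(),
                    ContainerRuntimePolicyScopeVariableArgs.builder()
                        .attribute("kubernetes.label")
                        .name("app")
                        .value("aqua")
                        .build())
                .build());
        }

        /**
         * File-integrity-monitoring settings: every monitored event type is switched on,
         * applied to the placeholder paths, processes and users.
         */
        private static ContainerRuntimePolicyFileIntegrityMonitoringArgs fileIntegrityMonitoring() {
            return ContainerRuntimePolicyFileIntegrityMonitoringArgs.builder()
                .excludedPaths("expaths")
                .excludedProcesses("exprocess")
                .excludedUsers("expuser")
                .monitorAttributes(true)
                .monitorCreate(true)
                .monitorDelete(true)
                .monitorModify(true)
                .monitorRead(true)
                .monitoredPaths("paths")
                .monitoredProcesses("process")
                .monitoredUsers("user")
                .build();
        }

        /**
         * Real-time malware protection settings. {@code action} is {@code "alert"} as in the
         * original example; check the provider documentation for the other accepted values.
         */
        private static ContainerRuntimePolicyMalwareScanOptionsArgs malwareScanOptions() {
            return ContainerRuntimePolicyMalwareScanOptionsArgs.builder()
                .action("alert")
                .enabled(true)
                .build();
        }
    }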
    

    Coming soon!

    Coming soon!

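    # Example Aqua container runtime policy. Every list value is a placeholder from the
    # documentation example, not a recommended baseline.
    #
    # NOTE(review): several keys below (enableIpReputationSecurity, enablePortScanDetection,
    # enableDriftPrevention, blockNonCompliantImages, blockUnregisteredImages, blockReverseShell,
    # readonlyFilesAndDirectories, exceptionalReadonlyFilesAndDirectories, reverseShellAllowedIps,
    # reverseShellAllowedProcesses) do not appear in the v0.8.27 input list on this page, and
    # allowedExecutables / allowedRegistries are documented there as lists of objects, not
    # strings. Confirm against the provider schema before reusing this example.
    resources:
      containerRuntimePolicy:
        type: aquasec:ContainerRuntimePolicy
        properties:
          allowedExecutables:
            - exe
            - bin
          allowedRegistries:
            - registry1
            - registry2
          applicationScopes:
            - Global
          # Audit settings: record network, process and full-command activity.
          auditAllNetworkActivity: true
          auditAllProcessesActivity: true
          auditFullCommandArguments: true
          # Block settings (audited only while enforce is false - see below).
          blockAccessHostNetwork: true
          blockAddingCapabilities: true
          blockContainerExec: true
          blockCryptocurrencyMining: true
          blockFilelessExec: true
          blockLowPortBinding: true
          blockNonCompliantImages: true
          blockNonCompliantWorkloads: true
          blockNonK8sContainers: true
          blockPrivilegedContainers: true
          blockReverseShell: true
          blockRootUser: true
          blockUnregisteredImages: true
          blockUseIpcNamespace: true
          blockUsePidNamespace: true
          blockUseUserNamespace: true
          blockUseUtsNamespace: true
          blockedCapabilities:
            - AUDIT_CONTROL
            - AUDIT_WRITE
          blockedExecutables:
            - exe1
            - exe2
          blockedFiles:
            - test1
            - test2
          # Ports are documented as lists of strings, hence the quoting.
          blockedInboundPorts:
            - '80'
            - '8080'
          blockedOutboundPorts:
            - '90'
            - '9090'
          blockedPackages:
            - pkg
            - pkg2
          blockedVolumes:
            - blocked
            - vol
          containerExecAllowedProcesses:
            - proc1
            - proc2
          description: container_runtime_policy
          enableDriftPrevention: true
          enableForkGuard: true
          enableIpReputationSecurity: true
          enablePortScanDetection: true
          enabled: true
          # Audit mode: per the property docs, enforce is what makes the policy affect
          # container execution rather than only audit it, so the block* settings above
          # only produce audit events until this is true. limitNewPrivileges is documented
          # as active only in enforce mode.
          enforce: false
          exceptionalReadonlyFilesAndDirectories:
            - readonly2
            - /dir2/
          # Every monitored event type is on, applied to the placeholder paths/processes/users.
          fileIntegrityMonitoring:
            excludedPaths:
              - expaths
            excludedProcesses:
              - exprocess
            excludedUsers:
              - expuser
            monitorAttributes: true
            monitorCreate: true
            monitorDelete: true
            monitorModify: true
            monitorRead: true
            monitoredPaths:
              - paths
            monitoredProcesses:
              - process
            monitoredUsers:
              - user
          forkGuardProcessLimit: 13
          limitNewPrivileges: true
          # action is 'alert' as in the original example; check the provider docs for the
          # other accepted values.
          malwareScanOptions:
            action: alert
            enabled: true
          # Documented as bool; the original example used the quoted string 'true'.
          monitorSystemTimeChanges: true
          readonlyFilesAndDirectories:
            - readonly
            - /dir/
          reverseShellAllowedIps:
            - ip1
            - ip2
          reverseShellAllowedProcesses:
            - proc1
            - proc2
          # scopeExpression is documented as a logical expression combining the scope
          # variables declared below.
          scopeExpression: v1 || v2
          scopeVariables:
            - attribute: kubernetes.cluster
              value: default
            - attribute: kubernetes.label
              name: app
              value: aqua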
    

    Create ContainerRuntimePolicy Resource

    new ContainerRuntimePolicy(name: string, args?: ContainerRuntimePolicyArgs, opts?: CustomResourceOptions);
    @overload
    def ContainerRuntimePolicy(resource_name: str,
                               opts: Optional[ResourceOptions] = None,
                               allowed_executables: Optional[Sequence[ContainerRuntimePolicyAllowedExecutableArgs]] = None,
                               allowed_registries: Optional[Sequence[ContainerRuntimePolicyAllowedRegistryArgs]] = None,
                               application_scopes: Optional[Sequence[str]] = None,
                               audit_all_network_activity: Optional[bool] = None,
                               audit_all_processes_activity: Optional[bool] = None,
                               audit_brute_force_login: Optional[bool] = None,
                               audit_full_command_arguments: Optional[bool] = None,
                               auditing: Optional[ContainerRuntimePolicyAuditingArgs] = None,
                               author: Optional[str] = None,
                               blacklisted_os_users: Optional[ContainerRuntimePolicyBlacklistedOsUsersArgs] = None,
                               block_access_host_network: Optional[bool] = None,
                               block_adding_capabilities: Optional[bool] = None,
                               block_container_exec: Optional[bool] = None,
                               block_cryptocurrency_mining: Optional[bool] = None,
                               block_disallowed_images: Optional[bool] = None,
                               block_fileless_exec: Optional[bool] = None,
                               block_low_port_binding: Optional[bool] = None,
                               block_non_compliant_workloads: Optional[bool] = None,
                               block_non_k8s_containers: Optional[bool] = None,
                               block_privileged_containers: Optional[bool] = None,
                               block_root_user: Optional[bool] = None,
                               block_use_ipc_namespace: Optional[bool] = None,
                               block_use_pid_namespace: Optional[bool] = None,
                               block_use_user_namespace: Optional[bool] = None,
                               block_use_uts_namespace: Optional[bool] = None,
                               blocked_capabilities: Optional[Sequence[str]] = None,
                               blocked_executables: Optional[Sequence[str]] = None,
                               blocked_files: Optional[Sequence[str]] = None,
                               blocked_inbound_ports: Optional[Sequence[str]] = None,
                               blocked_outbound_ports: Optional[Sequence[str]] = None,
                               blocked_packages: Optional[Sequence[str]] = None,
                               blocked_volumes: Optional[Sequence[str]] = None,
                               bypass_scopes: Optional[Sequence[ContainerRuntimePolicyBypassScopeArgs]] = None,
                               container_exec: Optional[ContainerRuntimePolicyContainerExecArgs] = None,
                               container_exec_allowed_processes: Optional[Sequence[str]] = None,
                               created: Optional[str] = None,
                               cve: Optional[str] = None,
                               default_security_profile: Optional[str] = None,
                               description: Optional[str] = None,
                               digest: Optional[str] = None,
                               drift_preventions: Optional[Sequence[ContainerRuntimePolicyDriftPreventionArgs]] = None,
                               enable_crypto_mining_dns: Optional[bool] = None,
                               enable_fork_guard: Optional[bool] = None,
                               enable_ip_reputation: Optional[bool] = None,
                               enable_port_scan_protection: Optional[bool] = None,
                               enabled: Optional[bool] = None,
                               enforce: Optional[bool] = None,
                               enforce_after_days: Optional[int] = None,
                               enforce_scheduler_added_on: Optional[int] = None,
                               exclude_application_scopes: Optional[Sequence[str]] = None,
                               executable_blacklists: Optional[Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]] = None,
                               failed_kubernetes_checks: Optional[ContainerRuntimePolicyFailedKubernetesChecksArgs] = None,
                               file_block: Optional[ContainerRuntimePolicyFileBlockArgs] = None,
                               file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
                               fork_guard_process_limit: Optional[int] = None,
                               image_name: Optional[str] = None,
                               is_audit_checked: Optional[bool] = None,
                               is_auto_generated: Optional[bool] = None,
                               is_ootb_policy: Optional[bool] = None,
                               lastupdate: Optional[int] = None,
                               limit_container_privileges: Optional[Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]] = None,
                               limit_new_privileges: Optional[bool] = None,
                               linux_capabilities: Optional[ContainerRuntimePolicyLinuxCapabilitiesArgs] = None,
                               malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
                               monitor_system_time_changes: Optional[bool] = None,
                               name: Optional[str] = None,
                               no_new_privileges: Optional[bool] = None,
                               only_registered_images: Optional[bool] = None,
                               package_block: Optional[ContainerRuntimePolicyPackageBlockArgs] = None,
                               permission: Optional[str] = None,
                               port_block: Optional[ContainerRuntimePolicyPortBlockArgs] = None,
                               readonly_files: Optional[ContainerRuntimePolicyReadonlyFilesArgs] = None,
                               readonly_registry: Optional[ContainerRuntimePolicyReadonlyRegistryArgs] = None,
                               registry: Optional[str] = None,
                               registry_access_monitoring: Optional[ContainerRuntimePolicyRegistryAccessMonitoringArgs] = None,
                               repo_name: Optional[str] = None,
                               resource_name_: Optional[str] = None,
                               resource_type: Optional[str] = None,
                               restricted_volumes: Optional[Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]] = None,
                               reverse_shell: Optional[ContainerRuntimePolicyReverseShellArgs] = None,
                               runtime_mode: Optional[int] = None,
                               runtime_type: Optional[str] = None,
                               scope_expression: Optional[str] = None,
                               scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None,
                               scopes: Optional[Sequence[ContainerRuntimePolicyScopeArgs]] = None,
                               system_integrity_protection: Optional[ContainerRuntimePolicySystemIntegrityProtectionArgs] = None,
                               tripwire: Optional[ContainerRuntimePolicyTripwireArgs] = None,
                               type: Optional[str] = None,
                               updated: Optional[str] = None,
                               version: Optional[str] = None,
                               vpatch_version: Optional[str] = None,
                               whitelisted_os_users: Optional[ContainerRuntimePolicyWhitelistedOsUsersArgs] = None)
    @overload
    def ContainerRuntimePolicy(resource_name: str,
                               args: Optional[ContainerRuntimePolicyArgs] = None,
                               opts: Optional[ResourceOptions] = None)
    func NewContainerRuntimePolicy(ctx *Context, name string, args *ContainerRuntimePolicyArgs, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
    public ContainerRuntimePolicy(string name, ContainerRuntimePolicyArgs? args = null, CustomResourceOptions? opts = null)
    public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args)
    public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args, CustomResourceOptions options)
    
    type: aquasec:ContainerRuntimePolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    ContainerRuntimePolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The ContainerRuntimePolicy resource accepts the following input properties:

    AllowedExecutables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAllowedExecutable>
    Allowed executables configuration.
    AllowedRegistries List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAllowedRegistry>
    List of allowed registries.
    ApplicationScopes List<string>
    Indicates the application scope of the service.
    AuditAllNetworkActivity bool
    If true, all network activity will be audited.
    AuditAllProcessesActivity bool
    If true, all process activity will be audited.
    AuditBruteForceLogin bool
    Detects brute force login attempts
    AuditFullCommandArguments bool
    If true, full command arguments will be audited.
    Auditing Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAuditing
    Author string
    Username of the account that created the service.
    BlacklistedOsUsers Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBlacklistedOsUsers
    BlockAccessHostNetwork bool
    If true, prevent containers from running with access to host network.
    BlockAddingCapabilities bool
    If true, prevent containers from running with added capabilities (the --cap-add privilege).
    BlockContainerExec bool
    If true, exec into a container is prevented.
    BlockCryptocurrencyMining bool
    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
    BlockDisallowedImages bool
    BlockFilelessExec bool
    Detect and prevent running in-memory execution
    BlockLowPortBinding bool
    If true, prevent containers from running with the capability to bind to a port lower than 1024.
    BlockNonCompliantWorkloads bool
    If true, running containers in non-compliant pods is prevented.
    BlockNonK8sContainers bool
    If true, running non-kubernetes containers is prevented.
    BlockPrivilegedContainers bool
    If true, prevent containers from running with privileged container capability.
    BlockRootUser bool
    If true, prevent containers from running with root user.
    BlockUseIpcNamespace bool
    If true, prevent containers from running with the privilege to use the IPC namespace.
    BlockUsePidNamespace bool
    If true, prevent containers from running with the privilege to use the PID namespace.
    BlockUseUserNamespace bool
    If true, prevent containers from running with the privilege to use the user namespace.
    BlockUseUtsNamespace bool
    If true, prevent containers from running with the privilege to use the UTS namespace.
    BlockedCapabilities List<string>
    Prevents containers from using the listed Unix capabilities.
    BlockedExecutables List<string>
    List of executables that are prevented from running in containers.
    BlockedFiles List<string>
    List of files that are prevented from being read, modified and executed in the containers.
    BlockedInboundPorts List<string>
    List of blocked inbound ports.
    BlockedOutboundPorts List<string>
    List of blocked outbound ports.
    BlockedPackages List<string>
    Prevent containers from reading, writing, or executing all files in the list of packages.
    BlockedVolumes List<string>
    List of volumes that are prevented from being mounted in the containers.
    BypassScopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBypassScope>
    Bypass scope configuration.
    ContainerExec Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyContainerExec
    ContainerExecAllowedProcesses List<string>
    List of processes that will be allowed.
    Created string
    Cve string
    DefaultSecurityProfile string
    Description string
    The description of the container runtime policy
    Digest string
    DriftPreventions List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyDriftPrevention>
    Drift prevention configuration.
    EnableCryptoMiningDns bool
    EnableForkGuard bool
    If true, fork bombs are prevented in the containers.
    EnableIpReputation bool
    EnablePortScanProtection bool
    Enabled bool
    Whether allowed executables configuration is enabled.
    Enforce bool
    Indicates that the policy should affect container execution (not just audit it).
    EnforceAfterDays int
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    EnforceSchedulerAddedOn int
    ExcludeApplicationScopes List<string>
    List of excluded application scopes.
    ExecutableBlacklists List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyExecutableBlacklist>
    Executable blacklist configuration.
    FailedKubernetesChecks Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFailedKubernetesChecks
    FileBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileBlock
    FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring
    Configuration for file integrity monitoring.
    ForkGuardProcessLimit int
    Process limit for the fork guard.
    ImageName string
    IsAuditChecked bool
    IsAutoGenerated bool
    IsOotbPolicy bool
    Lastupdate int
    LimitContainerPrivileges List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyLimitContainerPrivilege>
    Container privileges configuration.
    LimitNewPrivileges bool
    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
    LinuxCapabilities Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyLinuxCapabilities
    MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions
    Configuration for Real-Time Malware Protection.
    MonitorSystemTimeChanges bool
    If true, system time changes will be monitored.
    Name string
    Name assigned to the attribute.
    NoNewPrivileges bool
    OnlyRegisteredImages bool
    PackageBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyPackageBlock
    Permission string
    PortBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyPortBlock
    ReadonlyFiles Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReadonlyFiles
    ReadonlyRegistry Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReadonlyRegistry
    Registry string
    RegistryAccessMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyRegistryAccessMonitoring
    RepoName string
    ResourceName string
    ResourceType string
    RestrictedVolumes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyRestrictedVolume>
    Restricted volumes configuration.
    ReverseShell Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReverseShell
    RuntimeMode int
    RuntimeType string
    ScopeExpression string
    Logical expression of how to compute the dependency of the scope variables.
    ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>
    List of scope attributes.
    Scopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScope>
    Scope configuration.
    SystemIntegrityProtection Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicySystemIntegrityProtection
    Tripwire Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyTripwire
    Type string
    Updated string
    Version string
    VpatchVersion string
    WhitelistedOsUsers Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyWhitelistedOsUsers
    AllowedExecutables []ContainerRuntimePolicyAllowedExecutableArgs
    Allowed executables configuration.
    AllowedRegistries []ContainerRuntimePolicyAllowedRegistryArgs
    List of allowed registries.
    ApplicationScopes []string
    Indicates the application scope of the service.
    AuditAllNetworkActivity bool
    If true, all network activity will be audited.
    AuditAllProcessesActivity bool
    If true, all process activity will be audited.
    AuditBruteForceLogin bool
    Detects brute force login attempts
    AuditFullCommandArguments bool
    If true, full command arguments will be audited.
    Auditing ContainerRuntimePolicyAuditingArgs
    Author string
    Username of the account that created the service.
    BlacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsersArgs
    BlockAccessHostNetwork bool
    If true, prevent containers from running with access to host network.
    BlockAddingCapabilities bool
    If true, prevent containers from running with added capabilities (the --cap-add privilege).
    BlockContainerExec bool
    If true, exec into a container is prevented.
    BlockCryptocurrencyMining bool
    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
    BlockDisallowedImages bool
    BlockFilelessExec bool
    Detect and prevent running in-memory execution
    BlockLowPortBinding bool
    If true, prevent containers from running with the capability to bind to a port lower than 1024.
    BlockNonCompliantWorkloads bool
    If true, running containers in non-compliant pods is prevented.
    BlockNonK8sContainers bool
    If true, running non-kubernetes containers is prevented.
    BlockPrivilegedContainers bool
    If true, prevent containers from running with privileged container capability.
    BlockRootUser bool
    If true, prevent containers from running with root user.
    BlockUseIpcNamespace bool
    If true, prevent containers from running with the privilege to use the IPC namespace.
    BlockUsePidNamespace bool
    If true, prevent containers from running with the privilege to use the PID namespace.
    BlockUseUserNamespace bool
    If true, prevent containers from running with the privilege to use the user namespace.
    BlockUseUtsNamespace bool
    If true, prevent containers from running with the privilege to use the UTS namespace.
    BlockedCapabilities []string
    Prevents containers from using the listed Unix capabilities.
    BlockedExecutables []string
    List of executables that are prevented from running in containers.
    BlockedFiles []string
    List of files that are prevented from being read, modified and executed in the containers.
    BlockedInboundPorts []string
    List of blocked inbound ports.
    BlockedOutboundPorts []string
    List of blocked outbound ports.
    BlockedPackages []string
    Prevent containers from reading, writing, or executing all files in the list of packages.
    BlockedVolumes []string
    List of volumes that are prevented from being mounted in the containers.
    BypassScopes []ContainerRuntimePolicyBypassScopeArgs
    Bypass scope configuration.
    ContainerExec ContainerRuntimePolicyContainerExecArgs
    ContainerExecAllowedProcesses []string
    List of processes that will be allowed.
    Created string
    Cve string
    DefaultSecurityProfile string
    Description string
    The description of the container runtime policy
    Digest string
    DriftPreventions []ContainerRuntimePolicyDriftPreventionArgs
    Drift prevention configuration.
    EnableCryptoMiningDns bool
    EnableForkGuard bool
    If true, fork bombs are prevented in the containers.
    EnableIpReputation bool
    EnablePortScanProtection bool
    Enabled bool
    Whether allowed executables configuration is enabled.
    Enforce bool
    Indicates that the policy should affect container execution (not just audit it).
    EnforceAfterDays int
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    EnforceSchedulerAddedOn int
    ExcludeApplicationScopes []string
    List of excluded application scopes.
    ExecutableBlacklists []ContainerRuntimePolicyExecutableBlacklistArgs
    Executable blacklist configuration.
    FailedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecksArgs
    FileBlock ContainerRuntimePolicyFileBlockArgs
    FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs
    Configuration for file integrity monitoring.
    ForkGuardProcessLimit int
    Process limit for the fork guard.
    ImageName string
    IsAuditChecked bool
    IsAutoGenerated bool
    IsOotbPolicy bool
    Lastupdate int
    LimitContainerPrivileges []ContainerRuntimePolicyLimitContainerPrivilegeArgs
    Container privileges configuration.
    LimitNewPrivileges bool
    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
    LinuxCapabilities ContainerRuntimePolicyLinuxCapabilitiesArgs
    MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs
    Configuration for Real-Time Malware Protection.
    MonitorSystemTimeChanges bool
    If true, system time changes will be monitored.
    Name string
    Name assigned to the attribute.
    NoNewPrivileges bool
    OnlyRegisteredImages bool
    PackageBlock ContainerRuntimePolicyPackageBlockArgs
    Permission string
    PortBlock ContainerRuntimePolicyPortBlockArgs
    ReadonlyFiles ContainerRuntimePolicyReadonlyFilesArgs
    ReadonlyRegistry ContainerRuntimePolicyReadonlyRegistryArgs
    Registry string
    RegistryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoringArgs
    RepoName string
    ResourceName string
    ResourceType string
    RestrictedVolumes []ContainerRuntimePolicyRestrictedVolumeArgs
    Restricted volumes configuration.
    ReverseShell ContainerRuntimePolicyReverseShellArgs
    RuntimeMode int
    RuntimeType string
    ScopeExpression string
    Logical expression of how to compute the dependency of the scope variables.
    ScopeVariables []ContainerRuntimePolicyScopeVariableArgs
    List of scope attributes.
    Scopes []ContainerRuntimePolicyScopeArgs
    Scope configuration.
    SystemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtectionArgs
    Tripwire ContainerRuntimePolicyTripwireArgs
    Type string
    Updated string
    Version string
    VpatchVersion string
    WhitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsersArgs
    allowedExecutables List<ContainerRuntimePolicyAllowedExecutable>
    Allowed executables configuration.
    allowedRegistries List<ContainerRuntimePolicyAllowedRegistry>
    List of allowed registries.
    applicationScopes List<String>
    Indicates the application scope of the service.
    auditAllNetworkActivity Boolean
    If true, all network activity will be audited.
    auditAllProcessesActivity Boolean
    If true, all process activity will be audited.
    auditBruteForceLogin Boolean
    If true, brute-force login attempts are detected.
    auditFullCommandArguments Boolean
    If true, full command arguments will be audited.
    auditing ContainerRuntimePolicyAuditing
    author String
    Username of the account that created the service.
    blacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsers
    blockAccessHostNetwork Boolean
    If true, prevent containers from running with access to host network.
    blockAddingCapabilities Boolean
    If true, prevent containers from running with additional capabilities added via --cap-add.
    blockContainerExec Boolean
    If true, exec into a container is prevented.
    blockCryptocurrencyMining Boolean
    If true, detects and prevents communication with DNS names/IP addresses known to be used for cryptocurrency mining.
    blockDisallowedImages Boolean
    blockFilelessExec Boolean
    If true, detects and prevents in-memory (fileless) execution.
    blockLowPortBinding Boolean
    If true, prevent containers from running with the capability to bind to ports lower than 1024.
    blockNonCompliantWorkloads Boolean
    If true, running containers in non-compliant pods is prevented.
    blockNonK8sContainers Boolean
    If true, running non-kubernetes containers is prevented.
    blockPrivilegedContainers Boolean
    If true, prevent containers from running with privileged container capability.
    blockRootUser Boolean
    If true, prevent containers from running with root user.
    blockUseIpcNamespace Boolean
    If true, prevent containers from running with the privilege to use the IPC namespace.
    blockUsePidNamespace Boolean
    If true, prevent containers from running with the privilege to use the PID namespace.
    blockUseUserNamespace Boolean
    If true, prevent containers from running with the privilege to use the user namespace.
    blockUseUtsNamespace Boolean
    If true, prevent containers from running with the privilege to use the UTS namespace.
    blockedCapabilities List<String>
    List of Unix capabilities that containers are prevented from using.
    blockedExecutables List<String>
    List of executables that are prevented from running in containers.
    blockedFiles List<String>
    List of files that are prevented from being read, modified, or executed in the containers.
    blockedInboundPorts List<String>
    List of blocked inbound ports.
    blockedOutboundPorts List<String>
    List of blocked outbound ports.
    blockedPackages List<String>
    Prevent containers from reading, writing, or executing all files in the list of packages.
    blockedVolumes List<String>
    List of volumes that are prevented from being mounted in the containers.
    bypassScopes List<ContainerRuntimePolicyBypassScope>
    Bypass scope configuration.
    containerExec ContainerRuntimePolicyContainerExec
    containerExecAllowedProcesses List<String>
    List of processes that will be allowed.
    created String
    cve String
    defaultSecurityProfile String
    description String
    The description of the container runtime policy.
    digest String
    driftPreventions List<ContainerRuntimePolicyDriftPrevention>
    Drift prevention configuration.
    enableCryptoMiningDns Boolean
    enableForkGuard Boolean
    If true, fork bombs are prevented in the containers.
    enableIpReputation Boolean
    enablePortScanProtection Boolean
    enabled Boolean
    Whether allowed executables configuration is enabled.
    enforce Boolean
    Indicates that the policy should affect container execution (enforce), not just audit it.
    enforceAfterDays Integer
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    enforceSchedulerAddedOn Integer
    excludeApplicationScopes List<String>
    List of excluded application scopes.
    executableBlacklists List<ContainerRuntimePolicyExecutableBlacklist>
    Executable blacklist configuration.
    failedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecks
    fileBlock ContainerRuntimePolicyFileBlock
    fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring
    Configuration for file integrity monitoring.
    forkGuardProcessLimit Integer
    Process limit for the fork guard.
    imageName String
    isAuditChecked Boolean
    isAutoGenerated Boolean
    isOotbPolicy Boolean
    lastupdate Integer
    limitContainerPrivileges List<ContainerRuntimePolicyLimitContainerPrivilege>
    Container privileges configuration.
    limitNewPrivileges Boolean
    If true, prevents the container from obtaining new privileges at runtime (only effective in enforce mode).
    linuxCapabilities ContainerRuntimePolicyLinuxCapabilities
    malwareScanOptions ContainerRuntimePolicyMalwareScanOptions
    Configuration for Real-Time Malware Protection.
    monitorSystemTimeChanges Boolean
    If true, system time changes will be monitored.
    name String
    Name assigned to the attribute.
    noNewPrivileges Boolean
    onlyRegisteredImages Boolean
    packageBlock ContainerRuntimePolicyPackageBlock
    permission String
    portBlock ContainerRuntimePolicyPortBlock
    readonlyFiles ContainerRuntimePolicyReadonlyFiles
    readonlyRegistry ContainerRuntimePolicyReadonlyRegistry
    registry String
    registryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoring
    repoName String
    resourceName String
    resourceType String
    restrictedVolumes List<ContainerRuntimePolicyRestrictedVolume>
    Restricted volumes configuration.
    reverseShell ContainerRuntimePolicyReverseShell
    runtimeMode Integer
    runtimeType String
    scopeExpression String
    Logical expression of how to compute the dependency of the scope variables.
    scopeVariables List<ContainerRuntimePolicyScopeVariable>
    List of scope attributes.
    scopes List<ContainerRuntimePolicyScope>
    Scope configuration.
    systemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtection
    tripwire ContainerRuntimePolicyTripwire
    type String
    updated String
    version String
    vpatchVersion String
    whitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsers
    allowedExecutables ContainerRuntimePolicyAllowedExecutable[]
    Allowed executables configuration.
    allowedRegistries ContainerRuntimePolicyAllowedRegistry[]
    List of allowed registries.
    applicationScopes string[]
    Indicates the application scope of the service.
    auditAllNetworkActivity boolean
    If true, all network activity will be audited.
    auditAllProcessesActivity boolean
    If true, all process activity will be audited.
    auditBruteForceLogin boolean
    If true, brute-force login attempts are detected.
    auditFullCommandArguments boolean
    If true, full command arguments will be audited.
    auditing ContainerRuntimePolicyAuditing
    author string
    Username of the account that created the service.
    blacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsers
    blockAccessHostNetwork boolean
    If true, prevent containers from running with access to host network.
    blockAddingCapabilities boolean
    If true, prevent containers from running with additional capabilities added via --cap-add.
    blockContainerExec boolean
    If true, exec into a container is prevented.
    blockCryptocurrencyMining boolean
    If true, detects and prevents communication with DNS names/IP addresses known to be used for cryptocurrency mining.
    blockDisallowedImages boolean
    blockFilelessExec boolean
    If true, detects and prevents in-memory (fileless) execution.
    blockLowPortBinding boolean
    If true, prevent containers from running with the capability to bind to ports lower than 1024.
    blockNonCompliantWorkloads boolean
    If true, running containers in non-compliant pods is prevented.
    blockNonK8sContainers boolean
    If true, running non-kubernetes containers is prevented.
    blockPrivilegedContainers boolean
    If true, prevent containers from running with privileged container capability.
    blockRootUser boolean
    If true, prevent containers from running with root user.
    blockUseIpcNamespace boolean
    If true, prevent containers from running with the privilege to use the IPC namespace.
    blockUsePidNamespace boolean
    If true, prevent containers from running with the privilege to use the PID namespace.
    blockUseUserNamespace boolean
    If true, prevent containers from running with the privilege to use the user namespace.
    blockUseUtsNamespace boolean
    If true, prevent containers from running with the privilege to use the UTS namespace.
    blockedCapabilities string[]
    List of Unix capabilities that containers are prevented from using.
    blockedExecutables string[]
    List of executables that are prevented from running in containers.
    blockedFiles string[]
    List of files that are prevented from being read, modified, or executed in the containers.
    blockedInboundPorts string[]
    List of blocked inbound ports.
    blockedOutboundPorts string[]
    List of blocked outbound ports.
    blockedPackages string[]
    Prevent containers from reading, writing, or executing all files in the list of packages.
    blockedVolumes string[]
    List of volumes that are prevented from being mounted in the containers.
    bypassScopes ContainerRuntimePolicyBypassScope[]
    Bypass scope configuration.
    containerExec ContainerRuntimePolicyContainerExec
    containerExecAllowedProcesses string[]
    List of processes that will be allowed.
    created string
    cve string
    defaultSecurityProfile string
    description string
    The description of the container runtime policy.
    digest string
    driftPreventions ContainerRuntimePolicyDriftPrevention[]
    Drift prevention configuration.
    enableCryptoMiningDns boolean
    enableForkGuard boolean
    If true, fork bombs are prevented in the containers.
    enableIpReputation boolean
    enablePortScanProtection boolean
    enabled boolean
    Whether allowed executables configuration is enabled.
    enforce boolean
    Indicates that the policy should affect container execution (enforce), not just audit it.
    enforceAfterDays number
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    enforceSchedulerAddedOn number
    excludeApplicationScopes string[]
    List of excluded application scopes.
    executableBlacklists ContainerRuntimePolicyExecutableBlacklist[]
    Executable blacklist configuration.
    failedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecks
    fileBlock ContainerRuntimePolicyFileBlock
    fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring
    Configuration for file integrity monitoring.
    forkGuardProcessLimit number
    Process limit for the fork guard.
    imageName string
    isAuditChecked boolean
    isAutoGenerated boolean
    isOotbPolicy boolean
    lastupdate number
    limitContainerPrivileges ContainerRuntimePolicyLimitContainerPrivilege[]
    Container privileges configuration.
    limitNewPrivileges boolean
    If true, prevents the container from obtaining new privileges at runtime (only effective in enforce mode).
    linuxCapabilities ContainerRuntimePolicyLinuxCapabilities
    malwareScanOptions ContainerRuntimePolicyMalwareScanOptions
    Configuration for Real-Time Malware Protection.
    monitorSystemTimeChanges boolean
    If true, system time changes will be monitored.
    name string
    Name assigned to the attribute.
    noNewPrivileges boolean
    onlyRegisteredImages boolean
    packageBlock ContainerRuntimePolicyPackageBlock
    permission string
    portBlock ContainerRuntimePolicyPortBlock
    readonlyFiles ContainerRuntimePolicyReadonlyFiles
    readonlyRegistry ContainerRuntimePolicyReadonlyRegistry
    registry string
    registryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoring
    repoName string
    resourceName string
    resourceType string
    restrictedVolumes ContainerRuntimePolicyRestrictedVolume[]
    Restricted volumes configuration.
    reverseShell ContainerRuntimePolicyReverseShell
    runtimeMode number
    runtimeType string
    scopeExpression string
    Logical expression of how to compute the dependency of the scope variables.
    scopeVariables ContainerRuntimePolicyScopeVariable[]
    List of scope attributes.
    scopes ContainerRuntimePolicyScope[]
    Scope configuration.
    systemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtection
    tripwire ContainerRuntimePolicyTripwire
    type string
    updated string
    version string
    vpatchVersion string
    whitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsers
    allowed_executables Sequence[ContainerRuntimePolicyAllowedExecutableArgs]
    Allowed executables configuration.
    allowed_registries Sequence[ContainerRuntimePolicyAllowedRegistryArgs]
    List of allowed registries.
    application_scopes Sequence[str]
    Indicates the application scope of the service.
    audit_all_network_activity bool
    If true, all network activity will be audited.
    audit_all_processes_activity bool
    If true, all process activity will be audited.
    audit_brute_force_login bool
    If true, brute-force login attempts are detected.
    audit_full_command_arguments bool
    If true, full command arguments will be audited.
    auditing ContainerRuntimePolicyAuditingArgs
    author str
    Username of the account that created the service.
    blacklisted_os_users ContainerRuntimePolicyBlacklistedOsUsersArgs
    block_access_host_network bool
    If true, prevent containers from running with access to host network.
    block_adding_capabilities bool
    If true, prevent containers from running with additional capabilities added via --cap-add.
    block_container_exec bool
    If true, exec into a container is prevented.
    block_cryptocurrency_mining bool
    If true, detects and prevents communication with DNS names/IP addresses known to be used for cryptocurrency mining.
    block_disallowed_images bool
    block_fileless_exec bool
    If true, detects and prevents in-memory (fileless) execution.
    block_low_port_binding bool
    If true, prevent containers from running with the capability to bind to ports lower than 1024.
    block_non_compliant_workloads bool
    If true, running containers in non-compliant pods is prevented.
    block_non_k8s_containers bool
    If true, running non-kubernetes containers is prevented.
    block_privileged_containers bool
    If true, prevent containers from running with privileged container capability.
    block_root_user bool
    If true, prevent containers from running with root user.
    block_use_ipc_namespace bool
    If true, prevent containers from running with the privilege to use the IPC namespace.
    block_use_pid_namespace bool
    If true, prevent containers from running with the privilege to use the PID namespace.
    block_use_user_namespace bool
    If true, prevent containers from running with the privilege to use the user namespace.
    block_use_uts_namespace bool
    If true, prevent containers from running with the privilege to use the UTS namespace.
    blocked_capabilities Sequence[str]
    List of Unix capabilities that containers are prevented from using.
    blocked_executables Sequence[str]
    List of executables that are prevented from running in containers.
    blocked_files Sequence[str]
    List of files that are prevented from being read, modified, or executed in the containers.
    blocked_inbound_ports Sequence[str]
    List of blocked inbound ports.
    blocked_outbound_ports Sequence[str]
    List of blocked outbound ports.
    blocked_packages Sequence[str]
    Prevent containers from reading, writing, or executing all files in the list of packages.
    blocked_volumes Sequence[str]
    List of volumes that are prevented from being mounted in the containers.
    bypass_scopes Sequence[ContainerRuntimePolicyBypassScopeArgs]
    Bypass scope configuration.
    container_exec ContainerRuntimePolicyContainerExecArgs
    container_exec_allowed_processes Sequence[str]
    List of processes that will be allowed.
    created str
    cve str
    default_security_profile str
    description str
    The description of the container runtime policy.
    digest str
    drift_preventions Sequence[ContainerRuntimePolicyDriftPreventionArgs]
    Drift prevention configuration.
    enable_crypto_mining_dns bool
    enable_fork_guard bool
    If true, fork bombs are prevented in the containers.
    enable_ip_reputation bool
    enable_port_scan_protection bool
    enabled bool
    Whether allowed executables configuration is enabled.
    enforce bool
    Indicates that the policy should affect container execution (enforce), not just audit it.
    enforce_after_days int
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    enforce_scheduler_added_on int
    exclude_application_scopes Sequence[str]
    List of excluded application scopes.
    executable_blacklists Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]
    Executable blacklist configuration.
    failed_kubernetes_checks ContainerRuntimePolicyFailedKubernetesChecksArgs
    file_block ContainerRuntimePolicyFileBlockArgs
    file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs
    Configuration for file integrity monitoring.
    fork_guard_process_limit int
    Process limit for the fork guard.
    image_name str
    is_audit_checked bool
    is_auto_generated bool
    is_ootb_policy bool
    lastupdate int
    limit_container_privileges Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]
    Container privileges configuration.
    limit_new_privileges bool
    If true, prevents the container from obtaining new privileges at runtime (only effective in enforce mode).
    linux_capabilities ContainerRuntimePolicyLinuxCapabilitiesArgs
    malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs
    Configuration for Real-Time Malware Protection.
    monitor_system_time_changes bool
    If true, system time changes will be monitored.
    name str
    Name assigned to the attribute.
    no_new_privileges bool
    only_registered_images bool
    package_block ContainerRuntimePolicyPackageBlockArgs
    permission str
    port_block ContainerRuntimePolicyPortBlockArgs
    readonly_files ContainerRuntimePolicyReadonlyFilesArgs
    readonly_registry ContainerRuntimePolicyReadonlyRegistryArgs
    registry str
    registry_access_monitoring ContainerRuntimePolicyRegistryAccessMonitoringArgs
    repo_name str
    resource_name str
    resource_type str
    restricted_volumes Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]
    Restricted volumes configuration.
    reverse_shell ContainerRuntimePolicyReverseShellArgs
    runtime_mode int
    runtime_type str
    scope_expression str
    Logical expression of how to compute the dependency of the scope variables.
    scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]
    List of scope attributes.
    scopes Sequence[ContainerRuntimePolicyScopeArgs]
    Scope configuration.
    system_integrity_protection ContainerRuntimePolicySystemIntegrityProtectionArgs
    tripwire ContainerRuntimePolicyTripwireArgs
    type str
    updated str
    version str
    vpatch_version str
    whitelisted_os_users ContainerRuntimePolicyWhitelistedOsUsersArgs
    allowedExecutables List<Property Map>
    Allowed executables configuration.
    allowedRegistries List<Property Map>
    List of allowed registries.
    applicationScopes List<String>
    Indicates the application scope of the service.
    auditAllNetworkActivity Boolean
    If true, all network activity will be audited.
    auditAllProcessesActivity Boolean
    If true, all process activity will be audited.
    auditBruteForceLogin Boolean
    If true, brute-force login attempts are detected.
    auditFullCommandArguments Boolean
    If true, full command arguments will be audited.
    auditing Property Map
    author String
    Username of the account that created the service.
    blacklistedOsUsers Property Map
    blockAccessHostNetwork Boolean
    If true, prevent containers from running with access to host network.
    blockAddingCapabilities Boolean
    If true, prevent containers from running with additional capabilities added via --cap-add.
    blockContainerExec Boolean
    If true, exec into a container is prevented.
    blockCryptocurrencyMining Boolean
    If true, detects and prevents communication with DNS names/IP addresses known to be used for cryptocurrency mining.
    blockDisallowedImages Boolean
    blockFilelessExec Boolean
    If true, detects and prevents in-memory (fileless) execution.
    blockLowPortBinding Boolean
    If true, prevent containers from running with the capability to bind to ports lower than 1024.
    blockNonCompliantWorkloads Boolean
    If true, running containers in non-compliant pods is prevented.
    blockNonK8sContainers Boolean
    If true, running non-kubernetes containers is prevented.
    blockPrivilegedContainers Boolean
    If true, prevent containers from running with privileged container capability.
    blockRootUser Boolean
    If true, prevent containers from running with root user.
    blockUseIpcNamespace Boolean
    If true, prevent containers from running with the privilege to use the IPC namespace.
    blockUsePidNamespace Boolean
    If true, prevent containers from running with the privilege to use the PID namespace.
    blockUseUserNamespace Boolean
    If true, prevent containers from running with the privilege to use the user namespace.
    blockUseUtsNamespace Boolean
    If true, prevent containers from running with the privilege to use the UTS namespace.
    blockedCapabilities List<String>
    List of Unix capabilities that containers are prevented from using.
    blockedExecutables List<String>
    List of executables that are prevented from running in containers.
    blockedFiles List<String>
    List of files that are prevented from being read, modified, or executed in the containers.
    blockedInboundPorts List<String>
    List of blocked inbound ports.
    blockedOutboundPorts List<String>
    List of blocked outbound ports.
    blockedPackages List<String>
    Prevent containers from reading, writing, or executing all files in the list of packages.
    blockedVolumes List<String>
    List of volumes that are prevented from being mounted in the containers.
    bypassScopes List<Property Map>
    Bypass scope configuration.
    containerExec Property Map
    containerExecAllowedProcesses List<String>
    List of processes that will be allowed.
    created String
    cve String
    defaultSecurityProfile String
    description String
    The description of the container runtime policy.
    digest String
    driftPreventions List<Property Map>
    Drift prevention configuration.
    enableCryptoMiningDns Boolean
    enableForkGuard Boolean
    If true, fork bombs are prevented in the containers.
    enableIpReputation Boolean
    enablePortScanProtection Boolean
    enabled Boolean
    Whether allowed executables configuration is enabled.
    enforce Boolean
    Indicates that the policy should affect container execution (enforce), not just audit it.
    enforceAfterDays Number
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    enforceSchedulerAddedOn Number
    excludeApplicationScopes List<String>
    List of excluded application scopes.
    executableBlacklists List<Property Map>
    Executable blacklist configuration.
    failedKubernetesChecks Property Map
    fileBlock Property Map
    fileIntegrityMonitoring Property Map
    Configuration for file integrity monitoring.
    forkGuardProcessLimit Number
    Process limit for the fork guard.
    imageName String
    isAuditChecked Boolean
    isAutoGenerated Boolean
    isOotbPolicy Boolean
    lastupdate Number
    limitContainerPrivileges List<Property Map>
    Container privileges configuration.
    limitNewPrivileges Boolean
    If true, prevents the container from obtaining new privileges at runtime (only effective in enforce mode).
    linuxCapabilities Property Map
    malwareScanOptions Property Map
    Configuration for Real-Time Malware Protection.
    monitorSystemTimeChanges Boolean
    If true, system time changes will be monitored.
    name String
    Name assigned to the attribute.
    noNewPrivileges Boolean
    onlyRegisteredImages Boolean
    packageBlock Property Map
    permission String
    portBlock Property Map
    readonlyFiles Property Map
    readonlyRegistry Property Map
    registry String
    registryAccessMonitoring Property Map
    repoName String
    resourceName String
    resourceType String
    restrictedVolumes List<Property Map>
    Restricted volumes configuration.
    reverseShell Property Map
    runtimeMode Number
    runtimeType String
    scopeExpression String
    Logical expression of how to compute the dependency of the scope variables.
    scopeVariables List<Property Map>
    List of scope attributes.
    scopes List<Property Map>
    Scope configuration.
    systemIntegrityProtection Property Map
    tripwire Property Map
    type String
    updated String
    version String
    vpatchVersion String
    whitelistedOsUsers Property Map

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ContainerRuntimePolicy resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing ContainerRuntimePolicy Resource

    Get an existing ContainerRuntimePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ContainerRuntimePolicyState, opts?: CustomResourceOptions): ContainerRuntimePolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            allowed_executables: Optional[Sequence[ContainerRuntimePolicyAllowedExecutableArgs]] = None,
            allowed_registries: Optional[Sequence[ContainerRuntimePolicyAllowedRegistryArgs]] = None,
            application_scopes: Optional[Sequence[str]] = None,
            audit_all_network_activity: Optional[bool] = None,
            audit_all_processes_activity: Optional[bool] = None,
            audit_brute_force_login: Optional[bool] = None,
            audit_full_command_arguments: Optional[bool] = None,
            auditing: Optional[ContainerRuntimePolicyAuditingArgs] = None,
            author: Optional[str] = None,
            blacklisted_os_users: Optional[ContainerRuntimePolicyBlacklistedOsUsersArgs] = None,
            block_access_host_network: Optional[bool] = None,
            block_adding_capabilities: Optional[bool] = None,
            block_container_exec: Optional[bool] = None,
            block_cryptocurrency_mining: Optional[bool] = None,
            block_disallowed_images: Optional[bool] = None,
            block_fileless_exec: Optional[bool] = None,
            block_low_port_binding: Optional[bool] = None,
            block_non_compliant_workloads: Optional[bool] = None,
            block_non_k8s_containers: Optional[bool] = None,
            block_privileged_containers: Optional[bool] = None,
            block_root_user: Optional[bool] = None,
            block_use_ipc_namespace: Optional[bool] = None,
            block_use_pid_namespace: Optional[bool] = None,
            block_use_user_namespace: Optional[bool] = None,
            block_use_uts_namespace: Optional[bool] = None,
            blocked_capabilities: Optional[Sequence[str]] = None,
            blocked_executables: Optional[Sequence[str]] = None,
            blocked_files: Optional[Sequence[str]] = None,
            blocked_inbound_ports: Optional[Sequence[str]] = None,
            blocked_outbound_ports: Optional[Sequence[str]] = None,
            blocked_packages: Optional[Sequence[str]] = None,
            blocked_volumes: Optional[Sequence[str]] = None,
            bypass_scopes: Optional[Sequence[ContainerRuntimePolicyBypassScopeArgs]] = None,
            container_exec: Optional[ContainerRuntimePolicyContainerExecArgs] = None,
            container_exec_allowed_processes: Optional[Sequence[str]] = None,
            created: Optional[str] = None,
            cve: Optional[str] = None,
            default_security_profile: Optional[str] = None,
            description: Optional[str] = None,
            digest: Optional[str] = None,
            drift_preventions: Optional[Sequence[ContainerRuntimePolicyDriftPreventionArgs]] = None,
            enable_crypto_mining_dns: Optional[bool] = None,
            enable_fork_guard: Optional[bool] = None,
            enable_ip_reputation: Optional[bool] = None,
            enable_port_scan_protection: Optional[bool] = None,
            enabled: Optional[bool] = None,
            enforce: Optional[bool] = None,
            enforce_after_days: Optional[int] = None,
            enforce_scheduler_added_on: Optional[int] = None,
            exclude_application_scopes: Optional[Sequence[str]] = None,
            executable_blacklists: Optional[Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]] = None,
            failed_kubernetes_checks: Optional[ContainerRuntimePolicyFailedKubernetesChecksArgs] = None,
            file_block: Optional[ContainerRuntimePolicyFileBlockArgs] = None,
            file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
            fork_guard_process_limit: Optional[int] = None,
            image_name: Optional[str] = None,
            is_audit_checked: Optional[bool] = None,
            is_auto_generated: Optional[bool] = None,
            is_ootb_policy: Optional[bool] = None,
            lastupdate: Optional[int] = None,
            limit_container_privileges: Optional[Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]] = None,
            limit_new_privileges: Optional[bool] = None,
            linux_capabilities: Optional[ContainerRuntimePolicyLinuxCapabilitiesArgs] = None,
            malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
            monitor_system_time_changes: Optional[bool] = None,
            name: Optional[str] = None,
            no_new_privileges: Optional[bool] = None,
            only_registered_images: Optional[bool] = None,
            package_block: Optional[ContainerRuntimePolicyPackageBlockArgs] = None,
            permission: Optional[str] = None,
            port_block: Optional[ContainerRuntimePolicyPortBlockArgs] = None,
            readonly_files: Optional[ContainerRuntimePolicyReadonlyFilesArgs] = None,
            readonly_registry: Optional[ContainerRuntimePolicyReadonlyRegistryArgs] = None,
            registry: Optional[str] = None,
            registry_access_monitoring: Optional[ContainerRuntimePolicyRegistryAccessMonitoringArgs] = None,
            repo_name: Optional[str] = None,
            resource_name: Optional[str] = None,
            resource_type: Optional[str] = None,
            restricted_volumes: Optional[Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]] = None,
            reverse_shell: Optional[ContainerRuntimePolicyReverseShellArgs] = None,
            runtime_mode: Optional[int] = None,
            runtime_type: Optional[str] = None,
            scope_expression: Optional[str] = None,
            scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None,
            scopes: Optional[Sequence[ContainerRuntimePolicyScopeArgs]] = None,
            system_integrity_protection: Optional[ContainerRuntimePolicySystemIntegrityProtectionArgs] = None,
            tripwire: Optional[ContainerRuntimePolicyTripwireArgs] = None,
            type: Optional[str] = None,
            updated: Optional[str] = None,
            version: Optional[str] = None,
            vpatch_version: Optional[str] = None,
            whitelisted_os_users: Optional[ContainerRuntimePolicyWhitelistedOsUsersArgs] = None) -> ContainerRuntimePolicy
    func GetContainerRuntimePolicy(ctx *Context, name string, id IDInput, state *ContainerRuntimePolicyState, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
    public static ContainerRuntimePolicy Get(string name, Input<string> id, ContainerRuntimePolicyState? state, CustomResourceOptions? opts = null)
    public static ContainerRuntimePolicy get(String name, Output<String> id, ContainerRuntimePolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AllowedExecutables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAllowedExecutable>
    Allowed executables configuration.
    AllowedRegistries List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAllowedRegistry>
    List of allowed registries.
    ApplicationScopes List<string>
    Indicates the application scope of the service.
    AuditAllNetworkActivity bool
    If true, all network activity will be audited.
    AuditAllProcessesActivity bool
    If true, all process activity will be audited.
    AuditBruteForceLogin bool
    Detects brute force login attempts
    AuditFullCommandArguments bool
    If true, full command arguments will be audited.
    Auditing Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAuditing
    Author string
    Username of the account that created the service.
    BlacklistedOsUsers Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBlacklistedOsUsers
    BlockAccessHostNetwork bool
    If true, prevent containers from running with access to host network.
    BlockAddingCapabilities bool
    If true, prevent containers from running with additional capabilities granted via the --cap-add privilege.
    BlockContainerExec bool
    If true, exec into a container is prevented.
    BlockCryptocurrencyMining bool
    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
    BlockDisallowedImages bool
    BlockFilelessExec bool
    Detect and prevent fileless (in-memory) execution.
    BlockLowPortBinding bool
    If true, prevent containers from running with the capability to bind to ports lower than 1024.
    BlockNonCompliantWorkloads bool
    If true, running containers in non-compliant pods is prevented.
    BlockNonK8sContainers bool
    If true, running non-kubernetes containers is prevented.
    BlockPrivilegedContainers bool
    If true, prevent containers from running with privileged container capability.
    BlockRootUser bool
    If true, prevent containers from running with root user.
    BlockUseIpcNamespace bool
    If true, prevent containers from running with the privilege to use the IPC namespace.
    BlockUsePidNamespace bool
    If true, prevent containers from running with the privilege to use the PID namespace.
    BlockUseUserNamespace bool
    If true, prevent containers from running with the privilege to use the user namespace.
    BlockUseUtsNamespace bool
    If true, prevent containers from running with the privilege to use the UTS namespace.
    BlockedCapabilities List<string>
    List of Unix capabilities that containers are prevented from using.
    BlockedExecutables List<string>
    List of executables that are prevented from running in containers.
    BlockedFiles List<string>
    List of files that are prevented from being read, modified and executed in the containers.
    BlockedInboundPorts List<string>
    List of blocked inbound ports.
    BlockedOutboundPorts List<string>
    List of blocked outbound ports.
    BlockedPackages List<string>
    Prevent containers from reading, writing, or executing all files in the list of packages.
    BlockedVolumes List<string>
    List of volumes that are prevented from being mounted in the containers.
    BypassScopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBypassScope>
    Bypass scope configuration.
    ContainerExec Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyContainerExec
    ContainerExecAllowedProcesses List<string>
    List of processes that will be allowed.
    Created string
    Cve string
    DefaultSecurityProfile string
    Description string
    The description of the container runtime policy
    Digest string
    DriftPreventions List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyDriftPrevention>
    Drift prevention configuration.
    EnableCryptoMiningDns bool
    EnableForkGuard bool
    If true, fork bombs are prevented in the containers.
    EnableIpReputation bool
    EnablePortScanProtection bool
    Enabled bool
    Whether allowed executables configuration is enabled.
    Enforce bool
    Indicates that the policy should affect container execution (not just audit it).
    EnforceAfterDays int
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    EnforceSchedulerAddedOn int
    ExcludeApplicationScopes List<string>
    List of excluded application scopes.
    ExecutableBlacklists List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyExecutableBlacklist>
    Executable blacklist configuration.
    FailedKubernetesChecks Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFailedKubernetesChecks
    FileBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileBlock
    FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring
    Configuration for file integrity monitoring.
    ForkGuardProcessLimit int
    Process limit for the fork guard.
    ImageName string
    IsAuditChecked bool
    IsAutoGenerated bool
    IsOotbPolicy bool
    Lastupdate int
    LimitContainerPrivileges List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyLimitContainerPrivilege>
    Container privileges configuration.
    LimitNewPrivileges bool
    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
    LinuxCapabilities Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyLinuxCapabilities
    MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions
    Configuration for Real-Time Malware Protection.
    MonitorSystemTimeChanges bool
    If true, system time changes will be monitored.
    Name string
    Name assigned to the attribute.
    NoNewPrivileges bool
    OnlyRegisteredImages bool
    PackageBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyPackageBlock
    Permission string
    PortBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyPortBlock
    ReadonlyFiles Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReadonlyFiles
    ReadonlyRegistry Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReadonlyRegistry
    Registry string
    RegistryAccessMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyRegistryAccessMonitoring
    RepoName string
    ResourceName string
    ResourceType string
    RestrictedVolumes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyRestrictedVolume>
    Restricted volumes configuration.
    ReverseShell Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReverseShell
    RuntimeMode int
    RuntimeType string
    ScopeExpression string
    Logical expression of how to compute the dependency of the scope variables.
    ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>
    List of scope attributes.
    Scopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScope>
    Scope configuration.
    SystemIntegrityProtection Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicySystemIntegrityProtection
    Tripwire Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyTripwire
    Type string
    Updated string
    Version string
    VpatchVersion string
    WhitelistedOsUsers Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyWhitelistedOsUsers
    AllowedExecutables []ContainerRuntimePolicyAllowedExecutableArgs
    Allowed executables configuration.
    AllowedRegistries []ContainerRuntimePolicyAllowedRegistryArgs
    List of allowed registries.
    ApplicationScopes []string
    Indicates the application scope of the service.
    AuditAllNetworkActivity bool
    If true, all network activity will be audited.
    AuditAllProcessesActivity bool
    If true, all process activity will be audited.
    AuditBruteForceLogin bool
    Detects brute force login attempts
    AuditFullCommandArguments bool
    If true, full command arguments will be audited.
    Auditing ContainerRuntimePolicyAuditingArgs
    Author string
    Username of the account that created the service.
    BlacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsersArgs
    BlockAccessHostNetwork bool
    If true, prevent containers from running with access to host network.
    BlockAddingCapabilities bool
    If true, prevent containers from running with additional capabilities granted via the --cap-add privilege.
    BlockContainerExec bool
    If true, exec into a container is prevented.
    BlockCryptocurrencyMining bool
    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
    BlockDisallowedImages bool
    BlockFilelessExec bool
    Detect and prevent fileless (in-memory) execution.
    BlockLowPortBinding bool
    If true, prevent containers from running with the capability to bind to ports lower than 1024.
    BlockNonCompliantWorkloads bool
    If true, running containers in non-compliant pods is prevented.
    BlockNonK8sContainers bool
    If true, running non-kubernetes containers is prevented.
    BlockPrivilegedContainers bool
    If true, prevent containers from running with privileged container capability.
    BlockRootUser bool
    If true, prevent containers from running with root user.
    BlockUseIpcNamespace bool
    If true, prevent containers from running with the privilege to use the IPC namespace.
    BlockUsePidNamespace bool
    If true, prevent containers from running with the privilege to use the PID namespace.
    BlockUseUserNamespace bool
    If true, prevent containers from running with the privilege to use the user namespace.
    BlockUseUtsNamespace bool
    If true, prevent containers from running with the privilege to use the UTS namespace.
    BlockedCapabilities []string
    List of Unix capabilities that containers are prevented from using.
    BlockedExecutables []string
    List of executables that are prevented from running in containers.
    BlockedFiles []string
    List of files that are prevented from being read, modified and executed in the containers.
    BlockedInboundPorts []string
    List of blocked inbound ports.
    BlockedOutboundPorts []string
    List of blocked outbound ports.
    BlockedPackages []string
    Prevent containers from reading, writing, or executing all files in the list of packages.
    BlockedVolumes []string
    List of volumes that are prevented from being mounted in the containers.
    BypassScopes []ContainerRuntimePolicyBypassScopeArgs
    Bypass scope configuration.
    ContainerExec ContainerRuntimePolicyContainerExecArgs
    ContainerExecAllowedProcesses []string
    List of processes that will be allowed.
    Created string
    Cve string
    DefaultSecurityProfile string
    Description string
    The description of the container runtime policy
    Digest string
    DriftPreventions []ContainerRuntimePolicyDriftPreventionArgs
    Drift prevention configuration.
    EnableCryptoMiningDns bool
    EnableForkGuard bool
    If true, fork bombs are prevented in the containers.
    EnableIpReputation bool
    EnablePortScanProtection bool
    Enabled bool
    Whether allowed executables configuration is enabled.
    Enforce bool
    Indicates that the policy should affect container execution (not just audit it).
    EnforceAfterDays int
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    EnforceSchedulerAddedOn int
    ExcludeApplicationScopes []string
    List of excluded application scopes.
    ExecutableBlacklists []ContainerRuntimePolicyExecutableBlacklistArgs
    Executable blacklist configuration.
    FailedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecksArgs
    FileBlock ContainerRuntimePolicyFileBlockArgs
    FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs
    Configuration for file integrity monitoring.
    ForkGuardProcessLimit int
    Process limit for the fork guard.
    ImageName string
    IsAuditChecked bool
    IsAutoGenerated bool
    IsOotbPolicy bool
    Lastupdate int
    LimitContainerPrivileges []ContainerRuntimePolicyLimitContainerPrivilegeArgs
    Container privileges configuration.
    LimitNewPrivileges bool
    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
    LinuxCapabilities ContainerRuntimePolicyLinuxCapabilitiesArgs
    MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs
    Configuration for Real-Time Malware Protection.
    MonitorSystemTimeChanges bool
    If true, system time changes will be monitored.
    Name string
    Name assigned to the attribute.
    NoNewPrivileges bool
    OnlyRegisteredImages bool
    PackageBlock ContainerRuntimePolicyPackageBlockArgs
    Permission string
    PortBlock ContainerRuntimePolicyPortBlockArgs
    ReadonlyFiles ContainerRuntimePolicyReadonlyFilesArgs
    ReadonlyRegistry ContainerRuntimePolicyReadonlyRegistryArgs
    Registry string
    RegistryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoringArgs
    RepoName string
    ResourceName string
    ResourceType string
    RestrictedVolumes []ContainerRuntimePolicyRestrictedVolumeArgs
    Restricted volumes configuration.
    ReverseShell ContainerRuntimePolicyReverseShellArgs
    RuntimeMode int
    RuntimeType string
    ScopeExpression string
    Logical expression of how to compute the dependency of the scope variables.
    ScopeVariables []ContainerRuntimePolicyScopeVariableArgs
    List of scope attributes.
    Scopes []ContainerRuntimePolicyScopeArgs
    Scope configuration.
    SystemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtectionArgs
    Tripwire ContainerRuntimePolicyTripwireArgs
    Type string
    Updated string
    Version string
    VpatchVersion string
    WhitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsersArgs
    allowedExecutables List<ContainerRuntimePolicyAllowedExecutable>
    Allowed executables configuration.
    allowedRegistries List<ContainerRuntimePolicyAllowedRegistry>
    List of allowed registries.
    applicationScopes List<String>
    Indicates the application scope of the service.
    auditAllNetworkActivity Boolean
    If true, all network activity will be audited.
    auditAllProcessesActivity Boolean
    If true, all process activity will be audited.
    auditBruteForceLogin Boolean
    Detects brute force login attempts
    auditFullCommandArguments Boolean
    If true, full command arguments will be audited.
    auditing ContainerRuntimePolicyAuditing
    author String
    Username of the account that created the service.
    blacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsers
    blockAccessHostNetwork Boolean
    If true, prevent containers from running with access to host network.
    blockAddingCapabilities Boolean
    If true, prevent containers from running with additional capabilities granted via the --cap-add privilege.
    blockContainerExec Boolean
    If true, exec into a container is prevented.
    blockCryptocurrencyMining Boolean
    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
    blockDisallowedImages Boolean
    blockFilelessExec Boolean
    Detect and prevent fileless (in-memory) execution.
    blockLowPortBinding Boolean
    If true, prevent containers from running with the capability to bind to ports lower than 1024.
    blockNonCompliantWorkloads Boolean
    If true, running containers in non-compliant pods is prevented.
    blockNonK8sContainers Boolean
    If true, running non-kubernetes containers is prevented.
    blockPrivilegedContainers Boolean
    If true, prevent containers from running with privileged container capability.
    blockRootUser Boolean
    If true, prevent containers from running with root user.
    blockUseIpcNamespace Boolean
    If true, prevent containers from running with the privilege to use the IPC namespace.
    blockUsePidNamespace Boolean
    If true, prevent containers from running with the privilege to use the PID namespace.
    blockUseUserNamespace Boolean
    If true, prevent containers from running with the privilege to use the user namespace.
    blockUseUtsNamespace Boolean
    If true, prevent containers from running with the privilege to use the UTS namespace.
    blockedCapabilities List<String>
    List of Unix capabilities that containers are prevented from using.
    blockedExecutables List<String>
    List of executables that are prevented from running in containers.
    blockedFiles List<String>
    List of files that are prevented from being read, modified and executed in the containers.
    blockedInboundPorts List<String>
    List of blocked inbound ports.
    blockedOutboundPorts List<String>
    List of blocked outbound ports.
    blockedPackages List<String>
    Prevent containers from reading, writing, or executing all files in the list of packages.
    blockedVolumes List<String>
    List of volumes that are prevented from being mounted in the containers.
    bypassScopes List<ContainerRuntimePolicyBypassScope>
    Bypass scope configuration.
    containerExec ContainerRuntimePolicyContainerExec
    containerExecAllowedProcesses List<String>
    List of processes that will be allowed.
    created String
    cve String
    defaultSecurityProfile String
    description String
    The description of the container runtime policy
    digest String
    driftPreventions List<ContainerRuntimePolicyDriftPrevention>
    Drift prevention configuration.
    enableCryptoMiningDns Boolean
    enableForkGuard Boolean
    If true, fork bombs are prevented in the containers.
    enableIpReputation Boolean
    enablePortScanProtection Boolean
    enabled Boolean
    Whether allowed executables configuration is enabled.
    enforce Boolean
    Indicates that the policy should affect container execution (not just audit it).
    enforceAfterDays Integer
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    enforceSchedulerAddedOn Integer
    excludeApplicationScopes List<String>
    List of excluded application scopes.
    executableBlacklists List<ContainerRuntimePolicyExecutableBlacklist>
    Executable blacklist configuration.
    failedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecks
    fileBlock ContainerRuntimePolicyFileBlock
    fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring
    Configuration for file integrity monitoring.
    forkGuardProcessLimit Integer
    Process limit for the fork guard.
    imageName String
    isAuditChecked Boolean
    isAutoGenerated Boolean
    isOotbPolicy Boolean
    lastupdate Integer
    limitContainerPrivileges List<ContainerRuntimePolicyLimitContainerPrivilege>
    Container privileges configuration.
    limitNewPrivileges Boolean
    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
    linuxCapabilities ContainerRuntimePolicyLinuxCapabilities
    malwareScanOptions ContainerRuntimePolicyMalwareScanOptions
    Configuration for Real-Time Malware Protection.
    monitorSystemTimeChanges Boolean
    If true, system time changes will be monitored.
    name String
    Name assigned to the attribute.
    noNewPrivileges Boolean
    onlyRegisteredImages Boolean
    packageBlock ContainerRuntimePolicyPackageBlock
    permission String
    portBlock ContainerRuntimePolicyPortBlock
    readonlyFiles ContainerRuntimePolicyReadonlyFiles
    readonlyRegistry ContainerRuntimePolicyReadonlyRegistry
    registry String
    registryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoring
    repoName String
    resourceName String
    resourceType String
    restrictedVolumes List<ContainerRuntimePolicyRestrictedVolume>
    Restricted volumes configuration.
    reverseShell ContainerRuntimePolicyReverseShell
    runtimeMode Integer
    runtimeType String
    scopeExpression String
    Logical expression of how to compute the dependency of the scope variables.
    scopeVariables List<ContainerRuntimePolicyScopeVariable>
    List of scope attributes.
    scopes List<ContainerRuntimePolicyScope>
    Scope configuration.
    systemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtection
    tripwire ContainerRuntimePolicyTripwire
    type String
    updated String
    version String
    vpatchVersion String
    whitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsers
    allowedExecutables ContainerRuntimePolicyAllowedExecutable[]
    Allowed executables configuration.
    allowedRegistries ContainerRuntimePolicyAllowedRegistry[]
    List of allowed registries.
    applicationScopes string[]
    Indicates the application scope of the service.
    auditAllNetworkActivity boolean
    If true, all network activity will be audited.
    auditAllProcessesActivity boolean
    If true, all process activity will be audited.
    auditBruteForceLogin boolean
    Detects brute force login attempts
    auditFullCommandArguments boolean
    If true, full command arguments will be audited.
    auditing ContainerRuntimePolicyAuditing
    author string
    Username of the account that created the service.
    blacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsers
    blockAccessHostNetwork boolean
    If true, prevent containers from running with access to host network.
    blockAddingCapabilities boolean
    If true, prevent containers from running with additional capabilities granted via the --cap-add privilege.
    blockContainerExec boolean
    If true, exec into a container is prevented.
    blockCryptocurrencyMining boolean
    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
    blockDisallowedImages boolean
    blockFilelessExec boolean
    Detect and prevent fileless (in-memory) execution.
    blockLowPortBinding boolean
    If true, prevent containers from running with the capability to bind to ports lower than 1024.
    blockNonCompliantWorkloads boolean
    If true, running containers in non-compliant pods is prevented.
    blockNonK8sContainers boolean
    If true, running non-kubernetes containers is prevented.
    blockPrivilegedContainers boolean
    If true, prevent containers from running with privileged container capability.
    blockRootUser boolean
    If true, prevent containers from running with root user.
    blockUseIpcNamespace boolean
    If true, prevent containers from running with the privilege to use the IPC namespace.
    blockUsePidNamespace boolean
    If true, prevent containers from running with the privilege to use the PID namespace.
    blockUseUserNamespace boolean
    If true, prevent containers from running with the privilege to use the user namespace.
    blockUseUtsNamespace boolean
    If true, prevent containers from running with the privilege to use the UTS namespace.
    blockedCapabilities string[]
    List of Unix capabilities that containers are prevented from using.
    blockedExecutables string[]
    List of executables that are prevented from running in containers.
    blockedFiles string[]
    List of files that are prevented from being read, modified and executed in the containers.
    blockedInboundPorts string[]
    List of blocked inbound ports.
    blockedOutboundPorts string[]
    List of blocked outbound ports.
    blockedPackages string[]
    Prevent containers from reading, writing, or executing all files in the list of packages.
    blockedVolumes string[]
    List of volumes that are prevented from being mounted in the containers.
    bypassScopes ContainerRuntimePolicyBypassScope[]
    Bypass scope configuration.
    containerExec ContainerRuntimePolicyContainerExec
    containerExecAllowedProcesses string[]
    List of processes that will be allowed.
    created string
    cve string
    defaultSecurityProfile string
    description string
    The description of the container runtime policy
    digest string
    driftPreventions ContainerRuntimePolicyDriftPrevention[]
    Drift prevention configuration.
    enableCryptoMiningDns boolean
    enableForkGuard boolean
    If true, fork bombs are prevented in the containers.
    enableIpReputation boolean
    enablePortScanProtection boolean
    enabled boolean
    Whether allowed executables configuration is enabled.
    enforce boolean
    Indicates that the policy should affect container execution (not just audit it).
    enforceAfterDays number
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    enforceSchedulerAddedOn number
    excludeApplicationScopes string[]
    List of excluded application scopes.
    executableBlacklists ContainerRuntimePolicyExecutableBlacklist[]
    Executable blacklist configuration.
    failedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecks
    fileBlock ContainerRuntimePolicyFileBlock
    fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring
    Configuration for file integrity monitoring.
    forkGuardProcessLimit number
    Process limit for the fork guard.
    imageName string
    isAuditChecked boolean
    isAutoGenerated boolean
    isOotbPolicy boolean
    lastupdate number
    limitContainerPrivileges ContainerRuntimePolicyLimitContainerPrivilege[]
    Container privileges configuration.
    limitNewPrivileges boolean
    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
    linuxCapabilities ContainerRuntimePolicyLinuxCapabilities
    malwareScanOptions ContainerRuntimePolicyMalwareScanOptions
    Configuration for Real-Time Malware Protection.
    monitorSystemTimeChanges boolean
    If true, system time changes will be monitored.
    name string
    Name assigned to the attribute.
    noNewPrivileges boolean
    onlyRegisteredImages boolean
    packageBlock ContainerRuntimePolicyPackageBlock
    permission string
    portBlock ContainerRuntimePolicyPortBlock
    readonlyFiles ContainerRuntimePolicyReadonlyFiles
    readonlyRegistry ContainerRuntimePolicyReadonlyRegistry
    registry string
    registryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoring
    repoName string
    resourceName string
    resourceType string
    restrictedVolumes ContainerRuntimePolicyRestrictedVolume[]
    Restricted volumes configuration.
    reverseShell ContainerRuntimePolicyReverseShell
    runtimeMode number
    runtimeType string
    scopeExpression string
    Logical expression of how to compute the dependency of the scope variables.
    scopeVariables ContainerRuntimePolicyScopeVariable[]
    List of scope attributes.
    scopes ContainerRuntimePolicyScope[]
    Scope configuration.
    systemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtection
    tripwire ContainerRuntimePolicyTripwire
    type string
    updated string
    version string
    vpatchVersion string
    whitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsers
    allowed_executables Sequence[ContainerRuntimePolicyAllowedExecutableArgs]
    Allowed executables configuration.
    allowed_registries Sequence[ContainerRuntimePolicyAllowedRegistryArgs]
    List of allowed registries.
    application_scopes Sequence[str]
    Indicates the application scope of the service.
    audit_all_network_activity bool
    If true, all network activity will be audited.
    audit_all_processes_activity bool
    If true, all process activity will be audited.
    audit_brute_force_login bool
    Detects brute force login attempts
    audit_full_command_arguments bool
    If true, full command arguments will be audited.
    auditing ContainerRuntimePolicyAuditingArgs
    author str
    Username of the account that created the service.
    blacklisted_os_users ContainerRuntimePolicyBlacklistedOsUsersArgs
    block_access_host_network bool
    If true, prevent containers from running with access to host network.
    block_adding_capabilities bool
    If true, prevent containers from running with additional capabilities granted via the --cap-add privilege.
    block_container_exec bool
    If true, exec into a container is prevented.
    block_cryptocurrency_mining bool
    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
    block_disallowed_images bool
    block_fileless_exec bool
    Detect and prevent fileless (in-memory) execution.
    block_low_port_binding bool
    If true, prevent containers from running with the capability to bind to ports lower than 1024.
    block_non_compliant_workloads bool
    If true, running containers in non-compliant pods is prevented.
    block_non_k8s_containers bool
    If true, running non-kubernetes containers is prevented.
    block_privileged_containers bool
    If true, prevent containers from running with privileged container capability.
    block_root_user bool
    If true, prevent containers from running with root user.
    block_use_ipc_namespace bool
    If true, prevent containers from running with the privilege to use the IPC namespace.
    block_use_pid_namespace bool
    If true, prevent containers from running with the privilege to use the PID namespace.
    block_use_user_namespace bool
    If true, prevent containers from running with the privilege to use the user namespace.
    block_use_uts_namespace bool
    If true, prevent containers from running with the privilege to use the UTS namespace.
    blocked_capabilities Sequence[str]
    If true, prevents containers from using specific Unix capabilities.
    blocked_executables Sequence[str]
    List of executables that are prevented from running in containers.
    blocked_files Sequence[str]
    List of files that are prevented from being read, modified and executed in the containers.
    blocked_inbound_ports Sequence[str]
    List of blocked inbound ports.
    blocked_outbound_ports Sequence[str]
    List of blocked outbound ports.
    blocked_packages Sequence[str]
    Prevent containers from reading, writing, or executing all files in the list of packages.
    blocked_volumes Sequence[str]
    List of volumes that are prevented from being mounted in the containers.
    bypass_scopes Sequence[ContainerRuntimePolicyBypassScopeArgs]
    Bypass scope configuration.
    container_exec ContainerRuntimePolicyContainerExecArgs
    container_exec_allowed_processes Sequence[str]
    List of processes that will be allowed.
    created str
    cve str
    default_security_profile str
    description str
    The description of the container runtime policy
    digest str
    drift_preventions Sequence[ContainerRuntimePolicyDriftPreventionArgs]
    Drift prevention configuration.
    enable_crypto_mining_dns bool
    enable_fork_guard bool
    If true, fork bombs are prevented in the containers.
    enable_ip_reputation bool
    enable_port_scan_protection bool
    enabled bool
    Whether allowed executables configuration is enabled.
    enforce bool
    Indicates that policy should effect container execution (not just for audit).
    enforce_after_days int
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    enforce_scheduler_added_on int
    exclude_application_scopes Sequence[str]
    List of excluded application scopes.
    executable_blacklists Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]
    Executable blacklist configuration.
    failed_kubernetes_checks ContainerRuntimePolicyFailedKubernetesChecksArgs
    file_block ContainerRuntimePolicyFileBlockArgs
    file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs
    Configuration for file integrity monitoring.
    fork_guard_process_limit int
    Process limit for the fork guard.
    image_name str
    is_audit_checked bool
    is_auto_generated bool
    is_ootb_policy bool
    lastupdate int
    limit_container_privileges Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]
    Container privileges configuration.
    limit_new_privileges bool
    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
    linux_capabilities ContainerRuntimePolicyLinuxCapabilitiesArgs
    malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs
    Configuration for Real-Time Malware Protection.
    monitor_system_time_changes bool
    If true, system time changes will be monitored.
    name str
    Name assigned to the attribute.
    no_new_privileges bool
    only_registered_images bool
    package_block ContainerRuntimePolicyPackageBlockArgs
    permission str
    port_block ContainerRuntimePolicyPortBlockArgs
    readonly_files ContainerRuntimePolicyReadonlyFilesArgs
    readonly_registry ContainerRuntimePolicyReadonlyRegistryArgs
    registry str
    registry_access_monitoring ContainerRuntimePolicyRegistryAccessMonitoringArgs
    repo_name str
    resource_name str
    resource_type str
    restricted_volumes Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]
    Restricted volumes configuration.
    reverse_shell ContainerRuntimePolicyReverseShellArgs
    runtime_mode int
    runtime_type str
    scope_expression str
    Logical expression of how to compute the dependency of the scope variables.
    scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]
    List of scope attributes.
    scopes Sequence[ContainerRuntimePolicyScopeArgs]
    Scope configuration.
    system_integrity_protection ContainerRuntimePolicySystemIntegrityProtectionArgs
    tripwire ContainerRuntimePolicyTripwireArgs
    type str
    updated str
    version str
    vpatch_version str
    whitelisted_os_users ContainerRuntimePolicyWhitelistedOsUsersArgs
    allowedExecutables List<Property Map>
    Allowed executables configuration.
    allowedRegistries List<Property Map>
    List of allowed registries.
    applicationScopes List<String>
    Indicates the application scope of the service.
    auditAllNetworkActivity Boolean
    If true, all network activity will be audited.
    auditAllProcessesActivity Boolean
    If true, all process activity will be audited.
    auditBruteForceLogin Boolean
    Detects brute force login attempts
    auditFullCommandArguments Boolean
    If true, full command arguments will be audited.
    auditing Property Map
    author String
    Username of the account that created the service.
    blacklistedOsUsers Property Map
    blockAccessHostNetwork Boolean
    If true, prevent containers from running with access to host network.
    blockAddingCapabilities Boolean
    If true, prevent containers from running with adding capabilities with --cap-add privilege.
    blockContainerExec Boolean
    If true, exec into a container is prevented.
    blockCryptocurrencyMining Boolean
    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
    blockDisallowedImages Boolean
    blockFilelessExec Boolean
    Detect and prevent running in-memory execution
    blockLowPortBinding Boolean
    If true, prevent containers from running with the capability to bind in port lower than 1024.
    blockNonCompliantWorkloads Boolean
    If true, running containers in non-compliant pods is prevented.
    blockNonK8sContainers Boolean
    If true, running non-kubernetes containers is prevented.
    blockPrivilegedContainers Boolean
    If true, prevent containers from running with privileged container capability.
    blockRootUser Boolean
    If true, prevent containers from running with root user.
    blockUseIpcNamespace Boolean
    If true, prevent containers from running with the privilege to use the IPC namespace.
    blockUsePidNamespace Boolean
    If true, prevent containers from running with the privilege to use the PID namespace.
    blockUseUserNamespace Boolean
    If true, prevent containers from running with the privilege to use the user namespace.
    blockUseUtsNamespace Boolean
    If true, prevent containers from running with the privilege to use the UTS namespace.
    blockedCapabilities List<String>
    If true, prevents containers from using specific Unix capabilities.
    blockedExecutables List<String>
    List of executables that are prevented from running in containers.
    blockedFiles List<String>
    List of files that are prevented from being read, modified and executed in the containers.
    blockedInboundPorts List<String>
    List of blocked inbound ports.
    blockedOutboundPorts List<String>
    List of blocked outbound ports.
    blockedPackages List<String>
    Prevent containers from reading, writing, or executing all files in the list of packages.
    blockedVolumes List<String>
    List of volumes that are prevented from being mounted in the containers.
    bypassScopes List<Property Map>
    Bypass scope configuration.
    containerExec Property Map
    containerExecAllowedProcesses List<String>
    List of processes that will be allowed.
    created String
    cve String
    defaultSecurityProfile String
    description String
    The description of the container runtime policy
    digest String
    driftPreventions List<Property Map>
    Drift prevention configuration.
    enableCryptoMiningDns Boolean
    enableForkGuard Boolean
    If true, fork bombs are prevented in the containers.
    enableIpReputation Boolean
    enablePortScanProtection Boolean
    enabled Boolean
    Whether allowed executables configuration is enabled.
    enforce Boolean
    Indicates that policy should effect container execution (not just for audit).
    enforceAfterDays Number
    Indicates the number of days after which the runtime policy will be changed to enforce mode.
    enforceSchedulerAddedOn Number
    excludeApplicationScopes List<String>
    List of excluded application scopes.
    executableBlacklists List<Property Map>
    Executable blacklist configuration.
    failedKubernetesChecks Property Map
    fileBlock Property Map
    fileIntegrityMonitoring Property Map
    Configuration for file integrity monitoring.
    forkGuardProcessLimit Number
    Process limit for the fork guard.
    imageName String
    isAuditChecked Boolean
    isAutoGenerated Boolean
    isOotbPolicy Boolean
    lastupdate Number
    limitContainerPrivileges List<Property Map>
    Container privileges configuration.
    limitNewPrivileges Boolean
    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
    linuxCapabilities Property Map
    malwareScanOptions Property Map
    Configuration for Real-Time Malware Protection.
    monitorSystemTimeChanges Boolean
    If true, system time changes will be monitored.
    name String
    Name assigned to the attribute.
    noNewPrivileges Boolean
    onlyRegisteredImages Boolean
    packageBlock Property Map
    permission String
    portBlock Property Map
    readonlyFiles Property Map
    readonlyRegistry Property Map
    registry String
    registryAccessMonitoring Property Map
    repoName String
    resourceName String
    resourceType String
    restrictedVolumes List<Property Map>
    Restricted volumes configuration.
    reverseShell Property Map
    runtimeMode Number
    runtimeType String
    scopeExpression String
    Logical expression of how to compute the dependency of the scope variables.
    scopeVariables List<Property Map>
    List of scope attributes.
    scopes List<Property Map>
    Scope configuration.
    systemIntegrityProtection Property Map
    tripwire Property Map
    type String
    updated String
    version String
    vpatchVersion String
    whitelistedOsUsers Property Map

    Supporting Types

    ContainerRuntimePolicyAllowedExecutable, ContainerRuntimePolicyAllowedExecutableArgs

    AllowExecutables List<string>
    List of allowed executables.
    AllowRootExecutables List<string>
    List of allowed root executables.
    Enabled bool
    Whether allowed executables configuration is enabled.
    SeparateExecutables bool
    Whether to treat executables separately.
    AllowExecutables []string
    List of allowed executables.
    AllowRootExecutables []string
    List of allowed root executables.
    Enabled bool
    Whether allowed executables configuration is enabled.
    SeparateExecutables bool
    Whether to treat executables separately.
    allowExecutables List<String>
    List of allowed executables.
    allowRootExecutables List<String>
    List of allowed root executables.
    enabled Boolean
    Whether allowed executables configuration is enabled.
    separateExecutables Boolean
    Whether to treat executables separately.
    allowExecutables string[]
    List of allowed executables.
    allowRootExecutables string[]
    List of allowed root executables.
    enabled boolean
    Whether allowed executables configuration is enabled.
    separateExecutables boolean
    Whether to treat executables separately.
    allow_executables Sequence[str]
    List of allowed executables.
    allow_root_executables Sequence[str]
    List of allowed root executables.
    enabled bool
    Whether allowed executables configuration is enabled.
    separate_executables bool
    Whether to treat executables separately.
    allowExecutables List<String>
    List of allowed executables.
    allowRootExecutables List<String>
    List of allowed root executables.
    enabled Boolean
    Whether allowed executables configuration is enabled.
    separateExecutables Boolean
    Whether to treat executables separately.

    ContainerRuntimePolicyAllowedRegistry, ContainerRuntimePolicyAllowedRegistryArgs

    AllowedRegistries List<string>
    List of allowed registries.
    Enabled bool
    Whether allowed registries are enabled.
    AllowedRegistries []string
    List of allowed registries.
    Enabled bool
    Whether allowed registries are enabled.
    allowedRegistries List<String>
    List of allowed registries.
    enabled Boolean
    Whether allowed registries are enabled.
    allowedRegistries string[]
    List of allowed registries.
    enabled boolean
    Whether allowed registries are enabled.
    allowed_registries Sequence[str]
    List of allowed registries.
    enabled bool
    Whether allowed registries are enabled.
    allowedRegistries List<String>
    List of allowed registries.
    enabled Boolean
    Whether allowed registries are enabled.

    ContainerRuntimePolicyAuditing, ContainerRuntimePolicyAuditingArgs

    ContainerRuntimePolicyBlacklistedOsUsers, ContainerRuntimePolicyBlacklistedOsUsersArgs

    Enabled bool
    GroupBlackLists List<string>
    UserBlackLists List<string>
    enabled Boolean
    groupBlackLists List<String>
    userBlackLists List<String>
    enabled boolean
    groupBlackLists string[]
    userBlackLists string[]
    enabled bool
    group_black_lists Sequence[str]
    user_black_lists Sequence[str]
    enabled Boolean
    groupBlackLists List<String>
    userBlackLists List<String>

    ContainerRuntimePolicyBypassScope, ContainerRuntimePolicyBypassScopeArgs

    Enabled bool
    Whether bypassing the scope is enabled.
    Scopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBypassScopeScope>
    Scope configuration.
    Enabled bool
    Whether bypassing the scope is enabled.
    Scopes []ContainerRuntimePolicyBypassScopeScope
    Scope configuration.
    enabled Boolean
    Whether bypassing the scope is enabled.
    scopes List<ContainerRuntimePolicyBypassScopeScope>
    Scope configuration.
    enabled boolean
    Whether bypassing the scope is enabled.
    scopes ContainerRuntimePolicyBypassScopeScope[]
    Scope configuration.
    enabled bool
    Whether bypassing the scope is enabled.
    scopes Sequence[ContainerRuntimePolicyBypassScopeScope]
    Scope configuration.
    enabled Boolean
    Whether bypassing the scope is enabled.
    scopes List<Property Map>
    Scope configuration.

    ContainerRuntimePolicyBypassScopeScope, ContainerRuntimePolicyBypassScopeScopeArgs

    Expression string
    Scope expression.
    Variables []ContainerRuntimePolicyBypassScopeScopeVariable
    List of variables in the scope.
    expression String
    Scope expression.
    variables List<ContainerRuntimePolicyBypassScopeScopeVariable>
    List of variables in the scope.
    expression string
    Scope expression.
    variables ContainerRuntimePolicyBypassScopeScopeVariable[]
    List of variables in the scope.
    expression str
    Scope expression.
    variables Sequence[ContainerRuntimePolicyBypassScopeScopeVariable]
    List of variables in the scope.
    expression String
    Scope expression.
    variables List<Property Map>
    List of variables in the scope.

    ContainerRuntimePolicyBypassScopeScopeVariable, ContainerRuntimePolicyBypassScopeScopeVariableArgs

    Attribute string
    Variable attribute.
    Value string
    Variable value.
    Attribute string
    Variable attribute.
    Value string
    Variable value.
    attribute String
    Variable attribute.
    value String
    Variable value.
    attribute string
    Variable attribute.
    value string
    Variable value.
    attribute str
    Variable attribute.
    value str
    Variable value.
    attribute String
    Variable attribute.
    value String
    Variable value.

    ContainerRuntimePolicyContainerExec, ContainerRuntimePolicyContainerExecArgs

    ContainerRuntimePolicyDriftPrevention, ContainerRuntimePolicyDriftPreventionArgs

    Enabled bool
    Whether drift prevention is enabled.
    ExecLockdown bool
    Whether to lockdown execution drift.
    ExecLockdownWhiteLists List<string>
    List of items in the execution lockdown white list.
    ImageLockdown bool
    Whether to lockdown image drift.
    Enabled bool
    Whether drift prevention is enabled.
    ExecLockdown bool
    Whether to lockdown execution drift.
    ExecLockdownWhiteLists []string
    List of items in the execution lockdown white list.
    ImageLockdown bool
    Whether to lockdown image drift.
    enabled Boolean
    Whether drift prevention is enabled.
    execLockdown Boolean
    Whether to lockdown execution drift.
    execLockdownWhiteLists List<String>
    List of items in the execution lockdown white list.
    imageLockdown Boolean
    Whether to lockdown image drift.
    enabled boolean
    Whether drift prevention is enabled.
    execLockdown boolean
    Whether to lockdown execution drift.
    execLockdownWhiteLists string[]
    List of items in the execution lockdown white list.
    imageLockdown boolean
    Whether to lockdown image drift.
    enabled bool
    Whether drift prevention is enabled.
    exec_lockdown bool
    Whether to lockdown execution drift.
    exec_lockdown_white_lists Sequence[str]
    List of items in the execution lockdown white list.
    image_lockdown bool
    Whether to lockdown image drift.
    enabled Boolean
    Whether drift prevention is enabled.
    execLockdown Boolean
    Whether to lockdown execution drift.
    execLockdownWhiteLists List<String>
    List of items in the execution lockdown white list.
    imageLockdown Boolean
    Whether to lockdown image drift.

    ContainerRuntimePolicyExecutableBlacklist, ContainerRuntimePolicyExecutableBlacklistArgs

    Enabled bool
    Whether the executable blacklist is enabled.
    Executables List<string>
    List of blacklisted executables.
    Enabled bool
    Whether the executable blacklist is enabled.
    Executables []string
    List of blacklisted executables.
    enabled Boolean
    Whether the executable blacklist is enabled.
    executables List<String>
    List of blacklisted executables.
    enabled boolean
    Whether the executable blacklist is enabled.
    executables string[]
    List of blacklisted executables.
    enabled bool
    Whether the executable blacklist is enabled.
    executables Sequence[str]
    List of blacklisted executables.
    enabled Boolean
    Whether the executable blacklist is enabled.
    executables List<String>
    List of blacklisted executables.

    ContainerRuntimePolicyFailedKubernetesChecks, ContainerRuntimePolicyFailedKubernetesChecksArgs

    Enabled bool
    FailedChecks List<string>
    Enabled bool
    FailedChecks []string
    enabled Boolean
    failedChecks List<String>
    enabled boolean
    failedChecks string[]
    enabled bool
    failed_checks Sequence[str]
    enabled Boolean
    failedChecks List<String>

    ContainerRuntimePolicyFileBlock, ContainerRuntimePolicyFileBlockArgs

    ContainerRuntimePolicyFileIntegrityMonitoring, ContainerRuntimePolicyFileIntegrityMonitoringArgs

    Enabled bool
    If true, file integrity monitoring is enabled.
    ExceptionalMonitoredFiles List<string>
    List of paths to be excluded from monitoring.
    ExceptionalMonitoredFilesProcesses List<string>
    List of processes to be excluded from monitoring.
    ExceptionalMonitoredFilesUsers List<string>
    List of users to be excluded from monitoring.
    MonitoredFiles List<string>
    List of paths to be monitored.
    MonitoredFilesAttributes bool
    Whether to monitor file attribute operations.
    MonitoredFilesCreate bool
    Whether to monitor file create operations.
    MonitoredFilesDelete bool
    Whether to monitor file delete operations.
    MonitoredFilesModify bool
    Whether to monitor file modify operations.
    MonitoredFilesProcesses List<string>
    List of processes associated with monitored files.
    MonitoredFilesRead bool
    Whether to monitor file read operations.
    MonitoredFilesUsers List<string>
    List of users associated with monitored files.
    Enabled bool
    If true, file integrity monitoring is enabled.
    ExceptionalMonitoredFiles []string
    List of paths to be excluded from monitoring.
    ExceptionalMonitoredFilesProcesses []string
    List of processes to be excluded from monitoring.
    ExceptionalMonitoredFilesUsers []string
    List of users to be excluded from monitoring.
    MonitoredFiles []string
    List of paths to be monitored.
    MonitoredFilesAttributes bool
    Whether to monitor file attribute operations.
    MonitoredFilesCreate bool
    Whether to monitor file create operations.
    MonitoredFilesDelete bool
    Whether to monitor file delete operations.
    MonitoredFilesModify bool
    Whether to monitor file modify operations.
    MonitoredFilesProcesses []string
    List of processes associated with monitored files.
    MonitoredFilesRead bool
    Whether to monitor file read operations.
    MonitoredFilesUsers []string
    List of users associated with monitored files.
    enabled Boolean
    If true, file integrity monitoring is enabled.
    exceptionalMonitoredFiles List<String>
    List of paths to be excluded from monitoring.
    exceptionalMonitoredFilesProcesses List<String>
    List of processes to be excluded from monitoring.
    exceptionalMonitoredFilesUsers List<String>
    List of users to be excluded from monitoring.
    monitoredFiles List<String>
    List of paths to be monitored.
    monitoredFilesAttributes Boolean
    Whether to monitor file attribute operations.
    monitoredFilesCreate Boolean
    Whether to monitor file create operations.
    monitoredFilesDelete Boolean
    Whether to monitor file delete operations.
    monitoredFilesModify Boolean
    Whether to monitor file modify operations.
    monitoredFilesProcesses List<String>
    List of processes associated with monitored files.
    monitoredFilesRead Boolean
    Whether to monitor file read operations.
    monitoredFilesUsers List<String>
    List of users associated with monitored files.
    enabled boolean
    If true, file integrity monitoring is enabled.
    exceptionalMonitoredFiles string[]
    List of paths to be excluded from monitoring.
    exceptionalMonitoredFilesProcesses string[]
    List of processes to be excluded from monitoring.
    exceptionalMonitoredFilesUsers string[]
    List of users to be excluded from monitoring.
    monitoredFiles string[]
    List of paths to be monitored.
    monitoredFilesAttributes boolean
    Whether to monitor file attribute operations.
    monitoredFilesCreate boolean
    Whether to monitor file create operations.
    monitoredFilesDelete boolean
    Whether to monitor file delete operations.
    monitoredFilesModify boolean
    Whether to monitor file modify operations.
    monitoredFilesProcesses string[]
    List of processes associated with monitored files.
    monitoredFilesRead boolean
    Whether to monitor file read operations.
    monitoredFilesUsers string[]
    List of users associated with monitored files.
    enabled bool
    If true, file integrity monitoring is enabled.
    exceptional_monitored_files Sequence[str]
    List of paths to be excluded from monitoring.
    exceptional_monitored_files_processes Sequence[str]
    List of processes to be excluded from monitoring.
    exceptional_monitored_files_users Sequence[str]
    List of users to be excluded from monitoring.
    monitored_files Sequence[str]
    List of paths to be monitored.
    monitored_files_attributes bool
    Whether to monitor file attribute operations.
    monitored_files_create bool
    Whether to monitor file create operations.
    monitored_files_delete bool
    Whether to monitor file delete operations.
    monitored_files_modify bool
    Whether to monitor file modify operations.
    monitored_files_processes Sequence[str]
    List of processes associated with monitored files.
    monitored_files_read bool
    Whether to monitor file read operations.
    monitored_files_users Sequence[str]
    List of users associated with monitored files.
    enabled Boolean
    If true, file integrity monitoring is enabled.
    exceptionalMonitoredFiles List<String>
    List of paths to be excluded from monitoring.
    exceptionalMonitoredFilesProcesses List<String>
    List of processes to be excluded from monitoring.
    exceptionalMonitoredFilesUsers List<String>
    List of users to be excluded from monitoring.
    monitoredFiles List<String>
    List of paths to be monitored.
    monitoredFilesAttributes Boolean
    Whether to monitor file attribute operations.
    monitoredFilesCreate Boolean
    Whether to monitor file create operations.
    monitoredFilesDelete Boolean
    Whether to monitor file delete operations.
    monitoredFilesModify Boolean
    Whether to monitor file modify operations.
    monitoredFilesProcesses List<String>
    List of processes associated with monitored files.
    monitoredFilesRead Boolean
    Whether to monitor file read operations.
    monitoredFilesUsers List<String>
    List of users associated with monitored files.

    ContainerRuntimePolicyLimitContainerPrivilege, ContainerRuntimePolicyLimitContainerPrivilegeArgs

    BlockAddCapabilities bool
    Whether to block adding capabilities.
    Enabled bool
    Whether container privilege limitations are enabled.
    Ipcmode bool
    Whether to limit IPC-related capabilities.
    Netmode bool
    Whether to limit network-related capabilities.
    Pidmode bool
    Whether to limit process-related capabilities.
    PreventLowPortBinding bool
    Whether to prevent low port binding.
    PreventRootUser bool
    Whether to prevent the use of the root user.
    Privileged bool
    Whether the container is run in privileged mode.
    UseHostUser bool
    Whether to use the host user.
    Usermode bool
    Whether to limit user-related capabilities.
    Utsmode bool
    Whether to limit UTS-related capabilities.
    BlockAddCapabilities bool
    Whether to block adding capabilities.
    Enabled bool
    Whether container privilege limitations are enabled.
    Ipcmode bool
    Whether to limit IPC-related capabilities.
    Netmode bool
    Whether to limit network-related capabilities.
    Pidmode bool
    Whether to limit process-related capabilities.
    PreventLowPortBinding bool
    Whether to prevent low port binding.
    PreventRootUser bool
    Whether to prevent the use of the root user.
    Privileged bool
    Whether the container is run in privileged mode.
    UseHostUser bool
    Whether to use the host user.
    Usermode bool
    Whether to limit user-related capabilities.
    Utsmode bool
    Whether to limit UTS-related capabilities.
    blockAddCapabilities Boolean
    Whether to block adding capabilities.
    enabled Boolean
    Whether container privilege limitations are enabled.
    ipcmode Boolean
    Whether to limit IPC-related capabilities.
    netmode Boolean
    Whether to limit network-related capabilities.
    pidmode Boolean
    Whether to limit process-related capabilities.
    preventLowPortBinding Boolean
    Whether to prevent low port binding.
    preventRootUser Boolean
    Whether to prevent the use of the root user.
    privileged Boolean
    Whether the container is run in privileged mode.
    useHostUser Boolean
    Whether to use the host user.
    usermode Boolean
    Whether to limit user-related capabilities.
    utsmode Boolean
    Whether to limit UTS-related capabilities.
    blockAddCapabilities boolean
    Whether to block adding capabilities.
    enabled boolean
    Whether container privilege limitations are enabled.
    ipcmode boolean
    Whether to limit IPC-related capabilities.
    netmode boolean
    Whether to limit network-related capabilities.
    pidmode boolean
    Whether to limit process-related capabilities.
    preventLowPortBinding boolean
    Whether to prevent low port binding.
    preventRootUser boolean
    Whether to prevent the use of the root user.
    privileged boolean
    Whether the container is run in privileged mode.
    useHostUser boolean
    Whether to use the host user.
    usermode boolean
    Whether to limit user-related capabilities.
    utsmode boolean
    Whether to limit UTS-related capabilities.
    block_add_capabilities bool
    Whether to block adding capabilities.
    enabled bool
    Whether container privilege limitations are enabled.
    ipcmode bool
    Whether to limit IPC-related capabilities.
    netmode bool
    Whether to limit network-related capabilities.
    pidmode bool
    Whether to limit process-related capabilities.
    prevent_low_port_binding bool
    Whether to prevent low port binding.
    prevent_root_user bool
    Whether to prevent the use of the root user.
    privileged bool
    Whether the container is run in privileged mode.
    use_host_user bool
    Whether to use the host user.
    usermode bool
    Whether to limit user-related capabilities.
    utsmode bool
    Whether to limit UTS-related capabilities.
    blockAddCapabilities Boolean
    Whether to block adding capabilities.
    enabled Boolean
    Whether container privilege limitations are enabled.
    ipcmode Boolean
    Whether to limit IPC-related capabilities.
    netmode Boolean
    Whether to limit network-related capabilities.
    pidmode Boolean
    Whether to limit process-related capabilities.
    preventLowPortBinding Boolean
    Whether to prevent low port binding.
    preventRootUser Boolean
    Whether to prevent the use of the root user.
    privileged Boolean
    Whether the container is run in privileged mode.
    useHostUser Boolean
    Whether to use the host user.
    usermode Boolean
    Whether to limit user-related capabilities.
    utsmode Boolean
    Whether to limit UTS-related capabilities.

    ContainerRuntimePolicyLinuxCapabilities, ContainerRuntimePolicyLinuxCapabilitiesArgs

    enabled Boolean
    removeLinuxCapabilities List<String>
    enabled Boolean
    removeLinuxCapabilities List<String>

    ContainerRuntimePolicyMalwareScanOptions, ContainerRuntimePolicyMalwareScanOptionsArgs

    Action string
    Set Action, Defaults to 'Alert' when empty
    Enabled bool
    Defines if enabled or not
    ExcludeDirectories List<string>
    List of registry paths to be excluded from being protected.
    ExcludeProcesses List<string>
    List of registry processes to be excluded from being protected.
    IncludeDirectories List<string>
    List of registry paths to be excluded from being protected.
    Action string
    Set Action, Defaults to 'Alert' when empty
    Enabled bool
    Defines if enabled or not
    ExcludeDirectories []string
    List of registry paths to be excluded from being protected.
    ExcludeProcesses []string
    List of registry processes to be excluded from being protected.
    IncludeDirectories []string
    List of registry paths to be excluded from being protected.
    action String
    Set Action, Defaults to 'Alert' when empty
    enabled Boolean
    Defines if enabled or not
    excludeDirectories List<String>
    List of registry paths to be excluded from being protected.
    excludeProcesses List<String>
    List of registry processes to be excluded from being protected.
    includeDirectories List<String>
    List of registry paths to be excluded from being protected.
    action string
    Sets the action to take; defaults to 'Alert' when empty.
    enabled boolean
    Whether this option is enabled.
    excludeDirectories string[]
    List of registry paths to be excluded from being protected.
    excludeProcesses string[]
    List of registry processes to be excluded from being protected.
    includeDirectories string[]
    List of registry paths to be excluded from being protected.
    action str
    Sets the action to take; defaults to 'Alert' when empty.
    enabled bool
    Whether this option is enabled.
    exclude_directories Sequence[str]
    List of registry paths to be excluded from being protected.
    exclude_processes Sequence[str]
    List of registry processes to be excluded from being protected.
    include_directories Sequence[str]
    List of registry paths to be excluded from being protected.
    action String
    Sets the action to take; defaults to 'Alert' when empty.
    enabled Boolean
    Whether this option is enabled.
    excludeDirectories List<String>
    List of registry paths to be excluded from being protected.
    excludeProcesses List<String>
    List of registry processes to be excluded from being protected.
    includeDirectories List<String>
    List of registry paths to be excluded from being protected.

    ContainerRuntimePolicyPackageBlock, ContainerRuntimePolicyPackageBlockArgs

    ContainerRuntimePolicyPortBlock, ContainerRuntimePolicyPortBlockArgs

    BlockInboundPorts List<string>
    BlockOutboundPorts List<string>
    Enabled bool
    blockInboundPorts List<String>
    blockOutboundPorts List<String>
    enabled Boolean
    block_inbound_ports Sequence[str]
    block_outbound_ports Sequence[str]
    enabled bool
    blockInboundPorts List<String>
    blockOutboundPorts List<String>
    enabled Boolean

    ContainerRuntimePolicyReadonlyFiles, ContainerRuntimePolicyReadonlyFilesArgs

    ContainerRuntimePolicyReadonlyRegistry, ContainerRuntimePolicyReadonlyRegistryArgs

    ContainerRuntimePolicyRegistryAccessMonitoring, ContainerRuntimePolicyRegistryAccessMonitoringArgs

    ContainerRuntimePolicyRestrictedVolume, ContainerRuntimePolicyRestrictedVolumeArgs

    Enabled bool
    Whether restricted volumes are enabled.
    Volumes List<string>
    List of restricted volumes.
    Enabled bool
    Whether restricted volumes are enabled.
    Volumes []string
    List of restricted volumes.
    enabled Boolean
    Whether restricted volumes are enabled.
    volumes List<String>
    List of restricted volumes.
    enabled boolean
    Whether restricted volumes are enabled.
    volumes string[]
    List of restricted volumes.
    enabled bool
    Whether restricted volumes are enabled.
    volumes Sequence[str]
    List of restricted volumes.
    enabled Boolean
    Whether restricted volumes are enabled.
    volumes List<String>
    List of restricted volumes.

    ContainerRuntimePolicyReverseShell, ContainerRuntimePolicyReverseShellArgs

    ContainerRuntimePolicyScope, ContainerRuntimePolicyScopeArgs

    Expression string
    Scope expression.
    Variables []ContainerRuntimePolicyScopeVariable
    List of variables in the scope.
    expression String
    Scope expression.
    variables List<ContainerRuntimePolicyScopeVariable>
    List of variables in the scope.
    expression string
    Scope expression.
    variables ContainerRuntimePolicyScopeVariable[]
    List of variables in the scope.
    expression str
    Scope expression.
    variables Sequence[ContainerRuntimePolicyScopeVariable]
    List of variables in the scope.
    expression String
    Scope expression.
    variables List<Property Map>
    List of variables in the scope.

    ContainerRuntimePolicyScopeVariable, ContainerRuntimePolicyScopeVariableArgs

    Attribute string
    Class of supported scope.
    Value string
    Value assigned to the attribute.
    Name string
    Name assigned to the attribute.
    Attribute string
    Class of supported scope.
    Value string
    Value assigned to the attribute.
    Name string
    Name assigned to the attribute.
    attribute String
    Class of supported scope.
    value String
    Value assigned to the attribute.
    name String
    Name assigned to the attribute.
    attribute string
    Class of supported scope.
    value string
    Value assigned to the attribute.
    name string
    Name assigned to the attribute.
    attribute str
    Class of supported scope.
    value str
    Value assigned to the attribute.
    name str
    Name assigned to the attribute.
    attribute String
    Class of supported scope.
    value String
    Value assigned to the attribute.
    name String
    Name assigned to the attribute.

    ContainerRuntimePolicySystemIntegrityProtection, ContainerRuntimePolicySystemIntegrityProtectionArgs

    ContainerRuntimePolicyTripwire, ContainerRuntimePolicyTripwireArgs

    ApplyOns List<string>
    Enabled bool
    ServerlessApp string
    UserId string
    UserPassword string
    ApplyOns []string
    Enabled bool
    ServerlessApp string
    UserId string
    UserPassword string
    applyOns List<String>
    enabled Boolean
    serverlessApp String
    userId String
    userPassword String
    applyOns string[]
    enabled boolean
    serverlessApp string
    userId string
    userPassword string
    applyOns List<String>
    enabled Boolean
    serverlessApp String
    userId String
    userPassword String

    ContainerRuntimePolicyWhitelistedOsUsers, ContainerRuntimePolicyWhitelistedOsUsersArgs

    Enabled bool
    GroupWhiteLists List<string>
    UserWhiteLists List<string>
    enabled Boolean
    groupWhiteLists List<String>
    userWhiteLists List<String>
    enabled boolean
    groupWhiteLists string[]
    userWhiteLists string[]
    enabled bool
    group_white_lists Sequence[str]
    user_white_lists Sequence[str]
    enabled Boolean
    groupWhiteLists List<String>
    userWhiteLists List<String>

    Package Details

    Repository
    aquasec pulumiverse/pulumi-aquasec
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aquasec Terraform Provider.