aquasec.ContainerRuntimePolicy
Example Usage
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aquasec = Pulumiverse.Aquasec;
return await Deployment.RunAsync(() =>
{
    // File integrity monitoring: watch the listed paths/processes/users for
    // every event type, minus the excluded ones.
    var fileIntegrityMonitoring = new Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs
    {
        ExcludedPaths = new[] { "expaths" },
        ExcludedProcesses = new[] { "exprocess" },
        ExcludedUsers = new[] { "expuser" },
        MonitorAttributes = true,
        MonitorCreate = true,
        MonitorDelete = true,
        MonitorModify = true,
        MonitorRead = true,
        MonitoredPaths = new[] { "paths" },
        MonitoredProcesses = new[] { "process" },
        MonitoredUsers = new[] { "user" },
    };

    // "alert" presumably reports findings only — confirm the accepted
    // actions in the Aqua docs.
    var malwareScanOptions = new Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptionsArgs
    {
        Action = "alert",
        Enabled = true,
    };

    // Combined by ScopeExpression "v1 || v2" below (presumably v1/v2 refer
    // to these variables in declaration order — confirm with Aqua).
    var scopeVariables = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
        {
            Attribute = "kubernetes.cluster",
            Value = "default",
        },
        new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
        {
            Attribute = "kubernetes.label",
            Name = "app",
            Value = "aqua",
        },
    };

    // Every audit/block control is switched on, but Enforce stays false:
    // the Enforce input is documented as "not just for audit" only when
    // true, so the Block* settings report rather than prevent here, and
    // LimitNewPrivileges is documented as taking effect only in enforce mode.
    var containerRuntimePolicy = new Aquasec.ContainerRuntimePolicy("containerRuntimePolicy", new()
    {
        // Allow lists ("exe", "registry1", "ip1", ... are placeholders).
        AllowedExecutables = new[] { "exe", "bin" },
        AllowedRegistries = new[] { "registry1", "registry2" },
        ApplicationScopes = new[] { "Global" },
        ContainerExecAllowedProcesses = new[] { "proc1", "proc2" },
        ReverseShellAllowedIps = new[] { "ip1", "ip2" },
        ReverseShellAllowedProcesses = new[] { "proc1", "proc2" },
        ExceptionalReadonlyFilesAndDirectories = new[] { "readonly2", "/dir2/" },

        // Audit controls.
        AuditAllNetworkActivity = true,
        AuditAllProcessesActivity = true,
        AuditFullCommandArguments = true,
        MonitorSystemTimeChanges = true,

        // Block controls.
        BlockAccessHostNetwork = true,
        BlockAddingCapabilities = true,
        BlockContainerExec = true,
        BlockCryptocurrencyMining = true,
        BlockFilelessExec = true,
        BlockLowPortBinding = true,
        BlockNonCompliantImages = true,
        BlockNonCompliantWorkloads = true,
        BlockNonK8sContainers = true,
        BlockPrivilegedContainers = true,
        BlockReverseShell = true,
        BlockRootUser = true,
        BlockUnregisteredImages = true,
        BlockUseIpcNamespace = true,
        BlockUsePidNamespace = true,
        BlockUseUserNamespace = true,
        BlockUseUtsNamespace = true,

        // Block lists (ports are strings in this schema).
        BlockedCapabilities = new[] { "AUDIT_CONTROL", "AUDIT_WRITE" },
        BlockedExecutables = new[] { "exe1", "exe2" },
        BlockedFiles = new[] { "test1", "test2" },
        BlockedInboundPorts = new[] { "80", "8080" },
        BlockedOutboundPorts = new[] { "90", "9090" },
        BlockedPackages = new[] { "pkg", "pkg2" },
        BlockedVolumes = new[] { "blocked", "vol" },
        ReadonlyFilesAndDirectories = new[] { "readonly", "/dir/" },

        // Detection features.
        EnableDriftPrevention = true,
        EnableForkGuard = true,
        ForkGuardProcessLimit = 13,
        EnableIpReputationSecurity = true,
        EnablePortScanDetection = true,
        LimitNewPrivileges = true,
        FileIntegrityMonitoring = fileIntegrityMonitoring,
        MalwareScanOptions = malwareScanOptions,

        Description = "container_runtime_policy",
        Enabled = true,
        Enforce = false,

        ScopeExpression = "v1 || v2",
        ScopeVariables = scopeVariables,
    });
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// strs wraps plain literals as a pulumi.StringArray so each list
		// field below fits on one line.
		strs := func(values ...string) pulumi.StringArray {
			arr := make(pulumi.StringArray, 0, len(values))
			for _, v := range values {
				arr = append(arr, pulumi.String(v))
			}
			return arr
		}

		// File integrity monitoring: watch the listed paths/processes/users
		// for every event type, minus the excluded ones.
		fileIntegrityMonitoring := &aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs{
			ExcludedPaths:      strs("expaths"),
			ExcludedProcesses:  strs("exprocess"),
			ExcludedUsers:      strs("expuser"),
			MonitorAttributes:  pulumi.Bool(true),
			MonitorCreate:      pulumi.Bool(true),
			MonitorDelete:      pulumi.Bool(true),
			MonitorModify:      pulumi.Bool(true),
			MonitorRead:        pulumi.Bool(true),
			MonitoredPaths:     strs("paths"),
			MonitoredProcesses: strs("process"),
			MonitoredUsers:     strs("user"),
		}

		// "alert" presumably reports findings only; confirm the accepted
		// actions in the Aqua docs.
		malwareScanOptions := &aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs{
			Action:  pulumi.String("alert"),
			Enabled: pulumi.Bool(true),
		}

		// Combined by ScopeExpression "v1 || v2" (presumably v1/v2 refer to
		// these variables in declaration order; confirm with Aqua).
		scopeVariables := aquasec.ContainerRuntimePolicyScopeVariableArray{
			&aquasec.ContainerRuntimePolicyScopeVariableArgs{
				Attribute: pulumi.String("kubernetes.cluster"),
				Value:     pulumi.String("default"),
			},
			&aquasec.ContainerRuntimePolicyScopeVariableArgs{
				Attribute: pulumi.String("kubernetes.label"),
				Name:      pulumi.String("app"),
				Value:     pulumi.String("aqua"),
			},
		}

		// Every audit/block control is on, but Enforce stays false: the
		// Enforce input is documented as "not just for audit" only when true,
		// so the Block* settings report rather than prevent here, and
		// LimitNewPrivileges is documented as enforce-mode only.
		args := &aquasec.ContainerRuntimePolicyArgs{
			// Allow lists (exe, registry1, ip1, ... are placeholders).
			AllowedExecutables:                     strs("exe", "bin"),
			AllowedRegistries:                      strs("registry1", "registry2"),
			ApplicationScopes:                      strs("Global"),
			ContainerExecAllowedProcesses:          strs("proc1", "proc2"),
			ReverseShellAllowedIps:                 strs("ip1", "ip2"),
			ReverseShellAllowedProcesses:           strs("proc1", "proc2"),
			ExceptionalReadonlyFilesAndDirectories: strs("readonly2", "/dir2/"),

			// Audit controls.
			AuditAllNetworkActivity:   pulumi.Bool(true),
			AuditAllProcessesActivity: pulumi.Bool(true),
			AuditFullCommandArguments: pulumi.Bool(true),
			MonitorSystemTimeChanges:  pulumi.Bool(true),

			// Block controls.
			BlockAccessHostNetwork:     pulumi.Bool(true),
			BlockAddingCapabilities:    pulumi.Bool(true),
			BlockContainerExec:         pulumi.Bool(true),
			BlockCryptocurrencyMining:  pulumi.Bool(true),
			BlockFilelessExec:          pulumi.Bool(true),
			BlockLowPortBinding:        pulumi.Bool(true),
			BlockNonCompliantImages:    pulumi.Bool(true),
			BlockNonCompliantWorkloads: pulumi.Bool(true),
			BlockNonK8sContainers:      pulumi.Bool(true),
			BlockPrivilegedContainers:  pulumi.Bool(true),
			BlockReverseShell:          pulumi.Bool(true),
			BlockRootUser:              pulumi.Bool(true),
			BlockUnregisteredImages:    pulumi.Bool(true),
			BlockUseIpcNamespace:       pulumi.Bool(true),
			BlockUsePidNamespace:       pulumi.Bool(true),
			BlockUseUserNamespace:      pulumi.Bool(true),
			BlockUseUtsNamespace:       pulumi.Bool(true),

			// Block lists (ports are strings in this schema).
			BlockedCapabilities:         strs("AUDIT_CONTROL", "AUDIT_WRITE"),
			BlockedExecutables:          strs("exe1", "exe2"),
			BlockedFiles:                strs("test1", "test2"),
			BlockedInboundPorts:         strs("80", "8080"),
			BlockedOutboundPorts:        strs("90", "9090"),
			BlockedPackages:             strs("pkg", "pkg2"),
			BlockedVolumes:              strs("blocked", "vol"),
			ReadonlyFilesAndDirectories: strs("readonly", "/dir/"),

			// Detection features.
			EnableDriftPrevention:      pulumi.Bool(true),
			EnableForkGuard:            pulumi.Bool(true),
			ForkGuardProcessLimit:      pulumi.Int(13),
			EnableIpReputationSecurity: pulumi.Bool(true),
			EnablePortScanDetection:    pulumi.Bool(true),
			LimitNewPrivileges:         pulumi.Bool(true),
			FileIntegrityMonitoring:    fileIntegrityMonitoring,
			MalwareScanOptions:         malwareScanOptions,

			Description: pulumi.String("container_runtime_policy"),
			Enabled:     pulumi.Bool(true),
			Enforce:     pulumi.Bool(false),

			ScopeExpression: pulumi.String("v1 || v2"),
			ScopeVariables:  scopeVariables,
		}

		_, err := aquasec.NewContainerRuntimePolicy(ctx, "containerRuntimePolicy", args)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.ContainerRuntimePolicy;
import com.pulumi.aquasec.ContainerRuntimePolicyArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyMalwareScanOptionsArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyScopeVariableArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
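public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Registers an example container runtime policy with every audit and
     * block control switched on. {@code enforce(false)} keeps it in audit
     * mode (the Enforce input is documented as "not just for audit" only when
     * true), so the block* settings report rather than prevent here, and
     * limitNewPrivileges is documented as taking effect only in enforce mode.
     *
     * @param ctx the deployment context handed to the stack by Pulumi
     */
    public static void stack(Context ctx) {
        // File integrity monitoring: watch the listed paths/processes/users
        // for every event type, minus the excluded ones.
        var fileIntegrityMonitoring = ContainerRuntimePolicyFileIntegrityMonitoringArgs.builder()
                .excludedPaths("expaths")
                .excludedProcesses("exprocess")
                .excludedUsers("expuser")
                .monitorAttributes(true)
                .monitorCreate(true)
                .monitorDelete(true)
                .monitorModify(true)
                .monitorRead(true)
                .monitoredPaths("paths")
                .monitoredProcesses("process")
                .monitoredUsers("user")
                .build();

        // "alert" presumably reports findings only; confirm the accepted
        // actions in the Aqua docs.
        var malwareScanOptions = ContainerRuntimePolicyMalwareScanOptionsArgs.builder()
                .action("alert")
                .enabled(true)
                .build();

        var containerRuntimePolicy = new ContainerRuntimePolicy("containerRuntimePolicy", ContainerRuntimePolicyArgs.builder()
                // Allow lists ("exe", "registry1", "ip1", ... are placeholders).
                .allowedExecutables("exe", "bin")
                .allowedRegistries("registry1", "registry2")
                .applicationScopes("Global")
                .auditAllNetworkActivity(true)
                .auditAllProcessesActivity(true)
                .auditFullCommandArguments(true)
                .blockAccessHostNetwork(true)
                .blockAddingCapabilities(true)
                .blockContainerExec(true)
                .blockCryptocurrencyMining(true)
                .blockFilelessExec(true)
                .blockLowPortBinding(true)
                .blockNonCompliantImages(true)
                .blockNonCompliantWorkloads(true)
                .blockNonK8sContainers(true)
                .blockPrivilegedContainers(true)
                .blockReverseShell(true)
                .blockRootUser(true)
                .blockUnregisteredImages(true)
                .blockUseIpcNamespace(true)
                .blockUsePidNamespace(true)
                .blockUseUserNamespace(true)
                .blockUseUtsNamespace(true)
                .blockedCapabilities("AUDIT_CONTROL", "AUDIT_WRITE")
                .blockedExecutables("exe1", "exe2")
                .blockedFiles("test1", "test2")
                // Ports are strings in this schema.
                .blockedInboundPorts("80", "8080")
                .blockedOutboundPorts("90", "9090")
                .blockedPackages("pkg", "pkg2")
                .blockedVolumes("blocked", "vol")
                .containerExecAllowedProcesses("proc1", "proc2")
                .description("container_runtime_policy")
                .enableDriftPrevention(true)
                .enableForkGuard(true)
                .enableIpReputationSecurity(true)
                .enablePortScanDetection(true)
                .enabled(true)
                .enforce(false)
                .exceptionalReadonlyFilesAndDirectories("readonly2", "/dir2/")
                .fileIntegrityMonitoring(fileIntegrityMonitoring)
                .forkGuardProcessLimit(13)
                .limitNewPrivileges(true)
                .malwareScanOptions(malwareScanOptions)
                // Boolean input, as in the other language examples; the
                // previous String "true" did not match the builder's type.
                .monitorSystemTimeChanges(true)
                .readonlyFilesAndDirectories("readonly", "/dir/")
                .reverseShellAllowedIps("ip1", "ip2")
                .reverseShellAllowedProcesses("proc1", "proc2")
                // Presumably v1/v2 refer to the scope variables below in
                // declaration order; confirm with Aqua.
                .scopeExpression("v1 || v2")
                .scopeVariables(
                        ContainerRuntimePolicyScopeVariableArgs.builder()
                                .attribute("kubernetes.cluster")
                                .value("default")
                                .build(),
                        ContainerRuntimePolicyScopeVariableArgs.builder()
                                .attribute("kubernetes.label")
                                .name("app")
                                .value("aqua")
                                .build())
                .build());
    }
}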
import pulumi
import pulumiverse_aquasec as aquasec
# File integrity monitoring: watch the listed paths/processes/users for every
# event type, minus the excluded ones.
file_integrity_monitoring = aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs(
    excluded_paths=["expaths"],
    excluded_processes=["exprocess"],
    excluded_users=["expuser"],
    monitor_attributes=True,
    monitor_create=True,
    monitor_delete=True,
    monitor_modify=True,
    monitor_read=True,
    monitored_paths=["paths"],
    monitored_processes=["process"],
    monitored_users=["user"],
)

# "alert" presumably reports findings only; confirm the accepted actions in
# the Aqua docs.
malware_scan_options = aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs(
    action="alert",
    enabled=True,
)

# Combined by scope_expression "v1 || v2" (presumably v1/v2 refer to these
# variables in declaration order; confirm with Aqua).
scope_variables = [
    aquasec.ContainerRuntimePolicyScopeVariableArgs(
        attribute="kubernetes.cluster",
        value="default",
    ),
    aquasec.ContainerRuntimePolicyScopeVariableArgs(
        attribute="kubernetes.label",
        name="app",
        value="aqua",
    ),
]

# Every audit/block control is on, but enforce stays False: the enforce input
# is documented as "not just for audit" only when True, so the block_* flags
# report rather than prevent here, and limit_new_privileges is documented as
# taking effect only in enforce mode.
container_runtime_policy = aquasec.ContainerRuntimePolicy(
    "containerRuntimePolicy",
    # Allow lists ("exe", "registry1", "ip1", ... are placeholders).
    allowed_executables=["exe", "bin"],
    allowed_registries=["registry1", "registry2"],
    application_scopes=["Global"],
    container_exec_allowed_processes=["proc1", "proc2"],
    reverse_shell_allowed_ips=["ip1", "ip2"],
    reverse_shell_allowed_processes=["proc1", "proc2"],
    exceptional_readonly_files_and_directories=["readonly2", "/dir2/"],
    # Audit controls.
    audit_all_network_activity=True,
    audit_all_processes_activity=True,
    audit_full_command_arguments=True,
    monitor_system_time_changes=True,
    # Block controls.
    block_access_host_network=True,
    block_adding_capabilities=True,
    block_container_exec=True,
    block_cryptocurrency_mining=True,
    block_fileless_exec=True,
    block_low_port_binding=True,
    block_non_compliant_images=True,
    block_non_compliant_workloads=True,
    block_non_k8s_containers=True,
    block_privileged_containers=True,
    block_reverse_shell=True,
    block_root_user=True,
    block_unregistered_images=True,
    block_use_ipc_namespace=True,
    block_use_pid_namespace=True,
    block_use_user_namespace=True,
    block_use_uts_namespace=True,
    # Block lists (ports are strings in this schema).
    blocked_capabilities=["AUDIT_CONTROL", "AUDIT_WRITE"],
    blocked_executables=["exe1", "exe2"],
    blocked_files=["test1", "test2"],
    blocked_inbound_ports=["80", "8080"],
    blocked_outbound_ports=["90", "9090"],
    blocked_packages=["pkg", "pkg2"],
    blocked_volumes=["blocked", "vol"],
    readonly_files_and_directories=["readonly", "/dir/"],
    # Detection features.
    enable_drift_prevention=True,
    enable_fork_guard=True,
    fork_guard_process_limit=13,
    enable_ip_reputation_security=True,
    enable_port_scan_detection=True,
    limit_new_privileges=True,
    file_integrity_monitoring=file_integrity_monitoring,
    malware_scan_options=malware_scan_options,
    description="container_runtime_policy",
    enabled=True,
    enforce=False,
    scope_expression="v1 || v2",
    scope_variables=scope_variables,
)
import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumiverse/aquasec";
// File integrity monitoring: watch the listed paths/processes/users for every
// event type, minus the excluded ones.
const fileIntegrityMonitoring = {
    excludedPaths: ["expaths"],
    excludedProcesses: ["exprocess"],
    excludedUsers: ["expuser"],
    monitorAttributes: true,
    monitorCreate: true,
    monitorDelete: true,
    monitorModify: true,
    monitorRead: true,
    monitoredPaths: ["paths"],
    monitoredProcesses: ["process"],
    monitoredUsers: ["user"],
};

// "alert" presumably reports findings only; confirm the accepted actions in
// the Aqua docs.
const malwareScanOptions = {
    action: "alert",
    enabled: true,
};

// Combined by scopeExpression "v1 || v2" (presumably v1/v2 refer to these
// variables in declaration order; confirm with Aqua).
const scopeVariables = [
    { attribute: "kubernetes.cluster", value: "default" },
    { attribute: "kubernetes.label", name: "app", value: "aqua" },
];

// Every audit/block control is on, but enforce stays false: the enforce input
// is documented as "not just for audit" only when true, so the block* settings
// report rather than prevent here, and limitNewPrivileges is documented as
// taking effect only in enforce mode.
const containerRuntimePolicy = new aquasec.ContainerRuntimePolicy("containerRuntimePolicy", {
    // Allow lists ("exe", "registry1", "ip1", ... are placeholders).
    allowedExecutables: ["exe", "bin"],
    allowedRegistries: ["registry1", "registry2"],
    applicationScopes: ["Global"],
    containerExecAllowedProcesses: ["proc1", "proc2"],
    reverseShellAllowedIps: ["ip1", "ip2"],
    reverseShellAllowedProcesses: ["proc1", "proc2"],
    exceptionalReadonlyFilesAndDirectories: ["readonly2", "/dir2/"],

    // Audit controls.
    auditAllNetworkActivity: true,
    auditAllProcessesActivity: true,
    auditFullCommandArguments: true,
    monitorSystemTimeChanges: true,

    // Block controls.
    blockAccessHostNetwork: true,
    blockAddingCapabilities: true,
    blockContainerExec: true,
    blockCryptocurrencyMining: true,
    blockFilelessExec: true,
    blockLowPortBinding: true,
    blockNonCompliantImages: true,
    blockNonCompliantWorkloads: true,
    blockNonK8sContainers: true,
    blockPrivilegedContainers: true,
    blockReverseShell: true,
    blockRootUser: true,
    blockUnregisteredImages: true,
    blockUseIpcNamespace: true,
    blockUsePidNamespace: true,
    blockUseUserNamespace: true,
    blockUseUtsNamespace: true,

    // Block lists (ports are strings in this schema).
    blockedCapabilities: ["AUDIT_CONTROL", "AUDIT_WRITE"],
    blockedExecutables: ["exe1", "exe2"],
    blockedFiles: ["test1", "test2"],
    blockedInboundPorts: ["80", "8080"],
    blockedOutboundPorts: ["90", "9090"],
    blockedPackages: ["pkg", "pkg2"],
    blockedVolumes: ["blocked", "vol"],
    readonlyFilesAndDirectories: ["readonly", "/dir/"],

    // Detection features.
    enableDriftPrevention: true,
    enableForkGuard: true,
    forkGuardProcessLimit: 13,
    enableIpReputationSecurity: true,
    enablePortScanDetection: true,
    limitNewPrivileges: true,
    fileIntegrityMonitoring: fileIntegrityMonitoring,
    malwareScanOptions: malwareScanOptions,

    description: "container_runtime_policy",
    enabled: true,
    enforce: false,

    scopeExpression: "v1 || v2",
    scopeVariables: scopeVariables,
});
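resources:
  containerRuntimePolicy:
    type: aquasec:ContainerRuntimePolicy
    properties:
      # Allow lists (exe, registry1, ip1, ... are placeholders).
      allowedExecutables:
        - exe
        - bin
      allowedRegistries:
        - registry1
        - registry2
      applicationScopes:
        - Global
      auditAllNetworkActivity: true
      auditAllProcessesActivity: true
      auditFullCommandArguments: true
      blockAccessHostNetwork: true
      blockAddingCapabilities: true
      blockContainerExec: true
      blockCryptocurrencyMining: true
      blockFilelessExec: true
      blockLowPortBinding: true
      blockNonCompliantImages: true
      blockNonCompliantWorkloads: true
      blockNonK8sContainers: true
      blockPrivilegedContainers: true
      blockReverseShell: true
      blockRootUser: true
      blockUnregisteredImages: true
      blockUseIpcNamespace: true
      blockUsePidNamespace: true
      blockUseUserNamespace: true
      blockUseUtsNamespace: true
      blockedCapabilities:
        - AUDIT_CONTROL
        - AUDIT_WRITE
      blockedExecutables:
        - exe1
        - exe2
      blockedFiles:
        - test1
        - test2
      # Ports are strings in this schema, hence the quotes.
      blockedInboundPorts:
        - '80'
        - '8080'
      blockedOutboundPorts:
        - '90'
        - '9090'
      blockedPackages:
        - pkg
        - pkg2
      blockedVolumes:
        - blocked
        - vol
      containerExecAllowedProcesses:
        - proc1
        - proc2
      description: container_runtime_policy
      enableDriftPrevention: true
      enableForkGuard: true
      enableIpReputationSecurity: true
      enablePortScanDetection: true
      enabled: true
      # false keeps the policy in audit mode (the Enforce input is "not just
      # for audit" only when true): the block* settings report rather than
      # prevent, and limitNewPrivileges is documented as enforce-mode only.
      enforce: false
      exceptionalReadonlyFilesAndDirectories:
        - readonly2
        - /dir2/
      fileIntegrityMonitoring:
        excludedPaths:
          - expaths
        excludedProcesses:
          - exprocess
        excludedUsers:
          - expuser
        monitorAttributes: true
        monitorCreate: true
        monitorDelete: true
        monitorModify: true
        monitorRead: true
        monitoredPaths:
          - paths
        monitoredProcesses:
          - process
        monitoredUsers:
          - user
      forkGuardProcessLimit: 13
      limitNewPrivileges: true
      malwareScanOptions:
        # "alert" presumably reports findings only; confirm the accepted
        # actions in the Aqua docs.
        action: alert
        enabled: true
      # Boolean input, as in the other language examples; was the quoted
      # string 'true'.
      monitorSystemTimeChanges: true
      readonlyFilesAndDirectories:
        - readonly
        - /dir/
      reverseShellAllowedIps:
        - ip1
        - ip2
      reverseShellAllowedProcesses:
        - proc1
        - proc2
      # Presumably v1/v2 refer to the scope variables below in declaration
      # order; confirm with Aqua.
      scopeExpression: v1 || v2
      scopeVariables:
        - attribute: kubernetes.cluster
          value: default
        - attribute: kubernetes.label
          name: app
          value: aqua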
Create ContainerRuntimePolicy Resource
new ContainerRuntimePolicy(name: string, args?: ContainerRuntimePolicyArgs, opts?: CustomResourceOptions);
@overload
def ContainerRuntimePolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
allowed_executables: Optional[Sequence[str]] = None,
allowed_registries: Optional[Sequence[str]] = None,
application_scopes: Optional[Sequence[str]] = None,
audit_all_network_activity: Optional[bool] = None,
audit_all_processes_activity: Optional[bool] = None,
audit_full_command_arguments: Optional[bool] = None,
block_access_host_network: Optional[bool] = None,
block_adding_capabilities: Optional[bool] = None,
block_container_exec: Optional[bool] = None,
block_cryptocurrency_mining: Optional[bool] = None,
block_fileless_exec: Optional[bool] = None,
block_low_port_binding: Optional[bool] = None,
block_non_compliant_images: Optional[bool] = None,
block_non_compliant_workloads: Optional[bool] = None,
block_non_k8s_containers: Optional[bool] = None,
block_privileged_containers: Optional[bool] = None,
block_reverse_shell: Optional[bool] = None,
block_root_user: Optional[bool] = None,
block_unregistered_images: Optional[bool] = None,
block_use_ipc_namespace: Optional[bool] = None,
block_use_pid_namespace: Optional[bool] = None,
block_use_user_namespace: Optional[bool] = None,
block_use_uts_namespace: Optional[bool] = None,
blocked_capabilities: Optional[Sequence[str]] = None,
blocked_executables: Optional[Sequence[str]] = None,
blocked_files: Optional[Sequence[str]] = None,
blocked_inbound_ports: Optional[Sequence[str]] = None,
blocked_outbound_ports: Optional[Sequence[str]] = None,
blocked_packages: Optional[Sequence[str]] = None,
blocked_volumes: Optional[Sequence[str]] = None,
container_exec_allowed_processes: Optional[Sequence[str]] = None,
description: Optional[str] = None,
enable_drift_prevention: Optional[bool] = None,
enable_fork_guard: Optional[bool] = None,
enable_ip_reputation_security: Optional[bool] = None,
enable_port_scan_detection: Optional[bool] = None,
enabled: Optional[bool] = None,
enforce: Optional[bool] = None,
enforce_after_days: Optional[int] = None,
exceptional_readonly_files_and_directories: Optional[Sequence[str]] = None,
exec_lockdown_white_lists: Optional[Sequence[str]] = None,
file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
fork_guard_process_limit: Optional[int] = None,
limit_new_privileges: Optional[bool] = None,
malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
monitor_system_time_changes: Optional[bool] = None,
name: Optional[str] = None,
readonly_files_and_directories: Optional[Sequence[str]] = None,
reverse_shell_allowed_ips: Optional[Sequence[str]] = None,
reverse_shell_allowed_processes: Optional[Sequence[str]] = None,
scope_expression: Optional[str] = None,
scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None)
@overload
def ContainerRuntimePolicy(resource_name: str,
args: Optional[ContainerRuntimePolicyArgs] = None,
opts: Optional[ResourceOptions] = None)
func NewContainerRuntimePolicy(ctx *Context, name string, args *ContainerRuntimePolicyArgs, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
public ContainerRuntimePolicy(string name, ContainerRuntimePolicyArgs? args = null, CustomResourceOptions? opts = null)
public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args)
public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args, CustomResourceOptions options)
type: aquasec:ContainerRuntimePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ContainerRuntimePolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
ContainerRuntimePolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The ContainerRuntimePolicy resource accepts the following input properties:
- AllowedExecutables (List<string>): List of executables that are allowed for the user.
- AllowedRegistries (List<string>): List of registries that are allowed for running containers.
- ApplicationScopes (List<string>): Indicates the application scope of the service.
- AuditAllNetworkActivity (bool): If true, all network activity will be audited.
- AuditAllProcessesActivity (bool): If true, all process activity will be audited.
- AuditFullCommandArguments (bool): If true, full command arguments will be audited.
- BlockAccessHostNetwork (bool): If true, prevent containers from running with access to the host network.
- BlockAddingCapabilities (bool): If true, prevent containers from running with capabilities added via the `--cap-add` privilege.
- BlockContainerExec (bool): If true, exec into a container is prevented.
- BlockCryptocurrencyMining (bool): Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- BlockFilelessExec (bool): Detect and prevent in-memory execution.
- BlockLowPortBinding (bool): If true, prevent containers from running with the capability to bind to ports lower than 1024.
- BlockNonCompliantImages (bool): If true, running a non-compliant image in the container is prevented.
- BlockNonCompliantWorkloads (bool): If true, running containers in non-compliant pods is prevented.
- BlockNonK8sContainers (bool): If true, running non-Kubernetes containers is prevented.
- BlockPrivilegedContainers (bool): If true, prevent containers from running with the privileged container capability.
- BlockReverseShell (bool): If true, reverse shells are prevented.
- BlockRootUser (bool): If true, prevent containers from running as the root user.
- BlockUnregisteredImages (bool): If true, running images that are not registered in Aqua is prevented.
- BlockUseIpcNamespace (bool): If true, prevent containers from running with the privilege to use the IPC namespace.
- BlockUsePidNamespace (bool): If true, prevent containers from running with the privilege to use the PID namespace.
- BlockUseUserNamespace (bool): If true, prevent containers from running with the privilege to use the user namespace.
- BlockUseUtsNamespace (bool): If true, prevent containers from running with the privilege to use the UTS namespace.
- BlockedCapabilities (List<string>): List of Unix capabilities that containers are prevented from using.
- BlockedExecutables (List<string>): List of executables that are prevented from running in containers.
- BlockedFiles (List<string>): List of files that are prevented from being read, modified and executed in the containers.
- BlockedInboundPorts (List<string>): List of blocked inbound ports.
- BlockedOutboundPorts (List<string>): List of blocked outbound ports.
- BlockedPackages (List<string>): Prevent containers from reading, writing, or executing all files in the listed packages.
- BlockedVolumes (List<string>): List of volumes that are prevented from being mounted in the containers.
- ContainerExecAllowedProcesses (List<string>): List of processes that will be allowed.
- Description (string): The description of the container runtime policy.
- EnableDriftPrevention (bool): If true, executables that are not in the original image are prevented from running.
- EnableForkGuard (bool): If true, fork bombs are prevented in the containers.
- EnableIpReputationSecurity (bool): If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- EnablePortScanDetection (bool): If true, detects port scanning behavior in the container.
- Enabled (bool): Indicates if the runtime policy is enabled or not.
- Enforce (bool): Indicates that the policy should affect container execution (not just audit it).
- EnforceAfterDays (int): Indicates the number of days after which the runtime policy will be changed to enforce mode.
- ExceptionalReadonlyFilesAndDirectories (List<string>): List of files and directories to be excluded from the read-only list.
- ExecLockdownWhiteLists (List<string>): Specify processes that will be allowed.
- FileIntegrityMonitoring (Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring): Configuration for file integrity monitoring.
- ForkGuardProcessLimit (int): Process limit for the fork guard.
- LimitNewPrivileges (bool): If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- MalwareScanOptions (Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions): Configuration for Real-Time Malware Protection.
- MonitorSystemTimeChanges (bool): If true, system time changes will be monitored.
- Name (string): Name of the container runtime policy.
- ReadonlyFilesAndDirectories (List<string>): List of files and directories to be restricted as read-only.
- ReverseShellAllowedIps (List<string>): List of IPs/CIDRs that will be allowed.
- ReverseShellAllowedProcesses (List<string>): List of processes that will be allowed.
- ScopeExpression (string): Logical expression of how to compute the dependency of the scope variables.
- ScopeVariables (List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>): List of scope attributes.
- AllowedExecutables ([]string): List of executables that are allowed for the user.
- AllowedRegistries ([]string): List of registries that are allowed for running containers.
- ApplicationScopes ([]string): Indicates the application scope of the service.
- AuditAllNetworkActivity (bool): If true, all network activity will be audited.
- AuditAllProcessesActivity (bool): If true, all process activity will be audited.
- AuditFullCommandArguments (bool): If true, full command arguments will be audited.
- BlockAccessHostNetwork (bool): If true, prevent containers from running with access to the host network.
- BlockAddingCapabilities (bool): If true, prevent containers from running with capabilities added via the `--cap-add` privilege.
- BlockContainerExec (bool): If true, exec into a container is prevented.
- BlockCryptocurrencyMining (bool): Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- BlockFilelessExec (bool): Detect and prevent in-memory execution.
- BlockLowPortBinding (bool): If true, prevent containers from running with the capability to bind to ports lower than 1024.
- BlockNonCompliantImages (bool): If true, running a non-compliant image in the container is prevented.
- BlockNonCompliantWorkloads (bool): If true, running containers in non-compliant pods is prevented.
- BlockNonK8sContainers (bool): If true, running non-Kubernetes containers is prevented.
- BlockPrivilegedContainers (bool): If true, prevent containers from running with the privileged container capability.
- BlockReverseShell (bool): If true, reverse shells are prevented.
- BlockRootUser (bool): If true, prevent containers from running as the root user.
- BlockUnregisteredImages (bool): If true, running images that are not registered in Aqua is prevented.
- BlockUseIpcNamespace (bool): If true, prevent containers from running with the privilege to use the IPC namespace.
- BlockUsePidNamespace (bool): If true, prevent containers from running with the privilege to use the PID namespace.
- BlockUseUserNamespace (bool): If true, prevent containers from running with the privilege to use the user namespace.
- BlockUseUtsNamespace (bool): If true, prevent containers from running with the privilege to use the UTS namespace.
- BlockedCapabilities ([]string): List of Unix capabilities that containers are prevented from using.
- BlockedExecutables ([]string): List of executables that are prevented from running in containers.
- BlockedFiles ([]string): List of files that are prevented from being read, modified and executed in the containers.
- BlockedInboundPorts ([]string): List of blocked inbound ports.
- BlockedOutboundPorts ([]string): List of blocked outbound ports.
- BlockedPackages ([]string): Prevent containers from reading, writing, or executing all files in the listed packages.
- BlockedVolumes ([]string): List of volumes that are prevented from being mounted in the containers.
- ContainerExecAllowedProcesses ([]string): List of processes that will be allowed.
- Description (string): The description of the container runtime policy.
- EnableDriftPrevention (bool): If true, executables that are not in the original image are prevented from running.
- EnableForkGuard (bool): If true, fork bombs are prevented in the containers.
- EnableIpReputationSecurity (bool): If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- EnablePortScanDetection (bool): If true, detects port scanning behavior in the container.
- Enabled (bool): Indicates if the runtime policy is enabled or not.
- Enforce (bool): Indicates that the policy should affect container execution (not just audit it).
- EnforceAfterDays (int): Indicates the number of days after which the runtime policy will be changed to enforce mode.
- ExceptionalReadonlyFilesAndDirectories ([]string): List of files and directories to be excluded from the read-only list.
- ExecLockdownWhiteLists ([]string): Specify processes that will be allowed.
- FileIntegrityMonitoring (ContainerRuntimePolicyFileIntegrityMonitoringArgs): Configuration for file integrity monitoring.
- ForkGuardProcessLimit (int): Process limit for the fork guard.
- LimitNewPrivileges (bool): If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- MalwareScanOptions (ContainerRuntimePolicyMalwareScanOptionsArgs): Configuration for Real-Time Malware Protection.
- MonitorSystemTimeChanges (bool): If true, system time changes will be monitored.
- Name (string): Name of the container runtime policy.
- ReadonlyFilesAndDirectories ([]string): List of files and directories to be restricted as read-only.
- ReverseShellAllowedIps ([]string): List of IPs/CIDRs that will be allowed.
- ReverseShellAllowedProcesses ([]string): List of processes that will be allowed.
- ScopeExpression (string): Logical expression of how to compute the dependency of the scope variables.
- ScopeVariables ([]ContainerRuntimePolicyScopeVariableArgs): List of scope attributes.
- allowed
Executables List<String> List of executables that are allowed for the user.
- allowed Registries List<String>
List of registries that are allowed for running containers.
- application
Scopes List<String> Indicates the application scope of the service.
- audit
All BooleanNetwork Activity If true, all network activity will be audited.
- audit
All BooleanProcesses Activity If true, all process activity will be audited.
- audit
Full BooleanCommand Arguments If true, full command arguments will be audited.
- block
Access BooleanHost Network If true, prevent containers from running with access to host network.
- block Adding Capabilities Boolean
If true, prevent containers from running with added capabilities via the --cap-add privilege.
- block Container Exec Boolean
If true, exec into a container is prevented.
- block
Cryptocurrency BooleanMining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Fileless BooleanExec Detect and prevent running in-memory execution
- block Low Port Binding Boolean
If true, prevent containers from running with the capability to bind to ports lower than 1024.
- block
Non BooleanCompliant Images If true, running non-compliant image in the container is prevented.
- block
Non BooleanCompliant Workloads If true, running containers in non-compliant pods is prevented.
- block
Non BooleanK8s Containers If true, running non-kubernetes containers is prevented.
- block
Privileged BooleanContainers If true, prevent containers from running with privileged container capability.
- block
Reverse BooleanShell If true, reverse shell is prevented.
- block
Root BooleanUser If true, prevent containers from running with root user.
- block
Unregistered BooleanImages If true, running images in the container that are not registered in Aqua is prevented.
- block
Use BooleanIpc Namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use BooleanPid Namespace If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use BooleanUser Namespace If true, prevent containers from running with the privilege to use the user namespace.
- block
Use BooleanUts Namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked Capabilities List<String>
List of Unix capabilities that containers are prevented from using.
- blocked
Executables List<String> List of executables that are prevented from running in containers.
- blocked
Files List<String> List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound List<String>Ports List of blocked inbound ports.
- blocked
Outbound List<String>Ports List of blocked outbound ports.
- blocked
Packages List<String> Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes List<String> List of volumes that are prevented from being mounted in the containers.
- container
Exec List<String>Allowed Processes List of processes that will be allowed.
- description String
The description of the container runtime policy
- enable Drift Prevention Boolean
If true, executables that are not in the original image are prevented from running.
- enable
Fork BooleanGuard If true, fork bombs are prevented in the containers.
- enable
Ip BooleanReputation Security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable
Port BooleanScan Detection If true, detects port scanning behavior in the container.
- enabled Boolean
Indicates if the runtime policy is enabled or not.
- enforce Boolean
Indicates that the policy should affect container execution (not just audit it).
- enforce
After IntegerDays Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional
Readonly List<String>Files And Directories List of files and directories to be excluded from the read-only list.
- exec
Lockdown List<String>White Lists Specify processes that will be allowed
- file
Integrity ContainerMonitoring Runtime Policy File Integrity Monitoring Configuration for file integrity monitoring.
- fork
Guard IntegerProcess Limit Process limit for the fork guard.
- limit
New BooleanPrivileges If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- malware
Scan ContainerOptions Runtime Policy Malware Scan Options Configuration for Real-Time Malware Protection.
- monitor
System BooleanTime Changes If true, system time changes will be monitored.
- name String
Name of the container runtime policy
- readonly
Files List<String>And Directories List of files and directories to be restricted as read-only
- reverse
Shell List<String>Allowed Ips List of IPs/ CIDRs that will be allowed
- reverse
Shell List<String>Allowed Processes List of processes that will be allowed
- scope
Expression String Logical expression of how to compute the dependency of the scope variables.
- scope
Variables List<ContainerRuntime Policy Scope Variable> List of scope attributes.
- allowed
Executables string[] List of executables that are allowed for the user.
- allowed Registries string[]
List of registries that are allowed for running containers.
- application
Scopes string[] Indicates the application scope of the service.
- audit
All booleanNetwork Activity If true, all network activity will be audited.
- audit
All booleanProcesses Activity If true, all process activity will be audited.
- audit
Full booleanCommand Arguments If true, full command arguments will be audited.
- block
Access booleanHost Network If true, prevent containers from running with access to host network.
- block Adding Capabilities boolean
If true, prevent containers from running with added capabilities via the --cap-add privilege.
- block Container Exec boolean
If true, exec into a container is prevented.
- block
Cryptocurrency booleanMining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Fileless booleanExec Detect and prevent running in-memory execution
- block Low Port Binding boolean
If true, prevent containers from running with the capability to bind to ports lower than 1024.
- block
Non booleanCompliant Images If true, running non-compliant image in the container is prevented.
- block
Non booleanCompliant Workloads If true, running containers in non-compliant pods is prevented.
- block
Non booleanK8s Containers If true, running non-kubernetes containers is prevented.
- block
Privileged booleanContainers If true, prevent containers from running with privileged container capability.
- block
Reverse booleanShell If true, reverse shell is prevented.
- block
Root booleanUser If true, prevent containers from running with root user.
- block
Unregistered booleanImages If true, running images in the container that are not registered in Aqua is prevented.
- block
Use booleanIpc Namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use booleanPid Namespace If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use booleanUser Namespace If true, prevent containers from running with the privilege to use the user namespace.
- block
Use booleanUts Namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked Capabilities string[]
List of Unix capabilities that containers are prevented from using.
- blocked
Executables string[] List of executables that are prevented from running in containers.
- blocked
Files string[] List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound string[]Ports List of blocked inbound ports.
- blocked
Outbound string[]Ports List of blocked outbound ports.
- blocked
Packages string[] Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes string[] List of volumes that are prevented from being mounted in the containers.
- container
Exec string[]Allowed Processes List of processes that will be allowed.
- description string
The description of the container runtime policy
- enable Drift Prevention boolean
If true, executables that are not in the original image are prevented from running.
- enable
Fork booleanGuard If true, fork bombs are prevented in the containers.
- enable
Ip booleanReputation Security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable
Port booleanScan Detection If true, detects port scanning behavior in the container.
- enabled boolean
Indicates if the runtime policy is enabled or not.
- enforce boolean
Indicates that the policy should affect container execution (not just audit it).
- enforce
After numberDays Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional
Readonly string[]Files And Directories List of files and directories to be excluded from the read-only list.
- exec
Lockdown string[]White Lists Specify processes that will be allowed
- file
Integrity ContainerMonitoring Runtime Policy File Integrity Monitoring Configuration for file integrity monitoring.
- fork
Guard numberProcess Limit Process limit for the fork guard.
- limit
New booleanPrivileges If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- malware
Scan ContainerOptions Runtime Policy Malware Scan Options Configuration for Real-Time Malware Protection.
- monitor
System booleanTime Changes If true, system time changes will be monitored.
- name string
Name of the container runtime policy
- readonly
Files string[]And Directories List of files and directories to be restricted as read-only
- reverse
Shell string[]Allowed Ips List of IPs/ CIDRs that will be allowed
- reverse
Shell string[]Allowed Processes List of processes that will be allowed
- scope
Expression string Logical expression of how to compute the dependency of the scope variables.
- scope
Variables ContainerRuntime Policy Scope Variable[] List of scope attributes.
- allowed_
executables Sequence[str] List of executables that are allowed for the user.
- allowed_ registries Sequence[str]
List of registries that are allowed for running containers.
- application_
scopes Sequence[str] Indicates the application scope of the service.
- audit_
all_ boolnetwork_ activity If true, all network activity will be audited.
- audit_
all_ boolprocesses_ activity If true, all process activity will be audited.
- audit_
full_ boolcommand_ arguments If true, full command arguments will be audited.
- block_
access_ boolhost_ network If true, prevent containers from running with access to host network.
- block_ adding_ capabilities bool
If true, prevent containers from running with added capabilities via the --cap-add privilege.
- block_ container_ exec bool
If true, exec into a container is prevented.
- block_
cryptocurrency_ boolmining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block_
fileless_ boolexec Detect and prevent running in-memory execution
- block_ low_ port_ binding bool
If true, prevent containers from running with the capability to bind to ports lower than 1024.
- block_
non_ boolcompliant_ images If true, running non-compliant image in the container is prevented.
- block_
non_ boolcompliant_ workloads If true, running containers in non-compliant pods is prevented.
- block_
non_ boolk8s_ containers If true, running non-kubernetes containers is prevented.
- block_
privileged_ boolcontainers If true, prevent containers from running with privileged container capability.
- block_
reverse_ boolshell If true, reverse shell is prevented.
- block_
root_ booluser If true, prevent containers from running with root user.
- block_
unregistered_ boolimages If true, running images in the container that are not registered in Aqua is prevented.
- block_
use_ boolipc_ namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- block_
use_ boolpid_ namespace If true, prevent containers from running with the privilege to use the PID namespace.
- block_
use_ booluser_ namespace If true, prevent containers from running with the privilege to use the user namespace.
- block_
use_ booluts_ namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked_ capabilities Sequence[str]
List of Unix capabilities that containers are prevented from using.
- blocked_
executables Sequence[str] List of executables that are prevented from running in containers.
- blocked_
files Sequence[str] List of files that are prevented from being read, modified and executed in the containers.
- blocked_
inbound_ Sequence[str]ports List of blocked inbound ports.
- blocked_
outbound_ Sequence[str]ports List of blocked outbound ports.
- blocked_
packages Sequence[str] Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked_
volumes Sequence[str] List of volumes that are prevented from being mounted in the containers.
- container_
exec_ Sequence[str]allowed_ processes List of processes that will be allowed.
- description str
The description of the container runtime policy
- enable_ drift_ prevention bool
If true, executables that are not in the original image are prevented from running.
- enable_
fork_ boolguard If true, fork bombs are prevented in the containers.
- enable_
ip_ boolreputation_ security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable_
port_ boolscan_ detection If true, detects port scanning behavior in the container.
- enabled bool
Indicates if the runtime policy is enabled or not.
- enforce bool
Indicates that the policy should affect container execution (not just audit it).
- enforce_
after_ intdays Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional_
readonly_ Sequence[str]files_ and_ directories List of files and directories to be excluded from the read-only list.
- exec_
lockdown_ Sequence[str]white_ lists Specify processes that will be allowed
- file_
integrity_ Containermonitoring Runtime Policy File Integrity Monitoring Args Configuration for file integrity monitoring.
- fork_
guard_ intprocess_ limit Process limit for the fork guard.
- limit_
new_ boolprivileges If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- malware_
scan_ Containeroptions Runtime Policy Malware Scan Options Args Configuration for Real-Time Malware Protection.
- monitor_
system_ booltime_ changes If true, system time changes will be monitored.
- name str
Name of the container runtime policy
- readonly_
files_ Sequence[str]and_ directories List of files and directories to be restricted as read-only
- reverse_
shell_ Sequence[str]allowed_ ips List of IPs/ CIDRs that will be allowed
- reverse_
shell_ Sequence[str]allowed_ processes List of processes that will be allowed
- scope_
expression str Logical expression of how to compute the dependency of the scope variables.
- scope_
variables Sequence[ContainerRuntime Policy Scope Variable Args] List of scope attributes.
- allowed
Executables List<String> List of executables that are allowed for the user.
- allowed Registries List<String>
List of registries that are allowed for running containers.
- application
Scopes List<String> Indicates the application scope of the service.
- audit
All BooleanNetwork Activity If true, all network activity will be audited.
- audit
All BooleanProcesses Activity If true, all process activity will be audited.
- audit
Full BooleanCommand Arguments If true, full command arguments will be audited.
- block
Access BooleanHost Network If true, prevent containers from running with access to host network.
- block Adding Capabilities Boolean
If true, prevent containers from running with added capabilities via the --cap-add privilege.
- block Container Exec Boolean
If true, exec into a container is prevented.
- block
Cryptocurrency BooleanMining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Fileless BooleanExec Detect and prevent running in-memory execution
- block Low Port Binding Boolean
If true, prevent containers from running with the capability to bind to ports lower than 1024.
- block
Non BooleanCompliant Images If true, running non-compliant image in the container is prevented.
- block
Non BooleanCompliant Workloads If true, running containers in non-compliant pods is prevented.
- block
Non BooleanK8s Containers If true, running non-kubernetes containers is prevented.
- block
Privileged BooleanContainers If true, prevent containers from running with privileged container capability.
- block
Reverse BooleanShell If true, reverse shell is prevented.
- block
Root BooleanUser If true, prevent containers from running with root user.
- block
Unregistered BooleanImages If true, running images in the container that are not registered in Aqua is prevented.
- block
Use BooleanIpc Namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use BooleanPid Namespace If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use BooleanUser Namespace If true, prevent containers from running with the privilege to use the user namespace.
- block
Use BooleanUts Namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked Capabilities List<String>
List of Unix capabilities that containers are prevented from using.
- blocked
Executables List<String> List of executables that are prevented from running in containers.
- blocked
Files List<String> List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound List<String>Ports List of blocked inbound ports.
- blocked
Outbound List<String>Ports List of blocked outbound ports.
- blocked
Packages List<String> Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes List<String> List of volumes that are prevented from being mounted in the containers.
- container
Exec List<String>Allowed Processes List of processes that will be allowed.
- description String
The description of the container runtime policy
- enable Drift Prevention Boolean
If true, executables that are not in the original image are prevented from running.
- enable
Fork BooleanGuard If true, fork bombs are prevented in the containers.
- enable
Ip BooleanReputation Security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable
Port BooleanScan Detection If true, detects port scanning behavior in the container.
- enabled Boolean
Indicates if the runtime policy is enabled or not.
- enforce Boolean
Indicates that the policy should affect container execution (not just audit it).
- enforce
After NumberDays Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional
Readonly List<String>Files And Directories List of files and directories to be excluded from the read-only list.
- exec
Lockdown List<String>White Lists Specify processes that will be allowed
- file
Integrity Property MapMonitoring Configuration for file integrity monitoring.
- fork
Guard NumberProcess Limit Process limit for the fork guard.
- limit
New BooleanPrivileges If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- malware
Scan Property MapOptions Configuration for Real-Time Malware Protection.
- monitor
System BooleanTime Changes If true, system time changes will be monitored.
- name String
Name of the container runtime policy
- readonly
Files List<String>And Directories List of files and directories to be restricted as read-only
- reverse
Shell List<String>Allowed Ips List of IPs/ CIDRs that will be allowed
- reverse
Shell List<String>Allowed Processes List of processes that will be allowed
- scope
Expression String Logical expression of how to compute the dependency of the scope variables.
- scope
Variables List<Property Map> List of scope attributes.
Outputs
All input properties are implicitly available as output properties. Additionally, the ContainerRuntimePolicy resource produces the following output properties:
- Author string
Username of the account that created the service.
- Id string
The provider-assigned unique ID for this managed resource.
- Author string
Username of the account that created the service.
- Id string
The provider-assigned unique ID for this managed resource.
- author String
Username of the account that created the service.
- id String
The provider-assigned unique ID for this managed resource.
- author string
Username of the account that created the service.
- id string
The provider-assigned unique ID for this managed resource.
- author str
Username of the account that created the service.
- id str
The provider-assigned unique ID for this managed resource.
- author String
Username of the account that created the service.
- id String
The provider-assigned unique ID for this managed resource.
Look up Existing ContainerRuntimePolicy Resource
Get an existing ContainerRuntimePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ContainerRuntimePolicyState, opts?: CustomResourceOptions): ContainerRuntimePolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
allowed_executables: Optional[Sequence[str]] = None,
allowed_registries: Optional[Sequence[str]] = None,
application_scopes: Optional[Sequence[str]] = None,
audit_all_network_activity: Optional[bool] = None,
audit_all_processes_activity: Optional[bool] = None,
audit_full_command_arguments: Optional[bool] = None,
author: Optional[str] = None,
block_access_host_network: Optional[bool] = None,
block_adding_capabilities: Optional[bool] = None,
block_container_exec: Optional[bool] = None,
block_cryptocurrency_mining: Optional[bool] = None,
block_fileless_exec: Optional[bool] = None,
block_low_port_binding: Optional[bool] = None,
block_non_compliant_images: Optional[bool] = None,
block_non_compliant_workloads: Optional[bool] = None,
block_non_k8s_containers: Optional[bool] = None,
block_privileged_containers: Optional[bool] = None,
block_reverse_shell: Optional[bool] = None,
block_root_user: Optional[bool] = None,
block_unregistered_images: Optional[bool] = None,
block_use_ipc_namespace: Optional[bool] = None,
block_use_pid_namespace: Optional[bool] = None,
block_use_user_namespace: Optional[bool] = None,
block_use_uts_namespace: Optional[bool] = None,
blocked_capabilities: Optional[Sequence[str]] = None,
blocked_executables: Optional[Sequence[str]] = None,
blocked_files: Optional[Sequence[str]] = None,
blocked_inbound_ports: Optional[Sequence[str]] = None,
blocked_outbound_ports: Optional[Sequence[str]] = None,
blocked_packages: Optional[Sequence[str]] = None,
blocked_volumes: Optional[Sequence[str]] = None,
container_exec_allowed_processes: Optional[Sequence[str]] = None,
description: Optional[str] = None,
enable_drift_prevention: Optional[bool] = None,
enable_fork_guard: Optional[bool] = None,
enable_ip_reputation_security: Optional[bool] = None,
enable_port_scan_detection: Optional[bool] = None,
enabled: Optional[bool] = None,
enforce: Optional[bool] = None,
enforce_after_days: Optional[int] = None,
exceptional_readonly_files_and_directories: Optional[Sequence[str]] = None,
exec_lockdown_white_lists: Optional[Sequence[str]] = None,
file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
fork_guard_process_limit: Optional[int] = None,
limit_new_privileges: Optional[bool] = None,
malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
monitor_system_time_changes: Optional[bool] = None,
name: Optional[str] = None,
readonly_files_and_directories: Optional[Sequence[str]] = None,
reverse_shell_allowed_ips: Optional[Sequence[str]] = None,
reverse_shell_allowed_processes: Optional[Sequence[str]] = None,
scope_expression: Optional[str] = None,
scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None) -> ContainerRuntimePolicy
func GetContainerRuntimePolicy(ctx *Context, name string, id IDInput, state *ContainerRuntimePolicyState, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
public static ContainerRuntimePolicy Get(string name, Input<string> id, ContainerRuntimePolicyState? state, CustomResourceOptions? opts = null)
public static ContainerRuntimePolicy get(String name, Output<String> id, ContainerRuntimePolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AllowedExecutables List<string> List of executables that are allowed for the user.
- AllowedRegistries List<string> List of registries that are allowed for running containers.
- ApplicationScopes List<string> Indicates the application scope of the service.
- AuditAllNetworkActivity bool If true, all network activity will be audited.
- AuditAllProcessesActivity bool If true, all process activity will be audited.
- AuditFullCommandArguments bool If true, full command arguments will be audited.
- string
Username of the account that created the service.
- BlockAccessHostNetwork bool If true, prevent containers from running with access to the host network.
- BlockAddingCapabilities bool If true, prevent containers from running with added capabilities (the `--cap-add` privilege).
- BlockContainerExec bool If true, exec into a container is prevented.
- BlockCryptocurrencyMining bool Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- BlockFilelessExec bool Detect and prevent in-memory (fileless) execution.
- BlockLowPortBinding bool If true, prevent containers from running with the capability to bind to a port lower than 1024.
- BlockNonCompliantImages bool If true, running a non-compliant image in the container is prevented.
- BlockNonCompliantWorkloads bool If true, running containers in non-compliant pods is prevented.
- BlockNonK8sContainers bool If true, running non-Kubernetes containers is prevented.
- BlockPrivilegedContainers bool If true, prevent containers from running with the privileged container capability.
- BlockReverseShell bool If true, reverse shells are prevented.
- BlockRootUser bool If true, prevent containers from running as the root user.
- BlockUnregisteredImages bool If true, running images in the container that are not registered in Aqua is prevented.
- BlockUseIpcNamespace bool If true, prevent containers from running with the privilege to use the IPC namespace.
- BlockUsePidNamespace bool If true, prevent containers from running with the privilege to use the PID namespace.
- BlockUseUserNamespace bool If true, prevent containers from running with the privilege to use the user namespace.
- BlockUseUtsNamespace bool If true, prevent containers from running with the privilege to use the UTS namespace.
- BlockedCapabilities List<string> Prevents containers from using the listed Unix capabilities.
- BlockedExecutables List<string> List of executables that are prevented from running in containers.
- BlockedFiles List<string> List of files that are prevented from being read, modified, or executed in the containers.
- BlockedInboundPorts List<string> List of blocked inbound ports.
- BlockedOutboundPorts List<string> List of blocked outbound ports.
- BlockedPackages List<string> Prevent containers from reading, writing, or executing all files in the listed packages.
- BlockedVolumes List<string> List of volumes that are prevented from being mounted in the containers.
- ContainerExecAllowedProcesses List<string> List of processes that will be allowed.
- Description string
The description of the container runtime policy
- EnableDriftPrevention bool If true, executables that are not in the original image are prevented from running.
- EnableForkGuard bool If true, fork bombs are prevented in the containers.
- EnableIpReputationSecurity bool If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- EnablePortScanDetection bool If true, port-scanning behavior in the container is detected.
- Enabled bool
Indicates whether the runtime policy is enabled.
- Enforce bool
Indicates that the policy should affect container execution (not just audit).
- EnforceAfterDays int Indicates the number of days after which the runtime policy will be changed to enforce mode.
- ExceptionalReadonlyFilesAndDirectories List<string> List of files and directories to be excluded from the read-only list.
- ExecLockdownWhiteLists List<string> Specify processes that will be allowed.
- FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring Configuration for file integrity monitoring.
- ForkGuardProcessLimit int Process limit for the fork guard.
- LimitNewPrivileges bool If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions Configuration for Real-Time Malware Protection.
- MonitorSystemTimeChanges bool If true, system time changes will be monitored.
- Name string
Name of the container runtime policy
- ReadonlyFilesAndDirectories List<string> List of files and directories to be restricted as read-only.
- ReverseShellAllowedIps List<string> List of IPs/CIDRs that will be allowed.
- ReverseShellAllowedProcesses List<string> List of processes that will be allowed.
- ScopeExpression string Logical expression of how to compute the dependency of the scope variables.
- ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable> List of scope attributes.
- AllowedExecutables []string List of executables that are allowed for the user.
- AllowedRegistries []string List of registries that are allowed for running containers.
- ApplicationScopes []string Indicates the application scope of the service.
- AuditAllNetworkActivity bool If true, all network activity will be audited.
- AuditAllProcessesActivity bool If true, all process activity will be audited.
- AuditFullCommandArguments bool If true, full command arguments will be audited.
- string
Username of the account that created the service.
- BlockAccessHostNetwork bool If true, prevent containers from running with access to the host network.
- BlockAddingCapabilities bool If true, prevent containers from running with added capabilities (the `--cap-add` privilege).
- BlockContainerExec bool If true, exec into a container is prevented.
- BlockCryptocurrencyMining bool Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- BlockFilelessExec bool Detect and prevent in-memory (fileless) execution.
- BlockLowPortBinding bool If true, prevent containers from running with the capability to bind to a port lower than 1024.
- BlockNonCompliantImages bool If true, running a non-compliant image in the container is prevented.
- BlockNonCompliantWorkloads bool If true, running containers in non-compliant pods is prevented.
- BlockNonK8sContainers bool If true, running non-Kubernetes containers is prevented.
- BlockPrivilegedContainers bool If true, prevent containers from running with the privileged container capability.
- BlockReverseShell bool If true, reverse shells are prevented.
- BlockRootUser bool If true, prevent containers from running as the root user.
- BlockUnregisteredImages bool If true, running images in the container that are not registered in Aqua is prevented.
- BlockUseIpcNamespace bool If true, prevent containers from running with the privilege to use the IPC namespace.
- BlockUsePidNamespace bool If true, prevent containers from running with the privilege to use the PID namespace.
- BlockUseUserNamespace bool If true, prevent containers from running with the privilege to use the user namespace.
- BlockUseUtsNamespace bool If true, prevent containers from running with the privilege to use the UTS namespace.
- BlockedCapabilities []string Prevents containers from using the listed Unix capabilities.
- BlockedExecutables []string List of executables that are prevented from running in containers.
- BlockedFiles []string List of files that are prevented from being read, modified, or executed in the containers.
- BlockedInboundPorts []string List of blocked inbound ports.
- BlockedOutboundPorts []string List of blocked outbound ports.
- BlockedPackages []string Prevent containers from reading, writing, or executing all files in the listed packages.
- BlockedVolumes []string List of volumes that are prevented from being mounted in the containers.
- ContainerExecAllowedProcesses []string List of processes that will be allowed.
- Description string
The description of the container runtime policy
- EnableDriftPrevention bool If true, executables that are not in the original image are prevented from running.
- EnableForkGuard bool If true, fork bombs are prevented in the containers.
- EnableIpReputationSecurity bool If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- EnablePortScanDetection bool If true, port-scanning behavior in the container is detected.
- Enabled bool
Indicates whether the runtime policy is enabled.
- Enforce bool
Indicates that the policy should affect container execution (not just audit).
- EnforceAfterDays int Indicates the number of days after which the runtime policy will be changed to enforce mode.
- ExceptionalReadonlyFilesAndDirectories []string List of files and directories to be excluded from the read-only list.
- ExecLockdownWhiteLists []string Specify processes that will be allowed.
- FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs Configuration for file integrity monitoring.
- ForkGuardProcessLimit int Process limit for the fork guard.
- LimitNewPrivileges bool If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs Configuration for Real-Time Malware Protection.
- MonitorSystemTimeChanges bool If true, system time changes will be monitored.
- Name string
Name of the container runtime policy
- ReadonlyFilesAndDirectories []string List of files and directories to be restricted as read-only.
- ReverseShellAllowedIps []string List of IPs/CIDRs that will be allowed.
- ReverseShellAllowedProcesses []string List of processes that will be allowed.
- ScopeExpression string Logical expression of how to compute the dependency of the scope variables.
- ScopeVariables []ContainerRuntimePolicyScopeVariableArgs List of scope attributes.
- allowedExecutables List<String> List of executables that are allowed for the user.
- allowedRegistries List<String> List of registries that are allowed for running containers.
- applicationScopes List<String> Indicates the application scope of the service.
- auditAllNetworkActivity Boolean If true, all network activity will be audited.
- auditAllProcessesActivity Boolean If true, all process activity will be audited.
- auditFullCommandArguments Boolean If true, full command arguments will be audited.
- String
Username of the account that created the service.
- blockAccessHostNetwork Boolean If true, prevent containers from running with access to the host network.
- blockAddingCapabilities Boolean If true, prevent containers from running with added capabilities (the `--cap-add` privilege).
- blockContainerExec Boolean If true, exec into a container is prevented.
- blockCryptocurrencyMining Boolean Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- blockFilelessExec Boolean Detect and prevent in-memory (fileless) execution.
- blockLowPortBinding Boolean If true, prevent containers from running with the capability to bind to a port lower than 1024.
- blockNonCompliantImages Boolean If true, running a non-compliant image in the container is prevented.
- blockNonCompliantWorkloads Boolean If true, running containers in non-compliant pods is prevented.
- blockNonK8sContainers Boolean If true, running non-Kubernetes containers is prevented.
- blockPrivilegedContainers Boolean If true, prevent containers from running with the privileged container capability.
- blockReverseShell Boolean If true, reverse shells are prevented.
- blockRootUser Boolean If true, prevent containers from running as the root user.
- blockUnregisteredImages Boolean If true, running images in the container that are not registered in Aqua is prevented.
- blockUseIpcNamespace Boolean If true, prevent containers from running with the privilege to use the IPC namespace.
- blockUsePidNamespace Boolean If true, prevent containers from running with the privilege to use the PID namespace.
- blockUseUserNamespace Boolean If true, prevent containers from running with the privilege to use the user namespace.
- blockUseUtsNamespace Boolean If true, prevent containers from running with the privilege to use the UTS namespace.
- blockedCapabilities List<String> Prevents containers from using the listed Unix capabilities.
- blockedExecutables List<String> List of executables that are prevented from running in containers.
- blockedFiles List<String> List of files that are prevented from being read, modified, or executed in the containers.
- blockedInboundPorts List<String> List of blocked inbound ports.
- blockedOutboundPorts List<String> List of blocked outbound ports.
- blockedPackages List<String> Prevent containers from reading, writing, or executing all files in the listed packages.
- blockedVolumes List<String> List of volumes that are prevented from being mounted in the containers.
- containerExecAllowedProcesses List<String> List of processes that will be allowed.
- description String
The description of the container runtime policy
- enableDriftPrevention Boolean If true, executables that are not in the original image are prevented from running.
- enableForkGuard Boolean If true, fork bombs are prevented in the containers.
- enableIpReputationSecurity Boolean If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enablePortScanDetection Boolean If true, port-scanning behavior in the container is detected.
- enabled Boolean
Indicates whether the runtime policy is enabled.
- enforce Boolean
Indicates that the policy should affect container execution (not just audit).
- enforceAfterDays Integer Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptionalReadonlyFilesAndDirectories List<String> List of files and directories to be excluded from the read-only list.
- execLockdownWhiteLists List<String> Specify processes that will be allowed.
- fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring Configuration for file integrity monitoring.
- forkGuardProcessLimit Integer Process limit for the fork guard.
- limitNewPrivileges Boolean If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- malwareScanOptions ContainerRuntimePolicyMalwareScanOptions Configuration for Real-Time Malware Protection.
- monitorSystemTimeChanges Boolean If true, system time changes will be monitored.
- name String
Name of the container runtime policy
- readonlyFilesAndDirectories List<String> List of files and directories to be restricted as read-only.
- reverseShellAllowedIps List<String> List of IPs/CIDRs that will be allowed.
- reverseShellAllowedProcesses List<String> List of processes that will be allowed.
- scopeExpression String Logical expression of how to compute the dependency of the scope variables.
- scopeVariables List<ContainerRuntimePolicyScopeVariable> List of scope attributes.
- allowedExecutables string[] List of executables that are allowed for the user.
- allowedRegistries string[] List of registries that are allowed for running containers.
- applicationScopes string[] Indicates the application scope of the service.
- auditAllNetworkActivity boolean If true, all network activity will be audited.
- auditAllProcessesActivity boolean If true, all process activity will be audited.
- auditFullCommandArguments boolean If true, full command arguments will be audited.
- string
Username of the account that created the service.
- blockAccessHostNetwork boolean If true, prevent containers from running with access to the host network.
- blockAddingCapabilities boolean If true, prevent containers from running with added capabilities (the `--cap-add` privilege).
- blockContainerExec boolean If true, exec into a container is prevented.
- blockCryptocurrencyMining boolean Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- blockFilelessExec boolean Detect and prevent in-memory (fileless) execution.
- blockLowPortBinding boolean If true, prevent containers from running with the capability to bind to a port lower than 1024.
- blockNonCompliantImages boolean If true, running a non-compliant image in the container is prevented.
- blockNonCompliantWorkloads boolean If true, running containers in non-compliant pods is prevented.
- blockNonK8sContainers boolean If true, running non-Kubernetes containers is prevented.
- blockPrivilegedContainers boolean If true, prevent containers from running with the privileged container capability.
- blockReverseShell boolean If true, reverse shells are prevented.
- blockRootUser boolean If true, prevent containers from running as the root user.
- blockUnregisteredImages boolean If true, running images in the container that are not registered in Aqua is prevented.
- blockUseIpcNamespace boolean If true, prevent containers from running with the privilege to use the IPC namespace.
- blockUsePidNamespace boolean If true, prevent containers from running with the privilege to use the PID namespace.
- blockUseUserNamespace boolean If true, prevent containers from running with the privilege to use the user namespace.
- blockUseUtsNamespace boolean If true, prevent containers from running with the privilege to use the UTS namespace.
- blockedCapabilities string[] Prevents containers from using the listed Unix capabilities.
- blockedExecutables string[] List of executables that are prevented from running in containers.
- blockedFiles string[] List of files that are prevented from being read, modified, or executed in the containers.
- blockedInboundPorts string[] List of blocked inbound ports.
- blockedOutboundPorts string[] List of blocked outbound ports.
- blockedPackages string[] Prevent containers from reading, writing, or executing all files in the listed packages.
- blockedVolumes string[] List of volumes that are prevented from being mounted in the containers.
- containerExecAllowedProcesses string[] List of processes that will be allowed.
- description string
The description of the container runtime policy
- enableDriftPrevention boolean If true, executables that are not in the original image are prevented from running.
- enableForkGuard boolean If true, fork bombs are prevented in the containers.
- enableIpReputationSecurity boolean If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enablePortScanDetection boolean If true, port-scanning behavior in the container is detected.
- enabled boolean
Indicates whether the runtime policy is enabled.
- enforce boolean
Indicates that the policy should affect container execution (not just audit).
- enforceAfterDays number Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptionalReadonlyFilesAndDirectories string[] List of files and directories to be excluded from the read-only list.
- execLockdownWhiteLists string[] Specify processes that will be allowed.
- fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring Configuration for file integrity monitoring.
- forkGuardProcessLimit number Process limit for the fork guard.
- limitNewPrivileges boolean If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- malwareScanOptions ContainerRuntimePolicyMalwareScanOptions Configuration for Real-Time Malware Protection.
- monitorSystemTimeChanges boolean If true, system time changes will be monitored.
- name string
Name of the container runtime policy
- readonlyFilesAndDirectories string[] List of files and directories to be restricted as read-only.
- reverseShellAllowedIps string[] List of IPs/CIDRs that will be allowed.
- reverseShellAllowedProcesses string[] List of processes that will be allowed.
- scopeExpression string Logical expression of how to compute the dependency of the scope variables.
- scopeVariables ContainerRuntimePolicyScopeVariable[] List of scope attributes.
- allowed_executables Sequence[str] List of executables that are allowed for the user.
- allowed_registries Sequence[str] List of registries that are allowed for running containers.
- application_scopes Sequence[str] Indicates the application scope of the service.
- audit_all_network_activity bool If true, all network activity will be audited.
- audit_all_processes_activity bool If true, all process activity will be audited.
- audit_full_command_arguments bool If true, full command arguments will be audited.
- str
Username of the account that created the service.
- block_access_host_network bool If true, prevent containers from running with access to the host network.
- block_adding_capabilities bool If true, prevent containers from running with added capabilities (the `--cap-add` privilege).
- block_container_exec bool If true, exec into a container is prevented.
- block_cryptocurrency_mining bool Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- block_fileless_exec bool Detect and prevent in-memory (fileless) execution.
- block_low_port_binding bool If true, prevent containers from running with the capability to bind to a port lower than 1024.
- block_non_compliant_images bool If true, running a non-compliant image in the container is prevented.
- block_non_compliant_workloads bool If true, running containers in non-compliant pods is prevented.
- block_non_k8s_containers bool If true, running non-Kubernetes containers is prevented.
- block_privileged_containers bool If true, prevent containers from running with the privileged container capability.
- block_reverse_shell bool If true, reverse shells are prevented.
- block_root_user bool If true, prevent containers from running as the root user.
- block_unregistered_images bool If true, running images in the container that are not registered in Aqua is prevented.
- block_use_ipc_namespace bool If true, prevent containers from running with the privilege to use the IPC namespace.
- block_use_pid_namespace bool If true, prevent containers from running with the privilege to use the PID namespace.
- block_use_user_namespace bool If true, prevent containers from running with the privilege to use the user namespace.
- block_use_uts_namespace bool If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked_capabilities Sequence[str] Prevents containers from using the listed Unix capabilities.
- blocked_executables Sequence[str] List of executables that are prevented from running in containers.
- blocked_files Sequence[str] List of files that are prevented from being read, modified, or executed in the containers.
- blocked_inbound_ports Sequence[str] List of blocked inbound ports.
- blocked_outbound_ports Sequence[str] List of blocked outbound ports.
- blocked_packages Sequence[str] Prevent containers from reading, writing, or executing all files in the listed packages.
- blocked_volumes Sequence[str] List of volumes that are prevented from being mounted in the containers.
- container_exec_allowed_processes Sequence[str] List of processes that will be allowed.
- description str
The description of the container runtime policy
- enable_drift_prevention bool If true, executables that are not in the original image are prevented from running.
- enable_fork_guard bool If true, fork bombs are prevented in the containers.
- enable_ip_reputation_security bool If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable_port_scan_detection bool If true, port-scanning behavior in the container is detected.
- enabled bool
Indicates whether the runtime policy is enabled.
- enforce bool
Indicates that the policy should affect container execution (not just audit).
- enforce_after_days int Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional_readonly_files_and_directories Sequence[str] List of files and directories to be excluded from the read-only list.
- exec_lockdown_white_lists Sequence[str] Specify processes that will be allowed.
- file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs Configuration for file integrity monitoring.
- fork_guard_process_limit int Process limit for the fork guard.
- limit_new_privileges bool If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs Configuration for Real-Time Malware Protection.
- monitor_system_time_changes bool If true, system time changes will be monitored.
- name str
Name of the container runtime policy
- readonly_files_and_directories Sequence[str] List of files and directories to be restricted as read-only.
- reverse_shell_allowed_ips Sequence[str] List of IPs/CIDRs that will be allowed.
- reverse_shell_allowed_processes Sequence[str] List of processes that will be allowed.
- scope_expression str Logical expression of how to compute the dependency of the scope variables.
- scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs] List of scope attributes.
- allowedExecutables List<String> List of executables that are allowed for the user.
- allowedRegistries List<String> List of registries that are allowed for running containers.
- applicationScopes List<String> Indicates the application scope of the service.
- auditAllNetworkActivity Boolean If true, all network activity will be audited.
- auditAllProcessesActivity Boolean If true, all process activity will be audited.
- auditFullCommandArguments Boolean If true, full command arguments will be audited.
- String
Username of the account that created the service.
- blockAccessHostNetwork Boolean If true, prevent containers from running with access to the host network.
- blockAddingCapabilities Boolean If true, prevent containers from running with added capabilities (the `--cap-add` privilege).
- blockContainerExec Boolean If true, exec into a container is prevented.
- blockCryptocurrencyMining Boolean Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- blockFilelessExec Boolean Detect and prevent in-memory (fileless) execution.
- blockLowPortBinding Boolean If true, prevent containers from running with the capability to bind to a port lower than 1024.
- blockNonCompliantImages Boolean If true, running a non-compliant image in the container is prevented.
- blockNonCompliantWorkloads Boolean If true, running containers in non-compliant pods is prevented.
- blockNonK8sContainers Boolean If true, running non-Kubernetes containers is prevented.
- blockPrivilegedContainers Boolean If true, prevent containers from running with the privileged container capability.
- blockReverseShell Boolean If true, reverse shells are prevented.
- blockRootUser Boolean If true, prevent containers from running as the root user.
- blockUnregisteredImages Boolean If true, running images in the container that are not registered in Aqua is prevented.
- blockUseIpcNamespace Boolean If true, prevent containers from running with the privilege to use the IPC namespace.
- blockUsePidNamespace Boolean If true, prevent containers from running with the privilege to use the PID namespace.
- blockUseUserNamespace Boolean If true, prevent containers from running with the privilege to use the user namespace.
- blockUseUtsNamespace Boolean If true, prevent containers from running with the privilege to use the UTS namespace.
- blockedCapabilities List<String> Prevents containers from using the listed Unix capabilities.
- blockedExecutables List<String> List of executables that are prevented from running in containers.
- blockedFiles List<String> List of files that are prevented from being read, modified, or executed in the containers.
- blockedInboundPorts List<String> List of blocked inbound ports.
- blockedOutboundPorts List<String> List of blocked outbound ports.
- blockedPackages List<String> Prevent containers from reading, writing, or executing all files in the listed packages.
- blockedVolumes List<String> List of volumes that are prevented from being mounted in the containers.
- containerExecAllowedProcesses List<String> List of processes that will be allowed.
- description String
The description of the container runtime policy
- enableDriftPrevention Boolean If true, executables that are not in the original image are prevented from running.
- enableForkGuard Boolean If true, fork bombs are prevented in the containers.
- enableIpReputationSecurity Boolean If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enablePortScanDetection Boolean If true, port-scanning behavior in the container is detected.
- enabled Boolean
Indicates whether the runtime policy is enabled.
- enforce Boolean
Indicates that the policy should affect container execution (not just audit).
- enforceAfterDays Number Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptionalReadonlyFilesAndDirectories List<String> List of files and directories to be excluded from the read-only list.
- execLockdownWhiteLists List<String> Specify processes that will be allowed.
- fileIntegrityMonitoring Property Map Configuration for file integrity monitoring.
- forkGuardProcessLimit Number Process limit for the fork guard.
- limitNewPrivileges Boolean If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- malwareScanOptions Property Map Configuration for Real-Time Malware Protection.
- monitorSystemTimeChanges Boolean If true, system time changes will be monitored.
- name String
Name of the container runtime policy
- readonlyFilesAndDirectories List<String> List of files and directories to be restricted as read-only.
- reverseShellAllowedIps List<String> List of IPs/CIDRs that will be allowed.
- reverseShellAllowedProcesses List<String> List of processes that will be allowed.
- scopeExpression String Logical expression of how to compute the dependency of the scope variables.
- scopeVariables List<Property Map> List of scope attributes.
Supporting Types
ContainerRuntimePolicyFileIntegrityMonitoring, ContainerRuntimePolicyFileIntegrityMonitoringArgs
- Excluded
Paths List<string> List of paths to be excluded from being monitored.
- Excluded
Processes List<string> List of processes to be excluded from being monitored.
- Excluded
Users List<string> List of users to be excluded from being monitored.
- Monitor
Attributes bool If true, add-attribute operations will be monitored.
- Monitor
Create bool If true, create operations will be monitored.
- Monitor
Delete bool If true, deletion operations will be monitored.
- Monitor
Modify bool If true, modification operations will be monitored.
- Monitor
Read bool If true, read operations will be monitored.
- Monitored
Paths List<string> List of paths to be monitored.
- Monitored
Processes List<string> List of processes to be monitored.
- Monitored
Users List<string> List of users to be monitored.
- Excluded
Paths []string List of paths to be excluded from being monitored.
- Excluded
Processes []string List of processes to be excluded from being monitored.
- Excluded
Users []string List of users to be excluded from being monitored.
- Monitor
Attributes bool If true, add-attribute operations will be monitored.
- Monitor
Create bool If true, create operations will be monitored.
- Monitor
Delete bool If true, deletion operations will be monitored.
- Monitor
Modify bool If true, modification operations will be monitored.
- Monitor
Read bool If true, read operations will be monitored.
- Monitored
Paths []string List of paths to be monitored.
- Monitored
Processes []string List of processes to be monitored.
- Monitored
Users []string List of users to be monitored.
- excluded
Paths List<String> List of paths to be excluded from being monitored.
- excluded
Processes List<String> List of processes to be excluded from being monitored.
- excluded
Users List<String> List of users to be excluded from being monitored.
- monitor
Attributes Boolean If true, add-attribute operations will be monitored.
- monitor
Create Boolean If true, create operations will be monitored.
- monitor
Delete Boolean If true, deletion operations will be monitored.
- monitor
Modify Boolean If true, modification operations will be monitored.
- monitor
Read Boolean If true, read operations will be monitored.
- monitored
Paths List<String> List of paths to be monitored.
- monitored
Processes List<String> List of processes to be monitored.
- monitored
Users List<String> List of users to be monitored.
- excluded
Paths string[] List of paths to be excluded from being monitored.
- excluded
Processes string[] List of processes to be excluded from being monitored.
- excluded
Users string[] List of users to be excluded from being monitored.
- monitor
Attributes boolean If true, add-attribute operations will be monitored.
- monitor
Create boolean If true, create operations will be monitored.
- monitor
Delete boolean If true, deletion operations will be monitored.
- monitor
Modify boolean If true, modification operations will be monitored.
- monitor
Read boolean If true, read operations will be monitored.
- monitored
Paths string[] List of paths to be monitored.
- monitored
Processes string[] List of processes to be monitored.
- monitored
Users string[] List of users to be monitored.
- excluded_
paths Sequence[str] List of paths to be excluded from being monitored.
- excluded_
processes Sequence[str] List of processes to be excluded from being monitored.
- excluded_
users Sequence[str] List of users to be excluded from being monitored.
- monitor_
attributes bool If true, add-attribute operations will be monitored.
- monitor_
create bool If true, create operations will be monitored.
- monitor_
delete bool If true, deletion operations will be monitored.
- monitor_
modify bool If true, modification operations will be monitored.
- monitor_
read bool If true, read operations will be monitored.
- monitored_
paths Sequence[str] List of paths to be monitored.
- monitored_
processes Sequence[str] List of processes to be monitored.
- monitored_
users Sequence[str] List of users to be monitored.
- excluded
Paths List<String> List of paths to be excluded from being monitored.
- excluded
Processes List<String> List of processes to be excluded from being monitored.
- excluded
Users List<String> List of users to be excluded from being monitored.
- monitor
Attributes Boolean If true, add-attribute operations will be monitored.
- monitor
Create Boolean If true, create operations will be monitored.
- monitor
Delete Boolean If true, deletion operations will be monitored.
- monitor
Modify Boolean If true, modification operations will be monitored.
- monitor
Read Boolean If true, read operations will be monitored.
- monitored
Paths List<String> List of paths to be monitored.
- monitored
Processes List<String> List of processes to be monitored.
- monitored
Users List<String> List of users to be monitored.
ContainerRuntimePolicyMalwareScanOptions, ContainerRuntimePolicyMalwareScanOptionsArgs
- Action string
Set Action, Defaults to 'Alert' when empty
- Enabled bool
Defines if enabled or not
- Exclude
Directories List<string> List of registry paths to be excluded from being protected.
- Exclude
Processes List<string> List of registry processes to be excluded from being protected.
- Action string
Set Action, Defaults to 'Alert' when empty
- Enabled bool
Defines if enabled or not
- Exclude
Directories []string List of registry paths to be excluded from being protected.
- Exclude
Processes []string List of registry processes to be excluded from being protected.
- action String
Set Action, Defaults to 'Alert' when empty
- enabled Boolean
Defines if enabled or not
- exclude
Directories List<String> List of registry paths to be excluded from being protected.
- exclude
Processes List<String> List of registry processes to be excluded from being protected.
- action string
Set Action, Defaults to 'Alert' when empty
- enabled boolean
Defines if enabled or not
- exclude
Directories string[] List of registry paths to be excluded from being protected.
- exclude
Processes string[] List of registry processes to be excluded from being protected.
- action str
Set Action, Defaults to 'Alert' when empty
- enabled bool
Defines if enabled or not
- exclude_
directories Sequence[str] List of registry paths to be excluded from being protected.
- exclude_
processes Sequence[str] List of registry processes to be excluded from being protected.
- action String
Set Action, Defaults to 'Alert' when empty
- enabled Boolean
Defines if enabled or not
- exclude
Directories List<String> List of registry paths to be excluded from being protected.
- exclude
Processes List<String> List of registry processes to be excluded from being protected.
ContainerRuntimePolicyScopeVariable, ContainerRuntimePolicyScopeVariableArgs
Package Details
- Repository
- aquasec pulumiverse/pulumi-aquasec
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
aquasec
Terraform Provider.