Aquasec

v0.2.2 published on Monday, Nov 14, 2022 by Pulumiverse

ContainerRuntimePolicy

Example Usage

using System.Collections.Generic;
using Pulumi;
using Aquasec = Pulumiverse.Aquasec;

return await Deployment.RunAsync(() =>
{
    // File-integrity monitoring: which paths, processes and users are watched
    // (minus the excluded ones) and which file operations are recorded.
    // Every string here is a sample value.
    var fileIntegrityMonitoring = new Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs
    {
        ExcludedPaths = new[] { "expaths" },
        ExcludedProcesses = new[] { "exprocess" },
        ExcludedUsers = new[] { "expuser" },
        MonitorAttributes = true,
        MonitorCreate = true,
        MonitorDelete = true,
        MonitorModify = true,
        MonitorRead = true,
        MonitoredPaths = new[] { "paths" },
        MonitoredProcesses = new[] { "process" },
        MonitoredUsers = new[] { "user" },
    };

    // Malware scanning is switched on; Action = "alert" is the configured response.
    var malwareScanOptions = new Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptionsArgs
    {
        Action = "alert",
        Enabled = true,
    };

    // Workload selector. NOTE(review): ScopeExpression = "v1 || v2" below presumably
    // ORs these two variables in declaration order — confirm against the provider docs.
    var scopeVariables = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
        {
            Attribute = "kubernetes.cluster",
            Value = "default",
        },
        new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
        {
            Attribute = "kubernetes.label",
            Name = "app",
            Value = "aqua",
        },
    };

    var policyArgs = new Aquasec.ContainerRuntimePolicyArgs
    {
        // Allow-lists (sample values): by their names these exempt entries from the
        // matching block rule, so keep them as short as possible.
        AllowedExecutables = new[] { "exe", "bin" },
        AllowedRegistries = new[] { "registry1", "registry2" },
        ApplicationScopes = new[] { "Global" },

        // Auditing: record all network and process activity, with full command arguments.
        AuditAllNetworkActivity = true,
        AuditAllProcessesActivity = true,
        AuditFullCommandArguments = true,

        // Hardening controls.
        BlockAccessHostNetwork = true,
        BlockAddingCapabilities = true,
        BlockContainerExec = true,
        BlockCryptocurrencyMining = true,
        BlockFilelessExec = true,
        BlockLowPortBinding = true,
        BlockNonCompliantImages = true,
        BlockNonCompliantWorkloads = true,
        BlockNonK8sContainers = true,
        BlockPrivilegedContainers = true,
        BlockReverseShell = true,
        BlockRootUser = true,
        BlockUnregisteredImages = true,
        BlockUseIpcNamespace = true,
        BlockUsePidNamespace = true,
        BlockUseUserNamespace = true,
        BlockUseUtsNamespace = true,

        // Deny-lists (sample values).
        BlockedCapabilities = new[] { "AUDIT_CONTROL", "AUDIT_WRITE" },
        BlockedExecutables = new[] { "exe1", "exe2" },
        BlockedFiles = new[] { "test1", "test2" },
        BlockedInboundPorts = new[] { "80", "8080" },
        BlockedOutboundPorts = new[] { "90", "9090" },
        BlockedPackages = new[] { "pkg", "pkg2" },
        BlockedVolumes = new[] { "blocked", "vol" },
        ContainerExecAllowedProcesses = new[] { "proc1", "proc2" },

        Description = "container_runtime_policy",
        EnableDriftPrevention = true,
        EnableForkGuard = true,
        EnableIpReputationSecurity = true,
        EnablePortScanDetection = true,
        Enabled = true,
        // NOTE(review): Enforce = false presumably leaves the policy in audit/alert
        // mode, so the Block* controls above would be reported rather than applied —
        // confirm against the Enforce input before relying on this in production.
        Enforce = false,
        ExceptionalReadonlyFilesAndDirectories = new[] { "readonly2", "/dir2/" },
        FileIntegrityMonitoring = fileIntegrityMonitoring,
        ForkGuardProcessLimit = 13,
        LimitNewPrivileges = true,
        MalwareScanOptions = malwareScanOptions,
        MonitorSystemTimeChanges = true,
        ReadonlyFilesAndDirectories = new[] { "readonly", "/dir/" },
        ReverseShellAllowedIps = new[] { "ip1", "ip2" },
        ReverseShellAllowedProcesses = new[] { "proc1", "proc2" },
        ScopeExpression = "v1 || v2",
        ScopeVariables = scopeVariables,
    };

    var containerRuntimePolicy = new Aquasec.ContainerRuntimePolicy("containerRuntimePolicy", policyArgs);
});
package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)

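// main declares a single Aqua container runtime policy. All list values are
// samples; the policy is created with Enforce=false.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// The nested input types are exported from the aquasec package, like the
		// resource itself; the unqualified names the generator emitted do not
		// resolve, so every nested struct below is package-qualified.
		_, err := aquasec.NewContainerRuntimePolicy(ctx, "containerRuntimePolicy", &aquasec.ContainerRuntimePolicyArgs{
			// Allow-lists (sample values): by their names these exempt entries
			// from the matching block rule, so keep them as short as possible.
			AllowedExecutables: pulumi.StringArray{
				pulumi.String("exe"),
				pulumi.String("bin"),
			},
			AllowedRegistries: pulumi.StringArray{
				pulumi.String("registry1"),
				pulumi.String("registry2"),
			},
			ApplicationScopes: pulumi.StringArray{
				pulumi.String("Global"),
			},
			// Auditing: record all network and process activity with full command arguments.
			AuditAllNetworkActivity:    pulumi.Bool(true),
			AuditAllProcessesActivity:  pulumi.Bool(true),
			AuditFullCommandArguments:  pulumi.Bool(true),
			// Hardening controls.
			BlockAccessHostNetwork:     pulumi.Bool(true),
			BlockAddingCapabilities:    pulumi.Bool(true),
			BlockContainerExec:         pulumi.Bool(true),
			BlockCryptocurrencyMining:  pulumi.Bool(true),
			BlockFilelessExec:          pulumi.Bool(true),
			BlockLowPortBinding:        pulumi.Bool(true),
			BlockNonCompliantImages:    pulumi.Bool(true),
			BlockNonCompliantWorkloads: pulumi.Bool(true),
			BlockNonK8sContainers:      pulumi.Bool(true),
			BlockPrivilegedContainers:  pulumi.Bool(true),
			BlockReverseShell:          pulumi.Bool(true),
			BlockRootUser:              pulumi.Bool(true),
			BlockUnregisteredImages:    pulumi.Bool(true),
			BlockUseIpcNamespace:       pulumi.Bool(true),
			BlockUsePidNamespace:       pulumi.Bool(true),
			BlockUseUserNamespace:      pulumi.Bool(true),
			BlockUseUtsNamespace:       pulumi.Bool(true),
			// Deny-lists (sample values).
			BlockedCapabilities: pulumi.StringArray{
				pulumi.String("AUDIT_CONTROL"),
				pulumi.String("AUDIT_WRITE"),
			},
			BlockedExecutables: pulumi.StringArray{
				pulumi.String("exe1"),
				pulumi.String("exe2"),
			},
			BlockedFiles: pulumi.StringArray{
				pulumi.String("test1"),
				pulumi.String("test2"),
			},
			BlockedInboundPorts: pulumi.StringArray{
				pulumi.String("80"),
				pulumi.String("8080"),
			},
			BlockedOutboundPorts: pulumi.StringArray{
				pulumi.String("90"),
				pulumi.String("9090"),
			},
			BlockedPackages: pulumi.StringArray{
				pulumi.String("pkg"),
				pulumi.String("pkg2"),
			},
			BlockedVolumes: pulumi.StringArray{
				pulumi.String("blocked"),
				pulumi.String("vol"),
			},
			ContainerExecAllowedProcesses: pulumi.StringArray{
				pulumi.String("proc1"),
				pulumi.String("proc2"),
			},
			Description:                pulumi.String("container_runtime_policy"),
			EnableDriftPrevention:      pulumi.Bool(true),
			EnableForkGuard:            pulumi.Bool(true),
			EnableIpReputationSecurity: pulumi.Bool(true),
			EnablePortScanDetection:    pulumi.Bool(true),
			Enabled:                    pulumi.Bool(true),
			// NOTE(review): Enforce=false presumably keeps the policy in audit/alert
			// mode, so the Block* controls above are reported rather than applied —
			// confirm against the Enforce input before relying on this in production.
			Enforce:                    pulumi.Bool(false),
			ExceptionalReadonlyFilesAndDirectories: pulumi.StringArray{
				pulumi.String("readonly2"),
				pulumi.String("/dir2/"),
			},
			// File-integrity monitoring: watched paths/processes/users, the excluded
			// ones, and which file operations are recorded.
			FileIntegrityMonitoring: &aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs{
				ExcludedPaths: pulumi.StringArray{
					pulumi.String("expaths"),
				},
				ExcludedProcesses: pulumi.StringArray{
					pulumi.String("exprocess"),
				},
				ExcludedUsers: pulumi.StringArray{
					pulumi.String("expuser"),
				},
				MonitorAttributes: pulumi.Bool(true),
				MonitorCreate:     pulumi.Bool(true),
				MonitorDelete:     pulumi.Bool(true),
				MonitorModify:     pulumi.Bool(true),
				MonitorRead:       pulumi.Bool(true),
				MonitoredPaths: pulumi.StringArray{
					pulumi.String("paths"),
				},
				MonitoredProcesses: pulumi.StringArray{
					pulumi.String("process"),
				},
				MonitoredUsers: pulumi.StringArray{
					pulumi.String("user"),
				},
			},
			ForkGuardProcessLimit: pulumi.Int(13),
			LimitNewPrivileges:    pulumi.Bool(true),
			// Malware scanning is switched on; "alert" is the configured response.
			MalwareScanOptions: &aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs{
				Action:  pulumi.String("alert"),
				Enabled: pulumi.Bool(true),
			},
			MonitorSystemTimeChanges: pulumi.Bool(true),
			ReadonlyFilesAndDirectories: pulumi.StringArray{
				pulumi.String("readonly"),
				pulumi.String("/dir/"),
			},
			ReverseShellAllowedIps: pulumi.StringArray{
				pulumi.String("ip1"),
				pulumi.String("ip2"),
			},
			ReverseShellAllowedProcesses: pulumi.StringArray{
				pulumi.String("proc1"),
				pulumi.String("proc2"),
			},
			// Workload selector. NOTE(review): "v1 || v2" presumably ORs the two scope
			// variables below in declaration order — confirm against the provider docs.
			ScopeExpression: pulumi.String("v1 || v2"),
			ScopeVariables: aquasec.ContainerRuntimePolicyScopeVariableArray{
				&aquasec.ContainerRuntimePolicyScopeVariableArgs{
					Attribute: pulumi.String("kubernetes.cluster"),
					Value:     pulumi.String("default"),
				},
				&aquasec.ContainerRuntimePolicyScopeVariableArgs{
					Attribute: pulumi.String("kubernetes.label"),
					Name:      pulumi.String("app"),
					Value:     pulumi.String("aqua"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}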
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.ContainerRuntimePolicy;
import com.pulumi.aquasec.ContainerRuntimePolicyArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyMalwareScanOptionsArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyScopeVariableArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

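public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a single Aqua container runtime policy with every control switched on.
     * All list values are samples; the policy is created with {@code enforce(false)}.
     *
     * @param ctx the Pulumi deployment context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        var containerRuntimePolicy = new ContainerRuntimePolicy("containerRuntimePolicy", ContainerRuntimePolicyArgs.builder()
            // Allow-lists (sample values): by their names these exempt entries from the
            // matching block rule, so keep them as short as possible.
            .allowedExecutables(
                "exe",
                "bin")
            .allowedRegistries(
                "registry1",
                "registry2")
            .applicationScopes("Global")
            // Auditing: record all network and process activity with full command arguments.
            .auditAllNetworkActivity(true)
            .auditAllProcessesActivity(true)
            .auditFullCommandArguments(true)
            // Hardening controls.
            .blockAccessHostNetwork(true)
            .blockAddingCapabilities(true)
            .blockContainerExec(true)
            .blockCryptocurrencyMining(true)
            .blockFilelessExec(true)
            .blockLowPortBinding(true)
            .blockNonCompliantImages(true)
            .blockNonCompliantWorkloads(true)
            .blockNonK8sContainers(true)
            .blockPrivilegedContainers(true)
            .blockReverseShell(true)
            .blockRootUser(true)
            .blockUnregisteredImages(true)
            .blockUseIpcNamespace(true)
            .blockUsePidNamespace(true)
            .blockUseUserNamespace(true)
            .blockUseUtsNamespace(true)
            // Deny-lists (sample values).
            .blockedCapabilities(
                "AUDIT_CONTROL",
                "AUDIT_WRITE")
            .blockedExecutables(
                "exe1",
                "exe2")
            .blockedFiles(
                "test1",
                "test2")
            .blockedInboundPorts(
                "80",
                "8080")
            .blockedOutboundPorts(
                "90",
                "9090")
            .blockedPackages(
                "pkg",
                "pkg2")
            .blockedVolumes(
                "blocked",
                "vol")
            .containerExecAllowedProcesses(
                "proc1",
                "proc2")
            .description("container_runtime_policy")
            .enableDriftPrevention(true)
            .enableForkGuard(true)
            .enableIpReputationSecurity(true)
            .enablePortScanDetection(true)
            .enabled(true)
            // NOTE(review): enforce(false) presumably keeps the policy in audit/alert mode,
            // so the block* controls above are reported rather than applied — confirm
            // against the enforce input before relying on this in production.
            .enforce(false)
            .exceptionalReadonlyFilesAndDirectories(
                "readonly2",
                "/dir2/")
            // File-integrity monitoring: watched paths/processes/users, the excluded ones,
            // and which file operations are recorded.
            .fileIntegrityMonitoring(ContainerRuntimePolicyFileIntegrityMonitoringArgs.builder()
                .excludedPaths("expaths")
                .excludedProcesses("exprocess")
                .excludedUsers("expuser")
                .monitorAttributes(true)
                .monitorCreate(true)
                .monitorDelete(true)
                .monitorModify(true)
                .monitorRead(true)
                .monitoredPaths("paths")
                .monitoredProcesses("process")
                .monitoredUsers("user")
                .build())
            .forkGuardProcessLimit(13)
            .limitNewPrivileges(true)
            // Malware scanning is switched on; "alert" is the configured response.
            .malwareScanOptions(ContainerRuntimePolicyMalwareScanOptionsArgs.builder()
                .action("alert")
                .enabled(true)
                .build())
            // monitorSystemTimeChanges is a boolean input in every other SDK listing;
            // the generated example passed the string "true" here, which is the wrong type.
            .monitorSystemTimeChanges(true)
            .readonlyFilesAndDirectories(
                "readonly",
                "/dir/")
            .reverseShellAllowedIps(
                "ip1",
                "ip2")
            .reverseShellAllowedProcesses(
                "proc1",
                "proc2")
            // Workload selector. NOTE(review): "v1 || v2" presumably ORs the two scope
            // variables below in declaration order — confirm against the provider docs.
            .scopeExpression("v1 || v2")
            .scopeVariables(
                ContainerRuntimePolicyScopeVariableArgs.builder()
                    .attribute("kubernetes.cluster")
                    .value("default")
                    .build(),
                ContainerRuntimePolicyScopeVariableArgs.builder()
                    .attribute("kubernetes.label")
                    .name("app")
                    .value("aqua")
                    .build())
            .build());

    }
}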
import pulumi
import pulumiverse_aquasec as aquasec

# Nested inputs are built first so the resource declaration below reads as a
# flat list of controls. Every list value is a sample.

# File-integrity monitoring: watched paths/processes/users, the excluded ones,
# and which file operations are recorded.
file_integrity_monitoring = aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs(
    excluded_paths=["expaths"],
    excluded_processes=["exprocess"],
    excluded_users=["expuser"],
    monitor_attributes=True,
    monitor_create=True,
    monitor_delete=True,
    monitor_modify=True,
    monitor_read=True,
    monitored_paths=["paths"],
    monitored_processes=["process"],
    monitored_users=["user"],
)

# Malware scanning is switched on; "alert" is the configured response.
malware_scan_options = aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs(
    action="alert",
    enabled=True,
)

# Workload selector. NOTE(review): scope_expression "v1 || v2" presumably ORs
# these two variables in declaration order — confirm against the provider docs.
scope_variables = [
    aquasec.ContainerRuntimePolicyScopeVariableArgs(
        attribute="kubernetes.cluster",
        value="default",
    ),
    aquasec.ContainerRuntimePolicyScopeVariableArgs(
        attribute="kubernetes.label",
        name="app",
        value="aqua",
    ),
]

container_runtime_policy = aquasec.ContainerRuntimePolicy(
    "containerRuntimePolicy",
    # Allow-lists (sample values): by their names these exempt entries from the
    # matching block rule, so keep them as short as possible.
    allowed_executables=["exe", "bin"],
    allowed_registries=["registry1", "registry2"],
    application_scopes=["Global"],
    # Auditing: record all network and process activity with full command arguments.
    audit_all_network_activity=True,
    audit_all_processes_activity=True,
    audit_full_command_arguments=True,
    # Hardening controls.
    block_access_host_network=True,
    block_adding_capabilities=True,
    block_container_exec=True,
    block_cryptocurrency_mining=True,
    block_fileless_exec=True,
    block_low_port_binding=True,
    block_non_compliant_images=True,
    block_non_compliant_workloads=True,
    block_non_k8s_containers=True,
    block_privileged_containers=True,
    block_reverse_shell=True,
    block_root_user=True,
    block_unregistered_images=True,
    block_use_ipc_namespace=True,
    block_use_pid_namespace=True,
    block_use_user_namespace=True,
    block_use_uts_namespace=True,
    # Deny-lists (sample values).
    blocked_capabilities=["AUDIT_CONTROL", "AUDIT_WRITE"],
    blocked_executables=["exe1", "exe2"],
    blocked_files=["test1", "test2"],
    blocked_inbound_ports=["80", "8080"],
    blocked_outbound_ports=["90", "9090"],
    blocked_packages=["pkg", "pkg2"],
    blocked_volumes=["blocked", "vol"],
    container_exec_allowed_processes=["proc1", "proc2"],
    description="container_runtime_policy",
    enable_drift_prevention=True,
    enable_fork_guard=True,
    enable_ip_reputation_security=True,
    enable_port_scan_detection=True,
    enabled=True,
    # NOTE(review): enforce=False presumably keeps the policy in audit/alert mode,
    # so the block_* controls above are reported rather than applied — confirm
    # against the enforce input before relying on this in production.
    enforce=False,
    exceptional_readonly_files_and_directories=["readonly2", "/dir2/"],
    file_integrity_monitoring=file_integrity_monitoring,
    fork_guard_process_limit=13,
    limit_new_privileges=True,
    malware_scan_options=malware_scan_options,
    monitor_system_time_changes=True,
    readonly_files_and_directories=["readonly", "/dir/"],
    reverse_shell_allowed_ips=["ip1", "ip2"],
    reverse_shell_allowed_processes=["proc1", "proc2"],
    scope_expression="v1 || v2",
    scope_variables=scope_variables,
)
import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumi/aquasec";

// Nested inputs are built first so the resource declaration below reads as a
// flat list of controls. Every list value is a sample.

// File-integrity monitoring: watched paths/processes/users, the excluded ones,
// and which file operations are recorded.
const fileIntegrityMonitoring = {
    excludedPaths: ["expaths"],
    excludedProcesses: ["exprocess"],
    excludedUsers: ["expuser"],
    monitorAttributes: true,
    monitorCreate: true,
    monitorDelete: true,
    monitorModify: true,
    monitorRead: true,
    monitoredPaths: ["paths"],
    monitoredProcesses: ["process"],
    monitoredUsers: ["user"],
};

// Malware scanning is switched on; "alert" is the configured response.
const malwareScanOptions = {
    action: "alert",
    enabled: true,
};

// Workload selector. NOTE(review): scopeExpression "v1 || v2" presumably ORs
// these two variables in declaration order — confirm against the provider docs.
const scopeVariables = [
    { attribute: "kubernetes.cluster", value: "default" },
    { attribute: "kubernetes.label", name: "app", value: "aqua" },
];

const policyArgs: aquasec.ContainerRuntimePolicyArgs = {
    // Allow-lists (sample values): by their names these exempt entries from the
    // matching block rule, so keep them as short as possible.
    allowedExecutables: ["exe", "bin"],
    allowedRegistries: ["registry1", "registry2"],
    applicationScopes: ["Global"],
    // Auditing: record all network and process activity with full command arguments.
    auditAllNetworkActivity: true,
    auditAllProcessesActivity: true,
    auditFullCommandArguments: true,
    // Hardening controls.
    blockAccessHostNetwork: true,
    blockAddingCapabilities: true,
    blockContainerExec: true,
    blockCryptocurrencyMining: true,
    blockFilelessExec: true,
    blockLowPortBinding: true,
    blockNonCompliantImages: true,
    blockNonCompliantWorkloads: true,
    blockNonK8sContainers: true,
    blockPrivilegedContainers: true,
    blockReverseShell: true,
    blockRootUser: true,
    blockUnregisteredImages: true,
    blockUseIpcNamespace: true,
    blockUsePidNamespace: true,
    blockUseUserNamespace: true,
    blockUseUtsNamespace: true,
    // Deny-lists (sample values).
    blockedCapabilities: ["AUDIT_CONTROL", "AUDIT_WRITE"],
    blockedExecutables: ["exe1", "exe2"],
    blockedFiles: ["test1", "test2"],
    blockedInboundPorts: ["80", "8080"],
    blockedOutboundPorts: ["90", "9090"],
    blockedPackages: ["pkg", "pkg2"],
    blockedVolumes: ["blocked", "vol"],
    containerExecAllowedProcesses: ["proc1", "proc2"],
    description: "container_runtime_policy",
    enableDriftPrevention: true,
    enableForkGuard: true,
    enableIpReputationSecurity: true,
    enablePortScanDetection: true,
    enabled: true,
    // NOTE(review): enforce: false presumably keeps the policy in audit/alert mode,
    // so the block* controls above are reported rather than applied — confirm
    // against the enforce input before relying on this in production.
    enforce: false,
    exceptionalReadonlyFilesAndDirectories: ["readonly2", "/dir2/"],
    fileIntegrityMonitoring: fileIntegrityMonitoring,
    forkGuardProcessLimit: 13,
    limitNewPrivileges: true,
    malwareScanOptions: malwareScanOptions,
    monitorSystemTimeChanges: true,
    readonlyFilesAndDirectories: ["readonly", "/dir/"],
    reverseShellAllowedIps: ["ip1", "ip2"],
    reverseShellAllowedProcesses: ["proc1", "proc2"],
    scopeExpression: "v1 || v2",
    scopeVariables: scopeVariables,
};

const containerRuntimePolicy = new aquasec.ContainerRuntimePolicy("container_runtime_policy", policyArgs);
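# A single Aqua container runtime policy with every control switched on.
# Every list value is a sample; the policy is created with enforce: false.
resources:
  containerRuntimePolicy:
    type: aquasec:ContainerRuntimePolicy
    properties:
      # Allow-lists (sample values): by their names these exempt entries from
      # the matching block rule, so keep them as short as possible.
      allowedExecutables:
        - exe
        - bin
      allowedRegistries:
        - registry1
        - registry2
      applicationScopes:
        - Global
      # Auditing: record all network and process activity with full command arguments.
      auditAllNetworkActivity: true
      auditAllProcessesActivity: true
      auditFullCommandArguments: true
      # Hardening controls.
      blockAccessHostNetwork: true
      blockAddingCapabilities: true
      blockContainerExec: true
      blockCryptocurrencyMining: true
      blockFilelessExec: true
      blockLowPortBinding: true
      blockNonCompliantImages: true
      blockNonCompliantWorkloads: true
      blockNonK8sContainers: true
      blockPrivilegedContainers: true
      blockReverseShell: true
      blockRootUser: true
      blockUnregisteredImages: true
      blockUseIpcNamespace: true
      blockUsePidNamespace: true
      blockUseUserNamespace: true
      blockUseUtsNamespace: true
      # Deny-lists (sample values). Ports are string inputs, so they stay quoted.
      blockedCapabilities:
        - AUDIT_CONTROL
        - AUDIT_WRITE
      blockedExecutables:
        - exe1
        - exe2
      blockedFiles:
        - test1
        - test2
      blockedInboundPorts:
        - '80'
        - '8080'
      blockedOutboundPorts:
        - '90'
        - '9090'
      blockedPackages:
        - pkg
        - pkg2
      blockedVolumes:
        - blocked
        - vol
      containerExecAllowedProcesses:
        - proc1
        - proc2
      description: container_runtime_policy
      enableDriftPrevention: true
      enableForkGuard: true
      enableIpReputationSecurity: true
      enablePortScanDetection: true
      enabled: true
      # NOTE(review): enforce: false presumably keeps the policy in audit/alert
      # mode, so the block* controls above are reported rather than applied —
      # confirm against the enforce input before relying on this in production.
      enforce: false
      exceptionalReadonlyFilesAndDirectories:
        - readonly2
        - /dir2/
      # File-integrity monitoring: watched paths/processes/users, the excluded
      # ones, and which file operations are recorded.
      fileIntegrityMonitoring:
        excludedPaths:
          - expaths
        excludedProcesses:
          - exprocess
        excludedUsers:
          - expuser
        monitorAttributes: true
        monitorCreate: true
        monitorDelete: true
        monitorModify: true
        monitorRead: true
        monitoredPaths:
          - paths
        monitoredProcesses:
          - process
        monitoredUsers:
          - user
      forkGuardProcessLimit: 13
      limitNewPrivileges: true
      # Malware scanning is switched on; alert is the configured response.
      malwareScanOptions:
        action: alert
        enabled: true
      # Boolean input in every other SDK listing; the generated example quoted
      # it ('true'), which makes it a string rather than a bool.
      monitorSystemTimeChanges: true
      readonlyFilesAndDirectories:
        - readonly
        - /dir/
      reverseShellAllowedIps:
        - ip1
        - ip2
      reverseShellAllowedProcesses:
        - proc1
        - proc2
      # Workload selector. NOTE(review): "v1 || v2" presumably ORs the two scope
      # variables below in declaration order — confirm against the provider docs.
      scopeExpression: v1 || v2
      scopeVariables:
        - attribute: kubernetes.cluster
          value: default
        - attribute: kubernetes.label
          name: app
          value: aqua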

Create ContainerRuntimePolicy Resource

new ContainerRuntimePolicy(name: string, args?: ContainerRuntimePolicyArgs, opts?: CustomResourceOptions);
@overload
def ContainerRuntimePolicy(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           allowed_executables: Optional[Sequence[str]] = None,
                           allowed_registries: Optional[Sequence[str]] = None,
                           application_scopes: Optional[Sequence[str]] = None,
                           audit_all_network_activity: Optional[bool] = None,
                           audit_all_processes_activity: Optional[bool] = None,
                           audit_full_command_arguments: Optional[bool] = None,
                           block_access_host_network: Optional[bool] = None,
                           block_adding_capabilities: Optional[bool] = None,
                           block_container_exec: Optional[bool] = None,
                           block_cryptocurrency_mining: Optional[bool] = None,
                           block_fileless_exec: Optional[bool] = None,
                           block_low_port_binding: Optional[bool] = None,
                           block_non_compliant_images: Optional[bool] = None,
                           block_non_compliant_workloads: Optional[bool] = None,
                           block_non_k8s_containers: Optional[bool] = None,
                           block_privileged_containers: Optional[bool] = None,
                           block_reverse_shell: Optional[bool] = None,
                           block_root_user: Optional[bool] = None,
                           block_unregistered_images: Optional[bool] = None,
                           block_use_ipc_namespace: Optional[bool] = None,
                           block_use_pid_namespace: Optional[bool] = None,
                           block_use_user_namespace: Optional[bool] = None,
                           block_use_uts_namespace: Optional[bool] = None,
                           blocked_capabilities: Optional[Sequence[str]] = None,
                           blocked_executables: Optional[Sequence[str]] = None,
                           blocked_files: Optional[Sequence[str]] = None,
                           blocked_inbound_ports: Optional[Sequence[str]] = None,
                           blocked_outbound_ports: Optional[Sequence[str]] = None,
                           blocked_packages: Optional[Sequence[str]] = None,
                           blocked_volumes: Optional[Sequence[str]] = None,
                           container_exec_allowed_processes: Optional[Sequence[str]] = None,
                           description: Optional[str] = None,
                           enable_drift_prevention: Optional[bool] = None,
                           enable_fork_guard: Optional[bool] = None,
                           enable_ip_reputation_security: Optional[bool] = None,
                           enable_port_scan_detection: Optional[bool] = None,
                           enabled: Optional[bool] = None,
                           enforce: Optional[bool] = None,
                           enforce_after_days: Optional[int] = None,
                           exceptional_readonly_files_and_directories: Optional[Sequence[str]] = None,
                           file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
                           fork_guard_process_limit: Optional[int] = None,
                           limit_new_privileges: Optional[bool] = None,
                           malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
                           monitor_system_time_changes: Optional[bool] = None,
                           name: Optional[str] = None,
                           readonly_files_and_directories: Optional[Sequence[str]] = None,
                           reverse_shell_allowed_ips: Optional[Sequence[str]] = None,
                           reverse_shell_allowed_processes: Optional[Sequence[str]] = None,
                           scope_expression: Optional[str] = None,
                           scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None)
@overload
def ContainerRuntimePolicy(resource_name: str,
                           args: Optional[ContainerRuntimePolicyArgs] = None,
                           opts: Optional[ResourceOptions] = None)
func NewContainerRuntimePolicy(ctx *Context, name string, args *ContainerRuntimePolicyArgs, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
public ContainerRuntimePolicy(string name, ContainerRuntimePolicyArgs? args = null, CustomResourceOptions? opts = null)
public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args)
public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args, CustomResourceOptions options)
type: aquasec:ContainerRuntimePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args ContainerRuntimePolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args ContainerRuntimePolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args ContainerRuntimePolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args ContainerRuntimePolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args ContainerRuntimePolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

ContainerRuntimePolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The ContainerRuntimePolicy resource accepts the following input properties:

AllowedExecutables List<string>

List of executables that are allowed for the user.

AllowedRegistries List<string>

List of registries from which container images are allowed to run.

ApplicationScopes List<string>

Indicates the application scope(s) that the policy applies to.

AuditAllNetworkActivity bool

If true, all network activity will be audited.

AuditAllProcessesActivity bool

If true, all process activity will be audited.

AuditFullCommandArguments bool

If true, full command arguments will be audited.

BlockAccessHostNetwork bool

If true, prevent containers from running with access to host network.

BlockAddingCapabilities bool

If true, prevent containers from running with adding capabilities with --cap-add privilege.

BlockContainerExec bool

If true, exec into a container is prevented.

BlockCryptocurrencyMining bool

If true, detect and prevent communication to DNS names/IP addresses known to be used for cryptocurrency mining.

BlockFilelessExec bool

If true, detect and prevent fileless (in-memory) execution.

BlockLowPortBinding bool

If true, prevent containers from running with the capability to bind to privileged ports (lower than 1024).

BlockNonCompliantImages bool

If true, running non-compliant image in the container is prevented.

BlockNonCompliantWorkloads bool

If true, running containers in non-compliant pods is prevented.

BlockNonK8sContainers bool

If true, running non-kubernetes containers is prevented.

BlockPrivilegedContainers bool

If true, prevent containers from running with privileged container capability.

BlockReverseShell bool

If true, reverse shell is prevented.

BlockRootUser bool

If true, prevent containers from running with root user.

BlockUnregisteredImages bool

If true, running images in the container that are not registered in Aqua is prevented.

BlockUseIpcNamespace bool

If true, prevent containers from running with the privilege to use the IPC namespace.

BlockUsePidNamespace bool

If true, prevent containers from running with the privilege to use the PID namespace.

BlockUseUserNamespace bool

If true, prevent containers from running with the privilege to use the user namespace.

BlockUseUtsNamespace bool

If true, prevent containers from running with the privilege to use the UTS namespace.

BlockedCapabilities List<string>

List of Linux capabilities that containers are prevented from using. This is a list of capability names, not a boolean.

BlockedExecutables List<string>

List of executables that are prevented from running in containers.

BlockedFiles List<string>

List of files that are prevented from being read, modified and executed in the containers.

BlockedInboundPorts List<string>

List of blocked inbound ports.

BlockedOutboundPorts List<string>

List of blocked outbound ports.

BlockedPackages List<string>

Prevent containers from reading, writing, or executing all files in the list of packages.

BlockedVolumes List<string>

List of volumes that are prevented from being mounted in the containers.

ContainerExecAllowedProcesses List<string>

List of processes exempted from the container-exec block. Every entry is a blind spot for that control, so keep the list minimal.

Description string

The description of the container runtime policy

EnableDriftPrevention bool

If true, executables that are not part of the original image are prevented from running.

EnableForkGuard bool

If true, fork bombs are prevented in the containers.

EnableIpReputationSecurity bool

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

EnablePortScanDetection bool

If true, detects port scanning behavior in the container.

Enabled bool

Indicates if the runtime policy is enabled or not.

Enforce bool

If true, the policy blocks violating container activity; if false, violations are only audited (logged), not blocked.

EnforceAfterDays int

Indicates the number of days after which the runtime policy will be changed to enforce mode.

ExceptionalReadonlyFilesAndDirectories List<string>

List of files and directories to be excluded from the read-only list.

FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

ForkGuardProcessLimit int

Process limit for the fork guard.

LimitNewPrivileges bool

If true, prevents the container from obtaining new privileges at runtime. Takes effect only when the policy is in enforce mode.

MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

MonitorSystemTimeChanges bool

If true, system time changes will be monitored.

Name string

Name of the container runtime policy

ReadonlyFilesAndDirectories List<string>

List of files and directories to be restricted as read-only

ReverseShellAllowedIps List<string>

List of IPs/CIDRs exempted from reverse-shell blocking. Every entry is a blind spot for that protection, so keep the list minimal.

ReverseShellAllowedProcesses List<string>

List of processes exempted from reverse-shell blocking; keep the list minimal.

ScopeExpression string

Logical expression of how to compute the dependency of the scope variables.

ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs>

List of scope attributes.

AllowedExecutables []string

List of executables that are allowed for the user.

AllowedRegistries []string

List of registries from which container images are allowed to run.

ApplicationScopes []string

Indicates the application scope(s) that the policy applies to.

AuditAllNetworkActivity bool

If true, all network activity will be audited.

AuditAllProcessesActivity bool

If true, all process activity will be audited.

AuditFullCommandArguments bool

If true, full command arguments will be audited.

BlockAccessHostNetwork bool

If true, prevent containers from running with access to host network.

BlockAddingCapabilities bool

If true, prevent containers from running with adding capabilities with --cap-add privilege.

BlockContainerExec bool

If true, exec into a container is prevented.

BlockCryptocurrencyMining bool

If true, detect and prevent communication to DNS names/IP addresses known to be used for cryptocurrency mining.

BlockFilelessExec bool

If true, detect and prevent fileless (in-memory) execution.

BlockLowPortBinding bool

If true, prevent containers from running with the capability to bind to privileged ports (lower than 1024).

BlockNonCompliantImages bool

If true, running non-compliant image in the container is prevented.

BlockNonCompliantWorkloads bool

If true, running containers in non-compliant pods is prevented.

BlockNonK8sContainers bool

If true, running non-kubernetes containers is prevented.

BlockPrivilegedContainers bool

If true, prevent containers from running with privileged container capability.

BlockReverseShell bool

If true, reverse shell is prevented.

BlockRootUser bool

If true, prevent containers from running with root user.

BlockUnregisteredImages bool

If true, running images in the container that are not registered in Aqua is prevented.

BlockUseIpcNamespace bool

If true, prevent containers from running with the privilege to use the IPC namespace.

BlockUsePidNamespace bool

If true, prevent containers from running with the privilege to use the PID namespace.

BlockUseUserNamespace bool

If true, prevent containers from running with the privilege to use the user namespace.

BlockUseUtsNamespace bool

If true, prevent containers from running with the privilege to use the UTS namespace.

BlockedCapabilities []string

List of Linux capabilities that containers are prevented from using. This is a list of capability names, not a boolean.

BlockedExecutables []string

List of executables that are prevented from running in containers.

BlockedFiles []string

List of files that are prevented from being read, modified and executed in the containers.

BlockedInboundPorts []string

List of blocked inbound ports.

BlockedOutboundPorts []string

List of blocked outbound ports.

BlockedPackages []string

Prevent containers from reading, writing, or executing all files in the list of packages.

BlockedVolumes []string

List of volumes that are prevented from being mounted in the containers.

ContainerExecAllowedProcesses []string

List of processes exempted from the container-exec block. Every entry is a blind spot for that control, so keep the list minimal.

Description string

The description of the container runtime policy

EnableDriftPrevention bool

If true, executables that are not part of the original image are prevented from running.

EnableForkGuard bool

If true, fork bombs are prevented in the containers.

EnableIpReputationSecurity bool

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

EnablePortScanDetection bool

If true, detects port scanning behavior in the container.

Enabled bool

Indicates if the runtime policy is enabled or not.

Enforce bool

If true, the policy blocks violating container activity; if false, violations are only audited (logged), not blocked.

EnforceAfterDays int

Indicates the number of days after which the runtime policy will be changed to enforce mode.

ExceptionalReadonlyFilesAndDirectories []string

List of files and directories to be excluded from the read-only list.

FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

ForkGuardProcessLimit int

Process limit for the fork guard.

LimitNewPrivileges bool

If true, prevents the container from obtaining new privileges at runtime. Takes effect only when the policy is in enforce mode.

MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

MonitorSystemTimeChanges bool

If true, system time changes will be monitored.

Name string

Name of the container runtime policy

ReadonlyFilesAndDirectories []string

List of files and directories to be restricted as read-only

ReverseShellAllowedIps []string

List of IPs/CIDRs exempted from reverse-shell blocking. Every entry is a blind spot for that protection, so keep the list minimal.

ReverseShellAllowedProcesses []string

List of processes exempted from reverse-shell blocking; keep the list minimal.

ScopeExpression string

Logical expression of how to compute the dependency of the scope variables.

ScopeVariables []ContainerRuntimePolicyScopeVariableArgs

List of scope attributes.

allowedExecutables List<String>

List of executables that are allowed for the user.

allowedRegistries List<String>

List of registries from which container images are allowed to run.

applicationScopes List<String>

Indicates the application scope(s) that the policy applies to.

auditAllNetworkActivity Boolean

If true, all network activity will be audited.

auditAllProcessesActivity Boolean

If true, all process activity will be audited.

auditFullCommandArguments Boolean

If true, full command arguments will be audited.

blockAccessHostNetwork Boolean

If true, prevent containers from running with access to host network.

blockAddingCapabilities Boolean

If true, prevent containers from running with adding capabilities with --cap-add privilege.

blockContainerExec Boolean

If true, exec into a container is prevented.

blockCryptocurrencyMining Boolean

If true, detect and prevent communication to DNS names/IP addresses known to be used for cryptocurrency mining.

blockFilelessExec Boolean

If true, detect and prevent fileless (in-memory) execution.

blockLowPortBinding Boolean

If true, prevent containers from running with the capability to bind to privileged ports (lower than 1024).

blockNonCompliantImages Boolean

If true, running non-compliant image in the container is prevented.

blockNonCompliantWorkloads Boolean

If true, running containers in non-compliant pods is prevented.

blockNonK8sContainers Boolean

If true, running non-kubernetes containers is prevented.

blockPrivilegedContainers Boolean

If true, prevent containers from running with privileged container capability.

blockReverseShell Boolean

If true, reverse shell is prevented.

blockRootUser Boolean

If true, prevent containers from running with root user.

blockUnregisteredImages Boolean

If true, running images in the container that are not registered in Aqua is prevented.

blockUseIpcNamespace Boolean

If true, prevent containers from running with the privilege to use the IPC namespace.

blockUsePidNamespace Boolean

If true, prevent containers from running with the privilege to use the PID namespace.

blockUseUserNamespace Boolean

If true, prevent containers from running with the privilege to use the user namespace.

blockUseUtsNamespace Boolean

If true, prevent containers from running with the privilege to use the UTS namespace.

blockedCapabilities List<String>

List of Linux capabilities that containers are prevented from using. This is a list of capability names, not a boolean.

blockedExecutables List<String>

List of executables that are prevented from running in containers.

blockedFiles List<String>

List of files that are prevented from being read, modified and executed in the containers.

blockedInboundPorts List<String>

List of blocked inbound ports.

blockedOutboundPorts List<String>

List of blocked outbound ports.

blockedPackages List<String>

Prevent containers from reading, writing, or executing all files in the list of packages.

blockedVolumes List<String>

List of volumes that are prevented from being mounted in the containers.

containerExecAllowedProcesses List<String>

List of processes exempted from the container-exec block. Every entry is a blind spot for that control, so keep the list minimal.

description String

The description of the container runtime policy

enableDriftPrevention Boolean

If true, executables that are not part of the original image are prevented from running.

enableForkGuard Boolean

If true, fork bombs are prevented in the containers.

enableIpReputationSecurity Boolean

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enablePortScanDetection Boolean

If true, detects port scanning behavior in the container.

enabled Boolean

Indicates if the runtime policy is enabled or not.

enforce Boolean

If true, the policy blocks violating container activity; if false, violations are only audited (logged), not blocked.

enforceAfterDays Integer

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptionalReadonlyFilesAndDirectories List<String>

List of files and directories to be excluded from the read-only list.

fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

forkGuardProcessLimit Integer

Process limit for the fork guard.

limitNewPrivileges Boolean

If true, prevents the container from obtaining new privileges at runtime. Takes effect only when the policy is in enforce mode.

malwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

monitorSystemTimeChanges Boolean

If true, system time changes will be monitored.

name String

Name of the container runtime policy

readonlyFilesAndDirectories List<String>

List of files and directories to be restricted as read-only

reverseShellAllowedIps List<String>

List of IPs/CIDRs exempted from reverse-shell blocking. Every entry is a blind spot for that protection, so keep the list minimal.

reverseShellAllowedProcesses List<String>

List of processes exempted from reverse-shell blocking; keep the list minimal.

scopeExpression String

Logical expression of how to compute the dependency of the scope variables.

scopeVariables List<ContainerRuntimePolicyScopeVariableArgs>

List of scope attributes.

allowedExecutables string[]

List of executables that are allowed for the user.

allowedRegistries string[]

List of registries from which container images are allowed to run.

applicationScopes string[]

Indicates the application scope(s) that the policy applies to.

auditAllNetworkActivity boolean

If true, all network activity will be audited.

auditAllProcessesActivity boolean

If true, all process activity will be audited.

auditFullCommandArguments boolean

If true, full command arguments will be audited.

blockAccessHostNetwork boolean

If true, prevent containers from running with access to host network.

blockAddingCapabilities boolean

If true, prevent containers from running with adding capabilities with --cap-add privilege.

blockContainerExec boolean

If true, exec into a container is prevented.

blockCryptocurrencyMining boolean

If true, detect and prevent communication to DNS names/IP addresses known to be used for cryptocurrency mining.

blockFilelessExec boolean

If true, detect and prevent fileless (in-memory) execution.

blockLowPortBinding boolean

If true, prevent containers from running with the capability to bind to privileged ports (lower than 1024).

blockNonCompliantImages boolean

If true, running non-compliant image in the container is prevented.

blockNonCompliantWorkloads boolean

If true, running containers in non-compliant pods is prevented.

blockNonK8sContainers boolean

If true, running non-kubernetes containers is prevented.

blockPrivilegedContainers boolean

If true, prevent containers from running with privileged container capability.

blockReverseShell boolean

If true, reverse shell is prevented.

blockRootUser boolean

If true, prevent containers from running with root user.

blockUnregisteredImages boolean

If true, running images in the container that are not registered in Aqua is prevented.

blockUseIpcNamespace boolean

If true, prevent containers from running with the privilege to use the IPC namespace.

blockUsePidNamespace boolean

If true, prevent containers from running with the privilege to use the PID namespace.

blockUseUserNamespace boolean

If true, prevent containers from running with the privilege to use the user namespace.

blockUseUtsNamespace boolean

If true, prevent containers from running with the privilege to use the UTS namespace.

blockedCapabilities string[]

List of Linux capabilities that containers are prevented from using. This is a list of capability names, not a boolean.

blockedExecutables string[]

List of executables that are prevented from running in containers.

blockedFiles string[]

List of files that are prevented from being read, modified and executed in the containers.

blockedInboundPorts string[]

List of blocked inbound ports.

blockedOutboundPorts string[]

List of blocked outbound ports.

blockedPackages string[]

Prevent containers from reading, writing, or executing all files in the list of packages.

blockedVolumes string[]

List of volumes that are prevented from being mounted in the containers.

containerExecAllowedProcesses string[]

List of processes exempted from the container-exec block. Every entry is a blind spot for that control, so keep the list minimal.

description string

The description of the container runtime policy

enableDriftPrevention boolean

If true, executables that are not part of the original image are prevented from running.

enableForkGuard boolean

If true, fork bombs are prevented in the containers.

enableIpReputationSecurity boolean

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enablePortScanDetection boolean

If true, detects port scanning behavior in the container.

enabled boolean

Indicates if the runtime policy is enabled or not.

enforce boolean

If true, the policy blocks violating container activity; if false, violations are only audited (logged), not blocked.

enforceAfterDays number

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptionalReadonlyFilesAndDirectories string[]

List of files and directories to be excluded from the read-only list.

fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

forkGuardProcessLimit number

Process limit for the fork guard.

limitNewPrivileges boolean

If true, prevents the container from obtaining new privileges at runtime. Takes effect only when the policy is in enforce mode.

malwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

monitorSystemTimeChanges boolean

If true, system time changes will be monitored.

name string

Name of the container runtime policy

readonlyFilesAndDirectories string[]

List of files and directories to be restricted as read-only

reverseShellAllowedIps string[]

List of IPs/CIDRs exempted from reverse-shell blocking. Every entry is a blind spot for that protection, so keep the list minimal.

reverseShellAllowedProcesses string[]

List of processes exempted from reverse-shell blocking; keep the list minimal.

scopeExpression string

Logical expression of how to compute the dependency of the scope variables.

scopeVariables ContainerRuntimePolicyScopeVariableArgs[]

List of scope attributes.

allowed_executables Sequence[str]

List of executables that are allowed for the user.

allowed_registries Sequence[str]

List of registries from which container images are allowed to run.

application_scopes Sequence[str]

Indicates the application scope(s) that the policy applies to.

audit_all_network_activity bool

If true, all network activity will be audited.

audit_all_processes_activity bool

If true, all process activity will be audited.

audit_full_command_arguments bool

If true, full command arguments will be audited.

block_access_host_network bool

If true, prevent containers from running with access to host network.

block_adding_capabilities bool

If true, prevent containers from running with adding capabilities with --cap-add privilege.

block_container_exec bool

If true, exec into a container is prevented.

block_cryptocurrency_mining bool

If true, detect and prevent communication to DNS names/IP addresses known to be used for cryptocurrency mining.

block_fileless_exec bool

If true, detect and prevent fileless (in-memory) execution.

block_low_port_binding bool

If true, prevent containers from running with the capability to bind to privileged ports (lower than 1024).

block_non_compliant_images bool

If true, running non-compliant image in the container is prevented.

block_non_compliant_workloads bool

If true, running containers in non-compliant pods is prevented.

block_non_k8s_containers bool

If true, running non-kubernetes containers is prevented.

block_privileged_containers bool

If true, prevent containers from running with privileged container capability.

block_reverse_shell bool

If true, reverse shell is prevented.

block_root_user bool

If true, prevent containers from running with root user.

block_unregistered_images bool

If true, running images in the container that are not registered in Aqua is prevented.

block_use_ipc_namespace bool

If true, prevent containers from running with the privilege to use the IPC namespace.

block_use_pid_namespace bool

If true, prevent containers from running with the privilege to use the PID namespace.

block_use_user_namespace bool

If true, prevent containers from running with the privilege to use the user namespace.

block_use_uts_namespace bool

If true, prevent containers from running with the privilege to use the UTS namespace.

blocked_capabilities Sequence[str]

List of Linux capabilities that containers are prevented from using. This is a list of capability names, not a boolean.

blocked_executables Sequence[str]

List of executables that are prevented from running in containers.

blocked_files Sequence[str]

List of files that are prevented from being read, modified and executed in the containers.

blocked_inbound_ports Sequence[str]

List of blocked inbound ports.

blocked_outbound_ports Sequence[str]

List of blocked outbound ports.

blocked_packages Sequence[str]

Prevent containers from reading, writing, or executing all files in the list of packages.

blocked_volumes Sequence[str]

List of volumes that are prevented from being mounted in the containers.

container_exec_allowed_processes Sequence[str]

List of processes exempted from the container-exec block. Every entry is a blind spot for that control, so keep the list minimal.

description str

The description of the container runtime policy

enable_drift_prevention bool

If true, executables that are not part of the original image are prevented from running.

enable_fork_guard bool

If true, fork bombs are prevented in the containers.

enable_ip_reputation_security bool

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enable_port_scan_detection bool

If true, detects port scanning behavior in the container.

enabled bool

Indicates if the runtime policy is enabled or not.

enforce bool

If true, the policy blocks violating container activity; if false, violations are only audited (logged), not blocked.

enforce_after_days int

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptional_readonly_files_and_directories Sequence[str]

List of files and directories to be excluded from the read-only list.

file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

fork_guard_process_limit int

Process limit for the fork guard.

limit_new_privileges bool

If true, prevents the container from obtaining new privileges at runtime. Takes effect only when the policy is in enforce mode.

malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

monitor_system_time_changes bool

If true, system time changes will be monitored.

name str

Name of the container runtime policy

readonly_files_and_directories Sequence[str]

List of files and directories to be restricted as read-only

reverse_shell_allowed_ips Sequence[str]

List of IPs/CIDRs exempted from reverse-shell blocking. Every entry is a blind spot for that protection, so keep the list minimal.

reverse_shell_allowed_processes Sequence[str]

List of processes exempted from reverse-shell blocking; keep the list minimal.

scope_expression str

Logical expression of how to compute the dependency of the scope variables.

scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]

List of scope attributes.

allowedExecutables List<String>

List of executables that are allowed for the user.

allowedRegistries List<String>

List of registries from which container images are allowed to run.

applicationScopes List<String>

Indicates the application scope(s) that the policy applies to.

auditAllNetworkActivity Boolean

If true, all network activity will be audited.

auditAllProcessesActivity Boolean

If true, all process activity will be audited.

auditFullCommandArguments Boolean

If true, full command arguments will be audited.

blockAccessHostNetwork Boolean

If true, prevent containers from running with access to host network.

blockAddingCapabilities Boolean

If true, prevent containers from running with adding capabilities with --cap-add privilege.

blockContainerExec Boolean

If true, exec into a container is prevented.

blockCryptocurrencyMining Boolean

If true, detect and prevent communication to DNS names/IP addresses known to be used for cryptocurrency mining.

blockFilelessExec Boolean

If true, detect and prevent fileless (in-memory) execution.

blockLowPortBinding Boolean

If true, prevent containers from running with the capability to bind to privileged ports (lower than 1024).

blockNonCompliantImages Boolean

If true, running non-compliant image in the container is prevented.

blockNonCompliantWorkloads Boolean

If true, running containers in non-compliant pods is prevented.

blockNonK8sContainers Boolean

If true, running non-kubernetes containers is prevented.

blockPrivilegedContainers Boolean

If true, prevent containers from running with privileged container capability.

blockReverseShell Boolean

If true, reverse shell is prevented.

blockRootUser Boolean

If true, prevent containers from running with root user.

blockUnregisteredImages Boolean

If true, running images in the container that are not registered in Aqua is prevented.

blockUseIpcNamespace Boolean

If true, prevent containers from running with the privilege to use the IPC namespace.

blockUsePidNamespace Boolean

If true, prevent containers from running with the privilege to use the PID namespace.

blockUseUserNamespace Boolean

If true, prevent containers from running with the privilege to use the user namespace.

blockUseUtsNamespace Boolean

If true, prevent containers from running with the privilege to use the UTS namespace.

blockedCapabilities List<String>

List of Linux capabilities that containers are prevented from using. This is a list of capability names, not a boolean.

blockedExecutables List<String>

List of executables that are prevented from running in containers.

blockedFiles List<String>

List of files that are prevented from being read, modified and executed in the containers.

blockedInboundPorts List<String>

List of blocked inbound ports.

blockedOutboundPorts List<String>

List of blocked outbound ports.

blockedPackages List<String>

Prevent containers from reading, writing, or executing all files in the list of packages.

blockedVolumes List<String>

List of volumes that are prevented from being mounted in the containers.

containerExecAllowedProcesses List<String>

List of processes exempted from the container-exec block. Every entry is a blind spot for that control, so keep the list minimal.

description String

The description of the container runtime policy

enableDriftPrevention Boolean

If true, executables that are not part of the original image are prevented from running.

enableForkGuard Boolean

If true, fork bombs are prevented in the containers.

enableIpReputationSecurity Boolean

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enablePortScanDetection Boolean

If true, detects port scanning behavior in the container.

enabled Boolean

Indicates if the runtime policy is enabled or not.

enforce Boolean

If true, the policy blocks violating container activity; if false, violations are only audited (logged), not blocked.

enforceAfterDays Number

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptionalReadonlyFilesAndDirectories List<String>

List of files and directories to be excluded from the read-only list.

fileIntegrityMonitoring Property Map

Configuration for file integrity monitoring.

forkGuardProcessLimit Number

Process limit for the fork guard.

limitNewPrivileges Boolean

If true, prevents the container from obtaining new privileges at runtime. Takes effect only when the policy is in enforce mode.

malwareScanOptions Property Map

Configuration for Real-Time Malware Protection.

monitorSystemTimeChanges Boolean

If true, system time changes will be monitored.

name String

Name of the container runtime policy

readonlyFilesAndDirectories List<String>

List of files and directories to be restricted as read-only

reverseShellAllowedIps List<String>

List of IPs/CIDRs exempted from reverse-shell blocking. Every entry is a blind spot for that protection, so keep the list minimal.

reverseShellAllowedProcesses List<String>

List of processes exempted from reverse-shell blocking; keep the list minimal.

scopeExpression String

Logical expression of how to compute the dependency of the scope variables.

scopeVariables List<Property Map>

List of scope attributes.

Outputs

All input properties are implicitly available as output properties. Additionally, the ContainerRuntimePolicy resource produces the following output properties:

Author string

Username of the account that created the policy.

Id string

The provider-assigned unique ID for this managed resource.

Author string

Username of the account that created the policy.

Id string

The provider-assigned unique ID for this managed resource.

author String

Username of the account that created the policy.

id String

The provider-assigned unique ID for this managed resource.

author string

Username of the account that created the policy.

id string

The provider-assigned unique ID for this managed resource.

author str

Username of the account that created the policy.

id str

The provider-assigned unique ID for this managed resource.

author String

Username of the account that created the policy.

id String

The provider-assigned unique ID for this managed resource.

Look up Existing ContainerRuntimePolicy Resource

Get an existing ContainerRuntimePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ContainerRuntimePolicyState, opts?: CustomResourceOptions): ContainerRuntimePolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allowed_executables: Optional[Sequence[str]] = None,
        allowed_registries: Optional[Sequence[str]] = None,
        application_scopes: Optional[Sequence[str]] = None,
        audit_all_network_activity: Optional[bool] = None,
        audit_all_processes_activity: Optional[bool] = None,
        audit_full_command_arguments: Optional[bool] = None,
        author: Optional[str] = None,
        block_access_host_network: Optional[bool] = None,
        block_adding_capabilities: Optional[bool] = None,
        block_container_exec: Optional[bool] = None,
        block_cryptocurrency_mining: Optional[bool] = None,
        block_fileless_exec: Optional[bool] = None,
        block_low_port_binding: Optional[bool] = None,
        block_non_compliant_images: Optional[bool] = None,
        block_non_compliant_workloads: Optional[bool] = None,
        block_non_k8s_containers: Optional[bool] = None,
        block_privileged_containers: Optional[bool] = None,
        block_reverse_shell: Optional[bool] = None,
        block_root_user: Optional[bool] = None,
        block_unregistered_images: Optional[bool] = None,
        block_use_ipc_namespace: Optional[bool] = None,
        block_use_pid_namespace: Optional[bool] = None,
        block_use_user_namespace: Optional[bool] = None,
        block_use_uts_namespace: Optional[bool] = None,
        blocked_capabilities: Optional[Sequence[str]] = None,
        blocked_executables: Optional[Sequence[str]] = None,
        blocked_files: Optional[Sequence[str]] = None,
        blocked_inbound_ports: Optional[Sequence[str]] = None,
        blocked_outbound_ports: Optional[Sequence[str]] = None,
        blocked_packages: Optional[Sequence[str]] = None,
        blocked_volumes: Optional[Sequence[str]] = None,
        container_exec_allowed_processes: Optional[Sequence[str]] = None,
        description: Optional[str] = None,
        enable_drift_prevention: Optional[bool] = None,
        enable_fork_guard: Optional[bool] = None,
        enable_ip_reputation_security: Optional[bool] = None,
        enable_port_scan_detection: Optional[bool] = None,
        enabled: Optional[bool] = None,
        enforce: Optional[bool] = None,
        enforce_after_days: Optional[int] = None,
        exceptional_readonly_files_and_directories: Optional[Sequence[str]] = None,
        file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
        fork_guard_process_limit: Optional[int] = None,
        limit_new_privileges: Optional[bool] = None,
        malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
        monitor_system_time_changes: Optional[bool] = None,
        name: Optional[str] = None,
        readonly_files_and_directories: Optional[Sequence[str]] = None,
        reverse_shell_allowed_ips: Optional[Sequence[str]] = None,
        reverse_shell_allowed_processes: Optional[Sequence[str]] = None,
        scope_expression: Optional[str] = None,
        scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None) -> ContainerRuntimePolicy
func GetContainerRuntimePolicy(ctx *Context, name string, id IDInput, state *ContainerRuntimePolicyState, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
public static ContainerRuntimePolicy Get(string name, Input<string> id, ContainerRuntimePolicyState? state, CustomResourceOptions? opts = null)
public static ContainerRuntimePolicy get(String name, Output<String> id, ContainerRuntimePolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AllowedExecutables List<string>

List of executables that are allowed for the user.

AllowedRegistries List<string>

List of registries that are allowed for running containers.

ApplicationScopes List<string>

Indicates the application scope of the service.

AuditAllNetworkActivity bool

If true, all network activity will be audited.

AuditAllProcessesActivity bool

If true, all process activity will be audited.

AuditFullCommandArguments bool

If true, full command arguments will be audited.

Author string

Username of the account that created the service.

BlockAccessHostNetwork bool

If true, prevent containers from running with access to host network.

BlockAddingCapabilities bool

If true, prevents containers from running with additional capabilities added via the --cap-add privilege.

BlockContainerExec bool

If true, exec into a container is prevented.

BlockCryptocurrencyMining bool

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

BlockFilelessExec bool

Detect and prevent running in-memory execution

BlockLowPortBinding bool

If true, prevents containers from running with the capability to bind to a port lower than 1024.

BlockNonCompliantImages bool

If true, running non-compliant image in the container is prevented.

BlockNonCompliantWorkloads bool

If true, running containers in non-compliant pods is prevented.

BlockNonK8sContainers bool

If true, running non-kubernetes containers is prevented.

BlockPrivilegedContainers bool

If true, prevent containers from running with privileged container capability.

BlockReverseShell bool

If true, reverse shell is prevented.

BlockRootUser bool

If true, prevent containers from running with root user.

BlockUnregisteredImages bool

If true, running images in the container that are not registered in Aqua is prevented.

BlockUseIpcNamespace bool

If true, prevent containers from running with the privilege to use the IPC namespace.

BlockUsePidNamespace bool

If true, prevent containers from running with the privilege to use the PID namespace.

BlockUseUserNamespace bool

If true, prevent containers from running with the privilege to use the user namespace.

BlockUseUtsNamespace bool

If true, prevent containers from running with the privilege to use the UTS namespace.

BlockedCapabilities List<string>

List of Unix capabilities that containers are prevented from using.

BlockedExecutables List<string>

List of executables that are prevented from running in containers.

BlockedFiles List<string>

List of files that are prevented from being read, modified and executed in the containers.

BlockedInboundPorts List<string>

List of blocked inbound ports.

BlockedOutboundPorts List<string>

List of blocked outbound ports.

BlockedPackages List<string>

Prevent containers from reading, writing, or executing all files in the list of packages.

BlockedVolumes List<string>

List of volumes that are prevented from being mounted in the containers.

ContainerExecAllowedProcesses List<string>

List of processes that will be allowed.

Description string

The description of the container runtime policy

EnableDriftPrevention bool

If true, executables that are not in the original image are prevented from running.

EnableForkGuard bool

If true, fork bombs are prevented in the containers.

EnableIpReputationSecurity bool

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

EnablePortScanDetection bool

If true, detects port scanning behavior in the container.

Enabled bool

Indicates if the runtime policy is enabled or not.

Enforce bool

Indicates that the policy should affect container execution (not just audit it).

EnforceAfterDays int

Indicates the number of days after which the runtime policy will be changed to enforce mode.

ExceptionalReadonlyFilesAndDirectories List<string>

List of files and directories to be excluded from the read-only list.

FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

ForkGuardProcessLimit int

Process limit for the fork guard.

LimitNewPrivileges bool

If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

MonitorSystemTimeChanges bool

If true, system time changes will be monitored.

Name string

Name of the container runtime policy

ReadonlyFilesAndDirectories List<string>

List of files and directories to be restricted as read-only

ReverseShellAllowedIps List<string>

List of IPs/ CIDRs that will be allowed

ReverseShellAllowedProcesses List<string>

List of processes that will be allowed

ScopeExpression string

Logical expression of how to compute the dependency of the scope variables.

ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs>

List of scope attributes.

AllowedExecutables []string

List of executables that are allowed for the user.

AllowedRegistries []string

List of registries that are allowed for running containers.

ApplicationScopes []string

Indicates the application scope of the service.

AuditAllNetworkActivity bool

If true, all network activity will be audited.

AuditAllProcessesActivity bool

If true, all process activity will be audited.

AuditFullCommandArguments bool

If true, full command arguments will be audited.

Author string

Username of the account that created the service.

BlockAccessHostNetwork bool

If true, prevent containers from running with access to host network.

BlockAddingCapabilities bool

If true, prevents containers from running with additional capabilities added via the --cap-add privilege.

BlockContainerExec bool

If true, exec into a container is prevented.

BlockCryptocurrencyMining bool

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

BlockFilelessExec bool

Detect and prevent running in-memory execution

BlockLowPortBinding bool

If true, prevents containers from running with the capability to bind to a port lower than 1024.

BlockNonCompliantImages bool

If true, running non-compliant image in the container is prevented.

BlockNonCompliantWorkloads bool

If true, running containers in non-compliant pods is prevented.

BlockNonK8sContainers bool

If true, running non-kubernetes containers is prevented.

BlockPrivilegedContainers bool

If true, prevent containers from running with privileged container capability.

BlockReverseShell bool

If true, reverse shell is prevented.

BlockRootUser bool

If true, prevent containers from running with root user.

BlockUnregisteredImages bool

If true, running images in the container that are not registered in Aqua is prevented.

BlockUseIpcNamespace bool

If true, prevent containers from running with the privilege to use the IPC namespace.

BlockUsePidNamespace bool

If true, prevent containers from running with the privilege to use the PID namespace.

BlockUseUserNamespace bool

If true, prevent containers from running with the privilege to use the user namespace.

BlockUseUtsNamespace bool

If true, prevent containers from running with the privilege to use the UTS namespace.

BlockedCapabilities []string

List of Unix capabilities that containers are prevented from using.

BlockedExecutables []string

List of executables that are prevented from running in containers.

BlockedFiles []string

List of files that are prevented from being read, modified and executed in the containers.

BlockedInboundPorts []string

List of blocked inbound ports.

BlockedOutboundPorts []string

List of blocked outbound ports.

BlockedPackages []string

Prevent containers from reading, writing, or executing all files in the list of packages.

BlockedVolumes []string

List of volumes that are prevented from being mounted in the containers.

ContainerExecAllowedProcesses []string

List of processes that will be allowed.

Description string

The description of the container runtime policy

EnableDriftPrevention bool

If true, executables that are not in the original image are prevented from running.

EnableForkGuard bool

If true, fork bombs are prevented in the containers.

EnableIpReputationSecurity bool

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

EnablePortScanDetection bool

If true, detects port scanning behavior in the container.

Enabled bool

Indicates if the runtime policy is enabled or not.

Enforce bool

Indicates that the policy should affect container execution (not just audit it).

EnforceAfterDays int

Indicates the number of days after which the runtime policy will be changed to enforce mode.

ExceptionalReadonlyFilesAndDirectories []string

List of files and directories to be excluded from the read-only list.

FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

ForkGuardProcessLimit int

Process limit for the fork guard.

LimitNewPrivileges bool

If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

MonitorSystemTimeChanges bool

If true, system time changes will be monitored.

Name string

Name of the container runtime policy

ReadonlyFilesAndDirectories []string

List of files and directories to be restricted as read-only

ReverseShellAllowedIps []string

List of IPs/ CIDRs that will be allowed

ReverseShellAllowedProcesses []string

List of processes that will be allowed

ScopeExpression string

Logical expression of how to compute the dependency of the scope variables.

ScopeVariables []ContainerRuntimePolicyScopeVariableArgs

List of scope attributes.

allowedExecutables List<String>

List of executables that are allowed for the user.

allowedRegistries List<String>

List of registries that are allowed for running containers.

applicationScopes List<String>

Indicates the application scope of the service.

auditAllNetworkActivity Boolean

If true, all network activity will be audited.

auditAllProcessesActivity Boolean

If true, all process activity will be audited.

auditFullCommandArguments Boolean

If true, full command arguments will be audited.

author String

Username of the account that created the service.

blockAccessHostNetwork Boolean

If true, prevent containers from running with access to host network.

blockAddingCapabilities Boolean

If true, prevents containers from running with additional capabilities added via the --cap-add privilege.

blockContainerExec Boolean

If true, exec into a container is prevented.

blockCryptocurrencyMining Boolean

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

blockFilelessExec Boolean

Detect and prevent running in-memory execution

blockLowPortBinding Boolean

If true, prevents containers from running with the capability to bind to a port lower than 1024.

blockNonCompliantImages Boolean

If true, running non-compliant image in the container is prevented.

blockNonCompliantWorkloads Boolean

If true, running containers in non-compliant pods is prevented.

blockNonK8sContainers Boolean

If true, running non-kubernetes containers is prevented.

blockPrivilegedContainers Boolean

If true, prevent containers from running with privileged container capability.

blockReverseShell Boolean

If true, reverse shell is prevented.

blockRootUser Boolean

If true, prevent containers from running with root user.

blockUnregisteredImages Boolean

If true, running images in the container that are not registered in Aqua is prevented.

blockUseIpcNamespace Boolean

If true, prevent containers from running with the privilege to use the IPC namespace.

blockUsePidNamespace Boolean

If true, prevent containers from running with the privilege to use the PID namespace.

blockUseUserNamespace Boolean

If true, prevent containers from running with the privilege to use the user namespace.

blockUseUtsNamespace Boolean

If true, prevent containers from running with the privilege to use the UTS namespace.

blockedCapabilities List<String>

List of Unix capabilities that containers are prevented from using.

blockedExecutables List<String>

List of executables that are prevented from running in containers.

blockedFiles List<String>

List of files that are prevented from being read, modified and executed in the containers.

blockedInboundPorts List<String>

List of blocked inbound ports.

blockedOutboundPorts List<String>

List of blocked outbound ports.

blockedPackages List<String>

Prevent containers from reading, writing, or executing all files in the list of packages.

blockedVolumes List<String>

List of volumes that are prevented from being mounted in the containers.

containerExecAllowedProcesses List<String>

List of processes that will be allowed.

description String

The description of the container runtime policy

enableDriftPrevention Boolean

If true, executables that are not in the original image are prevented from running.

enableForkGuard Boolean

If true, fork bombs are prevented in the containers.

enableIpReputationSecurity Boolean

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enablePortScanDetection Boolean

If true, detects port scanning behavior in the container.

enabled Boolean

Indicates if the runtime policy is enabled or not.

enforce Boolean

Indicates that the policy should affect container execution (not just audit it).

enforceAfterDays Integer

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptionalReadonlyFilesAndDirectories List<String>

List of files and directories to be excluded from the read-only list.

fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

forkGuardProcessLimit Integer

Process limit for the fork guard.

limitNewPrivileges Boolean

If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

malwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

monitorSystemTimeChanges Boolean

If true, system time changes will be monitored.

name String

Name of the container runtime policy

readonlyFilesAndDirectories List<String>

List of files and directories to be restricted as read-only

reverseShellAllowedIps List<String>

List of IPs/ CIDRs that will be allowed

reverseShellAllowedProcesses List<String>

List of processes that will be allowed

scopeExpression String

Logical expression of how to compute the dependency of the scope variables.

scopeVariables List<ContainerRuntimePolicyScopeVariableArgs>

List of scope attributes.

allowedExecutables string[]

List of executables that are allowed for the user.

allowedRegistries string[]

List of registries that are allowed for running containers.

applicationScopes string[]

Indicates the application scope of the service.

auditAllNetworkActivity boolean

If true, all network activity will be audited.

auditAllProcessesActivity boolean

If true, all process activity will be audited.

auditFullCommandArguments boolean

If true, full command arguments will be audited.

author string

Username of the account that created the service.

blockAccessHostNetwork boolean

If true, prevent containers from running with access to host network.

blockAddingCapabilities boolean

If true, prevents containers from running with additional capabilities added via the --cap-add privilege.

blockContainerExec boolean

If true, exec into a container is prevented.

blockCryptocurrencyMining boolean

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

blockFilelessExec boolean

Detect and prevent running in-memory execution

blockLowPortBinding boolean

If true, prevents containers from running with the capability to bind to a port lower than 1024.

blockNonCompliantImages boolean

If true, running non-compliant image in the container is prevented.

blockNonCompliantWorkloads boolean

If true, running containers in non-compliant pods is prevented.

blockNonK8sContainers boolean

If true, running non-kubernetes containers is prevented.

blockPrivilegedContainers boolean

If true, prevent containers from running with privileged container capability.

blockReverseShell boolean

If true, reverse shell is prevented.

blockRootUser boolean

If true, prevent containers from running with root user.

blockUnregisteredImages boolean

If true, running images in the container that are not registered in Aqua is prevented.

blockUseIpcNamespace boolean

If true, prevent containers from running with the privilege to use the IPC namespace.

blockUsePidNamespace boolean

If true, prevent containers from running with the privilege to use the PID namespace.

blockUseUserNamespace boolean

If true, prevent containers from running with the privilege to use the user namespace.

blockUseUtsNamespace boolean

If true, prevent containers from running with the privilege to use the UTS namespace.

blockedCapabilities string[]

List of Unix capabilities that containers are prevented from using.

blockedExecutables string[]

List of executables that are prevented from running in containers.

blockedFiles string[]

List of files that are prevented from being read, modified and executed in the containers.

blockedInboundPorts string[]

List of blocked inbound ports.

blockedOutboundPorts string[]

List of blocked outbound ports.

blockedPackages string[]

Prevent containers from reading, writing, or executing all files in the list of packages.

blockedVolumes string[]

List of volumes that are prevented from being mounted in the containers.

containerExecAllowedProcesses string[]

List of processes that will be allowed.

description string

The description of the container runtime policy

enableDriftPrevention boolean

If true, executables that are not in the original image are prevented from running.

enableForkGuard boolean

If true, fork bombs are prevented in the containers.

enableIpReputationSecurity boolean

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enablePortScanDetection boolean

If true, detects port scanning behavior in the container.

enabled boolean

Indicates if the runtime policy is enabled or not.

enforce boolean

Indicates that the policy should affect container execution (not just audit it).

enforceAfterDays number

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptionalReadonlyFilesAndDirectories string[]

List of files and directories to be excluded from the read-only list.

fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

forkGuardProcessLimit number

Process limit for the fork guard.

limitNewPrivileges boolean

If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

malwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

monitorSystemTimeChanges boolean

If true, system time changes will be monitored.

name string

Name of the container runtime policy

readonlyFilesAndDirectories string[]

List of files and directories to be restricted as read-only

reverseShellAllowedIps string[]

List of IPs/ CIDRs that will be allowed

reverseShellAllowedProcesses string[]

List of processes that will be allowed

scopeExpression string

Logical expression of how to compute the dependency of the scope variables.

scopeVariables ContainerRuntimePolicyScopeVariableArgs[]

List of scope attributes.

allowed_executables Sequence[str]

List of executables that are allowed for the user.

allowed_registries Sequence[str]

List of registries that are allowed for running containers.

application_scopes Sequence[str]

Indicates the application scope of the service.

audit_all_network_activity bool

If true, all network activity will be audited.

audit_all_processes_activity bool

If true, all process activity will be audited.

audit_full_command_arguments bool

If true, full command arguments will be audited.

author str

Username of the account that created the service.

block_access_host_network bool

If true, prevent containers from running with access to host network.

block_adding_capabilities bool

If true, prevents containers from running with additional capabilities added via the --cap-add privilege.

block_container_exec bool

If true, exec into a container is prevented.

block_cryptocurrency_mining bool

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

block_fileless_exec bool

Detect and prevent running in-memory execution

block_low_port_binding bool

If true, prevents containers from running with the capability to bind to a port lower than 1024.

block_non_compliant_images bool

If true, running non-compliant image in the container is prevented.

block_non_compliant_workloads bool

If true, running containers in non-compliant pods is prevented.

block_non_k8s_containers bool

If true, running non-kubernetes containers is prevented.

block_privileged_containers bool

If true, prevent containers from running with privileged container capability.

block_reverse_shell bool

If true, reverse shell is prevented.

block_root_user bool

If true, prevent containers from running with root user.

block_unregistered_images bool

If true, running images in the container that are not registered in Aqua is prevented.

block_use_ipc_namespace bool

If true, prevent containers from running with the privilege to use the IPC namespace.

block_use_pid_namespace bool

If true, prevent containers from running with the privilege to use the PID namespace.

block_use_user_namespace bool

If true, prevent containers from running with the privilege to use the user namespace.

block_use_uts_namespace bool

If true, prevent containers from running with the privilege to use the UTS namespace.

blocked_capabilities Sequence[str]

List of Unix capabilities that containers are prevented from using.

blocked_executables Sequence[str]

List of executables that are prevented from running in containers.

blocked_files Sequence[str]

List of files that are prevented from being read, modified and executed in the containers.

blocked_inbound_ports Sequence[str]

List of blocked inbound ports.

blocked_outbound_ports Sequence[str]

List of blocked outbound ports.

blocked_packages Sequence[str]

Prevent containers from reading, writing, or executing all files in the list of packages.

blocked_volumes Sequence[str]

List of volumes that are prevented from being mounted in the containers.

container_exec_allowed_processes Sequence[str]

List of processes that will be allowed.

description str

The description of the container runtime policy

enable_drift_prevention bool

If true, executables that are not in the original image are prevented from running.

enable_fork_guard bool

If true, fork bombs are prevented in the containers.

enable_ip_reputation_security bool

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enable_port_scan_detection bool

If true, detects port scanning behavior in the container.

enabled bool

Indicates if the runtime policy is enabled or not.

enforce bool

Indicates that the policy should affect container execution (not just audit it).

enforce_after_days int

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptional_readonly_files_and_directories Sequence[str]

List of files and directories to be excluded from the read-only list.

file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

Configuration for file integrity monitoring.

fork_guard_process_limit int

Process limit for the fork guard.

limit_new_privileges bool

If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs

Configuration for Real-Time Malware Protection.

monitor_system_time_changes bool

If true, system time changes will be monitored.

name str

Name of the container runtime policy

readonly_files_and_directories Sequence[str]

List of files and directories to be restricted as read-only

reverse_shell_allowed_ips Sequence[str]

List of IPs/ CIDRs that will be allowed

reverse_shell_allowed_processes Sequence[str]

List of processes that will be allowed

scope_expression str

Logical expression of how to compute the dependency of the scope variables.

scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]

List of scope attributes.

allowedExecutables List<String>

List of executables that are allowed for the user.

allowedRegistries List<String>

List of registries that are allowed for running containers.

applicationScopes List<String>

Indicates the application scope of the service.

auditAllNetworkActivity Boolean

If true, all network activity will be audited.

auditAllProcessesActivity Boolean

If true, all process activity will be audited.

auditFullCommandArguments Boolean

If true, full command arguments will be audited.

author String

Username of the account that created the service.

blockAccessHostNetwork Boolean

If true, prevent containers from running with access to host network.

blockAddingCapabilities Boolean

If true, prevents containers from running with additional capabilities added via the --cap-add privilege.

blockContainerExec Boolean

If true, exec into a container is prevented.

blockCryptocurrencyMining Boolean

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

blockFilelessExec Boolean

Detect and prevent running in-memory execution

blockLowPortBinding Boolean

If true, prevents containers from running with the capability to bind to a port lower than 1024.

blockNonCompliantImages Boolean

If true, running non-compliant image in the container is prevented.

blockNonCompliantWorkloads Boolean

If true, running containers in non-compliant pods is prevented.

blockNonK8sContainers Boolean

If true, running non-kubernetes containers is prevented.

blockPrivilegedContainers Boolean

If true, prevent containers from running with privileged container capability.

blockReverseShell Boolean

If true, reverse shell is prevented.

blockRootUser Boolean

If true, prevent containers from running with root user.

blockUnregisteredImages Boolean

If true, running images in the container that are not registered in Aqua is prevented.

blockUseIpcNamespace Boolean

If true, prevent containers from running with the privilege to use the IPC namespace.

blockUsePidNamespace Boolean

If true, prevent containers from running with the privilege to use the PID namespace.

blockUseUserNamespace Boolean

If true, prevent containers from running with the privilege to use the user namespace.

blockUseUtsNamespace Boolean

If true, prevent containers from running with the privilege to use the UTS namespace.

blockedCapabilities List<String>

List of Linux capabilities that containers are prevented from using.

blockedExecutables List<String>

List of executables that are prevented from running in containers.

blockedFiles List<String>

List of files that are prevented from being read, modified, or executed in containers.

blockedInboundPorts List<String>

List of blocked inbound ports.

blockedOutboundPorts List<String>

List of blocked outbound ports.

blockedPackages List<String>

Prevent containers from reading, writing, or executing all files in the list of packages.

blockedVolumes List<String>

List of volumes that are prevented from being mounted in the containers.

containerExecAllowedProcesses List<String>

List of processes that remain allowed to exec into containers when blockContainerExec is true.

description String

The description of the container runtime policy

enableDriftPrevention Boolean

If true, executables that are not part of the original image are prevented from running (drift prevention).

enableForkGuard Boolean

If true, fork bombs are prevented in the containers.

enableIpReputationSecurity Boolean

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enablePortScanDetection Boolean

If true, detects port scanning behavior in the container.

enabled Boolean

Indicates if the runtime policy is enabled or not.

enforce Boolean

If true, the policy is enforced and violations are blocked; if false, the policy runs in audit mode and only records violations.

enforceAfterDays Number

Number of days after which the runtime policy is switched from audit mode to enforce mode.

exceptionalReadonlyFilesAndDirectories List<String>

List of files and directories to be excluded from the read-only list.

fileIntegrityMonitoring Property Map

Configuration for file integrity monitoring.

forkGuardProcessLimit Number

Process limit for the fork guard.

limitNewPrivileges Boolean

If true, prevents processes in the container from gaining new privileges at runtime. Only effective in enforce mode.

malwareScanOptions Property Map

Configuration for Real-Time Malware Protection.

monitorSystemTimeChanges Boolean

If true, system time changes will be monitored.

name String

Name of the container runtime policy

readonlyFilesAndDirectories List<String>

List of files and directories to be restricted as read-only.

reverseShellAllowedIps List<String>

List of IPs/CIDRs exempted from reverse shell prevention.

reverseShellAllowedProcesses List<String>

List of processes exempted from reverse shell prevention.

scopeExpression String

Logical expression that combines the scope variables to determine which workloads the policy applies to.

scopeVariables List<Property Map>

List of scope attributes.

Supporting Types

ContainerRuntimePolicyFileIntegrityMonitoring

ExcludedPaths List<string>

List of paths to be excluded from being monitored.

ExcludedProcesses List<string>

List of processes to be excluded from being monitored.

ExcludedUsers List<string>

List of users to be excluded from being monitored.

MonitorAttributes bool

If true, attribute-change operations will be monitored.

MonitorCreate bool

If true, create operations will be monitored.

MonitorDelete bool

If true, deletion operations will be monitored.

MonitorModify bool

If true, modification operations will be monitored.

MonitorRead bool

If true, read operations will be monitored.

MonitoredPaths List<string>

List of paths to be monitored.

MonitoredProcesses List<string>

List of processes to be monitored.

MonitoredUsers List<string>

List of users to be monitored.

ExcludedPaths []string

List of paths to be excluded from being monitored.

ExcludedProcesses []string

List of processes to be excluded from being monitored.

ExcludedUsers []string

List of users to be excluded from being monitored.

MonitorAttributes bool

If true, attribute-change operations will be monitored.

MonitorCreate bool

If true, create operations will be monitored.

MonitorDelete bool

If true, deletion operations will be monitored.

MonitorModify bool

If true, modification operations will be monitored.

MonitorRead bool

If true, read operations will be monitored.

MonitoredPaths []string

List of paths to be monitored.

MonitoredProcesses []string

List of processes to be monitored.

MonitoredUsers []string

List of users to be monitored.

excludedPaths List<String>

List of paths to be excluded from being monitored.

excludedProcesses List<String>

List of processes to be excluded from being monitored.

excludedUsers List<String>

List of users to be excluded from being monitored.

monitorAttributes Boolean

If true, attribute-change operations will be monitored.

monitorCreate Boolean

If true, create operations will be monitored.

monitorDelete Boolean

If true, deletion operations will be monitored.

monitorModify Boolean

If true, modification operations will be monitored.

monitorRead Boolean

If true, read operations will be monitored.

monitoredPaths List<String>

List of paths to be monitored.

monitoredProcesses List<String>

List of processes to be monitored.

monitoredUsers List<String>

List of users to be monitored.

excludedPaths string[]

List of paths to be excluded from being monitored.

excludedProcesses string[]

List of processes to be excluded from being monitored.

excludedUsers string[]

List of users to be excluded from being monitored.

monitorAttributes boolean

If true, attribute-change operations will be monitored.

monitorCreate boolean

If true, create operations will be monitored.

monitorDelete boolean

If true, deletion operations will be monitored.

monitorModify boolean

If true, modification operations will be monitored.

monitorRead boolean

If true, read operations will be monitored.

monitoredPaths string[]

List of paths to be monitored.

monitoredProcesses string[]

List of processes to be monitored.

monitoredUsers string[]

List of users to be monitored.

excluded_paths Sequence[str]

List of paths to be excluded from being monitored.

excluded_processes Sequence[str]

List of processes to be excluded from being monitored.

excluded_users Sequence[str]

List of users to be excluded from being monitored.

monitor_attributes bool

If true, attribute-change operations will be monitored.

monitor_create bool

If true, create operations will be monitored.

monitor_delete bool

If true, deletion operations will be monitored.

monitor_modify bool

If true, modification operations will be monitored.

monitor_read bool

If true, read operations will be monitored.

monitored_paths Sequence[str]

List of paths to be monitored.

monitored_processes Sequence[str]

List of processes to be monitored.

monitored_users Sequence[str]

List of users to be monitored.

excludedPaths List<String>

List of paths to be excluded from being monitored.

excludedProcesses List<String>

List of processes to be excluded from being monitored.

excludedUsers List<String>

List of users to be excluded from being monitored.

monitorAttributes Boolean

If true, attribute-change operations will be monitored.

monitorCreate Boolean

If true, create operations will be monitored.

monitorDelete Boolean

If true, deletion operations will be monitored.

monitorModify Boolean

If true, modification operations will be monitored.

monitorRead Boolean

If true, read operations will be monitored.

monitoredPaths List<String>

List of paths to be monitored.

monitoredProcesses List<String>

List of processes to be monitored.

monitoredUsers List<String>

List of users to be monitored.

ContainerRuntimePolicyMalwareScanOptions

Action string

Action taken when malware is detected. Defaults to 'Alert' when empty, which only raises an alert and does not block.

Enabled bool

If true, real-time malware protection is enabled.

ExcludeDirectories List<string>

List of directory paths to be excluded from malware protection.

ExcludeProcesses List<string>

List of processes to be excluded from malware protection.

Action string

Action taken when malware is detected. Defaults to 'Alert' when empty, which only raises an alert and does not block.

Enabled bool

If true, real-time malware protection is enabled.

ExcludeDirectories []string

List of directory paths to be excluded from malware protection.

ExcludeProcesses []string

List of processes to be excluded from malware protection.

action String

Action taken when malware is detected. Defaults to 'Alert' when empty, which only raises an alert and does not block.

enabled Boolean

If true, real-time malware protection is enabled.

excludeDirectories List<String>

List of directory paths to be excluded from malware protection.

excludeProcesses List<String>

List of processes to be excluded from malware protection.

action string

Action taken when malware is detected. Defaults to 'Alert' when empty, which only raises an alert and does not block.

enabled boolean

If true, real-time malware protection is enabled.

excludeDirectories string[]

List of directory paths to be excluded from malware protection.

excludeProcesses string[]

List of processes to be excluded from malware protection.

action str

Action taken when malware is detected. Defaults to 'Alert' when empty, which only raises an alert and does not block.

enabled bool

If true, real-time malware protection is enabled.

exclude_directories Sequence[str]

List of directory paths to be excluded from malware protection.

exclude_processes Sequence[str]

List of processes to be excluded from malware protection.

action String

Action taken when malware is detected. Defaults to 'Alert' when empty, which only raises an alert and does not block.

enabled Boolean

If true, real-time malware protection is enabled.

excludeDirectories List<String>

List of directory paths to be excluded from malware protection.

excludeProcesses List<String>

List of processes to be excluded from malware protection.

ContainerRuntimePolicyScopeVariable

Attribute string

Class of supported scope.

Value string

Value assigned to the attribute.

Name string

Name assigned to the attribute.

Attribute string

Class of supported scope.

Value string

Value assigned to the attribute.

Name string

Name assigned to the attribute.

attribute String

Class of supported scope.

value String

Value assigned to the attribute.

name String

Name assigned to the attribute.

attribute string

Class of supported scope.

value string

Value assigned to the attribute.

name string

Name assigned to the attribute.

attribute str

Class of supported scope.

value str

Value assigned to the attribute.

name str

Name assigned to the attribute.

attribute String

Class of supported scope.

value String

Value assigned to the attribute.

name String

Name assigned to the attribute.

Package Details

Repository
https://github.com/pulumiverse/pulumi-aquasec
License
Apache-2.0
Notes

This Pulumi package is based on the aquasec Terraform Provider.