Aquasec v0.8.25, Apr 25 23

Aquasec v0.8.25 published on Tuesday, Apr 25, 2023 by Pulumiverse

aquasec.ContainerRuntimePolicy

Explore with Pulumi AI

Aquasec v0.8.25 published on Tuesday, Apr 25, 2023 by Pulumiverse

Example Usage

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aquasec = Pulumiverse.Aquasec;

return await Deployment.RunAsync(() => 
{
    var containerRuntimePolicy = new Aquasec.ContainerRuntimePolicy("containerRuntimePolicy", new()
    {
        AllowedExecutables = new[]
        {
            "exe",
            "bin",
        },
        AllowedRegistries = new[]
        {
            "registry1",
            "registry2",
        },
        ApplicationScopes = new[]
        {
            "Global",
        },
        AuditAllNetworkActivity = true,
        AuditAllProcessesActivity = true,
        AuditFullCommandArguments = true,
        BlockAccessHostNetwork = true,
        BlockAddingCapabilities = true,
        BlockContainerExec = true,
        BlockCryptocurrencyMining = true,
        BlockFilelessExec = true,
        BlockLowPortBinding = true,
        BlockNonCompliantImages = true,
        BlockNonCompliantWorkloads = true,
        BlockNonK8sContainers = true,
        BlockPrivilegedContainers = true,
        BlockReverseShell = true,
        BlockRootUser = true,
        BlockUnregisteredImages = true,
        BlockUseIpcNamespace = true,
        BlockUsePidNamespace = true,
        BlockUseUserNamespace = true,
        BlockUseUtsNamespace = true,
        BlockedCapabilities = new[]
        {
            "AUDIT_CONTROL",
            "AUDIT_WRITE",
        },
        BlockedExecutables = new[]
        {
            "exe1",
            "exe2",
        },
        BlockedFiles = new[]
        {
            "test1",
            "test2",
        },
        BlockedInboundPorts = new[]
        {
            "80",
            "8080",
        },
        BlockedOutboundPorts = new[]
        {
            "90",
            "9090",
        },
        BlockedPackages = new[]
        {
            "pkg",
            "pkg2",
        },
        BlockedVolumes = new[]
        {
            "blocked",
            "vol",
        },
        ContainerExecAllowedProcesses = new[]
        {
            "proc1",
            "proc2",
        },
        Description = "container_runtime_policy",
        EnableDriftPrevention = true,
        EnableForkGuard = true,
        EnableIpReputationSecurity = true,
        EnablePortScanDetection = true,
        Enabled = true,
        Enforce = false,
        ExceptionalReadonlyFilesAndDirectories = new[]
        {
            "readonly2",
            "/dir2/",
        },
        FileIntegrityMonitoring = new Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs
        {
            ExcludedPaths = new[]
            {
                "expaths",
            },
            ExcludedProcesses = new[]
            {
                "exprocess",
            },
            ExcludedUsers = new[]
            {
                "expuser",
            },
            MonitorAttributes = true,
            MonitorCreate = true,
            MonitorDelete = true,
            MonitorModify = true,
            MonitorRead = true,
            MonitoredPaths = new[]
            {
                "paths",
            },
            MonitoredProcesses = new[]
            {
                "process",
            },
            MonitoredUsers = new[]
            {
                "user",
            },
        },
        ForkGuardProcessLimit = 13,
        LimitNewPrivileges = true,
        MalwareScanOptions = new Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptionsArgs
        {
            Action = "alert",
            Enabled = true,
        },
        MonitorSystemTimeChanges = true,
        ReadonlyFilesAndDirectories = new[]
        {
            "readonly",
            "/dir/",
        },
        ReverseShellAllowedIps = new[]
        {
            "ip1",
            "ip2",
        },
        ReverseShellAllowedProcesses = new[]
        {
            "proc1",
            "proc2",
        },
        ScopeExpression = "v1 || v2",
        ScopeVariables = new[]
        {
            new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
            {
                Attribute = "kubernetes.cluster",
                Value = "default",
            },
            new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
            {
                Attribute = "kubernetes.label",
                Name = "app",
                Value = "aqua",
            },
        },
    });

});

package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := aquasec.NewContainerRuntimePolicy(ctx, "containerRuntimePolicy", &aquasec.ContainerRuntimePolicyArgs{
			AllowedExecutables: pulumi.StringArray{
				pulumi.String("exe"),
				pulumi.String("bin"),
			},
			AllowedRegistries: pulumi.StringArray{
				pulumi.String("registry1"),
				pulumi.String("registry2"),
			},
			ApplicationScopes: pulumi.StringArray{
				pulumi.String("Global"),
			},
			AuditAllNetworkActivity:    pulumi.Bool(true),
			AuditAllProcessesActivity:  pulumi.Bool(true),
			AuditFullCommandArguments:  pulumi.Bool(true),
			BlockAccessHostNetwork:     pulumi.Bool(true),
			BlockAddingCapabilities:    pulumi.Bool(true),
			BlockContainerExec:         pulumi.Bool(true),
			BlockCryptocurrencyMining:  pulumi.Bool(true),
			BlockFilelessExec:          pulumi.Bool(true),
			BlockLowPortBinding:        pulumi.Bool(true),
			BlockNonCompliantImages:    pulumi.Bool(true),
			BlockNonCompliantWorkloads: pulumi.Bool(true),
			BlockNonK8sContainers:      pulumi.Bool(true),
			BlockPrivilegedContainers:  pulumi.Bool(true),
			BlockReverseShell:          pulumi.Bool(true),
			BlockRootUser:              pulumi.Bool(true),
			BlockUnregisteredImages:    pulumi.Bool(true),
			BlockUseIpcNamespace:       pulumi.Bool(true),
			BlockUsePidNamespace:       pulumi.Bool(true),
			BlockUseUserNamespace:      pulumi.Bool(true),
			BlockUseUtsNamespace:       pulumi.Bool(true),
			BlockedCapabilities: pulumi.StringArray{
				pulumi.String("AUDIT_CONTROL"),
				pulumi.String("AUDIT_WRITE"),
			},
			BlockedExecutables: pulumi.StringArray{
				pulumi.String("exe1"),
				pulumi.String("exe2"),
			},
			BlockedFiles: pulumi.StringArray{
				pulumi.String("test1"),
				pulumi.String("test2"),
			},
			BlockedInboundPorts: pulumi.StringArray{
				pulumi.String("80"),
				pulumi.String("8080"),
			},
			BlockedOutboundPorts: pulumi.StringArray{
				pulumi.String("90"),
				pulumi.String("9090"),
			},
			BlockedPackages: pulumi.StringArray{
				pulumi.String("pkg"),
				pulumi.String("pkg2"),
			},
			BlockedVolumes: pulumi.StringArray{
				pulumi.String("blocked"),
				pulumi.String("vol"),
			},
			ContainerExecAllowedProcesses: pulumi.StringArray{
				pulumi.String("proc1"),
				pulumi.String("proc2"),
			},
			Description:                pulumi.String("container_runtime_policy"),
			EnableDriftPrevention:      pulumi.Bool(true),
			EnableForkGuard:            pulumi.Bool(true),
			EnableIpReputationSecurity: pulumi.Bool(true),
			EnablePortScanDetection:    pulumi.Bool(true),
			Enabled:                    pulumi.Bool(true),
			Enforce:                    pulumi.Bool(false),
			ExceptionalReadonlyFilesAndDirectories: pulumi.StringArray{
				pulumi.String("readonly2"),
				pulumi.String("/dir2/"),
			},
			FileIntegrityMonitoring: &aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs{
				ExcludedPaths: pulumi.StringArray{
					pulumi.String("expaths"),
				},
				ExcludedProcesses: pulumi.StringArray{
					pulumi.String("exprocess"),
				},
				ExcludedUsers: pulumi.StringArray{
					pulumi.String("expuser"),
				},
				MonitorAttributes: pulumi.Bool(true),
				MonitorCreate:     pulumi.Bool(true),
				MonitorDelete:     pulumi.Bool(true),
				MonitorModify:     pulumi.Bool(true),
				MonitorRead:       pulumi.Bool(true),
				MonitoredPaths: pulumi.StringArray{
					pulumi.String("paths"),
				},
				MonitoredProcesses: pulumi.StringArray{
					pulumi.String("process"),
				},
				MonitoredUsers: pulumi.StringArray{
					pulumi.String("user"),
				},
			},
			ForkGuardProcessLimit: pulumi.Int(13),
			LimitNewPrivileges:    pulumi.Bool(true),
			MalwareScanOptions: &aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs{
				Action:  pulumi.String("alert"),
				Enabled: pulumi.Bool(true),
			},
			MonitorSystemTimeChanges: pulumi.Bool(true),
			ReadonlyFilesAndDirectories: pulumi.StringArray{
				pulumi.String("readonly"),
				pulumi.String("/dir/"),
			},
			ReverseShellAllowedIps: pulumi.StringArray{
				pulumi.String("ip1"),
				pulumi.String("ip2"),
			},
			ReverseShellAllowedProcesses: pulumi.StringArray{
				pulumi.String("proc1"),
				pulumi.String("proc2"),
			},
			ScopeExpression: pulumi.String("v1 || v2"),
			ScopeVariables: aquasec.ContainerRuntimePolicyScopeVariableArray{
				&aquasec.ContainerRuntimePolicyScopeVariableArgs{
					Attribute: pulumi.String("kubernetes.cluster"),
					Value:     pulumi.String("default"),
				},
				&aquasec.ContainerRuntimePolicyScopeVariableArgs{
					Attribute: pulumi.String("kubernetes.label"),
					Name:      pulumi.String("app"),
					Value:     pulumi.String("aqua"),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.ContainerRuntimePolicy;
import com.pulumi.aquasec.ContainerRuntimePolicyArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyMalwareScanOptionsArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyScopeVariableArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var containerRuntimePolicy = new ContainerRuntimePolicy("containerRuntimePolicy", ContainerRuntimePolicyArgs.builder()        
            .allowedExecutables(            
                "exe",
                "bin")
            .allowedRegistries(            
                "registry1",
                "registry2")
            .applicationScopes("Global")
            .auditAllNetworkActivity(true)
            .auditAllProcessesActivity(true)
            .auditFullCommandArguments(true)
            .blockAccessHostNetwork(true)
            .blockAddingCapabilities(true)
            .blockContainerExec(true)
            .blockCryptocurrencyMining(true)
            .blockFilelessExec(true)
            .blockLowPortBinding(true)
            .blockNonCompliantImages(true)
            .blockNonCompliantWorkloads(true)
            .blockNonK8sContainers(true)
            .blockPrivilegedContainers(true)
            .blockReverseShell(true)
            .blockRootUser(true)
            .blockUnregisteredImages(true)
            .blockUseIpcNamespace(true)
            .blockUsePidNamespace(true)
            .blockUseUserNamespace(true)
            .blockUseUtsNamespace(true)
            .blockedCapabilities(            
                "AUDIT_CONTROL",
                "AUDIT_WRITE")
            .blockedExecutables(            
                "exe1",
                "exe2")
            .blockedFiles(            
                "test1",
                "test2")
            .blockedInboundPorts(            
                "80",
                "8080")
            .blockedOutboundPorts(            
                "90",
                "9090")
            .blockedPackages(            
                "pkg",
                "pkg2")
            .blockedVolumes(            
                "blocked",
                "vol")
            .containerExecAllowedProcesses(            
                "proc1",
                "proc2")
            .description("container_runtime_policy")
            .enableDriftPrevention(true)
            .enableForkGuard(true)
            .enableIpReputationSecurity(true)
            .enablePortScanDetection(true)
            .enabled(true)
            .enforce(false)
            .exceptionalReadonlyFilesAndDirectories(            
                "readonly2",
                "/dir2/")
            .fileIntegrityMonitoring(ContainerRuntimePolicyFileIntegrityMonitoringArgs.builder()
                .excludedPaths("expaths")
                .excludedProcesses("exprocess")
                .excludedUsers("expuser")
                .monitorAttributes(true)
                .monitorCreate(true)
                .monitorDelete(true)
                .monitorModify(true)
                .monitorRead(true)
                .monitoredPaths("paths")
                .monitoredProcesses("process")
                .monitoredUsers("user")
                .build())
            .forkGuardProcessLimit(13)
            .limitNewPrivileges(true)
            .malwareScanOptions(ContainerRuntimePolicyMalwareScanOptionsArgs.builder()
                .action("alert")
                .enabled(true)
                .build())
            .monitorSystemTimeChanges("true")
            .readonlyFilesAndDirectories(            
                "readonly",
                "/dir/")
            .reverseShellAllowedIps(            
                "ip1",
                "ip2")
            .reverseShellAllowedProcesses(            
                "proc1",
                "proc2")
            .scopeExpression("v1 || v2")
            .scopeVariables(            
                ContainerRuntimePolicyScopeVariableArgs.builder()
                    .attribute("kubernetes.cluster")
                    .value("default")
                    .build(),
                ContainerRuntimePolicyScopeVariableArgs.builder()
                    .attribute("kubernetes.label")
                    .name("app")
                    .value("aqua")
                    .build())
            .build());

    }
}

import pulumi
import pulumiverse_aquasec as aquasec

container_runtime_policy = aquasec.ContainerRuntimePolicy("containerRuntimePolicy",
    allowed_executables=[
        "exe",
        "bin",
    ],
    allowed_registries=[
        "registry1",
        "registry2",
    ],
    application_scopes=["Global"],
    audit_all_network_activity=True,
    audit_all_processes_activity=True,
    audit_full_command_arguments=True,
    block_access_host_network=True,
    block_adding_capabilities=True,
    block_container_exec=True,
    block_cryptocurrency_mining=True,
    block_fileless_exec=True,
    block_low_port_binding=True,
    block_non_compliant_images=True,
    block_non_compliant_workloads=True,
    block_non_k8s_containers=True,
    block_privileged_containers=True,
    block_reverse_shell=True,
    block_root_user=True,
    block_unregistered_images=True,
    block_use_ipc_namespace=True,
    block_use_pid_namespace=True,
    block_use_user_namespace=True,
    block_use_uts_namespace=True,
    blocked_capabilities=[
        "AUDIT_CONTROL",
        "AUDIT_WRITE",
    ],
    blocked_executables=[
        "exe1",
        "exe2",
    ],
    blocked_files=[
        "test1",
        "test2",
    ],
    blocked_inbound_ports=[
        "80",
        "8080",
    ],
    blocked_outbound_ports=[
        "90",
        "9090",
    ],
    blocked_packages=[
        "pkg",
        "pkg2",
    ],
    blocked_volumes=[
        "blocked",
        "vol",
    ],
    container_exec_allowed_processes=[
        "proc1",
        "proc2",
    ],
    description="container_runtime_policy",
    enable_drift_prevention=True,
    enable_fork_guard=True,
    enable_ip_reputation_security=True,
    enable_port_scan_detection=True,
    enabled=True,
    enforce=False,
    exceptional_readonly_files_and_directories=[
        "readonly2",
        "/dir2/",
    ],
    file_integrity_monitoring=aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs(
        excluded_paths=["expaths"],
        excluded_processes=["exprocess"],
        excluded_users=["expuser"],
        monitor_attributes=True,
        monitor_create=True,
        monitor_delete=True,
        monitor_modify=True,
        monitor_read=True,
        monitored_paths=["paths"],
        monitored_processes=["process"],
        monitored_users=["user"],
    ),
    fork_guard_process_limit=13,
    limit_new_privileges=True,
    malware_scan_options=aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs(
        action="alert",
        enabled=True,
    ),
    monitor_system_time_changes=True,
    readonly_files_and_directories=[
        "readonly",
        "/dir/",
    ],
    reverse_shell_allowed_ips=[
        "ip1",
        "ip2",
    ],
    reverse_shell_allowed_processes=[
        "proc1",
        "proc2",
    ],
    scope_expression="v1 || v2",
    scope_variables=[
        aquasec.ContainerRuntimePolicyScopeVariableArgs(
            attribute="kubernetes.cluster",
            value="default",
        ),
        aquasec.ContainerRuntimePolicyScopeVariableArgs(
            attribute="kubernetes.label",
            name="app",
            value="aqua",
        ),
    ])

import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumiverse/aquasec";

const containerRuntimePolicy = new aquasec.ContainerRuntimePolicy("containerRuntimePolicy", {
    allowedExecutables: [
        "exe",
        "bin",
    ],
    allowedRegistries: [
        "registry1",
        "registry2",
    ],
    applicationScopes: ["Global"],
    auditAllNetworkActivity: true,
    auditAllProcessesActivity: true,
    auditFullCommandArguments: true,
    blockAccessHostNetwork: true,
    blockAddingCapabilities: true,
    blockContainerExec: true,
    blockCryptocurrencyMining: true,
    blockFilelessExec: true,
    blockLowPortBinding: true,
    blockNonCompliantImages: true,
    blockNonCompliantWorkloads: true,
    blockNonK8sContainers: true,
    blockPrivilegedContainers: true,
    blockReverseShell: true,
    blockRootUser: true,
    blockUnregisteredImages: true,
    blockUseIpcNamespace: true,
    blockUsePidNamespace: true,
    blockUseUserNamespace: true,
    blockUseUtsNamespace: true,
    blockedCapabilities: [
        "AUDIT_CONTROL",
        "AUDIT_WRITE",
    ],
    blockedExecutables: [
        "exe1",
        "exe2",
    ],
    blockedFiles: [
        "test1",
        "test2",
    ],
    blockedInboundPorts: [
        "80",
        "8080",
    ],
    blockedOutboundPorts: [
        "90",
        "9090",
    ],
    blockedPackages: [
        "pkg",
        "pkg2",
    ],
    blockedVolumes: [
        "blocked",
        "vol",
    ],
    containerExecAllowedProcesses: [
        "proc1",
        "proc2",
    ],
    description: "container_runtime_policy",
    enableDriftPrevention: true,
    enableForkGuard: true,
    enableIpReputationSecurity: true,
    enablePortScanDetection: true,
    enabled: true,
    enforce: false,
    exceptionalReadonlyFilesAndDirectories: [
        "readonly2",
        "/dir2/",
    ],
    fileIntegrityMonitoring: {
        excludedPaths: ["expaths"],
        excludedProcesses: ["exprocess"],
        excludedUsers: ["expuser"],
        monitorAttributes: true,
        monitorCreate: true,
        monitorDelete: true,
        monitorModify: true,
        monitorRead: true,
        monitoredPaths: ["paths"],
        monitoredProcesses: ["process"],
        monitoredUsers: ["user"],
    },
    forkGuardProcessLimit: 13,
    limitNewPrivileges: true,
    malwareScanOptions: {
        action: "alert",
        enabled: true,
    },
    monitorSystemTimeChanges: true,
    readonlyFilesAndDirectories: [
        "readonly",
        "/dir/",
    ],
    reverseShellAllowedIps: [
        "ip1",
        "ip2",
    ],
    reverseShellAllowedProcesses: [
        "proc1",
        "proc2",
    ],
    scopeExpression: "v1 || v2",
    scopeVariables: [
        {
            attribute: "kubernetes.cluster",
            value: "default",
        },
        {
            attribute: "kubernetes.label",
            name: "app",
            value: "aqua",
        },
    ],
});

resources:
  containerRuntimePolicy:
    type: aquasec:ContainerRuntimePolicy
    properties:
      allowedExecutables:
        - exe
        - bin
      allowedRegistries:
        - registry1
        - registry2
      applicationScopes:
        - Global
      auditAllNetworkActivity: true
      auditAllProcessesActivity: true
      auditFullCommandArguments: true
      blockAccessHostNetwork: true
      blockAddingCapabilities: true
      blockContainerExec: true
      blockCryptocurrencyMining: true
      blockFilelessExec: true
      blockLowPortBinding: true
      blockNonCompliantImages: true
      blockNonCompliantWorkloads: true
      blockNonK8sContainers: true
      blockPrivilegedContainers: true
      blockReverseShell: true
      blockRootUser: true
      blockUnregisteredImages: true
      blockUseIpcNamespace: true
      blockUsePidNamespace: true
      blockUseUserNamespace: true
      blockUseUtsNamespace: true
      blockedCapabilities:
        - AUDIT_CONTROL
        - AUDIT_WRITE
      blockedExecutables:
        - exe1
        - exe2
      blockedFiles:
        - test1
        - test2
      blockedInboundPorts:
        - '80'
        - '8080'
      blockedOutboundPorts:
        - '90'
        - '9090'
      blockedPackages:
        - pkg
        - pkg2
      blockedVolumes:
        - blocked
        - vol
      containerExecAllowedProcesses:
        - proc1
        - proc2
      description: container_runtime_policy
      enableDriftPrevention: true
      enableForkGuard: true
      enableIpReputationSecurity: true
      enablePortScanDetection: true
      enabled: true
      enforce: false
      exceptionalReadonlyFilesAndDirectories:
        - readonly2
        - /dir2/
      fileIntegrityMonitoring:
        excludedPaths:
          - expaths
        excludedProcesses:
          - exprocess
        excludedUsers:
          - expuser
        monitorAttributes: true
        monitorCreate: true
        monitorDelete: true
        monitorModify: true
        monitorRead: true
        monitoredPaths:
          - paths
        monitoredProcesses:
          - process
        monitoredUsers:
          - user
      forkGuardProcessLimit: 13
      limitNewPrivileges: true
      malwareScanOptions:
        action: alert
        enabled: true
      monitorSystemTimeChanges: 'true'
      readonlyFilesAndDirectories:
        - readonly
        - /dir/
      reverseShellAllowedIps:
        - ip1
        - ip2
      reverseShellAllowedProcesses:
        - proc1
        - proc2
      scopeExpression: v1 || v2
      scopeVariables:
        - attribute: kubernetes.cluster
          value: default
        - attribute: kubernetes.label
          name: app
          value: aqua

Create ContainerRuntimePolicy Resource

new ContainerRuntimePolicy(name: string, args?: ContainerRuntimePolicyArgs, opts?: CustomResourceOptions);

@overload
def ContainerRuntimePolicy(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           allowed_executables: Optional[Sequence[str]] = None,
                           allowed_registries: Optional[Sequence[str]] = None,
                           application_scopes: Optional[Sequence[str]] = None,
                           audit_all_network_activity: Optional[bool] = None,
                           audit_all_processes_activity: Optional[bool] = None,
                           audit_full_command_arguments: Optional[bool] = None,
                           block_access_host_network: Optional[bool] = None,
                           block_adding_capabilities: Optional[bool] = None,
                           block_container_exec: Optional[bool] = None,
                           block_cryptocurrency_mining: Optional[bool] = None,
                           block_fileless_exec: Optional[bool] = None,
                           block_low_port_binding: Optional[bool] = None,
                           block_non_compliant_images: Optional[bool] = None,
                           block_non_compliant_workloads: Optional[bool] = None,
                           block_non_k8s_containers: Optional[bool] = None,
                           block_privileged_containers: Optional[bool] = None,
                           block_reverse_shell: Optional[bool] = None,
                           block_root_user: Optional[bool] = None,
                           block_unregistered_images: Optional[bool] = None,
                           block_use_ipc_namespace: Optional[bool] = None,
                           block_use_pid_namespace: Optional[bool] = None,
                           block_use_user_namespace: Optional[bool] = None,
                           block_use_uts_namespace: Optional[bool] = None,
                           blocked_capabilities: Optional[Sequence[str]] = None,
                           blocked_executables: Optional[Sequence[str]] = None,
                           blocked_files: Optional[Sequence[str]] = None,
                           blocked_inbound_ports: Optional[Sequence[str]] = None,
                           blocked_outbound_ports: Optional[Sequence[str]] = None,
                           blocked_packages: Optional[Sequence[str]] = None,
                           blocked_volumes: Optional[Sequence[str]] = None,
                           container_exec_allowed_processes: Optional[Sequence[str]] = None,
                           description: Optional[str] = None,
                           enable_drift_prevention: Optional[bool] = None,
                           enable_fork_guard: Optional[bool] = None,
                           enable_ip_reputation_security: Optional[bool] = None,
                           enable_port_scan_detection: Optional[bool] = None,
                           enabled: Optional[bool] = None,
                           enforce: Optional[bool] = None,
                           enforce_after_days: Optional[int] = None,
                           exceptional_readonly_files_and_directories: Optional[Sequence[str]] = None,
                           exec_lockdown_white_lists: Optional[Sequence[str]] = None,
                           file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
                           fork_guard_process_limit: Optional[int] = None,
                           limit_new_privileges: Optional[bool] = None,
                           malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
                           monitor_system_time_changes: Optional[bool] = None,
                           name: Optional[str] = None,
                           readonly_files_and_directories: Optional[Sequence[str]] = None,
                           reverse_shell_allowed_ips: Optional[Sequence[str]] = None,
                           reverse_shell_allowed_processes: Optional[Sequence[str]] = None,
                           scope_expression: Optional[str] = None,
                           scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None)
@overload
def ContainerRuntimePolicy(resource_name: str,
                           args: Optional[ContainerRuntimePolicyArgs] = None,
                           opts: Optional[ResourceOptions] = None)

func NewContainerRuntimePolicy(ctx *Context, name string, args *ContainerRuntimePolicyArgs, opts ...ResourceOption) (*ContainerRuntimePolicy, error)

public ContainerRuntimePolicy(string name, ContainerRuntimePolicyArgs? args = null, CustomResourceOptions? opts = null)

public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args)
public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args, CustomResourceOptions options)

type: aquasec:ContainerRuntimePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ContainerRuntimePolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args ContainerRuntimePolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args ContainerRuntimePolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args ContainerRuntimePolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args ContainerRuntimePolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

ContainerRuntimePolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The ContainerRuntimePolicy resource accepts the following input properties:

AllowedExecutables List<string>: List of executables that are allowed for the user.
AllowedRegistries List<string>: List of registries that allowed for running containers.
ApplicationScopes List<string>: Indicates the application scope of the service.
AuditAllNetworkActivity bool: If true, all network activity will be audited.
AuditAllProcessesActivity bool: If true, all process activity will be audited.
AuditFullCommandArguments bool: If true, full command arguments will be audited.
BlockAccessHostNetwork bool: If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
BlockContainerExec bool: If true, exec into a container is prevented.
BlockCryptocurrencyMining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
BlockFilelessExec bool: Detect and prevent running in-memory execution
BlockLowPortBinding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
BlockNonCompliantImages bool: If true, running non-compliant image in the container is prevented.
BlockNonCompliantWorkloads bool: If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool: If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool: If true, prevent containers from running with privileged container capability.
BlockReverseShell bool: If true, reverse shell is prevented.
BlockRootUser bool: If true, prevent containers from running with root user.
BlockUnregisteredImages bool: If true, running images in the container that are not registered in Aqua is prevented.
BlockUseIpcNamespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool: If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities List<string>: If true, prevents containers from using specific Unix capabilities.
BlockedExecutables List<string>: List of executables that are prevented from running in containers.
BlockedFiles List<string>: List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts List<string>: List of blocked inbound ports.
BlockedOutboundPorts List<string>: List of blocked outbound ports.
BlockedPackages List<string>: Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes List<string>: List of volumes that are prevented from being mounted in the containers.
ContainerExecAllowedProcesses List<string>: List of processes that will be allowed.
Description string: The description of the container runtime policy
EnableDriftPrevention bool: If true, executables that are not in the original image is prevented from running.
EnableForkGuard bool: If true, fork bombs are prevented in the containers.
EnableIpReputationSecurity bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
EnablePortScanDetection bool: If true, detects port scanning behavior in the container.
Enabled bool: Indicates if the runtime policy is enabled or not.
Enforce bool: Indicates that policy should effect container execution (not just for audit).
EnforceAfterDays int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
ExceptionalReadonlyFilesAndDirectories List<string>: List of files and directories to be excluded from the read-only list.
ExecLockdownWhiteLists List<string>: Specify processes that will be allowed
FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
ForkGuardProcessLimit int: Process limit for the fork guard.
LimitNewPrivileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions: Configuration for Real-Time Malware Protection.
MonitorSystemTimeChanges bool: If true, system time changes will be monitored.
Name string: Name of the container runtime policy
ReadonlyFilesAndDirectories List<string>: List of files and directories to be restricted as read-only
ReverseShellAllowedIps List<string>: List of IPs/ CIDRs that will be allowed
ReverseShellAllowedProcesses List<string>: List of processes that will be allowed
ScopeExpression string: Logical expression of how to compute the dependency of the scope variables.
ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>: List of scope attributes.

AllowedExecutables []string: List of executables that are allowed for the user.
AllowedRegistries []string: List of registries that allowed for running containers.
ApplicationScopes []string: Indicates the application scope of the service.
AuditAllNetworkActivity bool: If true, all network activity will be audited.
AuditAllProcessesActivity bool: If true, all process activity will be audited.
AuditFullCommandArguments bool: If true, full command arguments will be audited.
BlockAccessHostNetwork bool: If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
BlockContainerExec bool: If true, exec into a container is prevented.
BlockCryptocurrencyMining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
BlockFilelessExec bool: Detect and prevent running in-memory execution
BlockLowPortBinding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
BlockNonCompliantImages bool: If true, running non-compliant image in the container is prevented.
BlockNonCompliantWorkloads bool: If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool: If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool: If true, prevent containers from running with privileged container capability.
BlockReverseShell bool: If true, reverse shell is prevented.
BlockRootUser bool: If true, prevent containers from running with root user.
BlockUnregisteredImages bool: If true, running images in the container that are not registered in Aqua is prevented.
BlockUseIpcNamespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool: If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities []string: If true, prevents containers from using specific Unix capabilities.
BlockedExecutables []string: List of executables that are prevented from running in containers.
BlockedFiles []string: List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts []string: List of blocked inbound ports.
BlockedOutboundPorts []string: List of blocked outbound ports.
BlockedPackages []string: Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes []string: List of volumes that are prevented from being mounted in the containers.
ContainerExecAllowedProcesses []string: List of processes that will be allowed.
Description string: The description of the container runtime policy
EnableDriftPrevention bool: If true, executables that are not in the original image is prevented from running.
EnableForkGuard bool: If true, fork bombs are prevented in the containers.
EnableIpReputationSecurity bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
EnablePortScanDetection bool: If true, detects port scanning behavior in the container.
Enabled bool: Indicates if the runtime policy is enabled or not.
Enforce bool: Indicates that policy should effect container execution (not just for audit).
EnforceAfterDays int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
ExceptionalReadonlyFilesAndDirectories []string: List of files and directories to be excluded from the read-only list.
ExecLockdownWhiteLists []string: Specify processes that will be allowed
FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs: Configuration for file integrity monitoring.
ForkGuardProcessLimit int: Process limit for the fork guard.
LimitNewPrivileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs: Configuration for Real-Time Malware Protection.
MonitorSystemTimeChanges bool: If true, system time changes will be monitored.
Name string: Name of the container runtime policy
ReadonlyFilesAndDirectories []string: List of files and directories to be restricted as read-only
ReverseShellAllowedIps []string: List of IPs/ CIDRs that will be allowed
ReverseShellAllowedProcesses []string: List of processes that will be allowed
ScopeExpression string: Logical expression of how to compute the dependency of the scope variables.
ScopeVariables []ContainerRuntimePolicyScopeVariableArgs: List of scope attributes.

allowedExecutables List<String>: List of executables that are allowed for the user.
allowedRegistries List<String>: List of registries that allowed for running containers.
applicationScopes List<String>: Indicates the application scope of the service.
auditAllNetworkActivity Boolean: If true, all network activity will be audited.
auditAllProcessesActivity Boolean: If true, all process activity will be audited.
auditFullCommandArguments Boolean: If true, full command arguments will be audited.
blockAccessHostNetwork Boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec Boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec Boolean: Detect and prevent running in-memory execution
blockLowPortBinding Boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages Boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads Boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell Boolean: If true, reverse shell is prevented.
blockRootUser Boolean: If true, prevent containers from running with root user.
blockUnregisteredImages Boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace Boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>: If true, prevents containers from using specific Unix capabilities.
blockedExecutables List<String>: List of executables that are prevented from running in containers.
blockedFiles List<String>: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>: List of blocked inbound ports.
blockedOutboundPorts List<String>: List of blocked outbound ports.
blockedPackages List<String>: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses List<String>: List of processes that will be allowed.
description String: The description of the container runtime policy
enableDriftPrevention Boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard Boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity Boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection Boolean: If true, detects port scanning behavior in the container.
enabled Boolean: Indicates if the runtime policy is enabled or not.
enforce Boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays Integer: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories List<String>: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists List<String>: Specify processes that will be allowed
fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
forkGuardProcessLimit Integer: Process limit for the fork guard.
limitNewPrivileges Boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
malwareScanOptions ContainerRuntimePolicyMalwareScanOptions: Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges Boolean: If true, system time changes will be monitored.
name String: Name of the container runtime policy
readonlyFilesAndDirectories List<String>: List of files and directories to be restricted as read-only
reverseShellAllowedIps List<String>: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses List<String>: List of processes that will be allowed
scopeExpression String: Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<ContainerRuntimePolicyScopeVariable>: List of scope attributes.

allowedExecutables string[]: List of executables that are allowed for the user.
allowedRegistries string[]: List of registries that allowed for running containers.
applicationScopes string[]: Indicates the application scope of the service.
auditAllNetworkActivity boolean: If true, all network activity will be audited.
auditAllProcessesActivity boolean: If true, all process activity will be audited.
auditFullCommandArguments boolean: If true, full command arguments will be audited.
blockAccessHostNetwork boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec boolean: Detect and prevent running in-memory execution
blockLowPortBinding boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell boolean: If true, reverse shell is prevented.
blockRootUser boolean: If true, prevent containers from running with root user.
blockUnregisteredImages boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities string[]: If true, prevents containers from using specific Unix capabilities.
blockedExecutables string[]: List of executables that are prevented from running in containers.
blockedFiles string[]: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts string[]: List of blocked inbound ports.
blockedOutboundPorts string[]: List of blocked outbound ports.
blockedPackages string[]: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes string[]: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses string[]: List of processes that will be allowed.
description string: The description of the container runtime policy
enableDriftPrevention boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection boolean: If true, detects port scanning behavior in the container.
enabled boolean: Indicates if the runtime policy is enabled or not.
enforce boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays number: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories string[]: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists string[]: Specify processes that will be allowed
fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
forkGuardProcessLimit number: Process limit for the fork guard.
limitNewPrivileges boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
malwareScanOptions ContainerRuntimePolicyMalwareScanOptions: Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges boolean: If true, system time changes will be monitored.
name string: Name of the container runtime policy
readonlyFilesAndDirectories string[]: List of files and directories to be restricted as read-only
reverseShellAllowedIps string[]: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses string[]: List of processes that will be allowed
scopeExpression string: Logical expression of how to compute the dependency of the scope variables.
scopeVariables ContainerRuntimePolicyScopeVariable[]: List of scope attributes.

allowed_executables Sequence[str]: List of executables that are allowed for the user.
allowed_registries Sequence[str]: List of registries that allowed for running containers.
application_scopes Sequence[str]: Indicates the application scope of the service.
audit_all_network_activity bool: If true, all network activity will be audited.
audit_all_processes_activity bool: If true, all process activity will be audited.
audit_full_command_arguments bool: If true, full command arguments will be audited.
block_access_host_network bool: If true, prevent containers from running with access to host network.
block_adding_capabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
block_container_exec bool: If true, exec into a container is prevented.
block_cryptocurrency_mining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
block_fileless_exec bool: Detect and prevent running in-memory execution
block_low_port_binding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
block_non_compliant_images bool: If true, running non-compliant image in the container is prevented.
block_non_compliant_workloads bool: If true, running containers in non-compliant pods is prevented.
block_non_k8s_containers bool: If true, running non-kubernetes containers is prevented.
block_privileged_containers bool: If true, prevent containers from running with privileged container capability.
block_reverse_shell bool: If true, reverse shell is prevented.
block_root_user bool: If true, prevent containers from running with root user.
block_unregistered_images bool: If true, running images in the container that are not registered in Aqua is prevented.
block_use_ipc_namespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
block_use_pid_namespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
block_use_user_namespace bool: If true, prevent containers from running with the privilege to use the user namespace.
block_use_uts_namespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
blocked_capabilities Sequence[str]: If true, prevents containers from using specific Unix capabilities.
blocked_executables Sequence[str]: List of executables that are prevented from running in containers.
blocked_files Sequence[str]: List of files that are prevented from being read, modified and executed in the containers.
blocked_inbound_ports Sequence[str]: List of blocked inbound ports.
blocked_outbound_ports Sequence[str]: List of blocked outbound ports.
blocked_packages Sequence[str]: Prevent containers from reading, writing, or executing all files in the list of packages.
blocked_volumes Sequence[str]: List of volumes that are prevented from being mounted in the containers.
container_exec_allowed_processes Sequence[str]: List of processes that will be allowed.
description str: The description of the container runtime policy
enable_drift_prevention bool: If true, executables that are not in the original image is prevented from running.
enable_fork_guard bool: If true, fork bombs are prevented in the containers.
enable_ip_reputation_security bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enable_port_scan_detection bool: If true, detects port scanning behavior in the container.
enabled bool: Indicates if the runtime policy is enabled or not.
enforce bool: Indicates that policy should effect container execution (not just for audit).
enforce_after_days int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptional_readonly_files_and_directories Sequence[str]: List of files and directories to be excluded from the read-only list.
exec_lockdown_white_lists Sequence[str]: Specify processes that will be allowed
file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs: Configuration for file integrity monitoring.
fork_guard_process_limit int: Process limit for the fork guard.
limit_new_privileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs: Configuration for Real-Time Malware Protection.
monitor_system_time_changes bool: If true, system time changes will be monitored.
name str: Name of the container runtime policy
readonly_files_and_directories Sequence[str]: List of files and directories to be restricted as read-only
reverse_shell_allowed_ips Sequence[str]: List of IPs/ CIDRs that will be allowed
reverse_shell_allowed_processes Sequence[str]: List of processes that will be allowed
scope_expression str: Logical expression of how to compute the dependency of the scope variables.
scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]: List of scope attributes.

allowedExecutables List<String>: List of executables that are allowed for the user.
allowedRegistries List<String>: List of registries that allowed for running containers.
applicationScopes List<String>: Indicates the application scope of the service.
auditAllNetworkActivity Boolean: If true, all network activity will be audited.
auditAllProcessesActivity Boolean: If true, all process activity will be audited.
auditFullCommandArguments Boolean: If true, full command arguments will be audited.
blockAccessHostNetwork Boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec Boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec Boolean: Detect and prevent running in-memory execution
blockLowPortBinding Boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages Boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads Boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell Boolean: If true, reverse shell is prevented.
blockRootUser Boolean: If true, prevent containers from running with root user.
blockUnregisteredImages Boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace Boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>: If true, prevents containers from using specific Unix capabilities.
blockedExecutables List<String>: List of executables that are prevented from running in containers.
blockedFiles List<String>: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>: List of blocked inbound ports.
blockedOutboundPorts List<String>: List of blocked outbound ports.
blockedPackages List<String>: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses List<String>: List of processes that will be allowed.
description String: The description of the container runtime policy
enableDriftPrevention Boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard Boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity Boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection Boolean: If true, detects port scanning behavior in the container.
enabled Boolean: Indicates if the runtime policy is enabled or not.
enforce Boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays Number: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories List<String>: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists List<String>: Specify processes that will be allowed
fileIntegrityMonitoring Property Map: Configuration for file integrity monitoring.
forkGuardProcessLimit Number: Process limit for the fork guard.
limitNewPrivileges Boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
malwareScanOptions Property Map: Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges Boolean: If true, system time changes will be monitored.
name String: Name of the container runtime policy
readonlyFilesAndDirectories List<String>: List of files and directories to be restricted as read-only
reverseShellAllowedIps List<String>: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses List<String>: List of processes that will be allowed
scopeExpression String: Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<Property Map>: List of scope attributes.

Outputs

All input properties are implicitly available as output properties. Additionally, the ContainerRuntimePolicy resource produces the following output properties:

Author string: Username of the account that created the service.
Id string: The provider-assigned unique ID for this managed resource.

Author string: Username of the account that created the service.
Id string: The provider-assigned unique ID for this managed resource.

author String: Username of the account that created the service.
id String: The provider-assigned unique ID for this managed resource.

author string: Username of the account that created the service.
id string: The provider-assigned unique ID for this managed resource.

author str: Username of the account that created the service.
id str: The provider-assigned unique ID for this managed resource.

author String: Username of the account that created the service.
id String: The provider-assigned unique ID for this managed resource.

Look up Existing ContainerRuntimePolicy Resource

Get an existing ContainerRuntimePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ContainerRuntimePolicyState, opts?: CustomResourceOptions): ContainerRuntimePolicy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allowed_executables: Optional[Sequence[str]] = None,
        allowed_registries: Optional[Sequence[str]] = None,
        application_scopes: Optional[Sequence[str]] = None,
        audit_all_network_activity: Optional[bool] = None,
        audit_all_processes_activity: Optional[bool] = None,
        audit_full_command_arguments: Optional[bool] = None,
        author: Optional[str] = None,
        block_access_host_network: Optional[bool] = None,
        block_adding_capabilities: Optional[bool] = None,
        block_container_exec: Optional[bool] = None,
        block_cryptocurrency_mining: Optional[bool] = None,
        block_fileless_exec: Optional[bool] = None,
        block_low_port_binding: Optional[bool] = None,
        block_non_compliant_images: Optional[bool] = None,
        block_non_compliant_workloads: Optional[bool] = None,
        block_non_k8s_containers: Optional[bool] = None,
        block_privileged_containers: Optional[bool] = None,
        block_reverse_shell: Optional[bool] = None,
        block_root_user: Optional[bool] = None,
        block_unregistered_images: Optional[bool] = None,
        block_use_ipc_namespace: Optional[bool] = None,
        block_use_pid_namespace: Optional[bool] = None,
        block_use_user_namespace: Optional[bool] = None,
        block_use_uts_namespace: Optional[bool] = None,
        blocked_capabilities: Optional[Sequence[str]] = None,
        blocked_executables: Optional[Sequence[str]] = None,
        blocked_files: Optional[Sequence[str]] = None,
        blocked_inbound_ports: Optional[Sequence[str]] = None,
        blocked_outbound_ports: Optional[Sequence[str]] = None,
        blocked_packages: Optional[Sequence[str]] = None,
        blocked_volumes: Optional[Sequence[str]] = None,
        container_exec_allowed_processes: Optional[Sequence[str]] = None,
        description: Optional[str] = None,
        enable_drift_prevention: Optional[bool] = None,
        enable_fork_guard: Optional[bool] = None,
        enable_ip_reputation_security: Optional[bool] = None,
        enable_port_scan_detection: Optional[bool] = None,
        enabled: Optional[bool] = None,
        enforce: Optional[bool] = None,
        enforce_after_days: Optional[int] = None,
        exceptional_readonly_files_and_directories: Optional[Sequence[str]] = None,
        exec_lockdown_white_lists: Optional[Sequence[str]] = None,
        file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
        fork_guard_process_limit: Optional[int] = None,
        limit_new_privileges: Optional[bool] = None,
        malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
        monitor_system_time_changes: Optional[bool] = None,
        name: Optional[str] = None,
        readonly_files_and_directories: Optional[Sequence[str]] = None,
        reverse_shell_allowed_ips: Optional[Sequence[str]] = None,
        reverse_shell_allowed_processes: Optional[Sequence[str]] = None,
        scope_expression: Optional[str] = None,
        scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None) -> ContainerRuntimePolicy

func GetContainerRuntimePolicy(ctx *Context, name string, id IDInput, state *ContainerRuntimePolicyState, opts ...ResourceOption) (*ContainerRuntimePolicy, error)

public static ContainerRuntimePolicy Get(string name, Input<string> id, ContainerRuntimePolicyState? state, CustomResourceOptions? opts = null)

public static ContainerRuntimePolicy get(String name, Output<String> id, ContainerRuntimePolicyState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AllowedExecutables List<string>: List of executables that are allowed for the user.
AllowedRegistries List<string>: List of registries that allowed for running containers.
ApplicationScopes List<string>: Indicates the application scope of the service.
AuditAllNetworkActivity bool: If true, all network activity will be audited.
AuditAllProcessesActivity bool: If true, all process activity will be audited.
AuditFullCommandArguments bool: If true, full command arguments will be audited.
Author string: Username of the account that created the service.
BlockAccessHostNetwork bool: If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
BlockContainerExec bool: If true, exec into a container is prevented.
BlockCryptocurrencyMining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
BlockFilelessExec bool: Detect and prevent running in-memory execution
BlockLowPortBinding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
BlockNonCompliantImages bool: If true, running non-compliant image in the container is prevented.
BlockNonCompliantWorkloads bool: If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool: If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool: If true, prevent containers from running with privileged container capability.
BlockReverseShell bool: If true, reverse shell is prevented.
BlockRootUser bool: If true, prevent containers from running with root user.
BlockUnregisteredImages bool: If true, running images in the container that are not registered in Aqua is prevented.
BlockUseIpcNamespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool: If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities List<string>: If true, prevents containers from using specific Unix capabilities.
BlockedExecutables List<string>: List of executables that are prevented from running in containers.
BlockedFiles List<string>: List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts List<string>: List of blocked inbound ports.
BlockedOutboundPorts List<string>: List of blocked outbound ports.
BlockedPackages List<string>: Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes List<string>: List of volumes that are prevented from being mounted in the containers.
ContainerExecAllowedProcesses List<string>: List of processes that will be allowed.
Description string: The description of the container runtime policy
EnableDriftPrevention bool: If true, executables that are not in the original image is prevented from running.
EnableForkGuard bool: If true, fork bombs are prevented in the containers.
EnableIpReputationSecurity bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
EnablePortScanDetection bool: If true, detects port scanning behavior in the container.
Enabled bool: Indicates if the runtime policy is enabled or not.
Enforce bool: Indicates that policy should effect container execution (not just for audit).
EnforceAfterDays int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
ExceptionalReadonlyFilesAndDirectories List<string>: List of files and directories to be excluded from the read-only list.
ExecLockdownWhiteLists List<string>: Specify processes that will be allowed
FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
ForkGuardProcessLimit int: Process limit for the fork guard.
LimitNewPrivileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions: Configuration for Real-Time Malware Protection.
MonitorSystemTimeChanges bool: If true, system time changes will be monitored.
Name string: Name of the container runtime policy
ReadonlyFilesAndDirectories List<string>: List of files and directories to be restricted as read-only
ReverseShellAllowedIps List<string>: List of IPs/ CIDRs that will be allowed
ReverseShellAllowedProcesses List<string>: List of processes that will be allowed
ScopeExpression string: Logical expression of how to compute the dependency of the scope variables.
ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>: List of scope attributes.

AllowedExecutables []string: List of executables that are allowed for the user.
AllowedRegistries []string: List of registries that allowed for running containers.
ApplicationScopes []string: Indicates the application scope of the service.
AuditAllNetworkActivity bool: If true, all network activity will be audited.
AuditAllProcessesActivity bool: If true, all process activity will be audited.
AuditFullCommandArguments bool: If true, full command arguments will be audited.
Author string: Username of the account that created the service.
BlockAccessHostNetwork bool: If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
BlockContainerExec bool: If true, exec into a container is prevented.
BlockCryptocurrencyMining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
BlockFilelessExec bool: Detect and prevent running in-memory execution
BlockLowPortBinding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
BlockNonCompliantImages bool: If true, running non-compliant image in the container is prevented.
BlockNonCompliantWorkloads bool: If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool: If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool: If true, prevent containers from running with privileged container capability.
BlockReverseShell bool: If true, reverse shell is prevented.
BlockRootUser bool: If true, prevent containers from running with root user.
BlockUnregisteredImages bool: If true, running images in the container that are not registered in Aqua is prevented.
BlockUseIpcNamespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool: If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities []string: If true, prevents containers from using specific Unix capabilities.
BlockedExecutables []string: List of executables that are prevented from running in containers.
BlockedFiles []string: List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts []string: List of blocked inbound ports.
BlockedOutboundPorts []string: List of blocked outbound ports.
BlockedPackages []string: Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes []string: List of volumes that are prevented from being mounted in the containers.
ContainerExecAllowedProcesses []string: List of processes that will be allowed.
Description string: The description of the container runtime policy
EnableDriftPrevention bool: If true, executables that are not in the original image is prevented from running.
EnableForkGuard bool: If true, fork bombs are prevented in the containers.
EnableIpReputationSecurity bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
EnablePortScanDetection bool: If true, detects port scanning behavior in the container.
Enabled bool: Indicates if the runtime policy is enabled or not.
Enforce bool: Indicates that policy should effect container execution (not just for audit).
EnforceAfterDays int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
ExceptionalReadonlyFilesAndDirectories []string: List of files and directories to be excluded from the read-only list.
ExecLockdownWhiteLists []string: Specify processes that will be allowed
FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs: Configuration for file integrity monitoring.
ForkGuardProcessLimit int: Process limit for the fork guard.
LimitNewPrivileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs: Configuration for Real-Time Malware Protection.
MonitorSystemTimeChanges bool: If true, system time changes will be monitored.
Name string: Name of the container runtime policy
ReadonlyFilesAndDirectories []string: List of files and directories to be restricted as read-only
ReverseShellAllowedIps []string: List of IPs/ CIDRs that will be allowed
ReverseShellAllowedProcesses []string: List of processes that will be allowed
ScopeExpression string: Logical expression of how to compute the dependency of the scope variables.
ScopeVariables []ContainerRuntimePolicyScopeVariableArgs: List of scope attributes.

allowedExecutables List<String>: List of executables that are allowed for the user.
allowedRegistries List<String>: List of registries that allowed for running containers.
applicationScopes List<String>: Indicates the application scope of the service.
auditAllNetworkActivity Boolean: If true, all network activity will be audited.
auditAllProcessesActivity Boolean: If true, all process activity will be audited.
auditFullCommandArguments Boolean: If true, full command arguments will be audited.
author String: Username of the account that created the service.
blockAccessHostNetwork Boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec Boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec Boolean: Detect and prevent running in-memory execution
blockLowPortBinding Boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages Boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads Boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell Boolean: If true, reverse shell is prevented.
blockRootUser Boolean: If true, prevent containers from running with root user.
blockUnregisteredImages Boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace Boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>: If true, prevents containers from using specific Unix capabilities.
blockedExecutables List<String>: List of executables that are prevented from running in containers.
blockedFiles List<String>: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>: List of blocked inbound ports.
blockedOutboundPorts List<String>: List of blocked outbound ports.
blockedPackages List<String>: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses List<String>: List of processes that will be allowed.
description String: The description of the container runtime policy
enableDriftPrevention Boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard Boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity Boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection Boolean: If true, detects port scanning behavior in the container.
enabled Boolean: Indicates if the runtime policy is enabled or not.
enforce Boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays Integer: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories List<String>: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists List<String>: Specify processes that will be allowed
fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
forkGuardProcessLimit Integer: Process limit for the fork guard.
limitNewPrivileges Boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
malwareScanOptions ContainerRuntimePolicyMalwareScanOptions: Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges Boolean: If true, system time changes will be monitored.
name String: Name of the container runtime policy
readonlyFilesAndDirectories List<String>: List of files and directories to be restricted as read-only
reverseShellAllowedIps List<String>: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses List<String>: List of processes that will be allowed
scopeExpression String: Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<ContainerRuntimePolicyScopeVariable>: List of scope attributes.

allowedExecutables string[]: List of executables that are allowed for the user.
allowedRegistries string[]: List of registries that allowed for running containers.
applicationScopes string[]: Indicates the application scope of the service.
auditAllNetworkActivity boolean: If true, all network activity will be audited.
auditAllProcessesActivity boolean: If true, all process activity will be audited.
auditFullCommandArguments boolean: If true, full command arguments will be audited.
author string: Username of the account that created the service.
blockAccessHostNetwork boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec boolean: Detect and prevent running in-memory execution
blockLowPortBinding boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell boolean: If true, reverse shell is prevented.
blockRootUser boolean: If true, prevent containers from running with root user.
blockUnregisteredImages boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities string[]: If true, prevents containers from using specific Unix capabilities.
blockedExecutables string[]: List of executables that are prevented from running in containers.
blockedFiles string[]: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts string[]: List of blocked inbound ports.
blockedOutboundPorts string[]: List of blocked outbound ports.
blockedPackages string[]: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes string[]: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses string[]: List of processes that will be allowed.
description string: The description of the container runtime policy
enableDriftPrevention boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection boolean: If true, detects port scanning behavior in the container.
enabled boolean: Indicates if the runtime policy is enabled or not.
enforce boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays number: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories string[]: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists string[]: Specify processes that will be allowed
fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring: Configuration for file integrity monitoring.
forkGuardProcessLimit number: Process limit for the fork guard.
limitNewPrivileges boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
malwareScanOptions ContainerRuntimePolicyMalwareScanOptions: Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges boolean: If true, system time changes will be monitored.
name string: Name of the container runtime policy
readonlyFilesAndDirectories string[]: List of files and directories to be restricted as read-only
reverseShellAllowedIps string[]: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses string[]: List of processes that will be allowed
scopeExpression string: Logical expression of how to compute the dependency of the scope variables.
scopeVariables ContainerRuntimePolicyScopeVariable[]: List of scope attributes.

allowed_executables Sequence[str]: List of executables that are allowed for the user.
allowed_registries Sequence[str]: List of registries that allowed for running containers.
application_scopes Sequence[str]: Indicates the application scope of the service.
audit_all_network_activity bool: If true, all network activity will be audited.
audit_all_processes_activity bool: If true, all process activity will be audited.
audit_full_command_arguments bool: If true, full command arguments will be audited.
author str: Username of the account that created the service.
block_access_host_network bool: If true, prevent containers from running with access to host network.
block_adding_capabilities bool: If true, prevent containers from running with adding capabilities with --cap-add privilege.
block_container_exec bool: If true, exec into a container is prevented.
block_cryptocurrency_mining bool: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
block_fileless_exec bool: Detect and prevent running in-memory execution
block_low_port_binding bool: If true, prevent containers from running with the capability to bind in port lower than 1024.
block_non_compliant_images bool: If true, running non-compliant image in the container is prevented.
block_non_compliant_workloads bool: If true, running containers in non-compliant pods is prevented.
block_non_k8s_containers bool: If true, running non-kubernetes containers is prevented.
block_privileged_containers bool: If true, prevent containers from running with privileged container capability.
block_reverse_shell bool: If true, reverse shell is prevented.
block_root_user bool: If true, prevent containers from running with root user.
block_unregistered_images bool: If true, running images in the container that are not registered in Aqua is prevented.
block_use_ipc_namespace bool: If true, prevent containers from running with the privilege to use the IPC namespace.
block_use_pid_namespace bool: If true, prevent containers from running with the privilege to use the PID namespace.
block_use_user_namespace bool: If true, prevent containers from running with the privilege to use the user namespace.
block_use_uts_namespace bool: If true, prevent containers from running with the privilege to use the UTS namespace.
blocked_capabilities Sequence[str]: If true, prevents containers from using specific Unix capabilities.
blocked_executables Sequence[str]: List of executables that are prevented from running in containers.
blocked_files Sequence[str]: List of files that are prevented from being read, modified and executed in the containers.
blocked_inbound_ports Sequence[str]: List of blocked inbound ports.
blocked_outbound_ports Sequence[str]: List of blocked outbound ports.
blocked_packages Sequence[str]: Prevent containers from reading, writing, or executing all files in the list of packages.
blocked_volumes Sequence[str]: List of volumes that are prevented from being mounted in the containers.
container_exec_allowed_processes Sequence[str]: List of processes that will be allowed.
description str: The description of the container runtime policy
enable_drift_prevention bool: If true, executables that are not in the original image is prevented from running.
enable_fork_guard bool: If true, fork bombs are prevented in the containers.
enable_ip_reputation_security bool: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enable_port_scan_detection bool: If true, detects port scanning behavior in the container.
enabled bool: Indicates if the runtime policy is enabled or not.
enforce bool: Indicates that policy should effect container execution (not just for audit).
enforce_after_days int: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptional_readonly_files_and_directories Sequence[str]: List of files and directories to be excluded from the read-only list.
exec_lockdown_white_lists Sequence[str]: Specify processes that will be allowed
file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs: Configuration for file integrity monitoring.
fork_guard_process_limit int: Process limit for the fork guard.
limit_new_privileges bool: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs: Configuration for Real-Time Malware Protection.
monitor_system_time_changes bool: If true, system time changes will be monitored.
name str: Name of the container runtime policy
readonly_files_and_directories Sequence[str]: List of files and directories to be restricted as read-only
reverse_shell_allowed_ips Sequence[str]: List of IPs/ CIDRs that will be allowed
reverse_shell_allowed_processes Sequence[str]: List of processes that will be allowed
scope_expression str: Logical expression of how to compute the dependency of the scope variables.
scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]: List of scope attributes.

allowedExecutables List<String>: List of executables that are allowed for the user.
allowedRegistries List<String>: List of registries that allowed for running containers.
applicationScopes List<String>: Indicates the application scope of the service.
auditAllNetworkActivity Boolean: If true, all network activity will be audited.
auditAllProcessesActivity Boolean: If true, all process activity will be audited.
auditFullCommandArguments Boolean: If true, full command arguments will be audited.
author String: Username of the account that created the service.
blockAccessHostNetwork Boolean: If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean: If true, prevent containers from running with adding capabilities with --cap-add privilege.
blockContainerExec Boolean: If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean: Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockFilelessExec Boolean: Detect and prevent running in-memory execution
blockLowPortBinding Boolean: If true, prevent containers from running with the capability to bind in port lower than 1024.
blockNonCompliantImages Boolean: If true, running non-compliant image in the container is prevented.
blockNonCompliantWorkloads Boolean: If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean: If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean: If true, prevent containers from running with privileged container capability.
blockReverseShell Boolean: If true, reverse shell is prevented.
blockRootUser Boolean: If true, prevent containers from running with root user.
blockUnregisteredImages Boolean: If true, running images in the container that are not registered in Aqua is prevented.
blockUseIpcNamespace Boolean: If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean: If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean: If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean: If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>: If true, prevents containers from using specific Unix capabilities.
blockedExecutables List<String>: List of executables that are prevented from running in containers.
blockedFiles List<String>: List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>: List of blocked inbound ports.
blockedOutboundPorts List<String>: List of blocked outbound ports.
blockedPackages List<String>: Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>: List of volumes that are prevented from being mounted in the containers.
containerExecAllowedProcesses List<String>: List of processes that will be allowed.
description String: The description of the container runtime policy
enableDriftPrevention Boolean: If true, executables that are not in the original image is prevented from running.
enableForkGuard Boolean: If true, fork bombs are prevented in the containers.
enableIpReputationSecurity Boolean: If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
enablePortScanDetection Boolean: If true, detects port scanning behavior in the container.
enabled Boolean: Indicates if the runtime policy is enabled or not.
enforce Boolean: Indicates that policy should effect container execution (not just for audit).
enforceAfterDays Number: Indicates the number of days after which the runtime policy will be changed to enforce mode.
exceptionalReadonlyFilesAndDirectories List<String>: List of files and directories to be excluded from the read-only list.
execLockdownWhiteLists List<String>: Specify processes that will be allowed
fileIntegrityMonitoring Property Map: Configuration for file integrity monitoring.
forkGuardProcessLimit Number: Process limit for the fork guard.
limitNewPrivileges Boolean: If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
malwareScanOptions Property Map: Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges Boolean: If true, system time changes will be monitored.
name String: Name of the container runtime policy
readonlyFilesAndDirectories List<String>: List of files and directories to be restricted as read-only
reverseShellAllowedIps List<String>: List of IPs/ CIDRs that will be allowed
reverseShellAllowedProcesses List<String>: List of processes that will be allowed
scopeExpression String: Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<Property Map>: List of scope attributes.

Supporting Types

ContainerRuntimePolicyFileIntegrityMonitoring, ContainerRuntimePolicyFileIntegrityMonitoringArgs

ExcludedPaths List<string>: List of paths to be excluded from being monitored.
ExcludedProcesses List<string>: List of processes to be excluded from being monitored.
ExcludedUsers List<string>: List of users to be excluded from being monitored.
MonitorAttributes bool: If true, add attributes operations will be monitored.
MonitorCreate bool: If true, create operations will be monitored.
MonitorDelete bool: If true, deletion operations will be monitored.
MonitorModify bool: If true, modification operations will be monitored.
MonitorRead bool: If true, read operations will be monitored.
MonitoredPaths List<string>: List of paths to be monitored.
MonitoredProcesses List<string>: List of processes to be monitored.
MonitoredUsers List<string>: List of users to be monitored.

ExcludedPaths []string: List of paths to be excluded from being monitored.
ExcludedProcesses []string: List of processes to be excluded from being monitored.
ExcludedUsers []string: List of users to be excluded from being monitored.
MonitorAttributes bool: If true, add attributes operations will be monitored.
MonitorCreate bool: If true, create operations will be monitored.
MonitorDelete bool: If true, deletion operations will be monitored.
MonitorModify bool: If true, modification operations will be monitored.
MonitorRead bool: If true, read operations will be monitored.
MonitoredPaths []string: List of paths to be monitored.
MonitoredProcesses []string: List of processes to be monitored.
MonitoredUsers []string: List of users to be monitored.

excludedPaths List<String>: List of paths to be excluded from being monitored.
excludedProcesses List<String>: List of processes to be excluded from being monitored.
excludedUsers List<String>: List of users to be excluded from being monitored.
monitorAttributes Boolean: If true, add attributes operations will be monitored.
monitorCreate Boolean: If true, create operations will be monitored.
monitorDelete Boolean: If true, deletion operations will be monitored.
monitorModify Boolean: If true, modification operations will be monitored.
monitorRead Boolean: If true, read operations will be monitored.
monitoredPaths List<String>: List of paths to be monitored.
monitoredProcesses List<String>: List of processes to be monitored.
monitoredUsers List<String>: List of users to be monitored.

excludedPaths string[]: List of paths to be excluded from being monitored.
excludedProcesses string[]: List of processes to be excluded from being monitored.
excludedUsers string[]: List of users to be excluded from being monitored.
monitorAttributes boolean: If true, add attributes operations will be monitored.
monitorCreate boolean: If true, create operations will be monitored.
monitorDelete boolean: If true, deletion operations will be monitored.
monitorModify boolean: If true, modification operations will be monitored.
monitorRead boolean: If true, read operations will be monitored.
monitoredPaths string[]: List of paths to be monitored.
monitoredProcesses string[]: List of processes to be monitored.
monitoredUsers string[]: List of users to be monitored.

excluded_paths Sequence[str]: List of paths to be excluded from being monitored.
excluded_processes Sequence[str]: List of processes to be excluded from being monitored.
excluded_users Sequence[str]: List of users to be excluded from being monitored.
monitor_attributes bool: If true, add attributes operations will be monitored.
monitor_create bool: If true, create operations will be monitored.
monitor_delete bool: If true, deletion operations will be monitored.
monitor_modify bool: If true, modification operations will be monitored.
monitor_read bool: If true, read operations will be monitored.
monitored_paths Sequence[str]: List of paths to be monitored.
monitored_processes Sequence[str]: List of processes to be monitored.
monitored_users Sequence[str]: List of users to be monitored.

excludedPaths List<String>: List of paths to be excluded from being monitored.
excludedProcesses List<String>: List of processes to be excluded from being monitored.
excludedUsers List<String>: List of users to be excluded from being monitored.
monitorAttributes Boolean: If true, add attributes operations will be monitored.
monitorCreate Boolean: If true, create operations will be monitored.
monitorDelete Boolean: If true, deletion operations will be monitored.
monitorModify Boolean: If true, modification operations will be monitored.
monitorRead Boolean: If true, read operations will be monitored.
monitoredPaths List<String>: List of paths to be monitored.
monitoredProcesses List<String>: List of processes to be monitored.
monitoredUsers List<String>: List of users to be monitored.

ContainerRuntimePolicyMalwareScanOptions, ContainerRuntimePolicyMalwareScanOptionsArgs

Action string: Set Action, Defaults to 'Alert' when empty
Enabled bool: Defines if enabled or not
ExcludeDirectories List<string>: List of registry paths to be excluded from being protected.
ExcludeProcesses List<string>: List of registry processes to be excluded from being protected.

Action string: Set Action, Defaults to 'Alert' when empty
Enabled bool: Defines if enabled or not
ExcludeDirectories []string: List of registry paths to be excluded from being protected.
ExcludeProcesses []string: List of registry processes to be excluded from being protected.

action String: Set Action, Defaults to 'Alert' when empty
enabled Boolean: Defines if enabled or not
excludeDirectories List<String>: List of registry paths to be excluded from being protected.
excludeProcesses List<String>: List of registry processes to be excluded from being protected.

action string: Set Action, Defaults to 'Alert' when empty
enabled boolean: Defines if enabled or not
excludeDirectories string[]: List of registry paths to be excluded from being protected.
excludeProcesses string[]: List of registry processes to be excluded from being protected.

action str: Set Action, Defaults to 'Alert' when empty
enabled bool: Defines if enabled or not
exclude_directories Sequence[str]: List of registry paths to be excluded from being protected.
exclude_processes Sequence[str]: List of registry processes to be excluded from being protected.

action String: Set Action, Defaults to 'Alert' when empty
enabled Boolean: Defines if enabled or not
excludeDirectories List<String>: List of registry paths to be excluded from being protected.
excludeProcesses List<String>: List of registry processes to be excluded from being protected.

ContainerRuntimePolicyScopeVariable, ContainerRuntimePolicyScopeVariableArgs

Attribute string: Class of supported scope.
Value string: Value assigned to the attribute.
Name string: Name assigned to the attribute.

Attribute string: Class of supported scope.
Value string: Value assigned to the attribute.
Name string: Name assigned to the attribute.

attribute String: Class of supported scope.
value String: Value assigned to the attribute.
name String: Name assigned to the attribute.

attribute string: Class of supported scope.
value string: Value assigned to the attribute.
name string: Name assigned to the attribute.

attribute str: Class of supported scope.
value str: Value assigned to the attribute.
name str: Name assigned to the attribute.

attribute String: Class of supported scope.
value String: Value assigned to the attribute.
name String: Name assigned to the attribute.

Package Details

Repository: aquasec pulumiverse/pulumi-aquasec
License: Apache-2.0
Notes: This Pulumi package is based on the aquasec Terraform Provider.

Aquasec v0.8.25 published on Tuesday, Apr 25, 2023 by Pulumiverse

pulumiverse/pulumi-aquasec

aquasec.ContainerRuntimePolicy

On this page

On this page

Example Usage

Create ContainerRuntimePolicy Resource

ContainerRuntimePolicy Resource Properties

Inputs

Outputs

Look up Existing ContainerRuntimePolicy Resource

Supporting Types

ContainerRuntimePolicyFileIntegrityMonitoring, ContainerRuntimePolicyFileIntegrityMonitoringArgs

ContainerRuntimePolicyMalwareScanOptions, ContainerRuntimePolicyMalwareScanOptionsArgs

ContainerRuntimePolicyScopeVariable, ContainerRuntimePolicyScopeVariableArgs

Package Details

On this page

On this page