Aquasec v0.8.25 published on Tuesday, Apr 25, 2023 by Pulumiverse

aquasec.ContainerRuntimePolicy


    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aquasec = Pulumiverse.Aquasec;
    
    // Declares one Aqua container runtime policy. Every Audit*/Block* toggle is
    // switched on, but Enforce is false. NOTE(review): presumably the Block*
    // rules only report until Enforce is set — confirm against the Enforce
    // property docs before relying on them to actually block.
    return await Deployment.RunAsync(() =>
    {
        // File-integrity monitoring: watch the listed paths/processes/users for
        // every event type; the Excluded* lists carve out exceptions.
        var fileIntegrityMonitoring = new Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs
        {
            ExcludedPaths = new string[] { "expaths" },
            ExcludedProcesses = new string[] { "exprocess" },
            ExcludedUsers = new string[] { "expuser" },
            MonitorAttributes = true,
            MonitorCreate = true,
            MonitorDelete = true,
            MonitorModify = true,
            MonitorRead = true,
            MonitoredPaths = new string[] { "paths" },
            MonitoredProcesses = new string[] { "process" },
            MonitoredUsers = new string[] { "user" },
        };

        // Malware scanning is enabled with the "alert" action.
        var malwareScanOptions = new Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptionsArgs
        {
            Action = "alert",
            Enabled = true,
        };

        // Scope variables consumed by ScopeExpression below.
        var scopeVariables = new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs[]
        {
            new() { Attribute = "kubernetes.cluster", Value = "default" },
            new() { Attribute = "kubernetes.label", Name = "app", Value = "aqua" },
        };

        var containerRuntimePolicy = new Aquasec.ContainerRuntimePolicy("containerRuntimePolicy", new()
        {
            AllowedExecutables = new string[] { "exe", "bin" },
            AllowedRegistries = new string[] { "registry1", "registry2" },
            ApplicationScopes = new string[] { "Global" },
            AuditAllNetworkActivity = true,
            AuditAllProcessesActivity = true,
            AuditFullCommandArguments = true,
            BlockAccessHostNetwork = true,
            BlockAddingCapabilities = true,
            BlockContainerExec = true,
            BlockCryptocurrencyMining = true,
            BlockFilelessExec = true,
            BlockLowPortBinding = true,
            BlockNonCompliantImages = true,
            BlockNonCompliantWorkloads = true,
            BlockNonK8sContainers = true,
            BlockPrivilegedContainers = true,
            BlockReverseShell = true,
            BlockRootUser = true,
            BlockUnregisteredImages = true,
            BlockUseIpcNamespace = true,
            BlockUsePidNamespace = true,
            BlockUseUserNamespace = true,
            BlockUseUtsNamespace = true,
            BlockedCapabilities = new string[] { "AUDIT_CONTROL", "AUDIT_WRITE" },
            BlockedExecutables = new string[] { "exe1", "exe2" },
            BlockedFiles = new string[] { "test1", "test2" },
            // Port lists are strings in this API, not integers.
            BlockedInboundPorts = new string[] { "80", "8080" },
            BlockedOutboundPorts = new string[] { "90", "9090" },
            BlockedPackages = new string[] { "pkg", "pkg2" },
            BlockedVolumes = new string[] { "blocked", "vol" },
            ContainerExecAllowedProcesses = new string[] { "proc1", "proc2" },
            Description = "container_runtime_policy",
            EnableDriftPrevention = true,
            EnableForkGuard = true,
            EnableIpReputationSecurity = true,
            EnablePortScanDetection = true,
            Enabled = true,
            Enforce = false,
            ExceptionalReadonlyFilesAndDirectories = new string[] { "readonly2", "/dir2/" },
            FileIntegrityMonitoring = fileIntegrityMonitoring,
            // Presumably only consulted while EnableForkGuard is true — confirm.
            ForkGuardProcessLimit = 13,
            LimitNewPrivileges = true,
            MalwareScanOptions = malwareScanOptions,
            MonitorSystemTimeChanges = true,
            ReadonlyFilesAndDirectories = new string[] { "readonly", "/dir/" },
            ReverseShellAllowedIps = new string[] { "ip1", "ip2" },
            ReverseShellAllowedProcesses = new string[] { "proc1", "proc2" },
            ScopeExpression = "v1 || v2",
            ScopeVariables = scopeVariables,
        });
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// strs lifts plain Go strings into a pulumi.StringArray.
    		strs := func(values ...string) pulumi.StringArray {
    			out := make(pulumi.StringArray, 0, len(values))
    			for _, v := range values {
    				out = append(out, pulumi.String(v))
    			}
    			return out
    		}

    		// File-integrity monitoring: watch the listed paths/processes/users
    		// for every event type; the Excluded* lists carve out exceptions.
    		fileIntegrityMonitoring := &aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs{
    			ExcludedPaths:      strs("expaths"),
    			ExcludedProcesses:  strs("exprocess"),
    			ExcludedUsers:      strs("expuser"),
    			MonitorAttributes:  pulumi.Bool(true),
    			MonitorCreate:      pulumi.Bool(true),
    			MonitorDelete:      pulumi.Bool(true),
    			MonitorModify:      pulumi.Bool(true),
    			MonitorRead:        pulumi.Bool(true),
    			MonitoredPaths:     strs("paths"),
    			MonitoredProcesses: strs("process"),
    			MonitoredUsers:     strs("user"),
    		}

    		// Malware scanning is enabled with the "alert" action.
    		malwareScanOptions := &aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs{
    			Action:  pulumi.String("alert"),
    			Enabled: pulumi.Bool(true),
    		}

    		// Scope variables consumed by ScopeExpression below.
    		scopeVariables := aquasec.ContainerRuntimePolicyScopeVariableArray{
    			&aquasec.ContainerRuntimePolicyScopeVariableArgs{
    				Attribute: pulumi.String("kubernetes.cluster"),
    				Value:     pulumi.String("default"),
    			},
    			&aquasec.ContainerRuntimePolicyScopeVariableArgs{
    				Attribute: pulumi.String("kubernetes.label"),
    				Name:      pulumi.String("app"),
    				Value:     pulumi.String("aqua"),
    			},
    		}

    		// Every Audit*/Block* toggle is on, but Enforce is false.
    		// NOTE(review): presumably the Block* rules only report until Enforce
    		// is set — confirm against the Enforce property docs.
    		_, err := aquasec.NewContainerRuntimePolicy(ctx, "containerRuntimePolicy", &aquasec.ContainerRuntimePolicyArgs{
    			AllowedExecutables:            strs("exe", "bin"),
    			AllowedRegistries:             strs("registry1", "registry2"),
    			ApplicationScopes:             strs("Global"),
    			AuditAllNetworkActivity:       pulumi.Bool(true),
    			AuditAllProcessesActivity:     pulumi.Bool(true),
    			AuditFullCommandArguments:     pulumi.Bool(true),
    			BlockAccessHostNetwork:        pulumi.Bool(true),
    			BlockAddingCapabilities:       pulumi.Bool(true),
    			BlockContainerExec:            pulumi.Bool(true),
    			BlockCryptocurrencyMining:     pulumi.Bool(true),
    			BlockFilelessExec:             pulumi.Bool(true),
    			BlockLowPortBinding:           pulumi.Bool(true),
    			BlockNonCompliantImages:       pulumi.Bool(true),
    			BlockNonCompliantWorkloads:    pulumi.Bool(true),
    			BlockNonK8sContainers:         pulumi.Bool(true),
    			BlockPrivilegedContainers:     pulumi.Bool(true),
    			BlockReverseShell:             pulumi.Bool(true),
    			BlockRootUser:                 pulumi.Bool(true),
    			BlockUnregisteredImages:       pulumi.Bool(true),
    			BlockUseIpcNamespace:          pulumi.Bool(true),
    			BlockUsePidNamespace:          pulumi.Bool(true),
    			BlockUseUserNamespace:         pulumi.Bool(true),
    			BlockUseUtsNamespace:          pulumi.Bool(true),
    			BlockedCapabilities:           strs("AUDIT_CONTROL", "AUDIT_WRITE"),
    			BlockedExecutables:            strs("exe1", "exe2"),
    			BlockedFiles:                  strs("test1", "test2"),
    			// Port lists are strings in this API, not integers.
    			BlockedInboundPorts:           strs("80", "8080"),
    			BlockedOutboundPorts:          strs("90", "9090"),
    			BlockedPackages:               strs("pkg", "pkg2"),
    			BlockedVolumes:                strs("blocked", "vol"),
    			ContainerExecAllowedProcesses: strs("proc1", "proc2"),
    			Description:                   pulumi.String("container_runtime_policy"),
    			EnableDriftPrevention:         pulumi.Bool(true),
    			EnableForkGuard:               pulumi.Bool(true),
    			EnableIpReputationSecurity:    pulumi.Bool(true),
    			EnablePortScanDetection:       pulumi.Bool(true),
    			Enabled:                       pulumi.Bool(true),
    			Enforce:                       pulumi.Bool(false),
    			ExceptionalReadonlyFilesAndDirectories: strs("readonly2", "/dir2/"),
    			FileIntegrityMonitoring:       fileIntegrityMonitoring,
    			// Presumably only consulted while EnableForkGuard is true — confirm.
    			ForkGuardProcessLimit:         pulumi.Int(13),
    			LimitNewPrivileges:            pulumi.Bool(true),
    			MalwareScanOptions:            malwareScanOptions,
    			MonitorSystemTimeChanges:      pulumi.Bool(true),
    			ReadonlyFilesAndDirectories:   strs("readonly", "/dir/"),
    			ReverseShellAllowedIps:        strs("ip1", "ip2"),
    			ReverseShellAllowedProcesses:  strs("proc1", "proc2"),
    			ScopeExpression:               pulumi.String("v1 || v2"),
    			ScopeVariables:                scopeVariables,
    		})
    		// err is nil on success, so returning it directly is equivalent to
    		// the explicit nil check.
    		return err
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aquasec.ContainerRuntimePolicy;
    import com.pulumi.aquasec.ContainerRuntimePolicyArgs;
    import com.pulumi.aquasec.inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs;
    import com.pulumi.aquasec.inputs.ContainerRuntimePolicyMalwareScanOptionsArgs;
    import com.pulumi.aquasec.inputs.ContainerRuntimePolicyScopeVariableArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
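    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares one Aqua container runtime policy.
         * <p>
         * Every audit*/block* toggle is switched on, but {@code enforce(false)} is
         * set. NOTE(review): presumably the block* rules only report until enforce
         * is true — confirm against the enforce property docs before relying on
         * them to actually block.
         *
         * @param ctx the Pulumi deployment context the resource is registered in
         */
        public static void stack(Context ctx) {
            // File-integrity monitoring: watch the listed paths/processes/users for
            // every event type; the excluded* lists carve out exceptions.
            var fileIntegrityMonitoring = ContainerRuntimePolicyFileIntegrityMonitoringArgs.builder()
                .excludedPaths("expaths")
                .excludedProcesses("exprocess")
                .excludedUsers("expuser")
                .monitorAttributes(true)
                .monitorCreate(true)
                .monitorDelete(true)
                .monitorModify(true)
                .monitorRead(true)
                .monitoredPaths("paths")
                .monitoredProcesses("process")
                .monitoredUsers("user")
                .build();

            // Malware scanning is enabled with the "alert" action.
            var malwareScanOptions = ContainerRuntimePolicyMalwareScanOptionsArgs.builder()
                .action("alert")
                .enabled(true)
                .build();

            // Scope variables consumed by scopeExpression below.
            var clusterScope = ContainerRuntimePolicyScopeVariableArgs.builder()
                .attribute("kubernetes.cluster")
                .value("default")
                .build();
            var appLabelScope = ContainerRuntimePolicyScopeVariableArgs.builder()
                .attribute("kubernetes.label")
                .name("app")
                .value("aqua")
                .build();

            var containerRuntimePolicy = new ContainerRuntimePolicy("containerRuntimePolicy", ContainerRuntimePolicyArgs.builder()
                .allowedExecutables("exe", "bin")
                .allowedRegistries("registry1", "registry2")
                .applicationScopes("Global")
                .auditAllNetworkActivity(true)
                .auditAllProcessesActivity(true)
                .auditFullCommandArguments(true)
                .blockAccessHostNetwork(true)
                .blockAddingCapabilities(true)
                .blockContainerExec(true)
                .blockCryptocurrencyMining(true)
                .blockFilelessExec(true)
                .blockLowPortBinding(true)
                .blockNonCompliantImages(true)
                .blockNonCompliantWorkloads(true)
                .blockNonK8sContainers(true)
                .blockPrivilegedContainers(true)
                .blockReverseShell(true)
                .blockRootUser(true)
                .blockUnregisteredImages(true)
                .blockUseIpcNamespace(true)
                .blockUsePidNamespace(true)
                .blockUseUserNamespace(true)
                .blockUseUtsNamespace(true)
                .blockedCapabilities("AUDIT_CONTROL", "AUDIT_WRITE")
                .blockedExecutables("exe1", "exe2")
                .blockedFiles("test1", "test2")
                // Port lists are strings in this API, not integers.
                .blockedInboundPorts("80", "8080")
                .blockedOutboundPorts("90", "9090")
                .blockedPackages("pkg", "pkg2")
                .blockedVolumes("blocked", "vol")
                .containerExecAllowedProcesses("proc1", "proc2")
                .description("container_runtime_policy")
                .enableDriftPrevention(true)
                .enableForkGuard(true)
                .enableIpReputationSecurity(true)
                .enablePortScanDetection(true)
                .enabled(true)
                .enforce(false)
                .exceptionalReadonlyFilesAndDirectories("readonly2", "/dir2/")
                .fileIntegrityMonitoring(fileIntegrityMonitoring)
                // Presumably only consulted while enableForkGuard is true — confirm.
                .forkGuardProcessLimit(13)
                .limitNewPrivileges(true)
                .malwareScanOptions(malwareScanOptions)
                // Boolean property (Optional[bool] in the constructor signature);
                // the previous example passed the string "true".
                .monitorSystemTimeChanges(true)
                .readonlyFilesAndDirectories("readonly", "/dir/")
                .reverseShellAllowedIps("ip1", "ip2")
                .reverseShellAllowedProcesses("proc1", "proc2")
                .scopeExpression("v1 || v2")
                .scopeVariables(clusterScope, appLabelScope)
                .build());
        }
    }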
    
    import pulumi
    import pulumiverse_aquasec as aquasec
    
    # File-integrity monitoring: watch the listed paths/processes/users for every
    # event type; the excluded_* lists carve out exceptions.
    _file_integrity_monitoring = aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs(
        excluded_paths=["expaths"],
        excluded_processes=["exprocess"],
        excluded_users=["expuser"],
        monitor_attributes=True,
        monitor_create=True,
        monitor_delete=True,
        monitor_modify=True,
        monitor_read=True,
        monitored_paths=["paths"],
        monitored_processes=["process"],
        monitored_users=["user"],
    )

    # Malware scanning is enabled with the "alert" action.
    _malware_scan_options = aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs(
        action="alert",
        enabled=True,
    )

    # Scope variables consumed by scope_expression below.
    _scope_variables = [
        aquasec.ContainerRuntimePolicyScopeVariableArgs(
            attribute="kubernetes.cluster",
            value="default",
        ),
        aquasec.ContainerRuntimePolicyScopeVariableArgs(
            attribute="kubernetes.label",
            name="app",
            value="aqua",
        ),
    ]

    # Every audit_*/block_* toggle is on, but enforce=False.
    # NOTE(review): presumably the block_* rules only report until enforce is
    # set — confirm against the `enforce` property docs before relying on them
    # to actually block.
    container_runtime_policy = aquasec.ContainerRuntimePolicy(
        "containerRuntimePolicy",
        allowed_executables=["exe", "bin"],
        allowed_registries=["registry1", "registry2"],
        application_scopes=["Global"],
        audit_all_network_activity=True,
        audit_all_processes_activity=True,
        audit_full_command_arguments=True,
        block_access_host_network=True,
        block_adding_capabilities=True,
        block_container_exec=True,
        block_cryptocurrency_mining=True,
        block_fileless_exec=True,
        block_low_port_binding=True,
        block_non_compliant_images=True,
        block_non_compliant_workloads=True,
        block_non_k8s_containers=True,
        block_privileged_containers=True,
        block_reverse_shell=True,
        block_root_user=True,
        block_unregistered_images=True,
        block_use_ipc_namespace=True,
        block_use_pid_namespace=True,
        block_use_user_namespace=True,
        block_use_uts_namespace=True,
        blocked_capabilities=["AUDIT_CONTROL", "AUDIT_WRITE"],
        blocked_executables=["exe1", "exe2"],
        blocked_files=["test1", "test2"],
        # Port lists are Sequence[str] in this API, not integers.
        blocked_inbound_ports=["80", "8080"],
        blocked_outbound_ports=["90", "9090"],
        blocked_packages=["pkg", "pkg2"],
        blocked_volumes=["blocked", "vol"],
        container_exec_allowed_processes=["proc1", "proc2"],
        description="container_runtime_policy",
        enable_drift_prevention=True,
        enable_fork_guard=True,
        enable_ip_reputation_security=True,
        enable_port_scan_detection=True,
        enabled=True,
        enforce=False,
        exceptional_readonly_files_and_directories=["readonly2", "/dir2/"],
        file_integrity_monitoring=_file_integrity_monitoring,
        # Presumably only consulted while enable_fork_guard is True — confirm.
        fork_guard_process_limit=13,
        limit_new_privileges=True,
        malware_scan_options=_malware_scan_options,
        monitor_system_time_changes=True,
        readonly_files_and_directories=["readonly", "/dir/"],
        reverse_shell_allowed_ips=["ip1", "ip2"],
        reverse_shell_allowed_processes=["proc1", "proc2"],
        scope_expression="v1 || v2",
        scope_variables=_scope_variables,
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aquasec from "@pulumiverse/aquasec";
    
    // File-integrity monitoring: watch the listed paths/processes/users for every
    // event type; the excluded* lists carve out exceptions.
    const fileIntegrityMonitoring = {
        excludedPaths: ["expaths"],
        excludedProcesses: ["exprocess"],
        excludedUsers: ["expuser"],
        monitorAttributes: true,
        monitorCreate: true,
        monitorDelete: true,
        monitorModify: true,
        monitorRead: true,
        monitoredPaths: ["paths"],
        monitoredProcesses: ["process"],
        monitoredUsers: ["user"],
    };

    // Malware scanning is enabled with the "alert" action.
    const malwareScanOptions = {
        action: "alert",
        enabled: true,
    };

    // Scope variables consumed by scopeExpression below.
    const scopeVariables = [
        { attribute: "kubernetes.cluster", value: "default" },
        { attribute: "kubernetes.label", name: "app", value: "aqua" },
    ];

    // Every audit*/block* toggle is on, but enforce is false.
    // NOTE(review): presumably the block* rules only report until enforce is
    // set — confirm against the enforce property docs before relying on them
    // to actually block.
    const containerRuntimePolicy = new aquasec.ContainerRuntimePolicy("containerRuntimePolicy", {
        allowedExecutables: ["exe", "bin"],
        allowedRegistries: ["registry1", "registry2"],
        applicationScopes: ["Global"],
        auditAllNetworkActivity: true,
        auditAllProcessesActivity: true,
        auditFullCommandArguments: true,
        blockAccessHostNetwork: true,
        blockAddingCapabilities: true,
        blockContainerExec: true,
        blockCryptocurrencyMining: true,
        blockFilelessExec: true,
        blockLowPortBinding: true,
        blockNonCompliantImages: true,
        blockNonCompliantWorkloads: true,
        blockNonK8sContainers: true,
        blockPrivilegedContainers: true,
        blockReverseShell: true,
        blockRootUser: true,
        blockUnregisteredImages: true,
        blockUseIpcNamespace: true,
        blockUsePidNamespace: true,
        blockUseUserNamespace: true,
        blockUseUtsNamespace: true,
        blockedCapabilities: ["AUDIT_CONTROL", "AUDIT_WRITE"],
        blockedExecutables: ["exe1", "exe2"],
        blockedFiles: ["test1", "test2"],
        // Port lists are strings in this API, not numbers.
        blockedInboundPorts: ["80", "8080"],
        blockedOutboundPorts: ["90", "9090"],
        blockedPackages: ["pkg", "pkg2"],
        blockedVolumes: ["blocked", "vol"],
        containerExecAllowedProcesses: ["proc1", "proc2"],
        description: "container_runtime_policy",
        enableDriftPrevention: true,
        enableForkGuard: true,
        enableIpReputationSecurity: true,
        enablePortScanDetection: true,
        enabled: true,
        enforce: false,
        exceptionalReadonlyFilesAndDirectories: ["readonly2", "/dir2/"],
        fileIntegrityMonitoring,
        // Presumably only consulted while enableForkGuard is true — confirm.
        forkGuardProcessLimit: 13,
        limitNewPrivileges: true,
        malwareScanOptions,
        monitorSystemTimeChanges: true,
        readonlyFilesAndDirectories: ["readonly", "/dir/"],
        reverseShellAllowedIps: ["ip1", "ip2"],
        reverseShellAllowedProcesses: ["proc1", "proc2"],
        scopeExpression: "v1 || v2",
        scopeVariables,
    });
    
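    # Aqua container runtime policy. Every audit*/block* toggle is on, but
    # enforce is false. NOTE(review): presumably the block* rules only report
    # until enforce is set — confirm against the enforce property docs before
    # relying on them to actually block.
    resources:
      containerRuntimePolicy:
        type: aquasec:ContainerRuntimePolicy
        properties:
          allowedExecutables:
            - exe
            - bin
          allowedRegistries:
            - registry1
            - registry2
          applicationScopes:
            - Global
          auditAllNetworkActivity: true
          auditAllProcessesActivity: true
          auditFullCommandArguments: true
          blockAccessHostNetwork: true
          blockAddingCapabilities: true
          blockContainerExec: true
          blockCryptocurrencyMining: true
          blockFilelessExec: true
          blockLowPortBinding: true
          blockNonCompliantImages: true
          blockNonCompliantWorkloads: true
          blockNonK8sContainers: true
          blockPrivilegedContainers: true
          blockReverseShell: true
          blockRootUser: true
          blockUnregisteredImages: true
          blockUseIpcNamespace: true
          blockUsePidNamespace: true
          blockUseUserNamespace: true
          blockUseUtsNamespace: true
          blockedCapabilities:
            - AUDIT_CONTROL
            - AUDIT_WRITE
          blockedExecutables:
            - exe1
            - exe2
          blockedFiles:
            - test1
            - test2
          # Port lists are strings in this API; keep them quoted so YAML does
          # not parse them as integers.
          blockedInboundPorts:
            - '80'
            - '8080'
          blockedOutboundPorts:
            - '90'
            - '9090'
          blockedPackages:
            - pkg
            - pkg2
          blockedVolumes:
            - blocked
            - vol
          containerExecAllowedProcesses:
            - proc1
            - proc2
          description: container_runtime_policy
          enableDriftPrevention: true
          enableForkGuard: true
          enableIpReputationSecurity: true
          enablePortScanDetection: true
          enabled: true
          enforce: false
          exceptionalReadonlyFilesAndDirectories:
            - readonly2
            - /dir2/
          # File-integrity monitoring: watch the listed paths/processes/users for
          # every event type; the excluded* lists carve out exceptions.
          fileIntegrityMonitoring:
            excludedPaths:
              - expaths
            excludedProcesses:
              - exprocess
            excludedUsers:
              - expuser
            monitorAttributes: true
            monitorCreate: true
            monitorDelete: true
            monitorModify: true
            monitorRead: true
            monitoredPaths:
              - paths
            monitoredProcesses:
              - process
            monitoredUsers:
              - user
          # Presumably only consulted while enableForkGuard is true — confirm.
          forkGuardProcessLimit: 13
          limitNewPrivileges: true
          # Malware scanning is enabled with the "alert" action.
          malwareScanOptions:
            action: alert
            enabled: true
          # Boolean property (Optional[bool] in the constructor signature); the
          # previous example used the quoted string 'true'.
          monitorSystemTimeChanges: true
          readonlyFilesAndDirectories:
            - readonly
            - /dir/
          reverseShellAllowedIps:
            - ip1
            - ip2
          reverseShellAllowedProcesses:
            - proc1
            - proc2
          scopeExpression: v1 || v2
          # Scope variables consumed by scopeExpression above.
          scopeVariables:
            - attribute: kubernetes.cluster
              value: default
            - attribute: kubernetes.label
              name: app
              value: aqua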
    

    Create ContainerRuntimePolicy Resource

    new ContainerRuntimePolicy(name: string, args?: ContainerRuntimePolicyArgs, opts?: CustomResourceOptions);
    @overload
    def ContainerRuntimePolicy(resource_name: str,
                               opts: Optional[ResourceOptions] = None,
                               allowed_executables: Optional[Sequence[str]] = None,
                               allowed_registries: Optional[Sequence[str]] = None,
                               application_scopes: Optional[Sequence[str]] = None,
                               audit_all_network_activity: Optional[bool] = None,
                               audit_all_processes_activity: Optional[bool] = None,
                               audit_full_command_arguments: Optional[bool] = None,
                               block_access_host_network: Optional[bool] = None,
                               block_adding_capabilities: Optional[bool] = None,
                               block_container_exec: Optional[bool] = None,
                               block_cryptocurrency_mining: Optional[bool] = None,
                               block_fileless_exec: Optional[bool] = None,
                               block_low_port_binding: Optional[bool] = None,
                               block_non_compliant_images: Optional[bool] = None,
                               block_non_compliant_workloads: Optional[bool] = None,
                               block_non_k8s_containers: Optional[bool] = None,
                               block_privileged_containers: Optional[bool] = None,
                               block_reverse_shell: Optional[bool] = None,
                               block_root_user: Optional[bool] = None,
                               block_unregistered_images: Optional[bool] = None,
                               block_use_ipc_namespace: Optional[bool] = None,
                               block_use_pid_namespace: Optional[bool] = None,
                               block_use_user_namespace: Optional[bool] = None,
                               block_use_uts_namespace: Optional[bool] = None,
                               blocked_capabilities: Optional[Sequence[str]] = None,
                               blocked_executables: Optional[Sequence[str]] = None,
                               blocked_files: Optional[Sequence[str]] = None,
                               blocked_inbound_ports: Optional[Sequence[str]] = None,
                               blocked_outbound_ports: Optional[Sequence[str]] = None,
                               blocked_packages: Optional[Sequence[str]] = None,
                               blocked_volumes: Optional[Sequence[str]] = None,
                               container_exec_allowed_processes: Optional[Sequence[str]] = None,
                               description: Optional[str] = None,
                               enable_drift_prevention: Optional[bool] = None,
                               enable_fork_guard: Optional[bool] = None,
                               enable_ip_reputation_security: Optional[bool] = None,
                               enable_port_scan_detection: Optional[bool] = None,
                               enabled: Optional[bool] = None,
                               enforce: Optional[bool] = None,
                               enforce_after_days: Optional[int] = None,
                               exceptional_readonly_files_and_directories: Optional[Sequence[str]] = None,
                               exec_lockdown_white_lists: Optional[Sequence[str]] = None,
                               file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
                               fork_guard_process_limit: Optional[int] = None,
                               limit_new_privileges: Optional[bool] = None,
                               malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
                               monitor_system_time_changes: Optional[bool] = None,
                               name: Optional[str] = None,
                               readonly_files_and_directories: Optional[Sequence[str]] = None,
                               reverse_shell_allowed_ips: Optional[Sequence[str]] = None,
                               reverse_shell_allowed_processes: Optional[Sequence[str]] = None,
                               scope_expression: Optional[str] = None,
                               scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None)
    @overload
    def ContainerRuntimePolicy(resource_name: str,
                               args: Optional[ContainerRuntimePolicyArgs] = None,
                               opts: Optional[ResourceOptions] = None)
    func NewContainerRuntimePolicy(ctx *Context, name string, args *ContainerRuntimePolicyArgs, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
    public ContainerRuntimePolicy(string name, ContainerRuntimePolicyArgs? args = null, CustomResourceOptions? opts = null)
    public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args)
    public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args, CustomResourceOptions options)
    
    type: aquasec:ContainerRuntimePolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ContainerRuntimePolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    ContainerRuntimePolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The ContainerRuntimePolicy resource accepts the following input properties:

    AllowedExecutables List<string>

    List of executables that are allowed for the user.

    AllowedRegistries List<string>

    List of registries that are allowed for running containers.

    ApplicationScopes List<string>

    Indicates the application scope of the service.

    AuditAllNetworkActivity bool

    If true, all network activity will be audited.

    AuditAllProcessesActivity bool

    If true, all process activity will be audited.

    AuditFullCommandArguments bool

    If true, full command arguments will be audited.

    BlockAccessHostNetwork bool

    If true, prevent containers from running with access to host network.

    BlockAddingCapabilities bool

    If true, prevent containers from running with added capabilities (--cap-add).

    BlockContainerExec bool

    If true, exec into a container is prevented.

    BlockCryptocurrencyMining bool

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    BlockFilelessExec bool

    Detect and prevent running in-memory execution

    BlockLowPortBinding bool

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    BlockNonCompliantImages bool

    If true, running a non-compliant image in the container is prevented.

    BlockNonCompliantWorkloads bool

    If true, running containers in non-compliant pods is prevented.

    BlockNonK8sContainers bool

    If true, running non-kubernetes containers is prevented.

    BlockPrivilegedContainers bool

    If true, prevent containers from running with privileged container capability.

    BlockReverseShell bool

    If true, reverse shell is prevented.

    BlockRootUser bool

    If true, prevent containers from running with root user.

    BlockUnregisteredImages bool

    If true, running images in the container that are not registered in Aqua is prevented.

    BlockUseIpcNamespace bool

    If true, prevent containers from running with the privilege to use the IPC namespace.

    BlockUsePidNamespace bool

    If true, prevent containers from running with the privilege to use the PID namespace.

    BlockUseUserNamespace bool

    If true, prevent containers from running with the privilege to use the user namespace.

    BlockUseUtsNamespace bool

    If true, prevent containers from running with the privilege to use the UTS namespace.

    BlockedCapabilities List<string>

    List of Unix capabilities that containers are prevented from using.

    BlockedExecutables List<string>

    List of executables that are prevented from running in containers.

    BlockedFiles List<string>

    List of files that are prevented from being read, modified and executed in the containers.

    BlockedInboundPorts List<string>

    List of blocked inbound ports.

    BlockedOutboundPorts List<string>

    List of blocked outbound ports.

    BlockedPackages List<string>

    Prevent containers from reading, writing, or executing all files in the list of packages.

    BlockedVolumes List<string>

    List of volumes that are prevented from being mounted in the containers.

    ContainerExecAllowedProcesses List<string>

    List of processes that will be allowed to run via container exec.

    Description string

    The description of the container runtime policy

    EnableDriftPrevention bool

    If true, executables that are not in the original image are prevented from running.

    EnableForkGuard bool

    If true, fork bombs are prevented in the containers.

    EnableIpReputationSecurity bool

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    EnablePortScanDetection bool

    If true, detects port scanning behavior in the container.

    Enabled bool

    Indicates if the runtime policy is enabled or not.

    Enforce bool

    Indicates that the policy should affect container execution (not just audit it).

    EnforceAfterDays int

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    ExceptionalReadonlyFilesAndDirectories List<string>

    List of files and directories to be excluded from the read-only list.

    ExecLockdownWhiteLists List<string>

    List of processes that will be allowed under exec lockdown.

    FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring

    Configuration for file integrity monitoring.

    ForkGuardProcessLimit int

    Process limit for the fork guard.

    LimitNewPrivileges bool

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions

    Configuration for Real-Time Malware Protection.

    MonitorSystemTimeChanges bool

    If true, system time changes will be monitored.

    Name string

    Name of the container runtime policy

    ReadonlyFilesAndDirectories List<string>

    List of files and directories to be restricted as read-only

    ReverseShellAllowedIps List<string>

    List of IPs/CIDRs that will be allowed as exceptions to reverse shell blocking.

    ReverseShellAllowedProcesses List<string>

    List of processes that will be allowed as exceptions to reverse shell blocking.

    ScopeExpression string

    Logical expression of how to compute the dependency of the scope variables.

    ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>

    List of scope attributes.

    AllowedExecutables []string

    List of executables that are allowed for the user.

    AllowedRegistries []string

    List of registries that are allowed for running containers.

    ApplicationScopes []string

    Indicates the application scope of the service.

    AuditAllNetworkActivity bool

    If true, all network activity will be audited.

    AuditAllProcessesActivity bool

    If true, all process activity will be audited.

    AuditFullCommandArguments bool

    If true, full command arguments will be audited.

    BlockAccessHostNetwork bool

    If true, prevent containers from running with access to host network.

    BlockAddingCapabilities bool

    If true, prevent containers from running with added capabilities (--cap-add).

    BlockContainerExec bool

    If true, exec into a container is prevented.

    BlockCryptocurrencyMining bool

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    BlockFilelessExec bool

    Detect and prevent running in-memory execution

    BlockLowPortBinding bool

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    BlockNonCompliantImages bool

    If true, running a non-compliant image in the container is prevented.

    BlockNonCompliantWorkloads bool

    If true, running containers in non-compliant pods is prevented.

    BlockNonK8sContainers bool

    If true, running non-kubernetes containers is prevented.

    BlockPrivilegedContainers bool

    If true, prevent containers from running with privileged container capability.

    BlockReverseShell bool

    If true, reverse shell is prevented.

    BlockRootUser bool

    If true, prevent containers from running with root user.

    BlockUnregisteredImages bool

    If true, running images in the container that are not registered in Aqua is prevented.

    BlockUseIpcNamespace bool

    If true, prevent containers from running with the privilege to use the IPC namespace.

    BlockUsePidNamespace bool

    If true, prevent containers from running with the privilege to use the PID namespace.

    BlockUseUserNamespace bool

    If true, prevent containers from running with the privilege to use the user namespace.

    BlockUseUtsNamespace bool

    If true, prevent containers from running with the privilege to use the UTS namespace.

    BlockedCapabilities []string

    List of Unix capabilities that containers are prevented from using.

    BlockedExecutables []string

    List of executables that are prevented from running in containers.

    BlockedFiles []string

    List of files that are prevented from being read, modified and executed in the containers.

    BlockedInboundPorts []string

    List of blocked inbound ports.

    BlockedOutboundPorts []string

    List of blocked outbound ports.

    BlockedPackages []string

    Prevent containers from reading, writing, or executing all files in the list of packages.

    BlockedVolumes []string

    List of volumes that are prevented from being mounted in the containers.

    ContainerExecAllowedProcesses []string

    List of processes that will be allowed to run via container exec.

    Description string

    The description of the container runtime policy

    EnableDriftPrevention bool

    If true, executables that are not in the original image are prevented from running.

    EnableForkGuard bool

    If true, fork bombs are prevented in the containers.

    EnableIpReputationSecurity bool

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    EnablePortScanDetection bool

    If true, detects port scanning behavior in the container.

    Enabled bool

    Indicates if the runtime policy is enabled or not.

    Enforce bool

    Indicates that the policy should affect container execution (not just audit it).

    EnforceAfterDays int

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    ExceptionalReadonlyFilesAndDirectories []string

    List of files and directories to be excluded from the read-only list.

    ExecLockdownWhiteLists []string

    List of processes that will be allowed under exec lockdown.

    FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

    Configuration for file integrity monitoring.

    ForkGuardProcessLimit int

    Process limit for the fork guard.

    LimitNewPrivileges bool

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs

    Configuration for Real-Time Malware Protection.

    MonitorSystemTimeChanges bool

    If true, system time changes will be monitored.

    Name string

    Name of the container runtime policy

    ReadonlyFilesAndDirectories []string

    List of files and directories to be restricted as read-only

    ReverseShellAllowedIps []string

    List of IPs/CIDRs that will be allowed as exceptions to reverse shell blocking.

    ReverseShellAllowedProcesses []string

    List of processes that will be allowed as exceptions to reverse shell blocking.

    ScopeExpression string

    Logical expression of how to compute the dependency of the scope variables.

    ScopeVariables []ContainerRuntimePolicyScopeVariableArgs

    List of scope attributes.

    allowedExecutables List<String>

    List of executables that are allowed for the user.

    allowedRegistries List<String>

    List of registries that are allowed for running containers.

    applicationScopes List<String>

    Indicates the application scope of the service.

    auditAllNetworkActivity Boolean

    If true, all network activity will be audited.

    auditAllProcessesActivity Boolean

    If true, all process activity will be audited.

    auditFullCommandArguments Boolean

    If true, full command arguments will be audited.

    blockAccessHostNetwork Boolean

    If true, prevent containers from running with access to host network.

    blockAddingCapabilities Boolean

    If true, prevent containers from running with added capabilities (--cap-add).

    blockContainerExec Boolean

    If true, exec into a container is prevented.

    blockCryptocurrencyMining Boolean

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    blockFilelessExec Boolean

    Detect and prevent running in-memory execution

    blockLowPortBinding Boolean

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    blockNonCompliantImages Boolean

    If true, running a non-compliant image in the container is prevented.

    blockNonCompliantWorkloads Boolean

    If true, running containers in non-compliant pods is prevented.

    blockNonK8sContainers Boolean

    If true, running non-kubernetes containers is prevented.

    blockPrivilegedContainers Boolean

    If true, prevent containers from running with privileged container capability.

    blockReverseShell Boolean

    If true, reverse shell is prevented.

    blockRootUser Boolean

    If true, prevent containers from running with root user.

    blockUnregisteredImages Boolean

    If true, running images in the container that are not registered in Aqua is prevented.

    blockUseIpcNamespace Boolean

    If true, prevent containers from running with the privilege to use the IPC namespace.

    blockUsePidNamespace Boolean

    If true, prevent containers from running with the privilege to use the PID namespace.

    blockUseUserNamespace Boolean

    If true, prevent containers from running with the privilege to use the user namespace.

    blockUseUtsNamespace Boolean

    If true, prevent containers from running with the privilege to use the UTS namespace.

    blockedCapabilities List<String>

    List of Unix capabilities that containers are prevented from using.

    blockedExecutables List<String>

    List of executables that are prevented from running in containers.

    blockedFiles List<String>

    List of files that are prevented from being read, modified and executed in the containers.

    blockedInboundPorts List<String>

    List of blocked inbound ports.

    blockedOutboundPorts List<String>

    List of blocked outbound ports.

    blockedPackages List<String>

    Prevent containers from reading, writing, or executing all files in the list of packages.

    blockedVolumes List<String>

    List of volumes that are prevented from being mounted in the containers.

    containerExecAllowedProcesses List<String>

    List of processes that will be allowed to run via container exec.

    description String

    The description of the container runtime policy

    enableDriftPrevention Boolean

    If true, executables that are not in the original image are prevented from running.

    enableForkGuard Boolean

    If true, fork bombs are prevented in the containers.

    enableIpReputationSecurity Boolean

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    enablePortScanDetection Boolean

    If true, detects port scanning behavior in the container.

    enabled Boolean

    Indicates if the runtime policy is enabled or not.

    enforce Boolean

    Indicates that the policy should affect container execution (not just audit it).

    enforceAfterDays Integer

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    exceptionalReadonlyFilesAndDirectories List<String>

    List of files and directories to be excluded from the read-only list.

    execLockdownWhiteLists List<String>

    List of processes that will be allowed under exec lockdown.

    fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring

    Configuration for file integrity monitoring.

    forkGuardProcessLimit Integer

    Process limit for the fork guard.

    limitNewPrivileges Boolean

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    malwareScanOptions ContainerRuntimePolicyMalwareScanOptions

    Configuration for Real-Time Malware Protection.

    monitorSystemTimeChanges Boolean

    If true, system time changes will be monitored.

    name String

    Name of the container runtime policy

    readonlyFilesAndDirectories List<String>

    List of files and directories to be restricted as read-only

    reverseShellAllowedIps List<String>

    List of IPs/CIDRs that will be allowed as exceptions to reverse shell blocking.

    reverseShellAllowedProcesses List<String>

    List of processes that will be allowed as exceptions to reverse shell blocking.

    scopeExpression String

    Logical expression of how to compute the dependency of the scope variables.

    scopeVariables List<ContainerRuntimePolicyScopeVariable>

    List of scope attributes.

    allowedExecutables string[]

    List of executables that are allowed for the user.

    allowedRegistries string[]

    List of registries that are allowed for running containers.

    applicationScopes string[]

    Indicates the application scope of the service.

    auditAllNetworkActivity boolean

    If true, all network activity will be audited.

    auditAllProcessesActivity boolean

    If true, all process activity will be audited.

    auditFullCommandArguments boolean

    If true, full command arguments will be audited.

    blockAccessHostNetwork boolean

    If true, prevent containers from running with access to host network.

    blockAddingCapabilities boolean

    If true, prevent containers from running with added capabilities (--cap-add).

    blockContainerExec boolean

    If true, exec into a container is prevented.

    blockCryptocurrencyMining boolean

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    blockFilelessExec boolean

    Detect and prevent running in-memory execution

    blockLowPortBinding boolean

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    blockNonCompliantImages boolean

    If true, running a non-compliant image in the container is prevented.

    blockNonCompliantWorkloads boolean

    If true, running containers in non-compliant pods is prevented.

    blockNonK8sContainers boolean

    If true, running non-kubernetes containers is prevented.

    blockPrivilegedContainers boolean

    If true, prevent containers from running with privileged container capability.

    blockReverseShell boolean

    If true, reverse shell is prevented.

    blockRootUser boolean

    If true, prevent containers from running with root user.

    blockUnregisteredImages boolean

    If true, running images in the container that are not registered in Aqua is prevented.

    blockUseIpcNamespace boolean

    If true, prevent containers from running with the privilege to use the IPC namespace.

    blockUsePidNamespace boolean

    If true, prevent containers from running with the privilege to use the PID namespace.

    blockUseUserNamespace boolean

    If true, prevent containers from running with the privilege to use the user namespace.

    blockUseUtsNamespace boolean

    If true, prevent containers from running with the privilege to use the UTS namespace.

    blockedCapabilities string[]

    List of Unix capabilities that containers are prevented from using.

    blockedExecutables string[]

    List of executables that are prevented from running in containers.

    blockedFiles string[]

    List of files that are prevented from being read, modified and executed in the containers.

    blockedInboundPorts string[]

    List of blocked inbound ports.

    blockedOutboundPorts string[]

    List of blocked outbound ports.

    blockedPackages string[]

    Prevent containers from reading, writing, or executing all files in the list of packages.

    blockedVolumes string[]

    List of volumes that are prevented from being mounted in the containers.

    containerExecAllowedProcesses string[]

    List of processes that will be allowed to run via container exec.

    description string

    The description of the container runtime policy

    enableDriftPrevention boolean

    If true, executables that are not in the original image are prevented from running.

    enableForkGuard boolean

    If true, fork bombs are prevented in the containers.

    enableIpReputationSecurity boolean

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    enablePortScanDetection boolean

    If true, detects port scanning behavior in the container.

    enabled boolean

    Indicates if the runtime policy is enabled or not.

    enforce boolean

    Indicates that the policy should affect container execution (not just audit it).

    enforceAfterDays number

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    exceptionalReadonlyFilesAndDirectories string[]

    List of files and directories to be excluded from the read-only list.

    execLockdownWhiteLists string[]

    List of processes that will be allowed under exec lockdown.

    fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring

    Configuration for file integrity monitoring.

    forkGuardProcessLimit number

    Process limit for the fork guard.

    limitNewPrivileges boolean

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    malwareScanOptions ContainerRuntimePolicyMalwareScanOptions

    Configuration for Real-Time Malware Protection.

    monitorSystemTimeChanges boolean

    If true, system time changes will be monitored.

    name string

    Name of the container runtime policy

    readonlyFilesAndDirectories string[]

    List of files and directories to be restricted as read-only

    reverseShellAllowedIps string[]

    List of IPs/CIDRs that will be allowed as exceptions to reverse shell blocking.

    reverseShellAllowedProcesses string[]

    List of processes that will be allowed as exceptions to reverse shell blocking.

    scopeExpression string

    Logical expression of how to compute the dependency of the scope variables.

    scopeVariables ContainerRuntimePolicyScopeVariable[]

    List of scope attributes.

    allowed_executables Sequence[str]

    List of executables that are allowed for the user.

    allowed_registries Sequence[str]

    List of registries that are allowed for running containers.

    application_scopes Sequence[str]

    Indicates the application scope of the service.

    audit_all_network_activity bool

    If true, all network activity will be audited.

    audit_all_processes_activity bool

    If true, all process activity will be audited.

    audit_full_command_arguments bool

    If true, full command arguments will be audited.

    block_access_host_network bool

    If true, prevent containers from running with access to host network.

    block_adding_capabilities bool

    If true, prevent containers from running with added capabilities (--cap-add).

    block_container_exec bool

    If true, exec into a container is prevented.

    block_cryptocurrency_mining bool

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    block_fileless_exec bool

    Detect and prevent running in-memory execution

    block_low_port_binding bool

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    block_non_compliant_images bool

    If true, running a non-compliant image in the container is prevented.

    block_non_compliant_workloads bool

    If true, running containers in non-compliant pods is prevented.

    block_non_k8s_containers bool

    If true, running non-kubernetes containers is prevented.

    block_privileged_containers bool

    If true, prevent containers from running with privileged container capability.

    block_reverse_shell bool

    If true, reverse shell is prevented.

    block_root_user bool

    If true, prevent containers from running with root user.

    block_unregistered_images bool

    If true, running images in the container that are not registered in Aqua is prevented.

    block_use_ipc_namespace bool

    If true, prevent containers from running with the privilege to use the IPC namespace.

    block_use_pid_namespace bool

    If true, prevent containers from running with the privilege to use the PID namespace.

    block_use_user_namespace bool

    If true, prevent containers from running with the privilege to use the user namespace.

    block_use_uts_namespace bool

    If true, prevent containers from running with the privilege to use the UTS namespace.

    blocked_capabilities Sequence[str]

    List of Unix capabilities that containers are prevented from using.

    blocked_executables Sequence[str]

    List of executables that are prevented from running in containers.

    blocked_files Sequence[str]

    List of files that are prevented from being read, modified and executed in the containers.

    blocked_inbound_ports Sequence[str]

    List of blocked inbound ports.

    blocked_outbound_ports Sequence[str]

    List of blocked outbound ports.

    blocked_packages Sequence[str]

    Prevent containers from reading, writing, or executing all files in the list of packages.

    blocked_volumes Sequence[str]

    List of volumes that are prevented from being mounted in the containers.

    container_exec_allowed_processes Sequence[str]

    List of processes that will be allowed to run via container exec.

    description str

    The description of the container runtime policy

    enable_drift_prevention bool

    If true, executables that are not in the original image are prevented from running.

    enable_fork_guard bool

    If true, fork bombs are prevented in the containers.

    enable_ip_reputation_security bool

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    enable_port_scan_detection bool

    If true, detects port scanning behavior in the container.

    enabled bool

    Indicates if the runtime policy is enabled or not.

    enforce bool

    Indicates that the policy should affect container execution (not just audit it).

    enforce_after_days int

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    exceptional_readonly_files_and_directories Sequence[str]

    List of files and directories to be excluded from the read-only list.

    exec_lockdown_white_lists Sequence[str]

    List of processes that will be allowed under exec lockdown.

    file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

    Configuration for file integrity monitoring.

    fork_guard_process_limit int

    Process limit for the fork guard.

    limit_new_privileges bool

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs

    Configuration for Real-Time Malware Protection.

    monitor_system_time_changes bool

    If true, system time changes will be monitored.

    name str

    Name of the container runtime policy

    readonly_files_and_directories Sequence[str]

    List of files and directories to be restricted as read-only

    reverse_shell_allowed_ips Sequence[str]

    List of IPs/CIDRs that will be allowed as exceptions to reverse shell blocking.

    reverse_shell_allowed_processes Sequence[str]

    List of processes that will be allowed as exceptions to reverse shell blocking.

    scope_expression str

    Logical expression of how to compute the dependency of the scope variables.

    scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]

    List of scope attributes.

    allowedExecutables List<String>

    List of executables that are allowed for the user.

    allowedRegistries List<String>

    List of registries that are allowed for running containers.

    applicationScopes List<String>

    Indicates the application scope of the service.

    auditAllNetworkActivity Boolean

    If true, all network activity will be audited.

    auditAllProcessesActivity Boolean

    If true, all process activity will be audited.

    auditFullCommandArguments Boolean

    If true, full command arguments will be audited.

    blockAccessHostNetwork Boolean

    If true, prevent containers from running with access to host network.

    blockAddingCapabilities Boolean

    If true, prevent containers from running with added capabilities (--cap-add).

    blockContainerExec Boolean

    If true, exec into a container is prevented.

    blockCryptocurrencyMining Boolean

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    blockFilelessExec Boolean

    Detect and prevent running in-memory execution

    blockLowPortBinding Boolean

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    blockNonCompliantImages Boolean

    If true, running a non-compliant image in the container is prevented.

    blockNonCompliantWorkloads Boolean

    If true, running containers in non-compliant pods is prevented.

    blockNonK8sContainers Boolean

    If true, running non-kubernetes containers is prevented.

    blockPrivilegedContainers Boolean

    If true, prevent containers from running with privileged container capability.

    blockReverseShell Boolean

    If true, reverse shell is prevented.

    blockRootUser Boolean

    If true, prevent containers from running with root user.

    blockUnregisteredImages Boolean

    If true, running images in the container that are not registered in Aqua is prevented.

    blockUseIpcNamespace Boolean

    If true, prevent containers from running with the privilege to use the IPC namespace.

    blockUsePidNamespace Boolean

    If true, prevent containers from running with the privilege to use the PID namespace.

    blockUseUserNamespace Boolean

    If true, prevent containers from running with the privilege to use the user namespace.

    blockUseUtsNamespace Boolean

    If true, prevent containers from running with the privilege to use the UTS namespace.

    blockedCapabilities List<String>

    List of Unix capabilities that containers are prevented from using.

    blockedExecutables List<String>

    List of executables that are prevented from running in containers.

    blockedFiles List<String>

    List of files that are prevented from being read, modified and executed in the containers.

    blockedInboundPorts List<String>

    List of blocked inbound ports.

    blockedOutboundPorts List<String>

    List of blocked outbound ports.

    blockedPackages List<String>

    Prevent containers from reading, writing, or executing all files in the list of packages.

    blockedVolumes List<String>

    List of volumes that are prevented from being mounted in the containers.

    containerExecAllowedProcesses List<String>

    List of processes that will be allowed to run via container exec.

    description String

    The description of the container runtime policy

    enableDriftPrevention Boolean

    If true, executables that are not in the original image are prevented from running.

    enableForkGuard Boolean

    If true, fork bombs are prevented in the containers.

    enableIpReputationSecurity Boolean

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    enablePortScanDetection Boolean

    If true, detects port scanning behavior in the container.

    enabled Boolean

    Indicates if the runtime policy is enabled or not.

    enforce Boolean

    Indicates that the policy should affect container execution (block violations), not just audit them. When false, the block* settings generate audit events only.

    enforceAfterDays Number

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    exceptionalReadonlyFilesAndDirectories List<String>

    List of files and directories to be excluded from the read-only list.

    execLockdownWhiteLists List<String>

    List of processes that remain allowed to run under executable lockdown.

    fileIntegrityMonitoring Property Map

    Configuration for file integrity monitoring.

    forkGuardProcessLimit Number

    Process limit for the fork guard.

    limitNewPrivileges Boolean

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    malwareScanOptions Property Map

    Configuration for Real-Time Malware Protection.

    monitorSystemTimeChanges Boolean

    If true, system time changes will be monitored.

    name String

    Name of the container runtime policy

    readonlyFilesAndDirectories List<String>

    List of files and directories to be restricted as read-only

    reverseShellAllowedIps List<String>

    List of IP addresses/CIDR ranges exempted from the reverse shell block (see blockReverseShell).

    reverseShellAllowedProcesses List<String>

    List of processes exempted from the reverse shell block (see blockReverseShell).

    scopeExpression String

    Logical expression of how to compute the dependency of the scope variables.

    scopeVariables List<Property Map>

    List of scope attributes.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ContainerRuntimePolicy resource produces the following output properties:

    Author string

    Username of the account that created the policy.

    Id string

    The provider-assigned unique ID for this managed resource.

    Author string

    Username of the account that created the policy.

    Id string

    The provider-assigned unique ID for this managed resource.

    author String

    Username of the account that created the policy.

    id String

    The provider-assigned unique ID for this managed resource.

    author string

    Username of the account that created the policy.

    id string

    The provider-assigned unique ID for this managed resource.

    author str

    Username of the account that created the policy.

    id str

    The provider-assigned unique ID for this managed resource.

    author String

    Username of the account that created the policy.

    id String

    The provider-assigned unique ID for this managed resource.

    Look up Existing ContainerRuntimePolicy Resource

    Get an existing ContainerRuntimePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ContainerRuntimePolicyState, opts?: CustomResourceOptions): ContainerRuntimePolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            allowed_executables: Optional[Sequence[str]] = None,
            allowed_registries: Optional[Sequence[str]] = None,
            application_scopes: Optional[Sequence[str]] = None,
            audit_all_network_activity: Optional[bool] = None,
            audit_all_processes_activity: Optional[bool] = None,
            audit_full_command_arguments: Optional[bool] = None,
            author: Optional[str] = None,
            block_access_host_network: Optional[bool] = None,
            block_adding_capabilities: Optional[bool] = None,
            block_container_exec: Optional[bool] = None,
            block_cryptocurrency_mining: Optional[bool] = None,
            block_fileless_exec: Optional[bool] = None,
            block_low_port_binding: Optional[bool] = None,
            block_non_compliant_images: Optional[bool] = None,
            block_non_compliant_workloads: Optional[bool] = None,
            block_non_k8s_containers: Optional[bool] = None,
            block_privileged_containers: Optional[bool] = None,
            block_reverse_shell: Optional[bool] = None,
            block_root_user: Optional[bool] = None,
            block_unregistered_images: Optional[bool] = None,
            block_use_ipc_namespace: Optional[bool] = None,
            block_use_pid_namespace: Optional[bool] = None,
            block_use_user_namespace: Optional[bool] = None,
            block_use_uts_namespace: Optional[bool] = None,
            blocked_capabilities: Optional[Sequence[str]] = None,
            blocked_executables: Optional[Sequence[str]] = None,
            blocked_files: Optional[Sequence[str]] = None,
            blocked_inbound_ports: Optional[Sequence[str]] = None,
            blocked_outbound_ports: Optional[Sequence[str]] = None,
            blocked_packages: Optional[Sequence[str]] = None,
            blocked_volumes: Optional[Sequence[str]] = None,
            container_exec_allowed_processes: Optional[Sequence[str]] = None,
            description: Optional[str] = None,
            enable_drift_prevention: Optional[bool] = None,
            enable_fork_guard: Optional[bool] = None,
            enable_ip_reputation_security: Optional[bool] = None,
            enable_port_scan_detection: Optional[bool] = None,
            enabled: Optional[bool] = None,
            enforce: Optional[bool] = None,
            enforce_after_days: Optional[int] = None,
            exceptional_readonly_files_and_directories: Optional[Sequence[str]] = None,
            exec_lockdown_white_lists: Optional[Sequence[str]] = None,
            file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
            fork_guard_process_limit: Optional[int] = None,
            limit_new_privileges: Optional[bool] = None,
            malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
            monitor_system_time_changes: Optional[bool] = None,
            name: Optional[str] = None,
            readonly_files_and_directories: Optional[Sequence[str]] = None,
            reverse_shell_allowed_ips: Optional[Sequence[str]] = None,
            reverse_shell_allowed_processes: Optional[Sequence[str]] = None,
            scope_expression: Optional[str] = None,
            scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None) -> ContainerRuntimePolicy
    func GetContainerRuntimePolicy(ctx *Context, name string, id IDInput, state *ContainerRuntimePolicyState, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
    public static ContainerRuntimePolicy Get(string name, Input<string> id, ContainerRuntimePolicyState? state, CustomResourceOptions? opts = null)
    public static ContainerRuntimePolicy get(String name, Output<String> id, ContainerRuntimePolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AllowedExecutables List<string>

    List of executables that are allowed to run in containers (allow-list).

    AllowedRegistries List<string>

    List of registries from which images are allowed to run as containers.

    ApplicationScopes List<string>

    Application scopes that the policy applies to.

    AuditAllNetworkActivity bool

    If true, all network activity will be audited.

    AuditAllProcessesActivity bool

    If true, all process activity will be audited.

    AuditFullCommandArguments bool

    If true, full command arguments will be audited.

    Author string

    Username of the account that created the policy.

    BlockAccessHostNetwork bool

    If true, prevent containers from running with access to host network.

    BlockAddingCapabilities bool

    If true, prevent containers from running with additional Linux capabilities added via --cap-add.

    BlockContainerExec bool

    If true, exec into a container is prevented.

    BlockCryptocurrencyMining bool

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    BlockFilelessExec bool

    If true, detects and prevents fileless (in-memory) execution.

    BlockLowPortBinding bool

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    BlockNonCompliantImages bool

    If true, running non-compliant image in the container is prevented.

    BlockNonCompliantWorkloads bool

    If true, running containers in non-compliant pods is prevented.

    BlockNonK8sContainers bool

    If true, running non-kubernetes containers is prevented.

    BlockPrivilegedContainers bool

    If true, prevent containers from running with privileged container capability.

    BlockReverseShell bool

    If true, reverse shell is prevented.

    BlockRootUser bool

    If true, prevent containers from running with root user.

    BlockUnregisteredImages bool

    If true, running images in the container that are not registered in Aqua is prevented.

    BlockUseIpcNamespace bool

    If true, prevent containers from running with the privilege to use the IPC namespace.

    BlockUsePidNamespace bool

    If true, prevent containers from running with the privilege to use the PID namespace.

    BlockUseUserNamespace bool

    If true, prevent containers from running with the privilege to use the user namespace.

    BlockUseUtsNamespace bool

    If true, prevent containers from running with the privilege to use the UTS namespace.

    BlockedCapabilities List<string>

    List of Linux capabilities (for example AUDIT_CONTROL, AUDIT_WRITE) that containers are prevented from using. This is a list, not a boolean flag.

    BlockedExecutables List<string>

    List of executables that are prevented from running in containers.

    BlockedFiles List<string>

    List of files that are prevented from being read, modified and executed in the containers.

    BlockedInboundPorts List<string>

    List of blocked inbound ports.

    BlockedOutboundPorts List<string>

    List of blocked outbound ports.

    BlockedPackages List<string>

    Prevent containers from reading, writing, or executing all files in the list of packages.

    BlockedVolumes List<string>

    List of volumes that are prevented from being mounted in the containers.

    ContainerExecAllowedProcesses List<string>

    List of processes exempted from the container exec block (see BlockContainerExec); they remain allowed to exec into the container.

    Description string

    The description of the container runtime policy

    EnableDriftPrevention bool

    If true, executables that are not part of the original image are prevented from running (drift prevention).

    EnableForkGuard bool

    If true, fork bombs are prevented in the containers.

    EnableIpReputationSecurity bool

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    EnablePortScanDetection bool

    If true, detects port scanning behavior in the container.

    Enabled bool

    Indicates if the runtime policy is enabled or not.

    Enforce bool

    Indicates that the policy should affect container execution (block violations), not just audit them. When false, the Block* settings generate audit events only.

    EnforceAfterDays int

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    ExceptionalReadonlyFilesAndDirectories List<string>

    List of files and directories to be excluded from the read-only list.

    ExecLockdownWhiteLists List<string>

    List of processes that remain allowed to run under executable lockdown.

    FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring

    Configuration for file integrity monitoring.

    ForkGuardProcessLimit int

    Process limit for the fork guard.

    LimitNewPrivileges bool

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions

    Configuration for Real-Time Malware Protection.

    MonitorSystemTimeChanges bool

    If true, system time changes will be monitored.

    Name string

    Name of the container runtime policy

    ReadonlyFilesAndDirectories List<string>

    List of files and directories to be restricted as read-only

    ReverseShellAllowedIps List<string>

    List of IP addresses/CIDR ranges exempted from the reverse shell block (see BlockReverseShell).

    ReverseShellAllowedProcesses List<string>

    List of processes exempted from the reverse shell block (see BlockReverseShell).

    ScopeExpression string

    Logical expression of how to compute the dependency of the scope variables.

    ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>

    List of scope attributes.

    AllowedExecutables []string

    List of executables that are allowed to run in containers (allow-list).

    AllowedRegistries []string

    List of registries from which images are allowed to run as containers.

    ApplicationScopes []string

    Application scopes that the policy applies to.

    AuditAllNetworkActivity bool

    If true, all network activity will be audited.

    AuditAllProcessesActivity bool

    If true, all process activity will be audited.

    AuditFullCommandArguments bool

    If true, full command arguments will be audited.

    Author string

    Username of the account that created the policy.

    BlockAccessHostNetwork bool

    If true, prevent containers from running with access to host network.

    BlockAddingCapabilities bool

    If true, prevent containers from running with additional Linux capabilities added via --cap-add.

    BlockContainerExec bool

    If true, exec into a container is prevented.

    BlockCryptocurrencyMining bool

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    BlockFilelessExec bool

    If true, detects and prevents fileless (in-memory) execution.

    BlockLowPortBinding bool

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    BlockNonCompliantImages bool

    If true, running non-compliant image in the container is prevented.

    BlockNonCompliantWorkloads bool

    If true, running containers in non-compliant pods is prevented.

    BlockNonK8sContainers bool

    If true, running non-kubernetes containers is prevented.

    BlockPrivilegedContainers bool

    If true, prevent containers from running with privileged container capability.

    BlockReverseShell bool

    If true, reverse shell is prevented.

    BlockRootUser bool

    If true, prevent containers from running with root user.

    BlockUnregisteredImages bool

    If true, running images in the container that are not registered in Aqua is prevented.

    BlockUseIpcNamespace bool

    If true, prevent containers from running with the privilege to use the IPC namespace.

    BlockUsePidNamespace bool

    If true, prevent containers from running with the privilege to use the PID namespace.

    BlockUseUserNamespace bool

    If true, prevent containers from running with the privilege to use the user namespace.

    BlockUseUtsNamespace bool

    If true, prevent containers from running with the privilege to use the UTS namespace.

    BlockedCapabilities []string

    List of Linux capabilities (for example AUDIT_CONTROL, AUDIT_WRITE) that containers are prevented from using. This is a list, not a boolean flag.

    BlockedExecutables []string

    List of executables that are prevented from running in containers.

    BlockedFiles []string

    List of files that are prevented from being read, modified and executed in the containers.

    BlockedInboundPorts []string

    List of blocked inbound ports.

    BlockedOutboundPorts []string

    List of blocked outbound ports.

    BlockedPackages []string

    Prevent containers from reading, writing, or executing all files in the list of packages.

    BlockedVolumes []string

    List of volumes that are prevented from being mounted in the containers.

    ContainerExecAllowedProcesses []string

    List of processes exempted from the container exec block (see BlockContainerExec); they remain allowed to exec into the container.

    Description string

    The description of the container runtime policy

    EnableDriftPrevention bool

    If true, executables that are not part of the original image are prevented from running (drift prevention).

    EnableForkGuard bool

    If true, fork bombs are prevented in the containers.

    EnableIpReputationSecurity bool

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    EnablePortScanDetection bool

    If true, detects port scanning behavior in the container.

    Enabled bool

    Indicates if the runtime policy is enabled or not.

    Enforce bool

    Indicates that the policy should affect container execution (block violations), not just audit them. When false, the Block* settings generate audit events only.

    EnforceAfterDays int

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    ExceptionalReadonlyFilesAndDirectories []string

    List of files and directories to be excluded from the read-only list.

    ExecLockdownWhiteLists []string

    List of processes that remain allowed to run under executable lockdown.

    FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

    Configuration for file integrity monitoring.

    ForkGuardProcessLimit int

    Process limit for the fork guard.

    LimitNewPrivileges bool

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs

    Configuration for Real-Time Malware Protection.

    MonitorSystemTimeChanges bool

    If true, system time changes will be monitored.

    Name string

    Name of the container runtime policy

    ReadonlyFilesAndDirectories []string

    List of files and directories to be restricted as read-only

    ReverseShellAllowedIps []string

    List of IP addresses/CIDR ranges exempted from the reverse shell block (see BlockReverseShell).

    ReverseShellAllowedProcesses []string

    List of processes exempted from the reverse shell block (see BlockReverseShell).

    ScopeExpression string

    Logical expression of how to compute the dependency of the scope variables.

    ScopeVariables []ContainerRuntimePolicyScopeVariableArgs

    List of scope attributes.

    allowedExecutables List<String>

    List of executables that are allowed to run in containers (allow-list).

    allowedRegistries List<String>

    List of registries from which images are allowed to run as containers.

    applicationScopes List<String>

    Application scopes that the policy applies to.

    auditAllNetworkActivity Boolean

    If true, all network activity will be audited.

    auditAllProcessesActivity Boolean

    If true, all process activity will be audited.

    auditFullCommandArguments Boolean

    If true, full command arguments will be audited.

    author String

    Username of the account that created the policy.

    blockAccessHostNetwork Boolean

    If true, prevent containers from running with access to host network.

    blockAddingCapabilities Boolean

    If true, prevent containers from running with additional Linux capabilities added via --cap-add.

    blockContainerExec Boolean

    If true, exec into a container is prevented.

    blockCryptocurrencyMining Boolean

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    blockFilelessExec Boolean

    If true, detects and prevents fileless (in-memory) execution.

    blockLowPortBinding Boolean

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    blockNonCompliantImages Boolean

    If true, running non-compliant image in the container is prevented.

    blockNonCompliantWorkloads Boolean

    If true, running containers in non-compliant pods is prevented.

    blockNonK8sContainers Boolean

    If true, running non-kubernetes containers is prevented.

    blockPrivilegedContainers Boolean

    If true, prevent containers from running with privileged container capability.

    blockReverseShell Boolean

    If true, reverse shell is prevented.

    blockRootUser Boolean

    If true, prevent containers from running with root user.

    blockUnregisteredImages Boolean

    If true, running images in the container that are not registered in Aqua is prevented.

    blockUseIpcNamespace Boolean

    If true, prevent containers from running with the privilege to use the IPC namespace.

    blockUsePidNamespace Boolean

    If true, prevent containers from running with the privilege to use the PID namespace.

    blockUseUserNamespace Boolean

    If true, prevent containers from running with the privilege to use the user namespace.

    blockUseUtsNamespace Boolean

    If true, prevent containers from running with the privilege to use the UTS namespace.

    blockedCapabilities List<String>

    List of Linux capabilities (for example AUDIT_CONTROL, AUDIT_WRITE) that containers are prevented from using. This is a list, not a boolean flag.

    blockedExecutables List<String>

    List of executables that are prevented from running in containers.

    blockedFiles List<String>

    List of files that are prevented from being read, modified and executed in the containers.

    blockedInboundPorts List<String>

    List of blocked inbound ports.

    blockedOutboundPorts List<String>

    List of blocked outbound ports.

    blockedPackages List<String>

    Prevent containers from reading, writing, or executing all files in the list of packages.

    blockedVolumes List<String>

    List of volumes that are prevented from being mounted in the containers.

    containerExecAllowedProcesses List<String>

    List of processes exempted from the container exec block (see blockContainerExec); they remain allowed to exec into the container.

    description String

    The description of the container runtime policy

    enableDriftPrevention Boolean

    If true, executables that are not part of the original image are prevented from running (drift prevention).

    enableForkGuard Boolean

    If true, fork bombs are prevented in the containers.

    enableIpReputationSecurity Boolean

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    enablePortScanDetection Boolean

    If true, detects port scanning behavior in the container.

    enabled Boolean

    Indicates if the runtime policy is enabled or not.

    enforce Boolean

    Indicates that the policy should affect container execution (block violations), not just audit them. When false, the block* settings generate audit events only.

    enforceAfterDays Integer

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    exceptionalReadonlyFilesAndDirectories List<String>

    List of files and directories to be excluded from the read-only list.

    execLockdownWhiteLists List<String>

    List of processes that remain allowed to run under executable lockdown.

    fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring

    Configuration for file integrity monitoring.

    forkGuardProcessLimit Integer

    Process limit for the fork guard.

    limitNewPrivileges Boolean

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    malwareScanOptions ContainerRuntimePolicyMalwareScanOptions

    Configuration for Real-Time Malware Protection.

    monitorSystemTimeChanges Boolean

    If true, system time changes will be monitored.

    name String

    Name of the container runtime policy

    readonlyFilesAndDirectories List<String>

    List of files and directories to be restricted as read-only

    reverseShellAllowedIps List<String>

    List of IP addresses/CIDR ranges exempted from the reverse shell block (see blockReverseShell).

    reverseShellAllowedProcesses List<String>

    List of processes exempted from the reverse shell block (see blockReverseShell).

    scopeExpression String

    Logical expression of how to compute the dependency of the scope variables.

    scopeVariables List<ContainerRuntimePolicyScopeVariable>

    List of scope attributes.

    allowedExecutables string[]

    List of executables that are allowed to run in containers (allow-list).

    allowedRegistries string[]

    List of registries from which images are allowed to run as containers.

    applicationScopes string[]

    Application scopes that the policy applies to.

    auditAllNetworkActivity boolean

    If true, all network activity will be audited.

    auditAllProcessesActivity boolean

    If true, all process activity will be audited.

    auditFullCommandArguments boolean

    If true, full command arguments will be audited.

    author string

    Username of the account that created the policy.

    blockAccessHostNetwork boolean

    If true, prevent containers from running with access to host network.

    blockAddingCapabilities boolean

    If true, prevent containers from running with additional Linux capabilities added via --cap-add.

    blockContainerExec boolean

    If true, exec into a container is prevented.

    blockCryptocurrencyMining boolean

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    blockFilelessExec boolean

    If true, detects and prevents fileless (in-memory) execution.

    blockLowPortBinding boolean

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    blockNonCompliantImages boolean

    If true, running non-compliant image in the container is prevented.

    blockNonCompliantWorkloads boolean

    If true, running containers in non-compliant pods is prevented.

    blockNonK8sContainers boolean

    If true, running non-kubernetes containers is prevented.

    blockPrivilegedContainers boolean

    If true, prevent containers from running with privileged container capability.

    blockReverseShell boolean

    If true, reverse shell is prevented.

    blockRootUser boolean

    If true, prevent containers from running with root user.

    blockUnregisteredImages boolean

    If true, running images in the container that are not registered in Aqua is prevented.

    blockUseIpcNamespace boolean

    If true, prevent containers from running with the privilege to use the IPC namespace.

    blockUsePidNamespace boolean

    If true, prevent containers from running with the privilege to use the PID namespace.

    blockUseUserNamespace boolean

    If true, prevent containers from running with the privilege to use the user namespace.

    blockUseUtsNamespace boolean

    If true, prevent containers from running with the privilege to use the UTS namespace.

    blockedCapabilities string[]

    List of Linux capabilities (for example AUDIT_CONTROL, AUDIT_WRITE) that containers are prevented from using. This is a list, not a boolean flag.

    blockedExecutables string[]

    List of executables that are prevented from running in containers.

    blockedFiles string[]

    List of files that are prevented from being read, modified and executed in the containers.

    blockedInboundPorts string[]

    List of blocked inbound ports.

    blockedOutboundPorts string[]

    List of blocked outbound ports.

    blockedPackages string[]

    Prevent containers from reading, writing, or executing all files in the list of packages.

    blockedVolumes string[]

    List of volumes that are prevented from being mounted in the containers.

    containerExecAllowedProcesses string[]

    List of processes exempted from the container exec block (see blockContainerExec); they remain allowed to exec into the container.

    description string

    The description of the container runtime policy

    enableDriftPrevention boolean

    If true, executables that are not part of the original image are prevented from running (drift prevention).

    enableForkGuard boolean

    If true, fork bombs are prevented in the containers.

    enableIpReputationSecurity boolean

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    enablePortScanDetection boolean

    If true, detects port scanning behavior in the container.

    enabled boolean

    Indicates if the runtime policy is enabled or not.

    enforce boolean

    Indicates that the policy should affect container execution (block violations), not just audit them. When false, the block* settings generate audit events only.

    enforceAfterDays number

    Indicates the number of days after which the runtime policy will be changed to enforce mode.

    exceptionalReadonlyFilesAndDirectories string[]

    List of files and directories to be excluded from the read-only list.

    execLockdownWhiteLists string[]

    List of processes that remain allowed to run under executable lockdown.

    fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring

    Configuration for file integrity monitoring.

    forkGuardProcessLimit number

    Process limit for the fork guard.

    limitNewPrivileges boolean

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    malwareScanOptions ContainerRuntimePolicyMalwareScanOptions

    Configuration for Real-Time Malware Protection.

    monitorSystemTimeChanges boolean

    If true, system time changes will be monitored.

    name string

    Name of the container runtime policy

    readonlyFilesAndDirectories string[]

    List of files and directories to be restricted as read-only

    reverseShellAllowedIps string[]

    List of IP addresses/CIDR ranges exempted from the reverse shell block (see blockReverseShell).

    reverseShellAllowedProcesses string[]

    List of processes exempted from the reverse shell block (see blockReverseShell).

    scopeExpression string

    Logical expression of how to compute the dependency of the scope variables.

    scopeVariables ContainerRuntimePolicyScopeVariable[]

    List of scope attributes.

    allowed_executables Sequence[str]

    List of executables that are allowed to run in containers (allow-list).

    allowed_registries Sequence[str]

    List of registries from which images are allowed to run as containers.

    application_scopes Sequence[str]

    Application scopes that the policy applies to.

    audit_all_network_activity bool

    If true, all network activity will be audited.

    audit_all_processes_activity bool

    If true, all process activity will be audited.

    audit_full_command_arguments bool

    If true, full command arguments will be audited.

    author str

    Username of the account that created the policy.

    block_access_host_network bool

    If true, prevent containers from running with access to host network.

    block_adding_capabilities bool

    If true, prevent containers from running with additional Linux capabilities added via --cap-add.

    block_container_exec bool

    If true, exec into a container is prevented.

    block_cryptocurrency_mining bool

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    block_fileless_exec bool

    If true, detects and prevents fileless (in-memory) execution.

    block_low_port_binding bool

    If true, prevent containers from running with the capability to bind to ports lower than 1024.

    block_non_compliant_images bool

    If true, running non-compliant image in the container is prevented.

    block_non_compliant_workloads bool

    If true, running containers in non-compliant pods is prevented.

    block_non_k8s_containers bool

    If true, running non-kubernetes containers is prevented.

    block_privileged_containers bool

    If true, prevent containers from running with privileged container capability.

    block_reverse_shell bool

    If true, reverse shell is prevented.

    block_root_user bool

    If true, prevent containers from running with root user.

    block_unregistered_images bool

    If true, images that are not registered in Aqua are prevented from running.

    block_use_ipc_namespace bool

    If true, prevent containers from running with the privilege to use the IPC namespace.

    block_use_pid_namespace bool

    If true, prevent containers from running with the privilege to use the PID namespace.

    block_use_user_namespace bool

    If true, prevent containers from running with the privilege to use the user namespace.

    block_use_uts_namespace bool

    If true, prevent containers from running with the privilege to use the UTS namespace.

    blocked_capabilities Sequence[str]

    List of Linux capabilities (e.g. AUDIT_CONTROL) that containers are prevented from using. Note this is a list, not a boolean.

    blocked_executables Sequence[str]

    List of executables that are prevented from running in containers.

    blocked_files Sequence[str]

    List of files that are prevented from being read, modified and executed in the containers.

    blocked_inbound_ports Sequence[str]

    List of blocked inbound ports.

    blocked_outbound_ports Sequence[str]

    List of blocked outbound ports.

    blocked_packages Sequence[str]

    Prevent containers from reading, writing, or executing all files in the list of packages.

    blocked_volumes Sequence[str]

    List of volumes that are prevented from being mounted in the containers.

    container_exec_allowed_processes Sequence[str]

    List of processes exempted from the block_container_exec restriction.

    description str

    The description of the container runtime policy

    enable_drift_prevention bool

    If true, executables that were not part of the original image are prevented from running (drift prevention).

    enable_fork_guard bool

    If true, fork bombs are prevented in the containers.

    enable_ip_reputation_security bool

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    enable_port_scan_detection bool

    If true, detects port scanning behavior in the container.

    enabled bool

    Indicates if the runtime policy is enabled or not.

    enforce bool

    If true, the policy affects container execution (blocks); if false, it only audits. Note that the block_* settings only prevent activity when the policy is in enforce mode; otherwise they produce audit events only.

    enforce_after_days int

    Number of days after which the runtime policy is automatically switched from audit-only to enforce mode.

    exceptional_readonly_files_and_directories Sequence[str]

    List of files and directories to be excluded from the read-only list.

    exec_lockdown_white_lists Sequence[str]

    List of processes allowed to run under exec lockdown.

    file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs

    Configuration for file integrity monitoring.

    fork_guard_process_limit int

    Process limit for the fork guard.

    limit_new_privileges bool

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs

    Configuration for Real-Time Malware Protection.

    monitor_system_time_changes bool

    If true, system time changes will be monitored.

    name str

    Name of the container runtime policy

    readonly_files_and_directories Sequence[str]

    List of files and directories to be restricted as read-only

    reverse_shell_allowed_ips Sequence[str]

    List of IPs/CIDRs exempted from reverse-shell blocking.

    reverse_shell_allowed_processes Sequence[str]

    List of processes exempted from reverse-shell blocking.

    scope_expression str

    Logical expression of how to compute the dependency of the scope variables.

    scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]

    List of scope attributes.

    allowedExecutables List<String>

    List of executables that are allowed for the user.

    allowedRegistries List<String>

    List of registries that are allowed to run containers; images pulled from any other registry are blocked (when the policy is in enforce mode).

    applicationScopes List<String>

    Indicates the application scope(s) the policy applies to.

    auditAllNetworkActivity Boolean

    If true, all network activity will be audited.

    auditAllProcessesActivity Boolean

    If true, all process activity will be audited.

    auditFullCommandArguments Boolean

    If true, full command arguments will be audited.

    author String

    Username of the account that created the policy.

    blockAccessHostNetwork Boolean

    If true, prevent containers from running with access to host network.

    blockAddingCapabilities Boolean

    If true, prevent containers from running with additional Linux capabilities granted via --cap-add.

    blockContainerExec Boolean

    If true, exec into a container is prevented.

    blockCryptocurrencyMining Boolean

    Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

    blockFilelessExec Boolean

    Detect and prevent running in-memory execution

    blockLowPortBinding Boolean

    If true, prevent containers from running with the capability to bind to ports lower than 1024 (privileged ports).

    blockNonCompliantImages Boolean

    If true, running non-compliant image in the container is prevented.

    blockNonCompliantWorkloads Boolean

    If true, running containers in non-compliant pods is prevented.

    blockNonK8sContainers Boolean

    If true, running non-kubernetes containers is prevented.

    blockPrivilegedContainers Boolean

    If true, prevent containers from running in privileged mode.

    blockReverseShell Boolean

    If true, reverse shell is prevented.

    blockRootUser Boolean

    If true, prevent containers from running with root user.

    blockUnregisteredImages Boolean

    If true, images that are not registered in Aqua are prevented from running.

    blockUseIpcNamespace Boolean

    If true, prevent containers from running with the privilege to use the IPC namespace.

    blockUsePidNamespace Boolean

    If true, prevent containers from running with the privilege to use the PID namespace.

    blockUseUserNamespace Boolean

    If true, prevent containers from running with the privilege to use the user namespace.

    blockUseUtsNamespace Boolean

    If true, prevent containers from running with the privilege to use the UTS namespace.

    blockedCapabilities List<String>

    List of Linux capabilities (e.g. AUDIT_CONTROL) that containers are prevented from using. Note this is a list, not a boolean.

    blockedExecutables List<String>

    List of executables that are prevented from running in containers.

    blockedFiles List<String>

    List of files that are prevented from being read, modified and executed in the containers.

    blockedInboundPorts List<String>

    List of blocked inbound ports.

    blockedOutboundPorts List<String>

    List of blocked outbound ports.

    blockedPackages List<String>

    Prevent containers from reading, writing, or executing all files in the list of packages.

    blockedVolumes List<String>

    List of volumes that are prevented from being mounted in the containers.

    containerExecAllowedProcesses List<String>

    List of processes exempted from the blockContainerExec restriction.

    description String

    The description of the container runtime policy

    enableDriftPrevention Boolean

    If true, executables that were not part of the original image are prevented from running (drift prevention).

    enableForkGuard Boolean

    If true, fork bombs are prevented in the containers.

    enableIpReputationSecurity Boolean

    If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

    enablePortScanDetection Boolean

    If true, detects port scanning behavior in the container.

    enabled Boolean

    Indicates if the runtime policy is enabled or not.

    enforce Boolean

    If true, the policy affects container execution (blocks); if false, it only audits. Note that the block* settings only prevent activity when the policy is in enforce mode; otherwise they produce audit events only.

    enforceAfterDays Number

    Number of days after which the runtime policy is automatically switched from audit-only to enforce mode.

    exceptionalReadonlyFilesAndDirectories List<String>

    List of files and directories to be excluded from the read-only list.

    execLockdownWhiteLists List<String>

    List of processes allowed to run under exec lockdown.

    fileIntegrityMonitoring Property Map

    Configuration for file integrity monitoring.

    forkGuardProcessLimit Number

    Process limit for the fork guard.

    limitNewPrivileges Boolean

    If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

    malwareScanOptions Property Map

    Configuration for Real-Time Malware Protection.

    monitorSystemTimeChanges Boolean

    If true, system time changes will be monitored.

    name String

    Name of the container runtime policy

    readonlyFilesAndDirectories List<String>

    List of files and directories to be restricted as read-only

    reverseShellAllowedIps List<String>

    List of IPs/CIDRs exempted from reverse-shell blocking.

    reverseShellAllowedProcesses List<String>

    List of processes exempted from reverse-shell blocking.

    scopeExpression String

    Logical expression of how to compute the dependency of the scope variables.

    scopeVariables List<Property Map>

    List of scope attributes.

    Supporting Types

    ContainerRuntimePolicyFileIntegrityMonitoring, ContainerRuntimePolicyFileIntegrityMonitoringArgs

    ExcludedPaths List<string>

    List of paths to be excluded from being monitored.

    ExcludedProcesses List<string>

    List of processes to be excluded from being monitored.

    ExcludedUsers List<string>

    List of users to be excluded from being monitored.

    MonitorAttributes bool

    If true, attribute-change operations (e.g. permissions, ownership) will be monitored.

    MonitorCreate bool

    If true, create operations will be monitored.

    MonitorDelete bool

    If true, deletion operations will be monitored.

    MonitorModify bool

    If true, modification operations will be monitored.

    MonitorRead bool

    If true, read operations will be monitored.

    MonitoredPaths List<string>

    List of paths to be monitored.

    MonitoredProcesses List<string>

    List of processes to be monitored.

    MonitoredUsers List<string>

    List of users to be monitored.

    ExcludedPaths []string

    List of paths to be excluded from being monitored.

    ExcludedProcesses []string

    List of processes to be excluded from being monitored.

    ExcludedUsers []string

    List of users to be excluded from being monitored.

    MonitorAttributes bool

    If true, attribute-change operations (e.g. permissions, ownership) will be monitored.

    MonitorCreate bool

    If true, create operations will be monitored.

    MonitorDelete bool

    If true, deletion operations will be monitored.

    MonitorModify bool

    If true, modification operations will be monitored.

    MonitorRead bool

    If true, read operations will be monitored.

    MonitoredPaths []string

    List of paths to be monitored.

    MonitoredProcesses []string

    List of processes to be monitored.

    MonitoredUsers []string

    List of users to be monitored.

    excludedPaths List<String>

    List of paths to be excluded from being monitored.

    excludedProcesses List<String>

    List of processes to be excluded from being monitored.

    excludedUsers List<String>

    List of users to be excluded from being monitored.

    monitorAttributes Boolean

    If true, attribute-change operations (e.g. permissions, ownership) will be monitored.

    monitorCreate Boolean

    If true, create operations will be monitored.

    monitorDelete Boolean

    If true, deletion operations will be monitored.

    monitorModify Boolean

    If true, modification operations will be monitored.

    monitorRead Boolean

    If true, read operations will be monitored.

    monitoredPaths List<String>

    List of paths to be monitored.

    monitoredProcesses List<String>

    List of processes to be monitored.

    monitoredUsers List<String>

    List of users to be monitored.

    excludedPaths string[]

    List of paths to be excluded from being monitored.

    excludedProcesses string[]

    List of processes to be excluded from being monitored.

    excludedUsers string[]

    List of users to be excluded from being monitored.

    monitorAttributes boolean

    If true, attribute-change operations (e.g. permissions, ownership) will be monitored.

    monitorCreate boolean

    If true, create operations will be monitored.

    monitorDelete boolean

    If true, deletion operations will be monitored.

    monitorModify boolean

    If true, modification operations will be monitored.

    monitorRead boolean

    If true, read operations will be monitored.

    monitoredPaths string[]

    List of paths to be monitored.

    monitoredProcesses string[]

    List of processes to be monitored.

    monitoredUsers string[]

    List of users to be monitored.

    excluded_paths Sequence[str]

    List of paths to be excluded from being monitored.

    excluded_processes Sequence[str]

    List of processes to be excluded from being monitored.

    excluded_users Sequence[str]

    List of users to be excluded from being monitored.

    monitor_attributes bool

    If true, attribute-change operations (e.g. permissions, ownership) will be monitored.

    monitor_create bool

    If true, create operations will be monitored.

    monitor_delete bool

    If true, deletion operations will be monitored.

    monitor_modify bool

    If true, modification operations will be monitored.

    monitor_read bool

    If true, read operations will be monitored.

    monitored_paths Sequence[str]

    List of paths to be monitored.

    monitored_processes Sequence[str]

    List of processes to be monitored.

    monitored_users Sequence[str]

    List of users to be monitored.

    excludedPaths List<String>

    List of paths to be excluded from being monitored.

    excludedProcesses List<String>

    List of processes to be excluded from being monitored.

    excludedUsers List<String>

    List of users to be excluded from being monitored.

    monitorAttributes Boolean

    If true, attribute-change operations (e.g. permissions, ownership) will be monitored.

    monitorCreate Boolean

    If true, create operations will be monitored.

    monitorDelete Boolean

    If true, deletion operations will be monitored.

    monitorModify Boolean

    If true, modification operations will be monitored.

    monitorRead Boolean

    If true, read operations will be monitored.

    monitoredPaths List<String>

    List of paths to be monitored.

    monitoredProcesses List<String>

    List of processes to be monitored.

    monitoredUsers List<String>

    List of users to be monitored.

    ContainerRuntimePolicyMalwareScanOptions, ContainerRuntimePolicyMalwareScanOptionsArgs

    Action string

    Action taken when malware is detected. Defaults to 'Alert' (detect only, no blocking) when empty.

    Enabled bool

    Whether real-time malware protection is enabled.

    ExcludeDirectories List<string>

    List of directory paths to be excluded from real-time malware protection. Keep this list minimal, as excluded directories are not scanned.

    ExcludeProcesses List<string>

    List of processes to be excluded from real-time malware protection.

    Action string

    Action taken when malware is detected. Defaults to 'Alert' (detect only, no blocking) when empty.

    Enabled bool

    Whether real-time malware protection is enabled.

    ExcludeDirectories []string

    List of directory paths to be excluded from real-time malware protection. Keep this list minimal, as excluded directories are not scanned.

    ExcludeProcesses []string

    List of processes to be excluded from real-time malware protection.

    action String

    Action taken when malware is detected. Defaults to 'Alert' (detect only, no blocking) when empty.

    enabled Boolean

    Whether real-time malware protection is enabled.

    excludeDirectories List<String>

    List of directory paths to be excluded from real-time malware protection. Keep this list minimal, as excluded directories are not scanned.

    excludeProcesses List<String>

    List of processes to be excluded from real-time malware protection.

    action string

    Action taken when malware is detected. Defaults to 'Alert' (detect only, no blocking) when empty.

    enabled boolean

    Whether real-time malware protection is enabled.

    excludeDirectories string[]

    List of directory paths to be excluded from real-time malware protection. Keep this list minimal, as excluded directories are not scanned.

    excludeProcesses string[]

    List of processes to be excluded from real-time malware protection.

    action str

    Action taken when malware is detected. Defaults to 'Alert' (detect only, no blocking) when empty.

    enabled bool

    Whether real-time malware protection is enabled.

    exclude_directories Sequence[str]

    List of directory paths to be excluded from real-time malware protection. Keep this list minimal, as excluded directories are not scanned.

    exclude_processes Sequence[str]

    List of processes to be excluded from real-time malware protection.

    action String

    Action taken when malware is detected. Defaults to 'Alert' (detect only, no blocking) when empty.

    enabled Boolean

    Whether real-time malware protection is enabled.

    excludeDirectories List<String>

    List of directory paths to be excluded from real-time malware protection. Keep this list minimal, as excluded directories are not scanned.

    excludeProcesses List<String>

    List of processes to be excluded from real-time malware protection.

    ContainerRuntimePolicyScopeVariable, ContainerRuntimePolicyScopeVariableArgs

    Attribute string

    Class of supported scope.

    Value string

    Value assigned to the attribute.

    Name string

    Name assigned to the attribute.

    Attribute string

    Class of supported scope.

    Value string

    Value assigned to the attribute.

    Name string

    Name assigned to the attribute.

    attribute String

    Class of supported scope.

    value String

    Value assigned to the attribute.

    name String

    Name assigned to the attribute.

    attribute string

    Class of supported scope.

    value string

    Value assigned to the attribute.

    name string

    Name assigned to the attribute.

    attribute str

    Class of supported scope.

    value str

    Value assigned to the attribute.

    name str

    Name assigned to the attribute.

    attribute String

    Class of supported scope.

    value String

    Value assigned to the attribute.

    name String

    Name assigned to the attribute.

    Package Details

    Repository
    aquasec pulumiverse/pulumi-aquasec
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the aquasec Terraform Provider.
