Aquasec

v0.2.2 published on Monday, Nov 14, 2022 by Pulumiverse

getContainerRuntimePolicy

Example Usage

using System.Collections.Generic;
using Pulumi;
using Aquasec = Pulumi.Aquasec;

return await Deployment.RunAsync(() =>
{
    // Read-only lookup of an existing Aqua container runtime policy by name.
    // This is a data-source invoke: nothing is created or changed in Aqua.
    var lookupArgs = new Aquasec.GetContainerRuntimePolicyInvokeArgs
    {
        Name = "FunctionRuntimePolicyName",
    };
    var policyLookup = Aquasec.GetContainerRuntimePolicy.Invoke(lookupArgs);

    // Surface the whole result as a stack output so it can be inspected
    // (e.g. with `pulumi stack output`).
    var stackOutputs = new Dictionary<string, object?>();
    stackOutputs["containerRuntimePolicyDetails"] = policyLookup;
    return stackOutputs;
});
package main

import (
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
	"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)

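func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Read-only lookup of an existing Aqua container runtime policy by
		// name. This is a data-source invoke: nothing is created or changed
		// in Aqua.
		//
		// The argument type must be the package-qualified
		// aquasec.LookupContainerRuntimePolicyArgs (see the Go signature of
		// LookupContainerRuntimePolicy); the unqualified
		// GetContainerRuntimePolicyArgs used previously does not resolve and
		// fails to compile.
		containerRuntimePolicy, err := aquasec.LookupContainerRuntimePolicy(ctx, &aquasec.LookupContainerRuntimePolicyArgs{
			Name: "FunctionRuntimePolicyName",
		}, nil)
		if err != nil {
			return err
		}
		// Surface the whole result as a stack output for inspection.
		ctx.Export("containerRuntimePolicyDetails", containerRuntimePolicy)
		return nil
	})
}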
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.AquasecFunctions;
import com.pulumi.aquasec.inputs.GetContainerRuntimePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Reads an existing Aqua container runtime policy by name and exports it.
     * This is a data-source lookup: nothing is created or changed in Aqua.
     *
     * @param ctx the Pulumi deployment context used to register stack outputs
     */
    public static void stack(Context ctx) {
        var lookupArgs = GetContainerRuntimePolicyArgs.builder()
            .name("FunctionRuntimePolicyName")
            .build();
        var policyLookup = AquasecFunctions.getContainerRuntimePolicy(lookupArgs);

        // Surface the whole result as a stack output for inspection.
        ctx.export("containerRuntimePolicyDetails", policyLookup);
    }
}
import pulumi
import pulumi_aquasec as aquasec

# Read-only lookup of an existing Aqua container runtime policy by name.
# This is a data-source invoke: nothing is created or changed in Aqua.
_policy_name = "FunctionRuntimePolicyName"
container_runtime_policy = aquasec.get_container_runtime_policy(name=_policy_name)

# Surface the whole result as a stack output for inspection.
pulumi.export("containerRuntimePolicyDetails", container_runtime_policy)
import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumi/aquasec";

// Read-only lookup of an existing Aqua container runtime policy by name.
// This is a data-source invoke: nothing is created or changed in Aqua.
const policyName = "FunctionRuntimePolicyName";
const policyLookup = aquasec.getContainerRuntimePolicy({ name: policyName });

// Surface the whole result as a stack output for inspection.
export const containerRuntimePolicyDetails = policyLookup;
variables:
  # Read-only lookup of an existing Aqua container runtime policy by name.
  # This is a data-source invoke: nothing is created or changed in Aqua.
  containerRuntimePolicy:
    fn::invoke:
      Function: aquasec:getContainerRuntimePolicy
      Arguments:
        name: FunctionRuntimePolicyName
outputs:
  # Surface the whole result as a stack output for inspection.
  containerRuntimePolicyDetails: ${containerRuntimePolicy}

Using getContainerRuntimePolicy

Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

function getContainerRuntimePolicy(args: GetContainerRuntimePolicyArgs, opts?: InvokeOptions): Promise<GetContainerRuntimePolicyResult>
function getContainerRuntimePolicyOutput(args: GetContainerRuntimePolicyOutputArgs, opts?: InvokeOptions): Output<GetContainerRuntimePolicyResult>
def get_container_runtime_policy(malware_scan_options: Optional[Sequence[GetContainerRuntimePolicyMalwareScanOption]] = None,
                                 name: Optional[str] = None,
                                 opts: Optional[InvokeOptions] = None) -> GetContainerRuntimePolicyResult
def get_container_runtime_policy_output(malware_scan_options: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyMalwareScanOptionArgs]]]] = None,
                                 name: Optional[pulumi.Input[str]] = None,
                                 opts: Optional[InvokeOptions] = None) -> Output[GetContainerRuntimePolicyResult]
func LookupContainerRuntimePolicy(ctx *Context, args *LookupContainerRuntimePolicyArgs, opts ...InvokeOption) (*LookupContainerRuntimePolicyResult, error)
func LookupContainerRuntimePolicyOutput(ctx *Context, args *LookupContainerRuntimePolicyOutputArgs, opts ...InvokeOption) LookupContainerRuntimePolicyResultOutput

> Note: This function is named LookupContainerRuntimePolicy in the Go SDK.

public static class GetContainerRuntimePolicy 
{
    public static Task<GetContainerRuntimePolicyResult> InvokeAsync(GetContainerRuntimePolicyArgs args, InvokeOptions? opts = null)
    public static Output<GetContainerRuntimePolicyResult> Invoke(GetContainerRuntimePolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetContainerRuntimePolicyResult> getContainerRuntimePolicy(GetContainerRuntimePolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
  function: aquasec:index/getContainerRuntimePolicy:getContainerRuntimePolicy
  arguments:
    # arguments dictionary

The following arguments are supported:

Name string

Name of the container runtime policy

MalwareScanOptions List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyMalwareScanOption>

Configuration for Real-Time Malware Protection.

Name string

Name of the container runtime policy

MalwareScanOptions []GetContainerRuntimePolicyMalwareScanOption

Configuration for Real-Time Malware Protection.

name String

Name of the container runtime policy

malwareScanOptions List<GetContainerRuntimePolicyMalwareScanOption>

Configuration for Real-Time Malware Protection.

name string

Name of the container runtime policy

malwareScanOptions GetContainerRuntimePolicyMalwareScanOption[]

Configuration for Real-Time Malware Protection.

name str

Name of the container runtime policy

malware_scan_options Sequence[GetContainerRuntimePolicyMalwareScanOption]

Configuration for Real-Time Malware Protection.

name String

Name of the container runtime policy

malwareScanOptions List<Property Map>

Configuration for Real-Time Malware Protection.

getContainerRuntimePolicy Result

The following output properties are available:

AllowedExecutables List<string>

List of executables that are allowed for the user.

AllowedRegistries List<string>

List of registries from which containers are allowed to run.

ApplicationScopes List<string>

Indicates the application scope of the service.

AuditAllNetworkActivity bool

If true, all network activity will be audited.

AuditAllProcessesActivity bool

If true, all process activity will be audited.

AuditFullCommandArguments bool

If true, full command arguments will be audited.

Author string

Username of the account that created the service.

BlockAccessHostNetwork bool

If true, prevent containers from running with access to host network.

BlockAddingCapabilities bool

If true, prevent containers from running with adding capabilities with --cap-add privilege.

BlockContainerExec bool

If true, exec into a container is prevented.

BlockCryptocurrencyMining bool

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

BlockFilelessExec bool

Detect and prevent running in-memory execution

BlockLowPortBinding bool

If true, prevent containers from running with the capability to bind in port lower than 1024.

BlockNonCompliantImages bool

If true, running non-compliant image in the container is prevented.

BlockNonCompliantWorkloads bool

If true, running containers in non-compliant pods is prevented.

BlockNonK8sContainers bool

If true, running non-kubernetes containers is prevented.

BlockPrivilegedContainers bool

If true, prevent containers from running with privileged container capability.

BlockReverseShell bool

If true, reverse shell is prevented.

BlockRootUser bool

If true, prevent containers from running with root user.

BlockUnregisteredImages bool

If true, running images in the container that are not registered in Aqua is prevented.

BlockUseIpcNamespace bool

If true, prevent containers from running with the privilege to use the IPC namespace.

BlockUsePidNamespace bool

If true, prevent containers from running with the privilege to use the PID namespace.

BlockUseUserNamespace bool

If true, prevent containers from running with the privilege to use the user namespace.

BlockUseUtsNamespace bool

If true, prevent containers from running with the privilege to use the UTS namespace.

BlockedCapabilities List<string>

List of Linux capabilities that containers matched by this policy are prevented from using. This property is a list of capability names, not a boolean.

BlockedExecutables List<string>

List of executables that are prevented from running in containers.

BlockedFiles List<string>

List of files that are prevented from being read, modified and executed in the containers.

BlockedInboundPorts List<string>

List of blocked inbound ports.

BlockedOutboundPorts List<string>

List of blocked outbound ports.

BlockedPackages List<string>

Prevent containers from reading, writing, or executing all files in the list of packages.

BlockedVolumes List<string>

List of volumes that are prevented from being mounted in the containers.

ContainerExecAllowedProcesses List<string>

List of processes exempted from `BlockContainerExec`. Each entry is an exception to that control, so keep the list minimal.

Description string

The description of the container runtime policy

EnableDriftPrevention bool

If true, executables that are not part of the original image are prevented from running (drift prevention).

EnableForkGuard bool

If true, fork bombs are prevented in the containers.

EnableIpReputationSecurity bool

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

EnablePortScanDetection bool

If true, detects port scanning behavior in the container.

Enabled bool

Indicates if the runtime policy is enabled or not.

Enforce bool

Indicates whether the policy should affect container execution rather than only audit it. When false, the policy runs in audit-only mode and the `Block*` settings above do not stop the activity they describe.

EnforceAfterDays int

Indicates the number of days after which the runtime policy will be changed to enforce mode.

ExceptionalReadonlyFilesAndDirectories List<string>

List of files and directories to be excluded from the read-only list.

FileIntegrityMonitorings List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyFileIntegrityMonitoring>

Configuration for file integrity monitoring.

ForkGuardProcessLimit int

Process limit for the fork guard.

Id string

The provider-assigned unique ID for this managed resource.

LimitNewPrivileges bool

If true, prevents the container from obtaining new privileges at runtime. This control only takes effect when the policy is in enforce mode (`Enforce` is true); in audit-only mode it has no effect.

MalwareScanOptions List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyMalwareScanOption>

Configuration for Real-Time Malware Protection.

MonitorSystemTimeChanges bool

If true, system time changes will be monitored.

Name string

Name of the container runtime policy

ReadonlyFilesAndDirectories List<string>

List of files and directories to be restricted as read-only

ReverseShellAllowedIps List<string>

List of IPs/CIDRs exempted from the reverse-shell block (`BlockReverseShell`). Each entry is an exception to that control, so keep the list minimal.

ReverseShellAllowedProcesses List<string>

List of processes that will be allowed

ScopeExpression string

Logical expression of how to compute the dependency of the scope variables.

ScopeVariables List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyScopeVariable>

List of scope attributes.

AllowedExecutables []string

List of executables that are allowed for the user.

AllowedRegistries []string

List of registries from which containers are allowed to run.

ApplicationScopes []string

Indicates the application scope of the service.

AuditAllNetworkActivity bool

If true, all network activity will be audited.

AuditAllProcessesActivity bool

If true, all process activity will be audited.

AuditFullCommandArguments bool

If true, full command arguments will be audited.

Author string

Username of the account that created the service.

BlockAccessHostNetwork bool

If true, prevent containers from running with access to host network.

BlockAddingCapabilities bool

If true, prevent containers from running with adding capabilities with --cap-add privilege.

BlockContainerExec bool

If true, exec into a container is prevented.

BlockCryptocurrencyMining bool

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

BlockFilelessExec bool

Detect and prevent running in-memory execution

BlockLowPortBinding bool

If true, prevent containers from running with the capability to bind in port lower than 1024.

BlockNonCompliantImages bool

If true, running non-compliant image in the container is prevented.

BlockNonCompliantWorkloads bool

If true, running containers in non-compliant pods is prevented.

BlockNonK8sContainers bool

If true, running non-kubernetes containers is prevented.

BlockPrivilegedContainers bool

If true, prevent containers from running with privileged container capability.

BlockReverseShell bool

If true, reverse shell is prevented.

BlockRootUser bool

If true, prevent containers from running with root user.

BlockUnregisteredImages bool

If true, running images in the container that are not registered in Aqua is prevented.

BlockUseIpcNamespace bool

If true, prevent containers from running with the privilege to use the IPC namespace.

BlockUsePidNamespace bool

If true, prevent containers from running with the privilege to use the PID namespace.

BlockUseUserNamespace bool

If true, prevent containers from running with the privilege to use the user namespace.

BlockUseUtsNamespace bool

If true, prevent containers from running with the privilege to use the UTS namespace.

BlockedCapabilities []string

List of Linux capabilities that containers matched by this policy are prevented from using. This property is a list of capability names, not a boolean.

BlockedExecutables []string

List of executables that are prevented from running in containers.

BlockedFiles []string

List of files that are prevented from being read, modified and executed in the containers.

BlockedInboundPorts []string

List of blocked inbound ports.

BlockedOutboundPorts []string

List of blocked outbound ports.

BlockedPackages []string

Prevent containers from reading, writing, or executing all files in the list of packages.

BlockedVolumes []string

List of volumes that are prevented from being mounted in the containers.

ContainerExecAllowedProcesses []string

List of processes exempted from `BlockContainerExec`. Each entry is an exception to that control, so keep the list minimal.

Description string

The description of the container runtime policy

EnableDriftPrevention bool

If true, executables that are not part of the original image are prevented from running (drift prevention).

EnableForkGuard bool

If true, fork bombs are prevented in the containers.

EnableIpReputationSecurity bool

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

EnablePortScanDetection bool

If true, detects port scanning behavior in the container.

Enabled bool

Indicates if the runtime policy is enabled or not.

Enforce bool

Indicates whether the policy should affect container execution rather than only audit it. When false, the policy runs in audit-only mode and the `Block*` settings above do not stop the activity they describe.

EnforceAfterDays int

Indicates the number of days after which the runtime policy will be changed to enforce mode.

ExceptionalReadonlyFilesAndDirectories []string

List of files and directories to be excluded from the read-only list.

FileIntegrityMonitorings []GetContainerRuntimePolicyFileIntegrityMonitoring

Configuration for file integrity monitoring.

ForkGuardProcessLimit int

Process limit for the fork guard.

Id string

The provider-assigned unique ID for this managed resource.

LimitNewPrivileges bool

If true, prevents the container from obtaining new privileges at runtime. This control only takes effect when the policy is in enforce mode (`Enforce` is true); in audit-only mode it has no effect.

MalwareScanOptions []GetContainerRuntimePolicyMalwareScanOption

Configuration for Real-Time Malware Protection.

MonitorSystemTimeChanges bool

If true, system time changes will be monitored.

Name string

Name of the container runtime policy

ReadonlyFilesAndDirectories []string

List of files and directories to be restricted as read-only

ReverseShellAllowedIps []string

List of IPs/CIDRs exempted from the reverse-shell block (`BlockReverseShell`). Each entry is an exception to that control, so keep the list minimal.

ReverseShellAllowedProcesses []string

List of processes that will be allowed

ScopeExpression string

Logical expression of how to compute the dependency of the scope variables.

ScopeVariables []GetContainerRuntimePolicyScopeVariable

List of scope attributes.

allowedExecutables List<String>

List of executables that are allowed for the user.

allowedRegistries List<String>

List of registries from which containers are allowed to run.

applicationScopes List<String>

Indicates the application scope of the service.

auditAllNetworkActivity Boolean

If true, all network activity will be audited.

auditAllProcessesActivity Boolean

If true, all process activity will be audited.

auditFullCommandArguments Boolean

If true, full command arguments will be audited.

author String

Username of the account that created the service.

blockAccessHostNetwork Boolean

If true, prevent containers from running with access to host network.

blockAddingCapabilities Boolean

If true, prevent containers from running with adding capabilities with --cap-add privilege.

blockContainerExec Boolean

If true, exec into a container is prevented.

blockCryptocurrencyMining Boolean

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

blockFilelessExec Boolean

Detect and prevent running in-memory execution

blockLowPortBinding Boolean

If true, prevent containers from running with the capability to bind in port lower than 1024.

blockNonCompliantImages Boolean

If true, running non-compliant image in the container is prevented.

blockNonCompliantWorkloads Boolean

If true, running containers in non-compliant pods is prevented.

blockNonK8sContainers Boolean

If true, running non-kubernetes containers is prevented.

blockPrivilegedContainers Boolean

If true, prevent containers from running with privileged container capability.

blockReverseShell Boolean

If true, reverse shell is prevented.

blockRootUser Boolean

If true, prevent containers from running with root user.

blockUnregisteredImages Boolean

If true, running images in the container that are not registered in Aqua is prevented.

blockUseIpcNamespace Boolean

If true, prevent containers from running with the privilege to use the IPC namespace.

blockUsePidNamespace Boolean

If true, prevent containers from running with the privilege to use the PID namespace.

blockUseUserNamespace Boolean

If true, prevent containers from running with the privilege to use the user namespace.

blockUseUtsNamespace Boolean

If true, prevent containers from running with the privilege to use the UTS namespace.

blockedCapabilities List<String>

List of Linux capabilities that containers matched by this policy are prevented from using. This property is a list of capability names, not a boolean.

blockedExecutables List<String>

List of executables that are prevented from running in containers.

blockedFiles List<String>

List of files that are prevented from being read, modified and executed in the containers.

blockedInboundPorts List<String>

List of blocked inbound ports.

blockedOutboundPorts List<String>

List of blocked outbound ports.

blockedPackages List<String>

Prevent containers from reading, writing, or executing all files in the list of packages.

blockedVolumes List<String>

List of volumes that are prevented from being mounted in the containers.

containerExecAllowedProcesses List<String>

List of processes exempted from `blockContainerExec`. Each entry is an exception to that control, so keep the list minimal.

description String

The description of the container runtime policy

enableDriftPrevention Boolean

If true, executables that are not part of the original image are prevented from running (drift prevention).

enableForkGuard Boolean

If true, fork bombs are prevented in the containers.

enableIpReputationSecurity Boolean

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enablePortScanDetection Boolean

If true, detects port scanning behavior in the container.

enabled Boolean

Indicates if the runtime policy is enabled or not.

enforce Boolean

Indicates whether the policy should affect container execution rather than only audit it. When false, the policy runs in audit-only mode and the `block*` settings above do not stop the activity they describe.

enforceAfterDays Integer

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptionalReadonlyFilesAndDirectories List<String>

List of files and directories to be excluded from the read-only list.

fileIntegrityMonitorings List<GetContainerRuntimePolicyFileIntegrityMonitoring>

Configuration for file integrity monitoring.

forkGuardProcessLimit Integer

Process limit for the fork guard.

id String

The provider-assigned unique ID for this managed resource.

limitNewPrivileges Boolean

If true, prevents the container from obtaining new privileges at runtime. This control only takes effect when the policy is in enforce mode (`enforce` is true); in audit-only mode it has no effect.

malwareScanOptions List<GetContainerRuntimePolicyMalwareScanOption>

Configuration for Real-Time Malware Protection.

monitorSystemTimeChanges Boolean

If true, system time changes will be monitored.

name String

Name of the container runtime policy

readonlyFilesAndDirectories List<String>

List of files and directories to be restricted as read-only

reverseShellAllowedIps List<String>

List of IPs/CIDRs exempted from the reverse-shell block (`blockReverseShell`). Each entry is an exception to that control, so keep the list minimal.

reverseShellAllowedProcesses List<String>

List of processes that will be allowed

scopeExpression String

Logical expression of how to compute the dependency of the scope variables.

scopeVariables List<GetContainerRuntimePolicyScopeVariable>

List of scope attributes.

allowedExecutables string[]

List of executables that are allowed for the user.

allowedRegistries string[]

List of registries from which containers are allowed to run.

applicationScopes string[]

Indicates the application scope of the service.

auditAllNetworkActivity boolean

If true, all network activity will be audited.

auditAllProcessesActivity boolean

If true, all process activity will be audited.

auditFullCommandArguments boolean

If true, full command arguments will be audited.

author string

Username of the account that created the service.

blockAccessHostNetwork boolean

If true, prevent containers from running with access to host network.

blockAddingCapabilities boolean

If true, prevent containers from running with adding capabilities with --cap-add privilege.

blockContainerExec boolean

If true, exec into a container is prevented.

blockCryptocurrencyMining boolean

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

blockFilelessExec boolean

Detect and prevent running in-memory execution

blockLowPortBinding boolean

If true, prevent containers from running with the capability to bind in port lower than 1024.

blockNonCompliantImages boolean

If true, running non-compliant image in the container is prevented.

blockNonCompliantWorkloads boolean

If true, running containers in non-compliant pods is prevented.

blockNonK8sContainers boolean

If true, running non-kubernetes containers is prevented.

blockPrivilegedContainers boolean

If true, prevent containers from running with privileged container capability.

blockReverseShell boolean

If true, reverse shell is prevented.

blockRootUser boolean

If true, prevent containers from running with root user.

blockUnregisteredImages boolean

If true, running images in the container that are not registered in Aqua is prevented.

blockUseIpcNamespace boolean

If true, prevent containers from running with the privilege to use the IPC namespace.

blockUsePidNamespace boolean

If true, prevent containers from running with the privilege to use the PID namespace.

blockUseUserNamespace boolean

If true, prevent containers from running with the privilege to use the user namespace.

blockUseUtsNamespace boolean

If true, prevent containers from running with the privilege to use the UTS namespace.

blockedCapabilities string[]

List of Linux capabilities that containers matched by this policy are prevented from using. This property is a list of capability names, not a boolean.

blockedExecutables string[]

List of executables that are prevented from running in containers.

blockedFiles string[]

List of files that are prevented from being read, modified and executed in the containers.

blockedInboundPorts string[]

List of blocked inbound ports.

blockedOutboundPorts string[]

List of blocked outbound ports.

blockedPackages string[]

Prevent containers from reading, writing, or executing all files in the list of packages.

blockedVolumes string[]

List of volumes that are prevented from being mounted in the containers.

containerExecAllowedProcesses string[]

List of processes exempted from `blockContainerExec`. Each entry is an exception to that control, so keep the list minimal.

description string

The description of the container runtime policy

enableDriftPrevention boolean

If true, executables that are not part of the original image are prevented from running (drift prevention).

enableForkGuard boolean

If true, fork bombs are prevented in the containers.

enableIpReputationSecurity boolean

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enablePortScanDetection boolean

If true, detects port scanning behavior in the container.

enabled boolean

Indicates if the runtime policy is enabled or not.

enforce boolean

Indicates whether the policy should affect container execution rather than only audit it. When false, the policy runs in audit-only mode and the `block*` settings above do not stop the activity they describe.

enforceAfterDays number

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptionalReadonlyFilesAndDirectories string[]

List of files and directories to be excluded from the read-only list.

fileIntegrityMonitorings GetContainerRuntimePolicyFileIntegrityMonitoring[]

Configuration for file integrity monitoring.

forkGuardProcessLimit number

Process limit for the fork guard.

id string

The provider-assigned unique ID for this managed resource.

limitNewPrivileges boolean

If true, prevents the container from obtaining new privileges at runtime. This control only takes effect when the policy is in enforce mode (`enforce` is true); in audit-only mode it has no effect.

malwareScanOptions GetContainerRuntimePolicyMalwareScanOption[]

Configuration for Real-Time Malware Protection.

monitorSystemTimeChanges boolean

If true, system time changes will be monitored.

name string

Name of the container runtime policy

readonlyFilesAndDirectories string[]

List of files and directories to be restricted as read-only

reverseShellAllowedIps string[]

List of IPs/CIDRs exempted from the reverse-shell block (`blockReverseShell`). Each entry is an exception to that control, so keep the list minimal.

reverseShellAllowedProcesses string[]

List of processes that will be allowed

scopeExpression string

Logical expression of how to compute the dependency of the scope variables.

scopeVariables GetContainerRuntimePolicyScopeVariable[]

List of scope attributes.

allowed_executables Sequence[str]

List of executables that are allowed for the user.

allowed_registries Sequence[str]

List of registries from which containers are allowed to run.

application_scopes Sequence[str]

Indicates the application scope of the service.

audit_all_network_activity bool

If true, all network activity will be audited.

audit_all_processes_activity bool

If true, all process activity will be audited.

audit_full_command_arguments bool

If true, full command arguments will be audited.

author str

Username of the account that created the service.

block_access_host_network bool

If true, prevent containers from running with access to host network.

block_adding_capabilities bool

If true, prevent containers from running with adding capabilities with --cap-add privilege.

block_container_exec bool

If true, exec into a container is prevented.

block_cryptocurrency_mining bool

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

block_fileless_exec bool

Detect and prevent running in-memory execution

block_low_port_binding bool

If true, prevent containers from running with the capability to bind in port lower than 1024.

block_non_compliant_images bool

If true, running non-compliant image in the container is prevented.

block_non_compliant_workloads bool

If true, running containers in non-compliant pods is prevented.

block_non_k8s_containers bool

If true, running non-kubernetes containers is prevented.

block_privileged_containers bool

If true, prevent containers from running with privileged container capability.

block_reverse_shell bool

If true, reverse shell is prevented.

block_root_user bool

If true, prevent containers from running with root user.

block_unregistered_images bool

If true, running images in the container that are not registered in Aqua is prevented.

block_use_ipc_namespace bool

If true, prevent containers from running with the privilege to use the IPC namespace.

block_use_pid_namespace bool

If true, prevent containers from running with the privilege to use the PID namespace.

block_use_user_namespace bool

If true, prevent containers from running with the privilege to use the user namespace.

block_use_uts_namespace bool

If true, prevent containers from running with the privilege to use the UTS namespace.

blocked_capabilities Sequence[str]

List of Linux capabilities that containers matched by this policy are prevented from using. This property is a list of capability names, not a boolean.

blocked_executables Sequence[str]

List of executables that are prevented from running in containers.

blocked_files Sequence[str]

List of files that are prevented from being read, modified and executed in the containers.

blocked_inbound_ports Sequence[str]

List of blocked inbound ports.

blocked_outbound_ports Sequence[str]

List of blocked outbound ports.

blocked_packages Sequence[str]

Prevent containers from reading, writing, or executing all files in the list of packages.

blocked_volumes Sequence[str]

List of volumes that are prevented from being mounted in the containers.

container_exec_allowed_processes Sequence[str]

List of processes exempted from `block_container_exec`. Each entry is an exception to that control, so keep the list minimal.

description str

The description of the container runtime policy

enable_drift_prevention bool

If true, executables that are not part of the original image are prevented from running (drift prevention).

enable_fork_guard bool

If true, fork bombs are prevented in the containers.

enable_ip_reputation_security bool

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enable_port_scan_detection bool

If true, detects port scanning behavior in the container.

enabled bool

Indicates if the runtime policy is enabled or not.

enforce bool

Indicates whether the policy should affect container execution rather than only audit it. When false, the policy runs in audit-only mode and the `block_*` settings above do not stop the activity they describe.

enforce_after_days int

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptional_readonly_files_and_directories Sequence[str]

List of files and directories to be excluded from the read-only list.

file_integrity_monitorings Sequence[GetContainerRuntimePolicyFileIntegrityMonitoring]

Configuration for file integrity monitoring.

fork_guard_process_limit int

Process limit for the fork guard.

id str

The provider-assigned unique ID for this managed resource.

limit_new_privileges bool

If true, prevents the container from obtaining new privileges at runtime. This control only takes effect when the policy is in enforce mode (`enforce` is true); in audit-only mode it has no effect.

malware_scan_options Sequence[GetContainerRuntimePolicyMalwareScanOption]

Configuration for Real-Time Malware Protection.

monitor_system_time_changes bool

If true, system time changes will be monitored.

name str

Name of the container runtime policy

readonly_files_and_directories Sequence[str]

List of files and directories to be restricted as read-only

reverse_shell_allowed_ips Sequence[str]

List of IPs/CIDRs exempted from the reverse-shell block (`block_reverse_shell`). Each entry is an exception to that control, so keep the list minimal.

reverse_shell_allowed_processes Sequence[str]

List of processes that will be allowed

scope_expression str

Logical expression of how to compute the dependency of the scope variables.

scope_variables Sequence[GetContainerRuntimePolicyScopeVariable]

List of scope attributes.

allowedExecutables List<String>

List of executables that are allowed for the user.

allowedRegistries List<String>

List of registries from which containers are allowed to run.

applicationScopes List<String>

Indicates the application scope of the service.

auditAllNetworkActivity Boolean

If true, all network activity will be audited.

auditAllProcessesActivity Boolean

If true, all process activity will be audited.

auditFullCommandArguments Boolean

If true, full command arguments will be audited.

author String

Username of the account that created the service.

blockAccessHostNetwork Boolean

If true, prevent containers from running with access to host network.

blockAddingCapabilities Boolean

If true, prevent containers from running with added capabilities (the --cap-add privilege).

blockContainerExec Boolean

If true, exec into a container is prevented.

blockCryptocurrencyMining Boolean

Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining

blockFilelessExec Boolean

Detect and prevent running in-memory execution

blockLowPortBinding Boolean

If true, prevent containers from running with the capability to bind to ports lower than 1024.

blockNonCompliantImages Boolean

If true, running a non-compliant image in the container is prevented.

blockNonCompliantWorkloads Boolean

If true, running containers in non-compliant pods is prevented.

blockNonK8sContainers Boolean

If true, running non-Kubernetes containers is prevented.

blockPrivilegedContainers Boolean

If true, prevent containers from running with privileged container capability.

blockReverseShell Boolean

If true, reverse shell is prevented.

blockRootUser Boolean

If true, prevent containers from running with root user.

blockUnregisteredImages Boolean

If true, running images that are not registered in Aqua is prevented in the container.

blockUseIpcNamespace Boolean

If true, prevent containers from running with the privilege to use the IPC namespace.

blockUsePidNamespace Boolean

If true, prevent containers from running with the privilege to use the PID namespace.

blockUseUserNamespace Boolean

If true, prevent containers from running with the privilege to use the user namespace.

blockUseUtsNamespace Boolean

If true, prevent containers from running with the privilege to use the UTS namespace.

blockedCapabilities List<String>

List of specific Unix capabilities that containers are prevented from using.

blockedExecutables List<String>

List of executables that are prevented from running in containers.

blockedFiles List<String>

List of files that are prevented from being read, modified and executed in the containers.

blockedInboundPorts List<String>

List of blocked inbound ports.

blockedOutboundPorts List<String>

List of blocked outbound ports.

blockedPackages List<String>

Prevent containers from reading, writing, or executing all files in the list of packages.

blockedVolumes List<String>

List of volumes that are prevented from being mounted in the containers.

containerExecAllowedProcesses List<String>

List of processes that will be allowed.

description String

The description of the container runtime policy

enableDriftPrevention Boolean

If true, executables that are not in the original image are prevented from running.

enableForkGuard Boolean

If true, fork bombs are prevented in the containers.

enableIpReputationSecurity Boolean

If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.

enablePortScanDetection Boolean

If true, detects port scanning behavior in the container.

enabled Boolean

Indicates if the runtime policy is enabled or not.

enforce Boolean

Indicates that the policy should affect container execution (not just audit it).

enforceAfterDays Number

Indicates the number of days after which the runtime policy will be changed to enforce mode.

exceptionalReadonlyFilesAndDirectories List<String>

List of files and directories to be excluded from the read-only list.

fileIntegrityMonitorings List<Property Map>

Configuration for file integrity monitoring.

forkGuardProcessLimit Number

Process limit for the fork guard.

id String

The provider-assigned unique ID for this managed resource.

limitNewPrivileges Boolean

If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)

malwareScanOptions List<Property Map>

Configuration for Real-Time Malware Protection.

monitorSystemTimeChanges Boolean

If true, system time changes will be monitored.

name String

Name of the container runtime policy

readonlyFilesAndDirectories List<String>

List of files and directories to be restricted as read-only

reverseShellAllowedIps List<String>

List of IPs/CIDRs that will be allowed.

reverseShellAllowedProcesses List<String>

List of processes that will be allowed

scopeExpression String

Logical expression of how to compute the dependency of the scope variables.

scopeVariables List<Property Map>

List of scope attributes.

Supporting Types

GetContainerRuntimePolicyFileIntegrityMonitoring

excludedPaths List<String>
excludedProcesses List<String>
excludedUsers List<String>
monitorAttributes Boolean
monitorCreate Boolean
monitorDelete Boolean
monitorModify Boolean
monitorRead Boolean
monitoredPaths List<String>
monitoredProcesses List<String>
monitoredUsers List<String>
excludedPaths List<String>
excludedProcesses List<String>
excludedUsers List<String>
monitorAttributes Boolean
monitorCreate Boolean
monitorDelete Boolean
monitorModify Boolean
monitorRead Boolean
monitoredPaths List<String>
monitoredProcesses List<String>
monitoredUsers List<String>

GetContainerRuntimePolicyMalwareScanOption

Action string

Action to take; defaults to 'Alert' when empty.

Enabled bool

Defines whether this option is enabled or not.

ExcludeDirectories List<string>

List of registry paths to be excluded from being protected.

ExcludeProcesses List<string>

List of registry processes to be excluded from being protected.

Action string

Action to take; defaults to 'Alert' when empty.

Enabled bool

Defines whether this option is enabled or not.

ExcludeDirectories []string

List of registry paths to be excluded from being protected.

ExcludeProcesses []string

List of registry processes to be excluded from being protected.

action String

Action to take; defaults to 'Alert' when empty.

enabled Boolean

Defines whether this option is enabled or not.

excludeDirectories List<String>

List of registry paths to be excluded from being protected.

excludeProcesses List<String>

List of registry processes to be excluded from being protected.

action string

Action to take; defaults to 'Alert' when empty.

enabled boolean

Defines whether this option is enabled or not.

excludeDirectories string[]

List of registry paths to be excluded from being protected.

excludeProcesses string[]

List of registry processes to be excluded from being protected.

action str

Action to take; defaults to 'Alert' when empty.

enabled bool

Defines whether this option is enabled or not.

exclude_directories Sequence[str]

List of registry paths to be excluded from being protected.

exclude_processes Sequence[str]

List of registry processes to be excluded from being protected.

action String

Action to take; defaults to 'Alert' when empty.

enabled Boolean

Defines whether this option is enabled or not.

excludeDirectories List<String>

List of registry paths to be excluded from being protected.

excludeProcesses List<String>

List of registry processes to be excluded from being protected.

GetContainerRuntimePolicyScopeVariable

Attribute string
Name string

Name of the container runtime policy

Value string
Attribute string
Name string

Name of the container runtime policy

Value string
attribute String
name String

Name of the container runtime policy

value String
attribute string
name string

Name of the container runtime policy

value string
attribute str
name str

Name of the container runtime policy

value str
attribute String
name String

Name of the container runtime policy

value String

Package Details

Repository
https://github.com/pulumiverse/pulumi-aquasec
License
Apache-2.0
Notes

This Pulumi package is based on the aquasec Terraform Provider.