aquasec.getContainerRuntimePolicy
Example Usage
using System.Collections.Generic;
using Pulumi;
using Aquasec = Pulumi.Aquasec;
return await Deployment.RunAsync(() =>
{
    // Read-only lookup of an existing container runtime policy by its name;
    // nothing is created or modified by this invoke.
    var lookupArgs = new Aquasec.GetContainerRuntimePolicyInvokeArgs
    {
        Name = "FunctionRuntimePolicyName",
    };
    var policy = Aquasec.GetContainerRuntimePolicy.Invoke(lookupArgs);

    // Expose the whole lookup result as a stack output.
    var stackOutputs = new Dictionary<string, object?>();
    stackOutputs["containerRuntimePolicyDetails"] = policy;
    return stackOutputs;
});
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)
// main looks up an existing container runtime policy by name and exports
// the lookup result as a stack output.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Read-only lookup; the policy itself is not created or modified.
		lookupArgs := &aquasec.LookupContainerRuntimePolicyArgs{
			Name: "FunctionRuntimePolicyName",
		}
		policy, err := aquasec.LookupContainerRuntimePolicy(ctx, lookupArgs, nil)
		if err != nil {
			return err
		}
		// Publish the full result under a single stack output key.
		ctx.Export("containerRuntimePolicyDetails", policy)
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.AquasecFunctions;
import com.pulumi.aquasec.inputs.GetContainerRuntimePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Looks up an existing container runtime policy by name and exports the
     * unmodified lookup result as the stack output "containerRuntimePolicyDetails".
     */
    public static void stack(Context ctx) {
        // Read-only lookup; the policy is neither created nor changed here.
        final var lookupArgs = GetContainerRuntimePolicyArgs.builder()
            .name("FunctionRuntimePolicyName")
            .build();
        final var policy = AquasecFunctions.getContainerRuntimePolicy(lookupArgs);
        // Identity mapping keeps the output shape equal to the lookup result.
        ctx.export("containerRuntimePolicyDetails", policy.applyValue(result -> result));
    }
}
import pulumi
import pulumi_aquasec as aquasec
# Read-only lookup of an existing container runtime policy by its name;
# the policy is not created or modified by this call.
policy_name = "FunctionRuntimePolicyName"
container_runtime_policy = aquasec.get_container_runtime_policy(name=policy_name)
# Expose the full lookup result as a stack output.
pulumi.export("containerRuntimePolicyDetails", container_runtime_policy)
import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumi/aquasec";
// Read-only lookup of an existing container runtime policy by its name;
// nothing is created or modified.
const policyName = "FunctionRuntimePolicyName";
const containerRuntimePolicy = aquasec.getContainerRuntimePolicy({ name: policyName });
// Export the entire lookup result as a stack output.
export const containerRuntimePolicyDetails = containerRuntimePolicy;
variables:
  # Read-only lookup of an existing container runtime policy by its name.
  containerRuntimePolicy:
    fn::invoke:
      Function: aquasec:getContainerRuntimePolicy
      Arguments:
        name: FunctionRuntimePolicyName
outputs:
  # The full lookup result, exposed as a stack output.
  containerRuntimePolicyDetails: ${containerRuntimePolicy}
Using getContainerRuntimePolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getContainerRuntimePolicy(args: GetContainerRuntimePolicyArgs, opts?: InvokeOptions): Promise<GetContainerRuntimePolicyResult>
function getContainerRuntimePolicyOutput(args: GetContainerRuntimePolicyOutputArgs, opts?: InvokeOptions): Output<GetContainerRuntimePolicyResult>
def get_container_runtime_policy(malware_scan_options: Optional[Sequence[GetContainerRuntimePolicyMalwareScanOption]] = None,
name: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetContainerRuntimePolicyResult
def get_container_runtime_policy_output(malware_scan_options: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyMalwareScanOptionArgs]]]] = None,
name: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetContainerRuntimePolicyResult]
func LookupContainerRuntimePolicy(ctx *Context, args *LookupContainerRuntimePolicyArgs, opts ...InvokeOption) (*LookupContainerRuntimePolicyResult, error)
func LookupContainerRuntimePolicyOutput(ctx *Context, args *LookupContainerRuntimePolicyOutputArgs, opts ...InvokeOption) LookupContainerRuntimePolicyResultOutput
> Note: This function is named LookupContainerRuntimePolicy in the Go SDK.
public static class GetContainerRuntimePolicy
{
public static Task<GetContainerRuntimePolicyResult> InvokeAsync(GetContainerRuntimePolicyArgs args, InvokeOptions? opts = null)
public static Output<GetContainerRuntimePolicyResult> Invoke(GetContainerRuntimePolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetContainerRuntimePolicyResult> getContainerRuntimePolicy(GetContainerRuntimePolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: aquasec:index/getContainerRuntimePolicy:getContainerRuntimePolicy
arguments:
# arguments dictionary
The following arguments are supported:
- Name string
Name of the container runtime policy
- MalwareScanOptions List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyMalwareScanOption>
Configuration for Real-Time Malware Protection.
- Name string
Name of the container runtime policy
- MalwareScanOptions []GetContainerRuntimePolicyMalwareScanOption
Configuration for Real-Time Malware Protection.
- name String
Name of the container runtime policy
- malware
Scan List<GetOptions Container Runtime Policy Malware Scan Option> Configuration for Real-Time Malware Protection.
- name string
Name of the container runtime policy
- malware
Scan GetOptions Container Runtime Policy Malware Scan Option[] Configuration for Real-Time Malware Protection.
- name str
Name of the container runtime policy
- malware_scan_options Sequence[GetContainerRuntimePolicyMalwareScanOption]
Configuration for Real-Time Malware Protection.
- name String
Name of the container runtime policy
- malware
Scan List<Property Map>Options Configuration for Real-Time Malware Protection.
getContainerRuntimePolicy Result
The following output properties are available:
- Allowed
Executables List<string> List of executables that are allowed for the user.
- Allowed
Registries List<string> List of registries that allowed for running containers.
- Application
Scopes List<string> Indicates the application scope of the service.
- AuditAllNetworkActivity bool
If true, all network activity will be audited.
- Audit
All boolProcesses Activity If true, all process activity will be audited.
- Audit
Full boolCommand Arguments If true, full command arguments will be audited.
- string
Username of the account that created the service.
- Block
Access boolHost Network If true, prevent containers from running with access to host network.
- BlockAddingCapabilities bool
If true, prevent containers from running with adding capabilities with --cap-add privilege.
- BlockContainerExec bool
If true, exec into a container is prevented.
- Block
Cryptocurrency boolMining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- Block
Fileless boolExec Detect and prevent running in-memory execution
- BlockLowPortBinding bool
If true, prevent containers from running with the capability to bind in port lower than 1024.
- Block
Non boolCompliant Images If true, running non-compliant image in the container is prevented.
- Block
Non boolCompliant Workloads If true, running containers in non-compliant pods is prevented.
- Block
Non boolK8s Containers If true, running non-kubernetes containers is prevented.
- BlockPrivilegedContainers bool
If true, prevent containers from running with privileged container capability.
- Block
Reverse boolShell If true, reverse shell is prevented.
- BlockRootUser bool
If true, prevent containers from running with root user.
- Block
Unregistered boolImages If true, running images in the container that are not registered in Aqua is prevented.
- Block
Use boolIpc Namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- Block
Use boolPid Namespace If true, prevent containers from running with the privilege to use the PID namespace.
- Block
Use boolUser Namespace If true, prevent containers from running with the privilege to use the user namespace.
- Block
Use boolUts Namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- BlockedCapabilities List<string>
Unix capabilities that containers are prevented from using.
- Blocked
Executables List<string> List of executables that are prevented from running in containers.
- Blocked
Files List<string> List of files that are prevented from being read, modified and executed in the containers.
- Blocked
Inbound List<string>Ports List of blocked inbound ports.
- Blocked
Outbound List<string>Ports List of blocked outbound ports.
- Blocked
Packages List<string> Prevent containers from reading, writing, or executing all files in the list of packages.
- Blocked
Volumes List<string> List of volumes that are prevented from being mounted in the containers.
- Container
Exec List<string>Allowed Processes List of processes that will be allowed.
- Description string
The description of the container runtime policy
- Enable
Drift boolPrevention If true, executables that are not in the original image is prevented from running.
- Enable
Fork boolGuard If true, fork bombs are prevented in the containers.
- Enable
Ip boolReputation Security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- Enable
Port boolScan Detection If true, detects port scanning behavior in the container.
- Enabled bool
Indicates if the runtime policy is enabled or not.
- Enforce bool
Indicates that the policy should affect container execution (not just audit it).
- EnforceAfterDays int
Indicates the number of days after which the runtime policy will be changed to enforce mode.
- Exceptional
Readonly List<string>Files And Directories List of files and directories to be excluded from the read-only list.
- ExecLockdownWhiteLists List<string>
Specify processes that will be allowed.
- File
Integrity List<Pulumiverse.Monitorings Aquasec. Outputs. Get Container Runtime Policy File Integrity Monitoring> Configuration for file integrity monitoring.
- Fork
Guard intProcess Limit Process limit for the fork guard.
- Id string
The provider-assigned unique ID for this managed resource.
- LimitNewPrivileges bool
If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- Malware
Scan List<Pulumiverse.Options Aquasec. Outputs. Get Container Runtime Policy Malware Scan Option> Configuration for Real-Time Malware Protection.
- Monitor
System boolTime Changes If true, system time changes will be monitored.
- Name string
Name of the container runtime policy
- Readonly
Files List<string>And Directories List of files and directories to be restricted as read-only
- Reverse
Shell List<string>Allowed Ips List of IPs/ CIDRs that will be allowed
- Reverse
Shell List<string>Allowed Processes List of processes that will be allowed
- Scope
Expression string Logical expression of how to compute the dependency of the scope variables.
- Scope
Variables List<Pulumiverse.Aquasec. Outputs. Get Container Runtime Policy Scope Variable> List of scope attributes.
- Allowed
Executables []string List of executables that are allowed for the user.
- Allowed
Registries []string List of registries that allowed for running containers.
- Application
Scopes []string Indicates the application scope of the service.
- Audit
All boolNetwork Activity If true, all network activity will be audited.
- Audit
All boolProcesses Activity If true, all process activity will be audited.
- Audit
Full boolCommand Arguments If true, full command arguments will be audited.
- string
Username of the account that created the service.
- Block
Access boolHost Network If true, prevent containers from running with access to host network.
- BlockAddingCapabilities bool
If true, prevent containers from running with adding capabilities with --cap-add privilege.
- BlockContainerExec bool
If true, exec into a container is prevented.
- Block
Cryptocurrency boolMining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- Block
Fileless boolExec Detect and prevent running in-memory execution
- Block
Low boolPort Binding If true, prevent containers from running with the capability to bind in port lower than 1024.
- Block
Non boolCompliant Images If true, running non-compliant image in the container is prevented.
- Block
Non boolCompliant Workloads If true, running containers in non-compliant pods is prevented.
- Block
Non boolK8s Containers If true, running non-kubernetes containers is prevented.
- Block
Privileged boolContainers If true, prevent containers from running with privileged container capability.
- Block
Reverse boolShell If true, reverse shell is prevented.
- Block
Root boolUser If true, prevent containers from running with root user.
- Block
Unregistered boolImages If true, running images in the container that are not registered in Aqua is prevented.
- Block
Use boolIpc Namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- Block
Use boolPid Namespace If true, prevent containers from running with the privilege to use the PID namespace.
- Block
Use boolUser Namespace If true, prevent containers from running with the privilege to use the user namespace.
- Block
Use boolUts Namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- Blocked
Capabilities []string If true, prevents containers from using specific Unix capabilities.
- Blocked
Executables []string List of executables that are prevented from running in containers.
- Blocked
Files []string List of files that are prevented from being read, modified and executed in the containers.
- Blocked
Inbound []stringPorts List of blocked inbound ports.
- Blocked
Outbound []stringPorts List of blocked outbound ports.
- Blocked
Packages []string Prevent containers from reading, writing, or executing all files in the list of packages.
- Blocked
Volumes []string List of volumes that are prevented from being mounted in the containers.
- Container
Exec []stringAllowed Processes List of processes that will be allowed.
- Description string
The description of the container runtime policy
- Enable
Drift boolPrevention If true, executables that are not in the original image is prevented from running.
- Enable
Fork boolGuard If true, fork bombs are prevented in the containers.
- Enable
Ip boolReputation Security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- Enable
Port boolScan Detection If true, detects port scanning behavior in the container.
- Enabled bool
Indicates if the runtime policy is enabled or not.
- Enforce bool
Indicates that the policy should affect container execution (not just audit it).
- Enforce
After intDays Indicates the number of days after which the runtime policy will be changed to enforce mode.
- Exceptional
Readonly []stringFiles And Directories List of files and directories to be excluded from the read-only list.
- Exec
Lockdown []stringWhite Lists Specify processes that will be allowed
- File
Integrity []GetMonitorings Container Runtime Policy File Integrity Monitoring Configuration for file integrity monitoring.
- Fork
Guard intProcess Limit Process limit for the fork guard.
- Id string
The provider-assigned unique ID for this managed resource.
- Limit
New boolPrivileges If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- Malware
Scan []GetOptions Container Runtime Policy Malware Scan Option Configuration for Real-Time Malware Protection.
- Monitor
System boolTime Changes If true, system time changes will be monitored.
- Name string
Name of the container runtime policy
- Readonly
Files []stringAnd Directories List of files and directories to be restricted as read-only
- Reverse
Shell []stringAllowed Ips List of IPs/ CIDRs that will be allowed
- Reverse
Shell []stringAllowed Processes List of processes that will be allowed
- Scope
Expression string Logical expression of how to compute the dependency of the scope variables.
- Scope
Variables []GetContainer Runtime Policy Scope Variable List of scope attributes.
- allowed
Executables List<String> List of executables that are allowed for the user.
- allowed
Registries List<String> List of registries that allowed for running containers.
- application
Scopes List<String> Indicates the application scope of the service.
- audit
All BooleanNetwork Activity If true, all network activity will be audited.
- audit
All BooleanProcesses Activity If true, all process activity will be audited.
- audit
Full BooleanCommand Arguments If true, full command arguments will be audited.
- String
Username of the account that created the service.
- block
Access BooleanHost Network If true, prevent containers from running with access to host network.
- block
Adding BooleanCapabilities If true, prevent containers from running with adding capabilities with
--cap-add
privilege.- block
Container BooleanExec If true, exec into a container is prevented.
- block
Cryptocurrency BooleanMining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Fileless BooleanExec Detect and prevent running in-memory execution
- block
Low BooleanPort Binding If true, prevent containers from running with the capability to bind in port lower than 1024.
- block
Non BooleanCompliant Images If true, running non-compliant image in the container is prevented.
- block
Non BooleanCompliant Workloads If true, running containers in non-compliant pods is prevented.
- block
Non BooleanK8s Containers If true, running non-kubernetes containers is prevented.
- block
Privileged BooleanContainers If true, prevent containers from running with privileged container capability.
- block
Reverse BooleanShell If true, reverse shell is prevented.
- block
Root BooleanUser If true, prevent containers from running with root user.
- block
Unregistered BooleanImages If true, running images in the container that are not registered in Aqua is prevented.
- block
Use BooleanIpc Namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use BooleanPid Namespace If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use BooleanUser Namespace If true, prevent containers from running with the privilege to use the user namespace.
- block
Use BooleanUts Namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked
Capabilities List<String> If true, prevents containers from using specific Unix capabilities.
- blocked
Executables List<String> List of executables that are prevented from running in containers.
- blocked
Files List<String> List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound List<String>Ports List of blocked inbound ports.
- blocked
Outbound List<String>Ports List of blocked outbound ports.
- blocked
Packages List<String> Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes List<String> List of volumes that are prevented from being mounted in the containers.
- container
Exec List<String>Allowed Processes List of processes that will be allowed.
- description String
The description of the container runtime policy
- enable
Drift BooleanPrevention If true, executables that are not in the original image is prevented from running.
- enable
Fork BooleanGuard If true, fork bombs are prevented in the containers.
- enable
Ip BooleanReputation Security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable
Port BooleanScan Detection If true, detects port scanning behavior in the container.
- enabled Boolean
Indicates if the runtime policy is enabled or not.
- enforce Boolean
Indicates that the policy should affect container execution (not just audit it).
- enforce
After IntegerDays Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional
Readonly List<String>Files And Directories List of files and directories to be excluded from the read-only list.
- exec
Lockdown List<String>White Lists Specify processes that will be allowed
- file
Integrity List<GetMonitorings Container Runtime Policy File Integrity Monitoring> Configuration for file integrity monitoring.
- fork
Guard IntegerProcess Limit Process limit for the fork guard.
- id String
The provider-assigned unique ID for this managed resource.
- limit
New BooleanPrivileges If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- malware
Scan List<GetOptions Container Runtime Policy Malware Scan Option> Configuration for Real-Time Malware Protection.
- monitor
System BooleanTime Changes If true, system time changes will be monitored.
- name String
Name of the container runtime policy
- readonly
Files List<String>And Directories List of files and directories to be restricted as read-only
- reverse
Shell List<String>Allowed Ips List of IPs/ CIDRs that will be allowed
- reverse
Shell List<String>Allowed Processes List of processes that will be allowed
- scope
Expression String Logical expression of how to compute the dependency of the scope variables.
- scope
Variables List<GetContainer Runtime Policy Scope Variable> List of scope attributes.
- allowed
Executables string[] List of executables that are allowed for the user.
- allowed
Registries string[] List of registries that allowed for running containers.
- application
Scopes string[] Indicates the application scope of the service.
- audit
All booleanNetwork Activity If true, all network activity will be audited.
- audit
All booleanProcesses Activity If true, all process activity will be audited.
- audit
Full booleanCommand Arguments If true, full command arguments will be audited.
- string
Username of the account that created the service.
- block
Access booleanHost Network If true, prevent containers from running with access to host network.
- block
Adding booleanCapabilities If true, prevent containers from running with adding capabilities with
--cap-add
privilege.- block
Container booleanExec If true, exec into a container is prevented.
- block
Cryptocurrency booleanMining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Fileless booleanExec Detect and prevent running in-memory execution
- block
Low booleanPort Binding If true, prevent containers from running with the capability to bind in port lower than 1024.
- block
Non booleanCompliant Images If true, running non-compliant image in the container is prevented.
- block
Non booleanCompliant Workloads If true, running containers in non-compliant pods is prevented.
- block
Non booleanK8s Containers If true, running non-kubernetes containers is prevented.
- block
Privileged booleanContainers If true, prevent containers from running with privileged container capability.
- block
Reverse booleanShell If true, reverse shell is prevented.
- block
Root booleanUser If true, prevent containers from running with root user.
- block
Unregistered booleanImages If true, running images in the container that are not registered in Aqua is prevented.
- block
Use booleanIpc Namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use booleanPid Namespace If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use booleanUser Namespace If true, prevent containers from running with the privilege to use the user namespace.
- block
Use booleanUts Namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked
Capabilities string[] If true, prevents containers from using specific Unix capabilities.
- blocked
Executables string[] List of executables that are prevented from running in containers.
- blocked
Files string[] List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound string[]Ports List of blocked inbound ports.
- blocked
Outbound string[]Ports List of blocked outbound ports.
- blocked
Packages string[] Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes string[] List of volumes that are prevented from being mounted in the containers.
- container
Exec string[]Allowed Processes List of processes that will be allowed.
- description string
The description of the container runtime policy
- enable
Drift booleanPrevention If true, executables that are not in the original image is prevented from running.
- enable
Fork booleanGuard If true, fork bombs are prevented in the containers.
- enable
Ip booleanReputation Security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable
Port booleanScan Detection If true, detects port scanning behavior in the container.
- enabled boolean
Indicates if the runtime policy is enabled or not.
- enforce boolean
Indicates that the policy should affect container execution (not just audit it).
- enforce
After numberDays Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional
Readonly string[]Files And Directories List of files and directories to be excluded from the read-only list.
- exec
Lockdown string[]White Lists Specify processes that will be allowed
- file
Integrity GetMonitorings Container Runtime Policy File Integrity Monitoring[] Configuration for file integrity monitoring.
- fork
Guard numberProcess Limit Process limit for the fork guard.
- id string
The provider-assigned unique ID for this managed resource.
- limit
New booleanPrivileges If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- malware
Scan GetOptions Container Runtime Policy Malware Scan Option[] Configuration for Real-Time Malware Protection.
- monitor
System booleanTime Changes If true, system time changes will be monitored.
- name string
Name of the container runtime policy
- readonly
Files string[]And Directories List of files and directories to be restricted as read-only
- reverse
Shell string[]Allowed Ips List of IPs/ CIDRs that will be allowed
- reverse
Shell string[]Allowed Processes List of processes that will be allowed
- scope
Expression string Logical expression of how to compute the dependency of the scope variables.
- scope
Variables GetContainer Runtime Policy Scope Variable[] List of scope attributes.
- allowed_
executables Sequence[str] List of executables that are allowed for the user.
- allowed_
registries Sequence[str] List of registries that allowed for running containers.
- application_
scopes Sequence[str] Indicates the application scope of the service.
- audit_
all_ boolnetwork_ activity If true, all network activity will be audited.
- audit_
all_ boolprocesses_ activity If true, all process activity will be audited.
- audit_
full_ boolcommand_ arguments If true, full command arguments will be audited.
- str
Username of the account that created the service.
- block_
access_ boolhost_ network If true, prevent containers from running with access to host network.
- block_adding_capabilities bool
If true, prevent containers from running with adding capabilities with --cap-add privilege.
- block_container_exec bool
If true, exec into a container is prevented.
- block_
cryptocurrency_ boolmining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block_
fileless_ boolexec Detect and prevent running in-memory execution
- block_
low_ boolport_ binding If true, prevent containers from running with the capability to bind in port lower than 1024.
- block_
non_ boolcompliant_ images If true, running non-compliant image in the container is prevented.
- block_
non_ boolcompliant_ workloads If true, running containers in non-compliant pods is prevented.
- block_
non_ boolk8s_ containers If true, running non-kubernetes containers is prevented.
- block_
privileged_ boolcontainers If true, prevent containers from running with privileged container capability.
- block_
reverse_ boolshell If true, reverse shell is prevented.
- block_
root_ booluser If true, prevent containers from running with root user.
- block_
unregistered_ boolimages If true, running images in the container that are not registered in Aqua is prevented.
- block_
use_ boolipc_ namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- block_
use_ boolpid_ namespace If true, prevent containers from running with the privilege to use the PID namespace.
- block_
use_ booluser_ namespace If true, prevent containers from running with the privilege to use the user namespace.
- block_
use_ booluts_ namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked_
capabilities Sequence[str] If true, prevents containers from using specific Unix capabilities.
- blocked_
executables Sequence[str] List of executables that are prevented from running in containers.
- blocked_
files Sequence[str] List of files that are prevented from being read, modified and executed in the containers.
- blocked_
inbound_ Sequence[str]ports List of blocked inbound ports.
- blocked_
outbound_ Sequence[str]ports List of blocked outbound ports.
- blocked_
packages Sequence[str] Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked_
volumes Sequence[str] List of volumes that are prevented from being mounted in the containers.
- container_
exec_ Sequence[str]allowed_ processes List of processes that will be allowed.
- description str
The description of the container runtime policy
- enable_
drift_ boolprevention If true, executables that are not in the original image is prevented from running.
- enable_
fork_ boolguard If true, fork bombs are prevented in the containers.
- enable_
ip_ boolreputation_ security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable_
port_ boolscan_ detection If true, detects port scanning behavior in the container.
- enabled bool
Indicates if the runtime policy is enabled or not.
- enforce bool
Indicates that the policy should affect container execution (not just audit it).
- enforce_
after_ intdays Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional_
readonly_ Sequence[str]files_ and_ directories List of files and directories to be excluded from the read-only list.
- exec_
lockdown_ Sequence[str]white_ lists Specify processes that will be allowed
- file_
integrity_ Sequence[Getmonitorings Container Runtime Policy File Integrity Monitoring] Configuration for file integrity monitoring.
- fork_
guard_ intprocess_ limit Process limit for the fork guard.
- id str
The provider-assigned unique ID for this managed resource.
- limit_new_privileges bool
If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- malware_
scan_ Sequence[Getoptions Container Runtime Policy Malware Scan Option] Configuration for Real-Time Malware Protection.
- monitor_
system_ booltime_ changes If true, system time changes will be monitored.
- name str
Name of the container runtime policy
- readonly_
files_ Sequence[str]and_ directories List of files and directories to be restricted as read-only
- reverse_
shell_ Sequence[str]allowed_ ips List of IPs/ CIDRs that will be allowed
- reverse_
shell_ Sequence[str]allowed_ processes List of processes that will be allowed
- scope_
expression str Logical expression of how to compute the dependency of the scope variables.
- scope_
variables Sequence[GetContainer Runtime Policy Scope Variable] List of scope attributes.
- allowed
Executables List<String> List of executables that are allowed for the user.
- allowed
Registries List<String> List of registries that allowed for running containers.
- application
Scopes List<String> Indicates the application scope of the service.
- audit
All BooleanNetwork Activity If true, all network activity will be audited.
- audit
All BooleanProcesses Activity If true, all process activity will be audited.
- audit
Full BooleanCommand Arguments If true, full command arguments will be audited.
- String
Username of the account that created the service.
- block
Access BooleanHost Network If true, prevent containers from running with access to host network.
- blockAddingCapabilities Boolean
If true, prevent containers from running with added Linux capabilities (e.g. via `--cap-add`).
- blockContainerExec Boolean
If true, exec into a container is prevented.
- block
Cryptocurrency BooleanMining Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- blockFilelessExec Boolean
If true, detect and prevent fileless (in-memory) execution.
- blockLowPortBinding Boolean
If true, prevent containers from binding to privileged ports (port numbers lower than 1024).
- block
Non BooleanCompliant Images If true, running non-compliant image in the container is prevented.
- block
Non BooleanCompliant Workloads If true, running containers in non-compliant pods is prevented.
- block
Non BooleanK8s Containers If true, running non-kubernetes containers is prevented.
- block
Privileged BooleanContainers If true, prevent containers from running with privileged container capability.
- block
Reverse BooleanShell If true, reverse shell is prevented.
- block
Root BooleanUser If true, prevent containers from running with root user.
- blockUnregisteredImages Boolean
If true, running images that are not registered in Aqua is prevented.
- block
Use BooleanIpc Namespace If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use BooleanPid Namespace If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use BooleanUser Namespace If true, prevent containers from running with the privilege to use the user namespace.
- block
Use BooleanUts Namespace If true, prevent containers from running with the privilege to use the UTS namespace.
- blockedCapabilities List<String>
List of Linux capabilities that containers are prevented from using.
- blocked
Executables List<String> List of executables that are prevented from running in containers.
- blocked
Files List<String> List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound List<String>Ports List of blocked inbound ports.
- blocked
Outbound List<String>Ports List of blocked outbound ports.
- blocked
Packages List<String> Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes List<String> List of volumes that are prevented from being mounted in the containers.
- container
Exec List<String>Allowed Processes List of processes that will be allowed.
- description String
The description of the container runtime policy
- enableDriftPrevention Boolean
If true, executables that are not part of the original image are prevented from running.
- enable
Fork BooleanGuard If true, fork bombs are prevented in the containers.
- enable
Ip BooleanReputation Security If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable
Port BooleanScan Detection If true, detects port scanning behavior in the container.
- enabled Boolean
Indicates if the runtime policy is enabled or not.
- enforce Boolean
Indicates that the policy should affect container execution (block violations), not just audit them. When false, violations are only audited.
- enforceAfterDays Number
Number of days after which the runtime policy is switched to enforce mode; until then the policy only audits.
- exceptional
Readonly List<String>Files And Directories List of files and directories to be excluded from the read-only list.
- exec
Lockdown List<String>White Lists Specify processes that will be allowed
- file
Integrity List<Property Map>Monitorings Configuration for file integrity monitoring.
- fork
Guard NumberProcess Limit Process limit for the fork guard.
- id String
The provider-assigned unique ID for this managed resource.
- limitNewPrivileges Boolean
If true, prevents the container from obtaining new privileges at runtime. This setting only takes effect when the policy is in enforce mode; in audit-only mode it has no effect.
- malware
Scan List<Property Map>Options Configuration for Real-Time Malware Protection.
- monitor
System BooleanTime Changes If true, system time changes will be monitored.
- name String
Name of the container runtime policy
- readonly
Files List<String>And Directories List of files and directories to be restricted as read-only
- reverse
Shell List<String>Allowed Ips List of IPs/ CIDRs that will be allowed
- reverse
Shell List<String>Allowed Processes List of processes that will be allowed
- scope
Expression String Logical expression of how to compute the dependency of the scope variables.
- scope
Variables List<Property Map> List of scope attributes.
Supporting Types
GetContainerRuntimePolicyFileIntegrityMonitoring
- Excluded
Paths List<string> - Excluded
Processes List<string> - Excluded
Users List<string> - Monitor
Attributes bool - Monitor
Create bool - Monitor
Delete bool - Monitor
Modify bool - Monitor
Read bool - Monitored
Paths List<string> - Monitored
Processes List<string> - Monitored
Users List<string>
- Excluded
Paths []string - Excluded
Processes []string - Excluded
Users []string - Monitor
Attributes bool - Monitor
Create bool - Monitor
Delete bool - Monitor
Modify bool - Monitor
Read bool - Monitored
Paths []string - Monitored
Processes []string - Monitored
Users []string
- excluded
Paths List<String> - excluded
Processes List<String> - excluded
Users List<String> - monitor
Attributes Boolean - monitor
Create Boolean - monitor
Delete Boolean - monitor
Modify Boolean - monitor
Read Boolean - monitored
Paths List<String> - monitored
Processes List<String> - monitored
Users List<String>
- excluded
Paths string[] - excluded
Processes string[] - excluded
Users string[] - monitor
Attributes boolean - monitor
Create boolean - monitor
Delete boolean - monitor
Modify boolean - monitor
Read boolean - monitored
Paths string[] - monitored
Processes string[] - monitored
Users string[]
- excluded_
paths Sequence[str] - excluded_
processes Sequence[str] - excluded_
users Sequence[str] - monitor_
attributes bool - monitor_
create bool - monitor_
delete bool - monitor_
modify bool - monitor_
read bool - monitored_
paths Sequence[str] - monitored_
processes Sequence[str] - monitored_
users Sequence[str]
- excluded
Paths List<String> - excluded
Processes List<String> - excluded
Users List<String> - monitor
Attributes Boolean - monitor
Create Boolean - monitor
Delete Boolean - monitor
Modify Boolean - monitor
Read Boolean - monitored
Paths List<String> - monitored
Processes List<String> - monitored
Users List<String>
GetContainerRuntimePolicyMalwareScanOption
- Action string
Set Action, Defaults to 'Alert' when empty
- Enabled bool
Defines if enabled or not
- Exclude
Directories List<string> List of registry paths to be excluded from being protected.
- Exclude
Processes List<string> List of registry processes to be excluded from being protected.
- Action string
Set Action, Defaults to 'Alert' when empty
- Enabled bool
Defines if enabled or not
- Exclude
Directories []string List of registry paths to be excluded from being protected.
- Exclude
Processes []string List of registry processes to be excluded from being protected.
- action String
Set Action, Defaults to 'Alert' when empty
- enabled Boolean
Defines if enabled or not
- exclude
Directories List<String> List of registry paths to be excluded from being protected.
- exclude
Processes List<String> List of registry processes to be excluded from being protected.
- action string
Set Action, Defaults to 'Alert' when empty
- enabled boolean
Defines if enabled or not
- exclude
Directories string[] List of registry paths to be excluded from being protected.
- exclude
Processes string[] List of registry processes to be excluded from being protected.
- action str
Set Action, Defaults to 'Alert' when empty
- enabled bool
Defines if enabled or not
- exclude_
directories Sequence[str] List of registry paths to be excluded from being protected.
- exclude_
processes Sequence[str] List of registry processes to be excluded from being protected.
- action String
Set Action, Defaults to 'Alert' when empty
- enabled Boolean
Defines if enabled or not
- exclude
Directories List<String> List of registry paths to be excluded from being protected.
- exclude
Processes List<String> List of registry processes to be excluded from being protected.
GetContainerRuntimePolicyScopeVariable
Package Details
- Repository
- aquasec pulumiverse/pulumi-aquasec
- License
- Apache-2.0
- Notes
This Pulumi package is based on the
aquasec
Terraform Provider.