Aquasec v0.8.29 published on Monday, Jul 22, 2024 by Pulumiverse
aquasec.getContainerRuntimePolicy
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aquasec from "@pulumi/aquasec";
// Direct-form invoke: resolves the existing Aqua container runtime policy
// by name and yields a Promise of the full policy record.
const policyName = "FunctionRuntimePolicyName";
const policyLookup = aquasec.getContainerRuntimePolicy({ name: policyName });

// Publish the whole record as a stack output. Note that every field of the
// result (blocked lists, enforcement flags, scope expression) is written to
// stack state as part of this export.
export const containerRuntimePolicyDetails = policyLookup;
import pulumi
import pulumi_aquasec as aquasec
# Direct-form invoke: look up the existing Aqua container runtime policy by
# name. The call returns the full GetContainerRuntimePolicyResult record.
policy_name = "FunctionRuntimePolicyName"
container_runtime_policy = aquasec.get_container_runtime_policy(name=policy_name)

# Publish the whole record as a stack output; all of its fields (blocked
# lists, enforcement flags, scope expression) land in stack state.
pulumi.export("containerRuntimePolicyDetails", container_runtime_policy)
package main
import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
"github.com/pulumiverse/pulumi-aquasec/sdk/go/aquasec"
)
// main looks up an existing Aqua container runtime policy by name and
// exports the full record as a stack output.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// LookupContainerRuntimePolicy is the Go-SDK name of the
		// aquasec:getContainerRuntimePolicy function.
		lookupArgs := &aquasec.LookupContainerRuntimePolicyArgs{
			Name: "FunctionRuntimePolicyName",
		}
		policy, err := aquasec.LookupContainerRuntimePolicy(ctx, lookupArgs, nil)
		if err != nil {
			// Surface the lookup failure to pulumi.Run instead of exporting a nil result.
			return err
		}

		// Every field of the result (blocked lists, enforcement flags, scope
		// expression) becomes part of stack state through this export.
		ctx.Export("containerRuntimePolicyDetails", policy)
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aquasec = Pulumi.Aquasec;
return await Deployment.RunAsync(() =>
{
    // Output-form invoke: the result is an Output<GetContainerRuntimePolicyResult>
    // that resolves once the Aqua provider answers, so it can be exported as-is.
    var policy = Aquasec.GetContainerRuntimePolicy.Invoke(new()
    {
        Name = "FunctionRuntimePolicyName",
    });

    // Publish the whole policy record as a stack output; all of its fields
    // (blocked lists, enforcement flags, scope expression) end up in stack state.
    var stackOutputs = new Dictionary<string, object?>();
    stackOutputs["containerRuntimePolicyDetails"] = policy;
    return stackOutputs;
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.AquasecFunctions;
import com.pulumi.aquasec.inputs.GetContainerRuntimePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Looks up an existing Aqua container runtime policy by name and exports
     * the full record as a stack output.
     *
     * @param ctx the Pulumi program context used to register the export
     */
    public static void stack(Context ctx) {
        final var lookupArgs = GetContainerRuntimePolicyArgs.builder()
                .name("FunctionRuntimePolicyName")
                .build();
        final var policy = AquasecFunctions.getContainerRuntimePolicy(lookupArgs);

        // The identity applyValue keeps the exported value as the complete result
        // record; every field of it (blocked lists, enforcement flags, scope
        // expression) becomes part of stack state.
        ctx.export("containerRuntimePolicyDetails", policy.applyValue(result -> result));
    }
}
variables:
  # Look up the existing Aqua container runtime policy by name via the
  # aquasec:getContainerRuntimePolicy function.
  containerRuntimePolicy:
    fn::invoke:
      Function: aquasec:getContainerRuntimePolicy
      Arguments:
        name: FunctionRuntimePolicyName
outputs:
  # Publish the whole policy record as a stack output; all of its fields
  # (blocked lists, enforcement flags, scope expression) end up in stack state.
  containerRuntimePolicyDetails: ${containerRuntimePolicy}
Using getContainerRuntimePolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getContainerRuntimePolicy(args: GetContainerRuntimePolicyArgs, opts?: InvokeOptions): Promise<GetContainerRuntimePolicyResult>
function getContainerRuntimePolicyOutput(args: GetContainerRuntimePolicyOutputArgs, opts?: InvokeOptions): Output<GetContainerRuntimePolicyResult>
def get_container_runtime_policy(allowed_executables: Optional[Sequence[GetContainerRuntimePolicyAllowedExecutable]] = None,
allowed_registries: Optional[Sequence[GetContainerRuntimePolicyAllowedRegistry]] = None,
auditing: Optional[GetContainerRuntimePolicyAuditing] = None,
container_exec: Optional[GetContainerRuntimePolicyContainerExec] = None,
file_block: Optional[GetContainerRuntimePolicyFileBlock] = None,
file_integrity_monitorings: Optional[Sequence[GetContainerRuntimePolicyFileIntegrityMonitoring]] = None,
limit_container_privileges: Optional[Sequence[GetContainerRuntimePolicyLimitContainerPrivilege]] = None,
malware_scan_options: Optional[Sequence[GetContainerRuntimePolicyMalwareScanOption]] = None,
name: Optional[str] = None,
port_block: Optional[GetContainerRuntimePolicyPortBlock] = None,
readonly_files: Optional[GetContainerRuntimePolicyReadonlyFiles] = None,
restricted_volumes: Optional[Sequence[GetContainerRuntimePolicyRestrictedVolume]] = None,
opts: Optional[InvokeOptions] = None) -> GetContainerRuntimePolicyResult
def get_container_runtime_policy_output(allowed_executables: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyAllowedExecutableArgs]]]] = None,
allowed_registries: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyAllowedRegistryArgs]]]] = None,
auditing: Optional[pulumi.Input[GetContainerRuntimePolicyAuditingArgs]] = None,
container_exec: Optional[pulumi.Input[GetContainerRuntimePolicyContainerExecArgs]] = None,
file_block: Optional[pulumi.Input[GetContainerRuntimePolicyFileBlockArgs]] = None,
file_integrity_monitorings: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyFileIntegrityMonitoringArgs]]]] = None,
limit_container_privileges: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyLimitContainerPrivilegeArgs]]]] = None,
malware_scan_options: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyMalwareScanOptionArgs]]]] = None,
name: Optional[pulumi.Input[str]] = None,
port_block: Optional[pulumi.Input[GetContainerRuntimePolicyPortBlockArgs]] = None,
readonly_files: Optional[pulumi.Input[GetContainerRuntimePolicyReadonlyFilesArgs]] = None,
restricted_volumes: Optional[pulumi.Input[Sequence[pulumi.Input[GetContainerRuntimePolicyRestrictedVolumeArgs]]]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetContainerRuntimePolicyResult]
func LookupContainerRuntimePolicy(ctx *Context, args *LookupContainerRuntimePolicyArgs, opts ...InvokeOption) (*LookupContainerRuntimePolicyResult, error)
func LookupContainerRuntimePolicyOutput(ctx *Context, args *LookupContainerRuntimePolicyOutputArgs, opts ...InvokeOption) LookupContainerRuntimePolicyResultOutput
> Note: This function is named LookupContainerRuntimePolicy
in the Go SDK.
public static class GetContainerRuntimePolicy
{
public static Task<GetContainerRuntimePolicyResult> InvokeAsync(GetContainerRuntimePolicyArgs args, InvokeOptions? opts = null)
public static Output<GetContainerRuntimePolicyResult> Invoke(GetContainerRuntimePolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetContainerRuntimePolicyResult> getContainerRuntimePolicy(GetContainerRuntimePolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: aquasec:index/getContainerRuntimePolicy:getContainerRuntimePolicy
arguments:
# arguments dictionary
The following arguments are supported:
- Name string - Name of the container runtime policy
- AllowedExecutables List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyAllowedExecutable> - Allowed executables configuration.
- AllowedRegistries List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyAllowedRegistry> - Allowed registries configuration.
- Auditing Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyAuditing
- ContainerExec Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyContainerExec
- FileBlock Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyFileBlock
- FileIntegrityMonitorings List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyFileIntegrityMonitoring> - Configuration for file integrity monitoring.
- LimitContainerPrivileges List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyLimitContainerPrivilege> - Container privileges configuration.
- MalwareScanOptions List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyMalwareScanOption> - Configuration for Real-Time Malware Protection.
- PortBlock Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyPortBlock
- ReadonlyFiles Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyReadonlyFiles
- RestrictedVolumes List<Pulumiverse.Aquasec.Inputs.GetContainerRuntimePolicyRestrictedVolume> - Restricted volumes configuration.
- Name string - Name of the container runtime policy
- AllowedExecutables []GetContainerRuntimePolicyAllowedExecutable - Allowed executables configuration.
- AllowedRegistries []GetContainerRuntimePolicyAllowedRegistry - Allowed registries configuration.
- Auditing GetContainerRuntimePolicyAuditing
- ContainerExec GetContainerRuntimePolicyContainerExec
- FileBlock GetContainerRuntimePolicyFileBlock
- FileIntegrityMonitorings []GetContainerRuntimePolicyFileIntegrityMonitoring - Configuration for file integrity monitoring.
- LimitContainerPrivileges []GetContainerRuntimePolicyLimitContainerPrivilege - Container privileges configuration.
- MalwareScanOptions []GetContainerRuntimePolicyMalwareScanOption - Configuration for Real-Time Malware Protection.
- PortBlock GetContainerRuntimePolicyPortBlock
- ReadonlyFiles GetContainerRuntimePolicyReadonlyFiles
- RestrictedVolumes []GetContainerRuntimePolicyRestrictedVolume - Restricted volumes configuration.
- name String - Name of the container runtime policy
- allowedExecutables List<GetContainerRuntimePolicyAllowedExecutable> - Allowed executables configuration.
- allowedRegistries List<GetContainerRuntimePolicyAllowedRegistry> - Allowed registries configuration.
- auditing GetContainerRuntimePolicyAuditing
- containerExec GetContainerRuntimePolicyContainerExec
- fileBlock GetContainerRuntimePolicyFileBlock
- fileIntegrityMonitorings List<GetContainerRuntimePolicyFileIntegrityMonitoring> - Configuration for file integrity monitoring.
- limitContainerPrivileges List<GetContainerRuntimePolicyLimitContainerPrivilege> - Container privileges configuration.
- malwareScanOptions List<GetContainerRuntimePolicyMalwareScanOption> - Configuration for Real-Time Malware Protection.
- portBlock GetContainerRuntimePolicyPortBlock
- readonlyFiles GetContainerRuntimePolicyReadonlyFiles
- restrictedVolumes List<GetContainerRuntimePolicyRestrictedVolume> - Restricted volumes configuration.
- name string - Name of the container runtime policy
- allowedExecutables GetContainerRuntimePolicyAllowedExecutable[] - Allowed executables configuration.
- allowedRegistries GetContainerRuntimePolicyAllowedRegistry[] - Allowed registries configuration.
- auditing GetContainerRuntimePolicyAuditing
- containerExec GetContainerRuntimePolicyContainerExec
- fileBlock GetContainerRuntimePolicyFileBlock
- fileIntegrityMonitorings GetContainerRuntimePolicyFileIntegrityMonitoring[] - Configuration for file integrity monitoring.
- limitContainerPrivileges GetContainerRuntimePolicyLimitContainerPrivilege[] - Container privileges configuration.
- malwareScanOptions GetContainerRuntimePolicyMalwareScanOption[] - Configuration for Real-Time Malware Protection.
- portBlock GetContainerRuntimePolicyPortBlock
- readonlyFiles GetContainerRuntimePolicyReadonlyFiles
- restrictedVolumes GetContainerRuntimePolicyRestrictedVolume[] - Restricted volumes configuration.
- name str - Name of the container runtime policy
- allowed_executables Sequence[GetContainerRuntimePolicyAllowedExecutable] - Allowed executables configuration.
- allowed_registries Sequence[GetContainerRuntimePolicyAllowedRegistry] - Allowed registries configuration.
- auditing GetContainerRuntimePolicyAuditing
- container_exec GetContainerRuntimePolicyContainerExec
- file_block GetContainerRuntimePolicyFileBlock
- file_integrity_monitorings Sequence[GetContainerRuntimePolicyFileIntegrityMonitoring] - Configuration for file integrity monitoring.
- limit_container_privileges Sequence[GetContainerRuntimePolicyLimitContainerPrivilege] - Container privileges configuration.
- malware_scan_options Sequence[GetContainerRuntimePolicyMalwareScanOption] - Configuration for Real-Time Malware Protection.
- port_block GetContainerRuntimePolicyPortBlock
- readonly_files GetContainerRuntimePolicyReadonlyFiles
- restricted_volumes Sequence[GetContainerRuntimePolicyRestrictedVolume] - Restricted volumes configuration.
- name String - Name of the container runtime policy
- allowedExecutables List<Property Map> - Allowed executables configuration.
- allowedRegistries List<Property Map> - Allowed registries configuration.
- auditing Property Map
- containerExec Property Map
- fileBlock Property Map
- fileIntegrityMonitorings List<Property Map> - Configuration for file integrity monitoring.
- limitContainerPrivileges List<Property Map> - Container privileges configuration.
- malwareScanOptions List<Property Map> - Configuration for Real-Time Malware Protection.
- portBlock Property Map
- readonlyFiles Property Map
- restrictedVolumes List<Property Map> - Restricted volumes configuration.
getContainerRuntimePolicy Result
The following output properties are available:
- ApplicationScopes List<string> - Indicates the application scope of the service.
- AuditAllNetworkActivity bool - If true, all network activity will be audited.
- AuditAllProcessesActivity bool - If true, all process activity will be audited.
- AuditFullCommandArguments bool - If true, full command arguments will be audited.
- Author string - Username of the account that created the service.
- BlockAccessHostNetwork bool - If true, prevent containers from running with access to the host network.
- BlockAddingCapabilities bool - If true, prevent containers from running with capabilities added via the --cap-add privilege.
- BlockContainerExec bool - If true, exec into a container is prevented.
- BlockCryptocurrencyMining bool - Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- BlockFilelessExec bool - Detect and prevent in-memory (fileless) execution.
- BlockLowPortBinding bool - If true, prevent containers from running with the capability to bind to ports lower than 1024.
- BlockNonCompliantImages bool - If true, running a non-compliant image in the container is prevented.
- BlockNonCompliantWorkloads bool - If true, running containers in non-compliant pods is prevented.
- BlockNonK8sContainers bool - If true, running non-Kubernetes containers is prevented.
- BlockPrivilegedContainers bool - If true, prevent containers from running with the privileged container capability.
- BlockReverseShell bool - If true, reverse shells are prevented.
- BlockRootUser bool - If true, prevent containers from running as the root user.
- BlockUnregisteredImages bool - If true, running images that are not registered in Aqua is prevented.
- BlockUseIpcNamespace bool - If true, prevent containers from running with the privilege to use the IPC namespace.
- BlockUsePidNamespace bool - If true, prevent containers from running with the privilege to use the PID namespace.
- BlockUseUserNamespace bool - If true, prevent containers from running with the privilege to use the user namespace.
- BlockUseUtsNamespace bool - If true, prevent containers from running with the privilege to use the UTS namespace.
- BlockedCapabilities List<string> - List of Unix capabilities that containers are prevented from using.
- BlockedExecutables List<string> - List of executables that are prevented from running in containers.
- BlockedFiles List<string> - List of files that are prevented from being read, modified and executed in the containers.
- BlockedInboundPorts List<string> - List of blocked inbound ports.
- BlockedOutboundPorts List<string> - List of blocked outbound ports.
- BlockedPackages List<string> - Prevent containers from reading, writing, or executing all files in the list of packages.
- BlockedVolumes List<string> - List of volumes that are prevented from being mounted in the containers.
- ContainerExecAllowedProcesses List<string> - List of processes that will be allowed.
- Description string - The description of the container runtime policy
- EnableDriftPrevention bool - If true, executables that are not in the original image are prevented from running.
- EnableForkGuard bool - If true, fork bombs are prevented in the containers.
- EnableIpReputationSecurity bool - If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- EnablePortScanDetection bool - If true, detects port scanning behavior in the container.
- Enabled bool - Indicates if the runtime policy is enabled or not.
- Enforce bool - Indicates that the policy should affect container execution (not just audit).
- EnforceAfterDays int - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- ExceptionalReadonlyFilesAndDirectories List<string> - List of files and directories to be excluded from the read-only list.
- ExecLockdownWhiteLists List<string> - Specify processes that will be allowed.
- ForkGuardProcessLimit int - Process limit for the fork guard.
- Id string - The provider-assigned unique ID for this managed resource.
- LimitNewPrivileges bool - If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- MonitorSystemTimeChanges bool - If true, system time changes will be monitored.
- Name string - Name of the container runtime policy
- ReadonlyFilesAndDirectories List<string> - List of files and directories to be restricted as read-only.
- ReverseShellAllowedIps List<string> - List of IPs/CIDRs that will be allowed.
- ReverseShellAllowedProcesses List<string> - List of processes that will be allowed.
- ScopeExpression string - Logical expression of how to compute the dependency of the scope variables.
- ScopeVariables List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyScopeVariable> - List of scope attributes.
- AllowedExecutables List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyAllowedExecutable> - Allowed executables configuration.
- AllowedRegistries List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyAllowedRegistry> - Allowed registries configuration.
- Auditing Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyAuditing
- ContainerExec Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyContainerExec
- FileBlock Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyFileBlock
- FileIntegrityMonitorings List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyFileIntegrityMonitoring> - Configuration for file integrity monitoring.
- LimitContainerPrivileges List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyLimitContainerPrivilege> - Container privileges configuration.
- MalwareScanOptions List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyMalwareScanOption> - Configuration for Real-Time Malware Protection.
- PortBlock Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyPortBlock
- ReadonlyFiles Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyReadonlyFiles
- RestrictedVolumes List<Pulumiverse.Aquasec.Outputs.GetContainerRuntimePolicyRestrictedVolume> - Restricted volumes configuration.
- ApplicationScopes []string - Indicates the application scope of the service.
- AuditAllNetworkActivity bool - If true, all network activity will be audited.
- AuditAllProcessesActivity bool - If true, all process activity will be audited.
- AuditFullCommandArguments bool - If true, full command arguments will be audited.
- Author string - Username of the account that created the service.
- BlockAccessHostNetwork bool - If true, prevent containers from running with access to the host network.
- BlockAddingCapabilities bool - If true, prevent containers from running with capabilities added via the --cap-add privilege.
- BlockContainerExec bool - If true, exec into a container is prevented.
- BlockCryptocurrencyMining bool - Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- BlockFilelessExec bool - Detect and prevent in-memory (fileless) execution.
- BlockLowPortBinding bool - If true, prevent containers from running with the capability to bind to ports lower than 1024.
- BlockNonCompliantImages bool - If true, running a non-compliant image in the container is prevented.
- BlockNonCompliantWorkloads bool - If true, running containers in non-compliant pods is prevented.
- BlockNonK8sContainers bool - If true, running non-Kubernetes containers is prevented.
- BlockPrivilegedContainers bool - If true, prevent containers from running with the privileged container capability.
- BlockReverseShell bool - If true, reverse shells are prevented.
- BlockRootUser bool - If true, prevent containers from running as the root user.
- BlockUnregisteredImages bool - If true, running images that are not registered in Aqua is prevented.
- BlockUseIpcNamespace bool - If true, prevent containers from running with the privilege to use the IPC namespace.
- BlockUsePidNamespace bool - If true, prevent containers from running with the privilege to use the PID namespace.
- BlockUseUserNamespace bool - If true, prevent containers from running with the privilege to use the user namespace.
- BlockUseUtsNamespace bool - If true, prevent containers from running with the privilege to use the UTS namespace.
- BlockedCapabilities []string - List of Unix capabilities that containers are prevented from using.
- BlockedExecutables []string - List of executables that are prevented from running in containers.
- BlockedFiles []string - List of files that are prevented from being read, modified and executed in the containers.
- BlockedInboundPorts []string - List of blocked inbound ports.
- BlockedOutboundPorts []string - List of blocked outbound ports.
- BlockedPackages []string - Prevent containers from reading, writing, or executing all files in the list of packages.
- BlockedVolumes []string - List of volumes that are prevented from being mounted in the containers.
- ContainerExecAllowedProcesses []string - List of processes that will be allowed.
- Description string - The description of the container runtime policy
- EnableDriftPrevention bool - If true, executables that are not in the original image are prevented from running.
- EnableForkGuard bool - If true, fork bombs are prevented in the containers.
- EnableIpReputationSecurity bool - If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- EnablePortScanDetection bool - If true, detects port scanning behavior in the container.
- Enabled bool - Indicates if the runtime policy is enabled or not.
- Enforce bool - Indicates that the policy should affect container execution (not just audit).
- EnforceAfterDays int - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- ExceptionalReadonlyFilesAndDirectories []string - List of files and directories to be excluded from the read-only list.
- ExecLockdownWhiteLists []string - Specify processes that will be allowed.
- ForkGuardProcessLimit int - Process limit for the fork guard.
- Id string - The provider-assigned unique ID for this managed resource.
- LimitNewPrivileges bool - If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- MonitorSystemTimeChanges bool - If true, system time changes will be monitored.
- Name string - Name of the container runtime policy
- ReadonlyFilesAndDirectories []string - List of files and directories to be restricted as read-only.
- ReverseShellAllowedIps []string - List of IPs/CIDRs that will be allowed.
- ReverseShellAllowedProcesses []string - List of processes that will be allowed.
- ScopeExpression string - Logical expression of how to compute the dependency of the scope variables.
- ScopeVariables []GetContainerRuntimePolicyScopeVariable - List of scope attributes.
- AllowedExecutables []GetContainerRuntimePolicyAllowedExecutable - Allowed executables configuration.
- AllowedRegistries []GetContainerRuntimePolicyAllowedRegistry - Allowed registries configuration.
- Auditing GetContainerRuntimePolicyAuditing
- ContainerExec GetContainerRuntimePolicyContainerExec
- FileBlock GetContainerRuntimePolicyFileBlock
- FileIntegrityMonitorings []GetContainerRuntimePolicyFileIntegrityMonitoring - Configuration for file integrity monitoring.
- LimitContainerPrivileges []GetContainerRuntimePolicyLimitContainerPrivilege - Container privileges configuration.
- MalwareScanOptions []GetContainerRuntimePolicyMalwareScanOption - Configuration for Real-Time Malware Protection.
- PortBlock GetContainerRuntimePolicyPortBlock
- ReadonlyFiles GetContainerRuntimePolicyReadonlyFiles
- RestrictedVolumes []GetContainerRuntimePolicyRestrictedVolume - Restricted volumes configuration.
- applicationScopes List<String> - Indicates the application scope of the service.
- auditAllNetworkActivity Boolean - If true, all network activity will be audited.
- auditAllProcessesActivity Boolean - If true, all process activity will be audited.
- auditFullCommandArguments Boolean - If true, full command arguments will be audited.
- author String - Username of the account that created the service.
- blockAccessHostNetwork Boolean - If true, prevent containers from running with access to the host network.
- blockAddingCapabilities Boolean - If true, prevent containers from running with capabilities added via the --cap-add privilege.
- blockContainerExec Boolean - If true, exec into a container is prevented.
- blockCryptocurrencyMining Boolean - Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
- blockFilelessExec Boolean - Detect and prevent in-memory (fileless) execution.
- blockLowPortBinding Boolean - If true, prevent containers from running with the capability to bind to ports lower than 1024.
- blockNonCompliantImages Boolean - If true, running a non-compliant image in the container is prevented.
- blockNonCompliantWorkloads Boolean - If true, running containers in non-compliant pods is prevented.
- blockNonK8sContainers Boolean - If true, running non-Kubernetes containers is prevented.
- blockPrivilegedContainers Boolean - If true, prevent containers from running with the privileged container capability.
- blockReverseShell Boolean - If true, reverse shells are prevented.
- blockRootUser Boolean - If true, prevent containers from running as the root user.
- blockUnregisteredImages Boolean - If true, running images that are not registered in Aqua is prevented.
- blockUseIpcNamespace Boolean - If true, prevent containers from running with the privilege to use the IPC namespace.
- blockUsePidNamespace Boolean - If true, prevent containers from running with the privilege to use the PID namespace.
- blockUseUserNamespace Boolean - If true, prevent containers from running with the privilege to use the user namespace.
- blockUseUtsNamespace Boolean - If true, prevent containers from running with the privilege to use the UTS namespace.
- blockedCapabilities List<String> - List of Unix capabilities that containers are prevented from using.
- blockedExecutables List<String> - List of executables that are prevented from running in containers.
- blockedFiles List<String> - List of files that are prevented from being read, modified and executed in the containers.
- blockedInboundPorts List<String> - List of blocked inbound ports.
- blockedOutboundPorts List<String> - List of blocked outbound ports.
- blockedPackages List<String> - Prevent containers from reading, writing, or executing all files in the list of packages.
- blockedVolumes List<String> - List of volumes that are prevented from being mounted in the containers.
- containerExecAllowedProcesses List<String> - List of processes that will be allowed.
- description String - The description of the container runtime policy
- enableDriftPrevention Boolean - If true, executables that are not in the original image are prevented from running.
- enableForkGuard Boolean - If true, fork bombs are prevented in the containers.
- enableIpReputationSecurity Boolean - If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enablePortScanDetection Boolean - If true, detects port scanning behavior in the container.
- enabled Boolean - Indicates if the runtime policy is enabled or not.
- enforce Boolean - Indicates that the policy should affect container execution (not just audit).
- enforceAfterDays Integer - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptionalReadonlyFilesAndDirectories List<String> - List of files and directories to be excluded from the read-only list.
- execLockdownWhiteLists List<String> - Specify processes that will be allowed.
- forkGuardProcessLimit Integer - Process limit for the fork guard.
- id String - The provider-assigned unique ID for this managed resource.
- limitNewPrivileges Boolean - If true, prevents the container from obtaining new privileges at runtime (only enabled in enforce mode).
- monitorSystemTimeChanges Boolean - If true, system time changes will be monitored.
- name String - Name of the container runtime policy
- readonlyFilesAndDirectories List<String> - List of files and directories to be restricted as read-only.
- reverseShellAllowedIps List<String> - List of IPs/CIDRs that will be allowed.
- reverseShellAllowedProcesses List<String> - List of processes that will be allowed.
- scopeExpression String - Logical expression of how to compute the dependency of the scope variables.
- scopeVariables List<GetContainerRuntimePolicyScopeVariable> - List of scope attributes.
- allowedExecutables List<GetContainerRuntimePolicyAllowedExecutable> - Allowed executables configuration.
- allowedRegistries List<GetContainerRuntimePolicyAllowedRegistry> - Allowed registries configuration.
- auditing GetContainerRuntimePolicyAuditing
- containerExec GetContainerRuntimePolicyContainerExec
- fileBlock GetContainerRuntimePolicyFileBlock
- fileIntegrityMonitorings List<GetContainerRuntimePolicyFileIntegrityMonitoring> - Configuration for file integrity monitoring.
- limitContainerPrivileges List<GetContainerRuntimePolicyLimitContainerPrivilege> - Container privileges configuration.
- malwareScanOptions List<GetContainerRuntimePolicyMalwareScanOption> - Configuration for Real-Time Malware Protection.
- portBlock GetContainerRuntimePolicyPortBlock
- readonlyFiles GetContainerRuntimePolicyReadonlyFiles
- restrictedVolumes List<GetContainerRuntimePolicyRestrictedVolume> - Restricted volumes configuration.
- application
Scopes string[] - Indicates the application scope of the service.
- audit
All booleanNetwork Activity - If true, all network activity will be audited.
- audit
All booleanProcesses Activity - If true, all process activity will be audited.
- audit
Full booleanCommand Arguments - If true, full command arguments will be audited.
- string
- Username of the account that created the service.
- block
Access booleanHost Network - If true, prevent containers from running with access to host network.
- block
Adding booleanCapabilities - If true, prevent containers from running with adding capabilities with
--cap-add
privilege. - block
Container booleanExec - If true, exec into a container is prevented.
- block
Cryptocurrency booleanMining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Fileless booleanExec - Detect and prevent running in-memory execution
- block
Low booleanPort Binding - If true, prevent containers from running with the capability to bind in port lower than 1024.
- block
Non booleanCompliant Images - If true, running non-compliant image in the container is prevented.
- block
Non booleanCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- block
Non booleanK8s Containers - If true, running non-kubernetes containers is prevented.
- block
Privileged booleanContainers - If true, prevent containers from running with privileged container capability.
- block
Reverse booleanShell - If true, reverse shell is prevented.
- block
Root booleanUser - If true, prevent containers from running with root user.
- block
Unregistered booleanImages - If true, containers based on images that are not registered in Aqua are prevented from running.
- block
Use booleanIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use booleanPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use booleanUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block
Use booleanUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked
Capabilities string[] - List of Linux capabilities that containers are prevented from using (a list of capability names, not a boolean).
- blocked
Executables string[] - List of executables that are prevented from running in containers.
- blocked
Files string[] - List of files that containers are prevented from reading, modifying, or executing.
- blocked
Inbound string[]Ports - List of blocked inbound ports.
- blocked
Outbound string[]Ports - List of blocked outbound ports.
- blocked
Packages string[] - List of packages whose files containers are prevented from reading, writing, or executing.
- blocked
Volumes string[] - List of volumes that are prevented from being mounted in the containers.
- container
Exec string[]Allowed Processes - List of processes that are still allowed to exec into a container (exceptions to the container-exec block).
- description string
- The description of the container runtime policy
- enable
Drift booleanPrevention - If true, executables that were not part of the original image are prevented from running (drift prevention).
- enable
Fork booleanGuard - If true, fork bombs are prevented in the containers.
- enable
Ip booleanReputation Security - If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable
Port booleanScan Detection - If true, detects port scanning behavior in the container.
- enabled boolean
- Indicates if the runtime policy is enabled or not.
- enforce boolean
- If true, the policy is enforced (violations are blocked) rather than only audited.
- enforce
After numberDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional
Readonly string[]Files And Directories - List of files and directories to be excluded from the read-only list.
- exec
Lockdown string[]White Lists - Allow-list of processes that are permitted to run while exec lockdown is active.
- fork
Guard numberProcess Limit - Process limit for the fork guard.
- id string
- The provider-assigned unique ID for this managed resource.
- limit
New booleanPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- monitor
System booleanTime Changes - If true, system time changes will be monitored.
- name string
- Name of the container runtime policy
- readonly
Files string[]And Directories - List of files and directories to be restricted as read-only
- reverse
Shell string[]Allowed Ips - List of IP addresses/CIDR ranges that are exempt from reverse-shell blocking.
- reverse
Shell string[]Allowed Processes - List of processes that are exempt from reverse-shell blocking.
- scope
Expression string - Logical expression that combines the scope variables to determine which workloads the policy applies to.
- scope
Variables GetContainer Runtime Policy Scope Variable[] - List of scope attributes.
- allowed
Executables GetContainer Runtime Policy Allowed Executable[] - Allowed executables configuration.
- allowed
Registries GetContainer Runtime Policy Allowed Registry[] - Allowed registries configuration.
- auditing
Get
Container Runtime Policy Auditing - container
Exec GetContainer Runtime Policy Container Exec - file
Block GetContainer Runtime Policy File Block - file
Integrity GetMonitorings Container Runtime Policy File Integrity Monitoring[] - Configuration for file integrity monitoring.
- limit
Container GetPrivileges Container Runtime Policy Limit Container Privilege[] - Container privileges configuration.
- malware
Scan GetOptions Container Runtime Policy Malware Scan Option[] - Configuration for Real-Time Malware Protection.
- port
Block GetContainer Runtime Policy Port Block - readonly
Files GetContainer Runtime Policy Readonly Files - restricted
Volumes GetContainer Runtime Policy Restricted Volume[] - Restricted volumes configuration.
- application_
scopes Sequence[str] - Indicates the application scope of the service.
- audit_
all_ boolnetwork_ activity - If true, all network activity will be audited.
- audit_
all_ boolprocesses_ activity - If true, all process activity will be audited.
- audit_
full_ boolcommand_ arguments - If true, full command arguments will be audited.
- str
- Username of the account that created the service.
- block_
access_ boolhost_ network - If true, prevent containers from running with access to host network.
- block_
adding_ boolcapabilities - If true, prevent containers from running with adding capabilities with
--cap-add
privilege. - block_
container_ boolexec - If true, exec into a container is prevented.
- block_
cryptocurrency_ boolmining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block_
fileless_ boolexec - Detect and prevent running in-memory execution
- block_
low_ boolport_ binding - If true, prevent containers from running with the capability to bind in port lower than 1024.
- block_
non_ boolcompliant_ images - If true, running non-compliant image in the container is prevented.
- block_
non_ boolcompliant_ workloads - If true, running containers in non-compliant pods is prevented.
- block_
non_ boolk8s_ containers - If true, running non-kubernetes containers is prevented.
- block_
privileged_ boolcontainers - If true, prevent containers from running with privileged container capability.
- block_
reverse_ boolshell - If true, reverse shell is prevented.
- block_
root_ booluser - If true, prevent containers from running with root user.
- block_
unregistered_ boolimages - If true, running images in the container that are not registered in Aqua is prevented.
- block_
use_ boolipc_ namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block_
use_ boolpid_ namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block_
use_ booluser_ namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block_
use_ booluts_ namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked_
capabilities Sequence[str] - List of Linux capabilities that containers are prevented from using (a list of capability names, not a boolean).
- blocked_
executables Sequence[str] - List of executables that are prevented from running in containers.
- blocked_
files Sequence[str] - List of files that are prevented from being read, modified and executed in the containers.
- blocked_
inbound_ Sequence[str]ports - List of blocked inbound ports.
- blocked_
outbound_ Sequence[str]ports - List of blocked outbound ports.
- blocked_
packages Sequence[str] - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked_
volumes Sequence[str] - List of volumes that are prevented from being mounted in the containers.
- container_
exec_ Sequence[str]allowed_ processes - List of processes that will be allowed.
- description str
- The description of the container runtime policy
- enable_
drift_ boolprevention - If true, executables that were not part of the original image are prevented from running (drift prevention).
- enable_
fork_ boolguard - If true, fork bombs are prevented in the containers.
- enable_
ip_ boolreputation_ security - If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable_
port_ boolscan_ detection - If true, detects port scanning behavior in the container.
- enabled bool
- Indicates if the runtime policy is enabled or not.
- enforce bool
- If true, the policy is enforced (violations are blocked) rather than only audited.
- enforce_
after_ intdays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional_
readonly_ Sequence[str]files_ and_ directories - List of files and directories to be excluded from the read-only list.
- exec_
lockdown_ Sequence[str]white_ lists - Specify processes that will be allowed
- fork_
guard_ intprocess_ limit - Process limit for the fork guard.
- id str
- The provider-assigned unique ID for this managed resource.
- limit_
new_ boolprivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- monitor_
system_ booltime_ changes - If true, system time changes will be monitored.
- name str
- Name of the container runtime policy
- readonly_
files_ Sequence[str]and_ directories - List of files and directories to be restricted as read-only
- reverse_
shell_ Sequence[str]allowed_ ips - List of IPs/ CIDRs that will be allowed
- reverse_
shell_ Sequence[str]allowed_ processes - List of processes that will be allowed
- scope_
expression str - Logical expression of how to compute the dependency of the scope variables.
- scope_
variables Sequence[GetContainer Runtime Policy Scope Variable] - List of scope attributes.
- allowed_
executables Sequence[GetContainer Runtime Policy Allowed Executable] - Allowed executables configuration.
- allowed_
registries Sequence[GetContainer Runtime Policy Allowed Registry] - Allowed registries configuration.
- auditing
Get
Container Runtime Policy Auditing - container_
exec GetContainer Runtime Policy Container Exec - file_
block GetContainer Runtime Policy File Block - file_
integrity_ Sequence[Getmonitorings Container Runtime Policy File Integrity Monitoring] - Configuration for file integrity monitoring.
- limit_
container_ Sequence[Getprivileges Container Runtime Policy Limit Container Privilege] - Container privileges configuration.
- malware_
scan_ Sequence[Getoptions Container Runtime Policy Malware Scan Option] - Configuration for Real-Time Malware Protection.
- port_
block GetContainer Runtime Policy Port Block - readonly_
files GetContainer Runtime Policy Readonly Files - restricted_
volumes Sequence[GetContainer Runtime Policy Restricted Volume] - Restricted volumes configuration.
- application
Scopes List<String> - Indicates the application scope of the service.
- audit
All BooleanNetwork Activity - If true, all network activity will be audited.
- audit
All BooleanProcesses Activity - If true, all process activity will be audited.
- audit
Full BooleanCommand Arguments - If true, full command arguments will be audited.
- String
- Username of the account that created the service.
- block
Access BooleanHost Network - If true, prevent containers from running with access to host network.
- block
Adding BooleanCapabilities - If true, prevent containers from running with adding capabilities with
--cap-add
privilege. - block
Container BooleanExec - If true, exec into a container is prevented.
- block
Cryptocurrency BooleanMining - Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
- block
Fileless BooleanExec - Detect and prevent running in-memory execution
- block
Low BooleanPort Binding - If true, prevent containers from running with the capability to bind in port lower than 1024.
- block
Non BooleanCompliant Images - If true, running non-compliant image in the container is prevented.
- block
Non BooleanCompliant Workloads - If true, running containers in non-compliant pods is prevented.
- block
Non BooleanK8s Containers - If true, running non-kubernetes containers is prevented.
- block
Privileged BooleanContainers - If true, prevent containers from running with privileged container capability.
- block
Reverse BooleanShell - If true, reverse shell is prevented.
- block
Root BooleanUser - If true, prevent containers from running with root user.
- block
Unregistered BooleanImages - If true, running images in the container that are not registered in Aqua is prevented.
- block
Use BooleanIpc Namespace - If true, prevent containers from running with the privilege to use the IPC namespace.
- block
Use BooleanPid Namespace - If true, prevent containers from running with the privilege to use the PID namespace.
- block
Use BooleanUser Namespace - If true, prevent containers from running with the privilege to use the user namespace.
- block
Use BooleanUts Namespace - If true, prevent containers from running with the privilege to use the UTS namespace.
- blocked
Capabilities List<String> - List of Linux capabilities that containers are prevented from using (a list of capability names, not a boolean).
- blocked
Executables List<String> - List of executables that are prevented from running in containers.
- blocked
Files List<String> - List of files that are prevented from being read, modified and executed in the containers.
- blocked
Inbound List<String>Ports - List of blocked inbound ports.
- blocked
Outbound List<String>Ports - List of blocked outbound ports.
- blocked
Packages List<String> - Prevent containers from reading, writing, or executing all files in the list of packages.
- blocked
Volumes List<String> - List of volumes that are prevented from being mounted in the containers.
- container
Exec List<String>Allowed Processes - List of processes that will be allowed.
- description String
- The description of the container runtime policy
- enable
Drift BooleanPrevention - If true, executables that were not part of the original image are prevented from running (drift prevention).
- enable
Fork BooleanGuard - If true, fork bombs are prevented in the containers.
- enable
Ip BooleanReputation Security - If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
- enable
Port BooleanScan Detection - If true, detects port scanning behavior in the container.
- enabled Boolean
- Indicates if the runtime policy is enabled or not.
- enforce Boolean
- If true, the policy is enforced (violations are blocked) rather than only audited.
- enforce
After NumberDays - Indicates the number of days after which the runtime policy will be changed to enforce mode.
- exceptional
Readonly List<String>Files And Directories - List of files and directories to be excluded from the read-only list.
- exec
Lockdown List<String>White Lists - Specify processes that will be allowed
- fork
Guard NumberProcess Limit - Process limit for the fork guard.
- id String
- The provider-assigned unique ID for this managed resource.
- limit
New BooleanPrivileges - If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
- monitor
System BooleanTime Changes - If true, system time changes will be monitored.
- name String
- Name of the container runtime policy
- readonly
Files List<String>And Directories - List of files and directories to be restricted as read-only
- reverse
Shell List<String>Allowed Ips - List of IPs/ CIDRs that will be allowed
- reverse
Shell List<String>Allowed Processes - List of processes that will be allowed
- scope
Expression String - Logical expression of how to compute the dependency of the scope variables.
- scope
Variables List<Property Map> - List of scope attributes.
- allowed
Executables List<Property Map> - Allowed executables configuration.
- allowed
Registries List<Property Map> - Allowed registries configuration.
- auditing Property Map
- container
Exec Property Map - file
Block Property Map - file
Integrity List<Property Map>Monitorings - Configuration for file integrity monitoring.
- limit
Container List<Property Map>Privileges - Container privileges configuration.
- malware
Scan List<Property Map>Options - Configuration for Real-Time Malware Protection.
- port
Block Property Map - readonly
Files Property Map - restricted
Volumes List<Property Map> - Restricted volumes configuration.
Supporting Types
GetContainerRuntimePolicyAllowedExecutable
- Allow
Executables List<string> - List of allowed executables.
- Allow
Root List<string>Executables - List of allowed root executables.
- Enabled bool
- Whether allowed executables configuration is enabled.
- Separate
Executables bool - Whether to treat executables separately.
- Allow
Executables []string - List of allowed executables.
- Allow
Root []stringExecutables - List of allowed root executables.
- Enabled bool
- Whether allowed executables configuration is enabled.
- Separate
Executables bool - Whether to treat executables separately.
- allow
Executables List<String> - List of allowed executables.
- allow
Root List<String>Executables - List of allowed root executables.
- enabled Boolean
- Whether allowed executables configuration is enabled.
- separate
Executables Boolean - Whether to treat executables separately.
- allow
Executables string[] - List of allowed executables.
- allow
Root string[]Executables - List of allowed root executables.
- enabled boolean
- Whether allowed executables configuration is enabled.
- separate
Executables boolean - Whether to treat executables separately.
- allow_
executables Sequence[str] - List of allowed executables.
- allow_
root_ Sequence[str]executables - List of allowed root executables.
- enabled bool
- Whether allowed executables configuration is enabled.
- separate_
executables bool - Whether to treat executables separately.
- allow
Executables List<String> - List of allowed executables.
- allow
Root List<String>Executables - List of allowed root executables.
- enabled Boolean
- Whether allowed executables configuration is enabled.
- separate
Executables Boolean - Whether to treat executables separately.
GetContainerRuntimePolicyAllowedRegistry
- Allowed
Registries List<string> - List of allowed registries.
- Enabled bool
- Whether allowed registries are enabled.
- Allowed
Registries []string - List of allowed registries.
- Enabled bool
- Whether allowed registries are enabled.
- allowed
Registries List<String> - List of allowed registries.
- enabled Boolean
- Whether allowed registries are enabled.
- allowed
Registries string[] - List of allowed registries.
- enabled boolean
- Whether allowed registries are enabled.
- allowed_
registries Sequence[str] - List of allowed registries.
- enabled bool
- Whether allowed registries are enabled.
- allowed
Registries List<String> - List of allowed registries.
- enabled Boolean
- Whether allowed registries are enabled.
GetContainerRuntimePolicyAuditing
- Audit
All boolNetwork - Audit
All boolProcesses - Audit
Failed boolLogin - Audit
Os boolUser Activity - Audit
Process boolCmdline - Audit
Success boolLogin - Audit
User boolAccount Management - Enabled bool
- Audit
All boolNetwork - Audit
All boolProcesses - Audit
Failed boolLogin - Audit
Os boolUser Activity - Audit
Process boolCmdline - Audit
Success boolLogin - Audit
User boolAccount Management - Enabled bool
- audit
All BooleanNetwork - audit
All BooleanProcesses - audit
Failed BooleanLogin - audit
Os BooleanUser Activity - audit
Process BooleanCmdline - audit
Success BooleanLogin - audit
User BooleanAccount Management - enabled Boolean
- audit
All booleanNetwork - audit
All booleanProcesses - audit
Failed booleanLogin - audit
Os booleanUser Activity - audit
Process booleanCmdline - audit
Success booleanLogin - audit
User booleanAccount Management - enabled boolean
- audit_
all_ boolnetwork - audit_
all_ boolprocesses - audit_
failed_ boollogin - audit_
os_ booluser_ activity - audit_
process_ boolcmdline - audit_
success_ boollogin - audit_
user_ boolaccount_ management - enabled bool
- audit
All BooleanNetwork - audit
All BooleanProcesses - audit
Failed BooleanLogin - audit
Os BooleanUser Activity - audit
Process BooleanCmdline - audit
Success BooleanLogin - audit
User BooleanAccount Management - enabled Boolean
GetContainerRuntimePolicyContainerExec
- Block
Container boolExec - Container
Exec List<string>Proc White Lists - Enabled bool
- Reverse
Shell List<string>Ip White Lists
- Block
Container boolExec - Container
Exec []stringProc White Lists - Enabled bool
- Reverse
Shell []stringIp White Lists
- block
Container BooleanExec - container
Exec List<String>Proc White Lists - enabled Boolean
- reverse
Shell List<String>Ip White Lists
- block
Container booleanExec - container
Exec string[]Proc White Lists - enabled boolean
- reverse
Shell string[]Ip White Lists
- block_
container_ boolexec - container_
exec_ Sequence[str]proc_ white_ lists - enabled bool
- reverse_
shell_ Sequence[str]ip_ white_ lists
- block
Container BooleanExec - container
Exec List<String>Proc White Lists - enabled Boolean
- reverse
Shell List<String>Ip White Lists
GetContainerRuntimePolicyFileBlock
- Block
Files List<string>Processes - Block
Files List<string>Users - Enabled bool
- Exceptional
Block List<string>Files - Exceptional
Block List<string>Files Processes - Exceptional
Block List<string>Files Users - Filename
Block List<string>Lists
- Block
Files []stringProcesses - Block
Files []stringUsers - Enabled bool
- Exceptional
Block []stringFiles - Exceptional
Block []stringFiles Processes - Exceptional
Block []stringFiles Users - Filename
Block []stringLists
- block
Files List<String>Processes - block
Files List<String>Users - enabled Boolean
- exceptional
Block List<String>Files - exceptional
Block List<String>Files Processes - exceptional
Block List<String>Files Users - filename
Block List<String>Lists
- block
Files string[]Processes - block
Files string[]Users - enabled boolean
- exceptional
Block string[]Files - exceptional
Block string[]Files Processes - exceptional
Block string[]Files Users - filename
Block string[]Lists
- block_
files_ Sequence[str]processes - block_
files_ Sequence[str]users - enabled bool
- exceptional_
block_ Sequence[str]files - exceptional_
block_ Sequence[str]files_ processes - exceptional_
block_ Sequence[str]files_ users - filename_
block_ Sequence[str]lists
- block
Files List<String>Processes - block
Files List<String>Users - enabled Boolean
- exceptional
Block List<String>Files - exceptional
Block List<String>Files Processes - exceptional
Block List<String>Files Users - filename
Block List<String>Lists
GetContainerRuntimePolicyFileIntegrityMonitoring
- Enabled bool
- If true, file integrity monitoring is enabled.
- Exceptional
Monitored List<string>Files - List of paths to be excluded from monitoring.
- Exceptional
Monitored List<string>Files Processes - List of processes to be excluded from monitoring.
- Exceptional
Monitored List<string>Files Users - List of users to be excluded from monitoring.
- Monitored
Files List<string> - List of paths to be monitored.
- Monitored
Files boolAttributes - Whether to monitor file attribute operations.
- Monitored
Files boolCreate - Whether to monitor file create operations.
- Monitored
Files boolDelete - Whether to monitor file delete operations.
- Monitored
Files boolModify - Whether to monitor file modify operations.
- Monitored
Files List<string>Processes - List of processes associated with monitored files.
- Monitored
Files boolRead - Whether to monitor file read operations.
- Monitored
Files List<string>Users - List of users associated with monitored files.
- Enabled bool
- If true, file integrity monitoring is enabled.
- Exceptional
Monitored []stringFiles - List of paths to be excluded from monitoring.
- Exceptional
Monitored []stringFiles Processes - List of processes to be excluded from monitoring.
- Exceptional
Monitored []stringFiles Users - List of users to be excluded from monitoring.
- Monitored
Files []string - List of paths to be monitored.
- Monitored
Files boolAttributes - Whether to monitor file attribute operations.
- Monitored
Files boolCreate - Whether to monitor file create operations.
- Monitored
Files boolDelete - Whether to monitor file delete operations.
- Monitored
Files boolModify - Whether to monitor file modify operations.
- Monitored
Files []stringProcesses - List of processes associated with monitored files.
- Monitored
Files boolRead - Whether to monitor file read operations.
- Monitored
Files []stringUsers - List of users associated with monitored files.
- enabled Boolean
- If true, file integrity monitoring is enabled.
- exceptional
Monitored List<String>Files - List of paths to be excluded from monitoring.
- exceptional
Monitored List<String>Files Processes - List of processes to be excluded from monitoring.
- exceptional
Monitored List<String>Files Users - List of users to be excluded from monitoring.
- monitored
Files List<String> - List of paths to be monitored.
- monitored
Files BooleanAttributes - Whether to monitor file attribute operations.
- monitored
Files BooleanCreate - Whether to monitor file create operations.
- monitored
Files BooleanDelete - Whether to monitor file delete operations.
- monitored
Files BooleanModify - Whether to monitor file modify operations.
- monitored
Files List<String>Processes - List of processes associated with monitored files.
- monitored
Files BooleanRead - Whether to monitor file read operations.
- monitored
Files List<String>Users - List of users associated with monitored files.
- enabled boolean
- If true, file integrity monitoring is enabled.
- exceptional
Monitored string[]Files - List of paths to be excluded from monitoring.
- exceptional
Monitored string[]Files Processes - List of processes to be excluded from monitoring.
- exceptional
Monitored string[]Files Users - List of users to be excluded from monitoring.
- monitored
Files string[] - List of paths to be monitored.
- monitored
Files booleanAttributes - Whether to monitor file attribute operations.
- monitored
Files booleanCreate - Whether to monitor file create operations.
- monitored
Files booleanDelete - Whether to monitor file delete operations.
- monitored
Files booleanModify - Whether to monitor file modify operations.
- monitored
Files string[]Processes - List of processes associated with monitored files.
- monitored
Files booleanRead - Whether to monitor file read operations.
- monitored
Files string[]Users - List of users associated with monitored files.
- enabled bool
- If true, file integrity monitoring is enabled.
- exceptional_
monitored_ Sequence[str]files - List of paths to be excluded from monitoring.
- exceptional_
monitored_ Sequence[str]files_ processes - List of processes to be excluded from monitoring.
- exceptional_
monitored_ Sequence[str]files_ users - List of users to be excluded from monitoring.
- monitored_
files Sequence[str] - List of paths to be monitored.
- monitored_
files_ boolattributes - Whether to monitor file attribute operations.
- monitored_
files_ boolcreate - Whether to monitor file create operations.
- monitored_
files_ booldelete - Whether to monitor file delete operations.
- monitored_
files_ boolmodify - Whether to monitor file modify operations.
- monitored_
files_ Sequence[str]processes - List of processes associated with monitored files.
- monitored_
files_ boolread - Whether to monitor file read operations.
- monitored_
files_ Sequence[str]users - List of users associated with monitored files.
- enabled Boolean
- If true, file integrity monitoring is enabled.
- exceptional
Monitored List<String>Files - List of paths to be excluded from monitoring.
- exceptional
Monitored List<String>Files Processes - List of processes to be excluded from monitoring.
- exceptional
Monitored List<String>Files Users - List of users to be excluded from monitoring.
- monitored
Files List<String> - List of paths to be monitored.
- monitored
Files BooleanAttributes - Whether to monitor file attribute operations.
- monitored
Files BooleanCreate - Whether to monitor file create operations.
- monitored
Files BooleanDelete - Whether to monitor file delete operations.
- monitored
Files BooleanModify - Whether to monitor file modify operations.
- monitored
Files List<String>Processes - List of processes associated with monitored files.
- monitored
Files BooleanRead - Whether to monitor file read operations.
- monitored
Files List<String>Users - List of users associated with monitored files.
GetContainerRuntimePolicyLimitContainerPrivilege
- Block
Add boolCapabilities - Whether to block adding capabilities.
- Enabled bool
- Whether container privilege limitations are enabled.
- Ipcmode bool
- Whether to limit IPC-related capabilities.
- Netmode bool
- Whether to limit network-related capabilities.
- Pidmode bool
- Whether to limit process-related capabilities.
- Prevent
Low boolPort Binding - Whether to prevent low port binding.
- Prevent
Root boolUser - Whether to prevent the use of the root user.
- Privileged bool
- Whether the container is run in privileged mode.
- Use
Host boolUser - Whether to use the host user.
- Usermode bool
- Whether to limit user-related capabilities.
- Utsmode bool
- Whether to limit UTS-related capabilities.
- Block
Add boolCapabilities - Whether to block adding capabilities.
- Enabled bool
- Whether container privilege limitations are enabled.
- Ipcmode bool
- Whether to limit IPC-related capabilities.
- Netmode bool
- Whether to limit network-related capabilities.
- Pidmode bool
- Whether to limit process-related capabilities.
- Prevent
Low boolPort Binding - Whether to prevent low port binding.
- Prevent
Root boolUser - Whether to prevent the use of the root user.
- Privileged bool
- Whether the container is run in privileged mode.
- Use
Host boolUser - Whether to use the host user.
- Usermode bool
- Whether to limit user-related capabilities.
- Utsmode bool
- Whether to limit UTS-related capabilities.
- block
Add BooleanCapabilities - Whether to block adding capabilities.
- enabled Boolean
- Whether container privilege limitations are enabled.
- ipcmode Boolean
- Whether to limit IPC-related capabilities.
- netmode Boolean
- Whether to limit network-related capabilities.
- pidmode Boolean
- Whether to limit process-related capabilities.
- prevent
Low BooleanPort Binding - Whether to prevent low port binding.
- prevent
Root BooleanUser - Whether to prevent the use of the root user.
- privileged Boolean
- Whether the container is run in privileged mode.
- use
Host BooleanUser - Whether to use the host user.
- usermode Boolean
- Whether to limit user-related capabilities.
- utsmode Boolean
- Whether to limit UTS-related capabilities.
- block
Add booleanCapabilities - Whether to block adding capabilities.
- enabled boolean
- Whether container privilege limitations are enabled.
- ipcmode boolean
- Whether to limit IPC-related capabilities.
- netmode boolean
- Whether to limit network-related capabilities.
- pidmode boolean
- Whether to limit process-related capabilities.
- prevent
Low booleanPort Binding - Whether to prevent low port binding.
- prevent
Root booleanUser - Whether to prevent the use of the root user.
- privileged boolean
- Whether the container is run in privileged mode.
- use
Host booleanUser - Whether to use the host user.
- usermode boolean
- Whether to limit user-related capabilities.
- utsmode boolean
- Whether to limit UTS-related capabilities.
- block_
add_ boolcapabilities - Whether to block adding capabilities.
- enabled bool
- Whether container privilege limitations are enabled.
- ipcmode bool
- Whether to limit IPC-related capabilities.
- netmode bool
- Whether to limit network-related capabilities.
- pidmode bool
- Whether to limit process-related capabilities.
- prevent_
low_ boolport_ binding - Whether to prevent low port binding.
- prevent_
root_ booluser - Whether to prevent the use of the root user.
- privileged bool
- Whether the container is run in privileged mode.
- use_
host_ booluser - Whether to use the host user.
- usermode bool
- Whether to limit user-related capabilities.
- utsmode bool
- Whether to limit UTS-related capabilities.
- blockAddCapabilities Boolean
- Whether to block adding capabilities.
- enabled Boolean
- Whether container privilege limitations are enabled.
- ipcmode Boolean
- Whether to limit IPC-related capabilities.
- netmode Boolean
- Whether to limit network-related capabilities.
- pidmode Boolean
- Whether to limit process-related capabilities.
- preventLowPortBinding Boolean
- Whether to prevent low port binding.
- preventRootUser Boolean
- Whether to prevent the use of the root user.
- privileged Boolean
- Whether the container is run in privileged mode.
- useHostUser Boolean
- Whether to use the host user.
- usermode Boolean
- Whether to limit user-related capabilities.
- utsmode Boolean
- Whether to limit UTS-related capabilities.
GetContainerRuntimePolicyMalwareScanOption
- Action string
- Set the action; defaults to 'Alert' when empty.
- Enabled bool
- Defines whether the option is enabled.
- ExcludeDirectories List<string>
- List of registry paths to be excluded from being protected.
- ExcludeProcesses List<string>
- List of registry processes to be excluded from being protected.
- IncludeDirectories List<string>
- List of registry paths to be excluded from being protected.
- Action string
- Set the action; defaults to 'Alert' when empty.
- Enabled bool
- Defines whether the option is enabled.
- ExcludeDirectories []string
- List of registry paths to be excluded from being protected.
- ExcludeProcesses []string
- List of registry processes to be excluded from being protected.
- IncludeDirectories []string
- List of registry paths to be excluded from being protected.
- action String
- Set the action; defaults to 'Alert' when empty.
- enabled Boolean
- Defines whether the option is enabled.
- excludeDirectories List<String>
- List of registry paths to be excluded from being protected.
- excludeProcesses List<String>
- List of registry processes to be excluded from being protected.
- includeDirectories List<String>
- List of registry paths to be excluded from being protected.
- action string
- Set the action; defaults to 'Alert' when empty.
- enabled boolean
- Defines whether the option is enabled.
- excludeDirectories string[]
- List of registry paths to be excluded from being protected.
- excludeProcesses string[]
- List of registry processes to be excluded from being protected.
- includeDirectories string[]
- List of registry paths to be excluded from being protected.
- action str
- Set the action; defaults to 'Alert' when empty.
- enabled bool
- Defines whether the option is enabled.
- exclude_directories Sequence[str]
- List of registry paths to be excluded from being protected.
- exclude_processes Sequence[str]
- List of registry processes to be excluded from being protected.
- include_directories Sequence[str]
- List of registry paths to be excluded from being protected.
- action String
- Set the action; defaults to 'Alert' when empty.
- enabled Boolean
- Defines whether the option is enabled.
- excludeDirectories List<String>
- List of registry paths to be excluded from being protected.
- excludeProcesses List<String>
- List of registry processes to be excluded from being protected.
- includeDirectories List<String>
- List of registry paths to be excluded from being protected.
GetContainerRuntimePolicyPortBlock
- BlockInboundPorts List<string>
- BlockOutboundPorts List<string>
- Enabled bool
- BlockInboundPorts []string
- BlockOutboundPorts []string
- Enabled bool
- blockInboundPorts List<String>
- blockOutboundPorts List<String>
- enabled Boolean
- blockInboundPorts string[]
- blockOutboundPorts string[]
- enabled boolean
- block_inbound_ports Sequence[str]
- block_outbound_ports Sequence[str]
- enabled bool
- blockInboundPorts List<String>
- blockOutboundPorts List<String>
- enabled Boolean
GetContainerRuntimePolicyReadonlyFiles
- Enabled bool
- ExceptionalReadonlyFiles List<string>
- ExceptionalReadonlyFilesProcesses List<string>
- ExceptionalReadonlyFilesUsers List<string>
- ReadonlyFiles List<string>
- ReadonlyFilesProcesses List<string>
- ReadonlyFilesUsers List<string>
- Enabled bool
- ExceptionalReadonlyFiles []string
- ExceptionalReadonlyFilesProcesses []string
- ExceptionalReadonlyFilesUsers []string
- ReadonlyFiles []string
- ReadonlyFilesProcesses []string
- ReadonlyFilesUsers []string
- enabled Boolean
- exceptionalReadonlyFiles List<String>
- exceptionalReadonlyFilesProcesses List<String>
- exceptionalReadonlyFilesUsers List<String>
- readonlyFiles List<String>
- readonlyFilesProcesses List<String>
- readonlyFilesUsers List<String>
- enabled boolean
- exceptionalReadonlyFiles string[]
- exceptionalReadonlyFilesProcesses string[]
- exceptionalReadonlyFilesUsers string[]
- readonlyFiles string[]
- readonlyFilesProcesses string[]
- readonlyFilesUsers string[]
- enabled bool
- exceptional_readonly_files Sequence[str]
- exceptional_readonly_files_processes Sequence[str]
- exceptional_readonly_files_users Sequence[str]
- readonly_files Sequence[str]
- readonly_files_processes Sequence[str]
- readonly_files_users Sequence[str]
- enabled Boolean
- exceptionalReadonlyFiles List<String>
- exceptionalReadonlyFilesProcesses List<String>
- exceptionalReadonlyFilesUsers List<String>
- readonlyFiles List<String>
- readonlyFilesProcesses List<String>
- readonlyFilesUsers List<String>
GetContainerRuntimePolicyRestrictedVolume
GetContainerRuntimePolicyScopeVariable
Package Details
- Repository
- aquasec pulumiverse/pulumi-aquasec
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aquasec Terraform Provider.