Aquasec v0.8.29 published on Monday, Jul 22, 2024 by Pulumiverse

aquasec.KubernetesAssurancePolicy


    Kubernetes Assurance is responsible for checking the security of workload configurations at the pod level, with respect to your organization’s security requirements.
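The constructor examples further down use placeholder values throughout. As an added example, not taken from this page or from the Pulumiverse provider, the following Pulumi YAML program (the page's own `type: aquasec:KubernetesAssurancePolicy` form) declares two policies with realistic settings: an enforcing policy for a production namespace that audits, blocks and fails CI/CD for non-compliant pods, and an audit-only policy for staging that reports the same violations without blocking. Property names are the camelCase names shown in the constructor example. The values `kubernetes` for `assuranceType`, `Global` for `applicationScopes`, `high` for `cvssSeverity` and the `v1` / `kubernetes.namespace` scope expression are assumed from Aqua platform conventions and are not stated on this page; the registry name and the label keys and values are constructed sample data.

```yaml
# Added example, not from the Pulumiverse provider docs: a Pulumi YAML program that
# declares two aquasec:KubernetesAssurancePolicy resources with realistic settings.
# Property names are the camelCase names from the constructor example; values marked
# "assumed" follow Aqua platform conventions not stated on this page, and values
# marked "constructed" are sample data.
name: aqua-k8s-assurance
runtime: yaml
description: Pod-level assurance policies for production (enforce) and staging (audit)

resources:
  # Enforcing policy: a non-compliant pod is audited, blocked and fails the CI/CD gate.
  prodPodHardening:
    type: aquasec:KubernetesAssurancePolicy
    properties:
      name: prod-pod-hardening
      description: Block non-compliant workloads in the prod namespace
      assuranceType: kubernetes        # assumed: type identifier for Kubernetes assurance
      enabled: true
      applicationScopes:
        - Global                       # assumed: name of the default application scope
      scopes:
        - expression: v1               # assumed: Aqua scope syntax, v1 is the first variable
          variables:
            - attribute: kubernetes.namespace
              value: prod
      # Workload configuration checks
      onlyNoneRootUsers: true          # containers may not run as root
      kubeCisEnabled: true             # apply the Kubernetes CIS benchmark controls
      enforceExcessivePermissions: true
      requiredLabelsEnabled: true
      requiredLabels:
        - key: team                    # constructed: every workload must name its owning team
          value: platform
      forbiddenLabelsEnabled: true
      forbiddenLabels:
        - key: debug                   # constructed: debug-flagged workloads are not allowed in prod
          value: "true"
      # Image content checks for the pod's containers
      trustedBaseImagesEnabled: true
      trustedBaseImages:
        - registry: Docker Hub         # constructed: name of the registry integration in Aqua
          imagename: library/alpine:3.20
      cvssSeverityEnabled: true
      cvssSeverity: high               # assumed: severity identifier, fail on high or above
      cvssSeverityExcludeNoFix: true   # findings without an available fix do not fail the pod
      disallowMalware: true
      # Actions taken when a workload fails the checks
      auditOnFailure: true
      blockFailed: true
      failCicd: true
      enforce: true
      policySettings:
        enforce: true
        warn: true
        isAuditChecked: true
        warningMessage: "Workload violates prod-pod-hardening, see the Aqua audit log"

  # Audit-only policy: the same checks, but a violation is only logged and warned about.
  # This is the usual first step before blockFailed and enforce are switched on.
  stagingPodAudit:
    type: aquasec:KubernetesAssurancePolicy
    properties:
      name: staging-pod-audit
      description: Report non-compliant workloads in staging without blocking them
      assuranceType: kubernetes        # assumed, as above
      enabled: true
      applicationScopes:
        - Global
      scopes:
        - expression: v1
          variables:
            - attribute: kubernetes.namespace
              value: staging
      onlyNoneRootUsers: true
      kubeCisEnabled: true
      cvssSeverityEnabled: true
      cvssSeverity: high
      auditOnFailure: true
      blockFailed: false               # weak setting: a non-compliant pod is still admitted
      failCicd: false
      enforce: false
      policySettings:
        enforce: false
        warn: true
        isAuditChecked: true
        warningMessage: "Workload violates staging-pod-audit (audit only)"

outputs:
  prodPolicyId: ${prodPodHardening.id}
  stagingPolicyId: ${stagingPodAudit.id}
```

Run it with `pulumi up` in a stack whose `aquasec` provider is configured; the outputs expose the created policy IDs. Two points worth checking before copying the settings: `enforce` appears both as a top-level property and inside `policySettings` on this page, so keep the two consistent, and `cvssSeverityExcludeNoFix: true` keeps the gate actionable by not failing on findings that have no fix yet, but those findings then reach the cluster, so pair it with `auditOnFailure: true` so they still appear in the audit record.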

    Create KubernetesAssurancePolicy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    TypeScript
    new KubernetesAssurancePolicy(name: string, args: KubernetesAssurancePolicyArgs, opts?: CustomResourceOptions);
    Python
    @overload
    def KubernetesAssurancePolicy(resource_name: str,
                                  args: KubernetesAssurancePolicyArgs,
                                  opts: Optional[ResourceOptions] = None)
    
    @overload
    def KubernetesAssurancePolicy(resource_name: str,
                                  opts: Optional[ResourceOptions] = None,
                                  application_scopes: Optional[Sequence[str]] = None,
                                  aggregated_vulnerability: Optional[Mapping[str, str]] = None,
                                  allowed_images: Optional[Sequence[str]] = None,
                                  assurance_type: Optional[str] = None,
                                  audit_on_failure: Optional[bool] = None,
                                  author: Optional[str] = None,
                                  auto_scan_configured: Optional[bool] = None,
                                  auto_scan_enabled: Optional[bool] = None,
                                  auto_scan_times: Optional[Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]] = None,
                                  blacklist_permissions: Optional[Sequence[str]] = None,
                                  blacklist_permissions_enabled: Optional[bool] = None,
                                  blacklisted_licenses: Optional[Sequence[str]] = None,
                                  blacklisted_licenses_enabled: Optional[bool] = None,
                                  block_failed: Optional[bool] = None,
                                  control_exclude_no_fix: Optional[bool] = None,
                                  custom_checks: Optional[Sequence[KubernetesAssurancePolicyCustomCheckArgs]] = None,
                                  custom_checks_enabled: Optional[bool] = None,
                                  custom_severity: Optional[str] = None,
                                  custom_severity_enabled: Optional[bool] = None,
                                  cves_black_list_enabled: Optional[bool] = None,
                                  cves_black_lists: Optional[Sequence[str]] = None,
                                  cves_white_list_enabled: Optional[bool] = None,
                                  cves_white_lists: Optional[Sequence[str]] = None,
                                  cvss_severity: Optional[str] = None,
                                  cvss_severity_enabled: Optional[bool] = None,
                                  cvss_severity_exclude_no_fix: Optional[bool] = None,
                                  description: Optional[str] = None,
                                  disallow_exploit_types: Optional[Sequence[str]] = None,
                                  disallow_malware: Optional[bool] = None,
                                  docker_cis_enabled: Optional[bool] = None,
                                  domain: Optional[str] = None,
                                  domain_name: Optional[str] = None,
                                  dta_enabled: Optional[bool] = None,
                                  dta_severity: Optional[str] = None,
                                  enabled: Optional[bool] = None,
                                  enforce: Optional[bool] = None,
                                  enforce_after_days: Optional[int] = None,
                                  enforce_excessive_permissions: Optional[bool] = None,
                                  exceptional_monitored_malware_paths: Optional[Sequence[str]] = None,
                                  exclude_application_scopes: Optional[Sequence[str]] = None,
                                  fail_cicd: Optional[bool] = None,
                                  forbidden_labels: Optional[Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]] = None,
                                  forbidden_labels_enabled: Optional[bool] = None,
                                  force_microenforcer: Optional[bool] = None,
                                  function_integrity_enabled: Optional[bool] = None,
                                  ignore_base_image_vln: Optional[bool] = None,
                                  ignore_recently_published_vln: Optional[bool] = None,
                                  ignore_recently_published_vln_period: Optional[int] = None,
                                  ignore_risk_resources_enabled: Optional[bool] = None,
                                  ignored_risk_resources: Optional[Sequence[str]] = None,
                                  ignored_sensitive_resources: Optional[Sequence[str]] = None,
                                  images: Optional[Sequence[str]] = None,
                                  kube_cis_enabled: Optional[bool] = None,
                                  kubernetes_controls: Optional[Sequence[KubernetesAssurancePolicyKubernetesControlArgs]] = None,
                                  kubernetes_controls_avd_ids: Optional[Sequence[str]] = None,
                                  kubernetes_controls_names: Optional[Sequence[str]] = None,
                                  labels: Optional[Sequence[str]] = None,
                                  lastupdate: Optional[str] = None,
                                  linux_cis_enabled: Optional[bool] = None,
                                  malware_action: Optional[str] = None,
                                  maximum_score: Optional[float] = None,
                                  maximum_score_enabled: Optional[bool] = None,
                                  maximum_score_exclude_no_fix: Optional[bool] = None,
                                  monitored_malware_paths: Optional[Sequence[str]] = None,
                                  name: Optional[str] = None,
                                  only_none_root_users: Optional[bool] = None,
                                  openshift_hardening_enabled: Optional[bool] = None,
                                  packages_black_list_enabled: Optional[bool] = None,
                                  packages_black_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]] = None,
                                  packages_white_list_enabled: Optional[bool] = None,
                                  packages_white_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]] = None,
                                  partial_results_image_fail: Optional[bool] = None,
                                  permission: Optional[str] = None,
                                  policy_settings: Optional[KubernetesAssurancePolicyPolicySettingsArgs] = None,
                                  read_only: Optional[bool] = None,
                                  registries: Optional[Sequence[str]] = None,
                                  registry: Optional[str] = None,
                                  required_labels: Optional[Sequence[KubernetesAssurancePolicyRequiredLabelArgs]] = None,
                                  required_labels_enabled: Optional[bool] = None,
                                  scan_malware_in_archives: Optional[bool] = None,
                                  scan_nfs_mounts: Optional[bool] = None,
                                  scan_process_memory: Optional[bool] = None,
                                  scan_sensitive_data: Optional[bool] = None,
                                  scan_windows_registry: Optional[bool] = None,
                                  scap_enabled: Optional[bool] = None,
                                  scap_files: Optional[Sequence[str]] = None,
                                  scopes: Optional[Sequence[KubernetesAssurancePolicyScopeArgs]] = None,
                                  trusted_base_images: Optional[Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]] = None,
                                  trusted_base_images_enabled: Optional[bool] = None,
                                  vulnerability_exploitability: Optional[bool] = None,
                                  vulnerability_score_ranges: Optional[Sequence[int]] = None,
                                  whitelisted_licenses: Optional[Sequence[str]] = None,
                                  whitelisted_licenses_enabled: Optional[bool] = None)
    Go
    func NewKubernetesAssurancePolicy(ctx *Context, name string, args KubernetesAssurancePolicyArgs, opts ...ResourceOption) (*KubernetesAssurancePolicy, error)
    C#
    public KubernetesAssurancePolicy(string name, KubernetesAssurancePolicyArgs args, CustomResourceOptions? opts = null)
    Java
    public KubernetesAssurancePolicy(String name, KubernetesAssurancePolicyArgs args)
    public KubernetesAssurancePolicy(String name, KubernetesAssurancePolicyArgs args, CustomResourceOptions options)
    
    YAML
    type: aquasec:KubernetesAssurancePolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    TypeScript
    name string
    The unique name of the resource.
    args KubernetesAssurancePolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.

    Python
    resource_name str
    The unique name of the resource.
    args KubernetesAssurancePolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.

    Go
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args KubernetesAssurancePolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.

    C#
    name string
    The unique name of the resource.
    args KubernetesAssurancePolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.

    Java
    name String
    The unique name of the resource.
    args KubernetesAssurancePolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var kubernetesAssurancePolicyResource = new Aquasec.KubernetesAssurancePolicy("kubernetesAssurancePolicyResource", new()
    {
        ApplicationScopes = new[]
        {
            "string",
        },
        AggregatedVulnerability = 
        {
            { "string", "string" },
        },
        AllowedImages = new[]
        {
            "string",
        },
        AssuranceType = "string",
        AuditOnFailure = false,
        Author = "string",
        AutoScanConfigured = false,
        AutoScanEnabled = false,
        AutoScanTimes = new[]
        {
            new Aquasec.Inputs.KubernetesAssurancePolicyAutoScanTimeArgs
            {
                Iteration = 0,
                IterationType = "string",
                Time = "string",
                WeekDays = new[]
                {
                    "string",
                },
            },
        },
        BlacklistPermissions = new[]
        {
            "string",
        },
        BlacklistPermissionsEnabled = false,
        BlacklistedLicenses = new[]
        {
            "string",
        },
        BlacklistedLicensesEnabled = false,
        BlockFailed = false,
        ControlExcludeNoFix = false,
        CustomChecks = new[]
        {
            new Aquasec.Inputs.KubernetesAssurancePolicyCustomCheckArgs
            {
                Author = "string",
                Description = "string",
                Engine = "string",
                LastModified = 0,
                Name = "string",
                Path = "string",
                ReadOnly = false,
                ScriptId = "string",
                Severity = "string",
                Snippet = "string",
            },
        },
        CustomChecksEnabled = false,
        CustomSeverity = "string",
        CustomSeverityEnabled = false,
        CvesBlackListEnabled = false,
        CvesBlackLists = new[]
        {
            "string",
        },
        CvesWhiteListEnabled = false,
        CvesWhiteLists = new[]
        {
            "string",
        },
        CvssSeverity = "string",
        CvssSeverityEnabled = false,
        CvssSeverityExcludeNoFix = false,
        Description = "string",
        DisallowExploitTypes = new[]
        {
            "string",
        },
        DisallowMalware = false,
        DockerCisEnabled = false,
        Domain = "string",
        DomainName = "string",
        DtaEnabled = false,
        DtaSeverity = "string",
        Enabled = false,
        Enforce = false,
        EnforceAfterDays = 0,
        EnforceExcessivePermissions = false,
        ExceptionalMonitoredMalwarePaths = new[]
        {
            "string",
        },
        ExcludeApplicationScopes = new[]
        {
            "string",
        },
        FailCicd = false,
        ForbiddenLabels = new[]
        {
            new Aquasec.Inputs.KubernetesAssurancePolicyForbiddenLabelArgs
            {
                Key = "string",
                Value = "string",
            },
        },
        ForbiddenLabelsEnabled = false,
        ForceMicroenforcer = false,
        FunctionIntegrityEnabled = false,
        IgnoreBaseImageVln = false,
        IgnoreRecentlyPublishedVln = false,
        IgnoreRecentlyPublishedVlnPeriod = 0,
        IgnoreRiskResourcesEnabled = false,
        IgnoredRiskResources = new[]
        {
            "string",
        },
        IgnoredSensitiveResources = new[]
        {
            "string",
        },
        Images = new[]
        {
            "string",
        },
        KubeCisEnabled = false,
        KubernetesControls = new[]
        {
            new Aquasec.Inputs.KubernetesAssurancePolicyKubernetesControlArgs
            {
                AvdId = "string",
                Description = "string",
                Enabled = false,
                Kind = "string",
                Name = "string",
                Ootb = false,
                ScriptId = 0,
                Severity = "string",
            },
        },
        KubernetesControlsAvdIds = new[]
        {
            "string",
        },
        KubernetesControlsNames = new[]
        {
            "string",
        },
        Labels = new[]
        {
            "string",
        },
        Lastupdate = "string",
        LinuxCisEnabled = false,
        MalwareAction = "string",
        MaximumScore = 0,
        MaximumScoreEnabled = false,
        MaximumScoreExcludeNoFix = false,
        MonitoredMalwarePaths = new[]
        {
            "string",
        },
        Name = "string",
        OnlyNoneRootUsers = false,
        OpenshiftHardeningEnabled = false,
        PackagesBlackListEnabled = false,
        PackagesBlackLists = new[]
        {
            new Aquasec.Inputs.KubernetesAssurancePolicyPackagesBlackListArgs
            {
                Arch = "string",
                Display = "string",
                Epoch = "string",
                Format = "string",
                License = "string",
                Name = "string",
                Release = "string",
                Version = "string",
                VersionRange = "string",
            },
        },
        PackagesWhiteListEnabled = false,
        PackagesWhiteLists = new[]
        {
            new Aquasec.Inputs.KubernetesAssurancePolicyPackagesWhiteListArgs
            {
                Arch = "string",
                Display = "string",
                Epoch = "string",
                Format = "string",
                License = "string",
                Name = "string",
                Release = "string",
                Version = "string",
                VersionRange = "string",
            },
        },
        PartialResultsImageFail = false,
        Permission = "string",
        PolicySettings = new Aquasec.Inputs.KubernetesAssurancePolicyPolicySettingsArgs
        {
            Enforce = false,
            IsAuditChecked = false,
            Warn = false,
            WarningMessage = "string",
        },
        ReadOnly = false,
        Registries = new[]
        {
            "string",
        },
        Registry = "string",
        RequiredLabels = new[]
        {
            new Aquasec.Inputs.KubernetesAssurancePolicyRequiredLabelArgs
            {
                Key = "string",
                Value = "string",
            },
        },
        RequiredLabelsEnabled = false,
        ScanMalwareInArchives = false,
        ScanNfsMounts = false,
        ScanProcessMemory = false,
        ScanSensitiveData = false,
        ScanWindowsRegistry = false,
        ScapEnabled = false,
        ScapFiles = new[]
        {
            "string",
        },
        Scopes = new[]
        {
            new Aquasec.Inputs.KubernetesAssurancePolicyScopeArgs
            {
                Expression = "string",
                Variables = new[]
                {
                    new Aquasec.Inputs.KubernetesAssurancePolicyScopeVariableArgs
                    {
                        Attribute = "string",
                        Name = "string",
                        Value = "string",
                    },
                },
            },
        },
        TrustedBaseImages = new[]
        {
            new Aquasec.Inputs.KubernetesAssurancePolicyTrustedBaseImageArgs
            {
                Imagename = "string",
                Registry = "string",
            },
        },
        TrustedBaseImagesEnabled = false,
        VulnerabilityExploitability = false,
        VulnerabilityScoreRanges = new[]
        {
            0,
        },
        WhitelistedLicenses = new[]
        {
            "string",
        },
        WhitelistedLicensesEnabled = false,
    });
    
    example, err := aquasec.NewKubernetesAssurancePolicy(ctx, "kubernetesAssurancePolicyResource", &aquasec.KubernetesAssurancePolicyArgs{
    	ApplicationScopes: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AggregatedVulnerability: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    	AllowedImages: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	AssuranceType:      pulumi.String("string"),
    	AuditOnFailure:     pulumi.Bool(false),
    	Author:             pulumi.String("string"),
    	AutoScanConfigured: pulumi.Bool(false),
    	AutoScanEnabled:    pulumi.Bool(false),
    	AutoScanTimes: aquasec.KubernetesAssurancePolicyAutoScanTimeArray{
    		&aquasec.KubernetesAssurancePolicyAutoScanTimeArgs{
    			Iteration:     pulumi.Int(0),
    			IterationType: pulumi.String("string"),
    			Time:          pulumi.String("string"),
    			WeekDays: pulumi.StringArray{
    				pulumi.String("string"),
    			},
    		},
    	},
    	BlacklistPermissions: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	BlacklistPermissionsEnabled: pulumi.Bool(false),
    	BlacklistedLicenses: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	BlacklistedLicensesEnabled: pulumi.Bool(false),
    	BlockFailed:                pulumi.Bool(false),
    	ControlExcludeNoFix:        pulumi.Bool(false),
    	CustomChecks: aquasec.KubernetesAssurancePolicyCustomCheckArray{
    		&aquasec.KubernetesAssurancePolicyCustomCheckArgs{
    			Author:       pulumi.String("string"),
    			Description:  pulumi.String("string"),
    			Engine:       pulumi.String("string"),
    			LastModified: pulumi.Int(0),
    			Name:         pulumi.String("string"),
    			Path:         pulumi.String("string"),
    			ReadOnly:     pulumi.Bool(false),
    			ScriptId:     pulumi.String("string"),
    			Severity:     pulumi.String("string"),
    			Snippet:      pulumi.String("string"),
    		},
    	},
    	CustomChecksEnabled:   pulumi.Bool(false),
    	CustomSeverity:        pulumi.String("string"),
    	CustomSeverityEnabled: pulumi.Bool(false),
    	CvesBlackListEnabled:  pulumi.Bool(false),
    	CvesBlackLists: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	CvesWhiteListEnabled: pulumi.Bool(false),
    	CvesWhiteLists: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	CvssSeverity:             pulumi.String("string"),
    	CvssSeverityEnabled:      pulumi.Bool(false),
    	CvssSeverityExcludeNoFix: pulumi.Bool(false),
    	Description:              pulumi.String("string"),
    	DisallowExploitTypes: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	DisallowMalware:             pulumi.Bool(false),
    	DockerCisEnabled:            pulumi.Bool(false),
    	Domain:                      pulumi.String("string"),
    	DomainName:                  pulumi.String("string"),
    	DtaEnabled:                  pulumi.Bool(false),
    	DtaSeverity:                 pulumi.String("string"),
    	Enabled:                     pulumi.Bool(false),
    	Enforce:                     pulumi.Bool(false),
    	EnforceAfterDays:            pulumi.Int(0),
    	EnforceExcessivePermissions: pulumi.Bool(false),
    	ExceptionalMonitoredMalwarePaths: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	ExcludeApplicationScopes: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	FailCicd: pulumi.Bool(false),
    	ForbiddenLabels: aquasec.KubernetesAssurancePolicyForbiddenLabelArray{
    		&aquasec.KubernetesAssurancePolicyForbiddenLabelArgs{
    			Key:   pulumi.String("string"),
    			Value: pulumi.String("string"),
    		},
    	},
    	ForbiddenLabelsEnabled:           pulumi.Bool(false),
    	ForceMicroenforcer:               pulumi.Bool(false),
    	FunctionIntegrityEnabled:         pulumi.Bool(false),
    	IgnoreBaseImageVln:               pulumi.Bool(false),
    	IgnoreRecentlyPublishedVln:       pulumi.Bool(false),
    	IgnoreRecentlyPublishedVlnPeriod: pulumi.Int(0),
    	IgnoreRiskResourcesEnabled:       pulumi.Bool(false),
    	IgnoredRiskResources: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	IgnoredSensitiveResources: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Images: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	KubeCisEnabled: pulumi.Bool(false),
    	KubernetesControls: aquasec.KubernetesAssurancePolicyKubernetesControlArray{
    		&aquasec.KubernetesAssurancePolicyKubernetesControlArgs{
    			AvdId:       pulumi.String("string"),
    			Description: pulumi.String("string"),
    			Enabled:     pulumi.Bool(false),
    			Kind:        pulumi.String("string"),
    			Name:        pulumi.String("string"),
    			Ootb:        pulumi.Bool(false),
    			ScriptId:    pulumi.Int(0),
    			Severity:    pulumi.String("string"),
    		},
    	},
    	KubernetesControlsAvdIds: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	KubernetesControlsNames: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Labels: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Lastupdate:               pulumi.String("string"),
    	LinuxCisEnabled:          pulumi.Bool(false),
    	MalwareAction:            pulumi.String("string"),
    	MaximumScore:             pulumi.Float64(0),
    	MaximumScoreEnabled:      pulumi.Bool(false),
    	MaximumScoreExcludeNoFix: pulumi.Bool(false),
    	MonitoredMalwarePaths: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Name:                      pulumi.String("string"),
    	OnlyNoneRootUsers:         pulumi.Bool(false),
    	OpenshiftHardeningEnabled: pulumi.Bool(false),
    	PackagesBlackListEnabled:  pulumi.Bool(false),
    	PackagesBlackLists: aquasec.KubernetesAssurancePolicyPackagesBlackListArray{
    		&aquasec.KubernetesAssurancePolicyPackagesBlackListArgs{
    			Arch:         pulumi.String("string"),
    			Display:      pulumi.String("string"),
    			Epoch:        pulumi.String("string"),
    			Format:       pulumi.String("string"),
    			License:      pulumi.String("string"),
    			Name:         pulumi.String("string"),
    			Release:      pulumi.String("string"),
    			Version:      pulumi.String("string"),
    			VersionRange: pulumi.String("string"),
    		},
    	},
    	PackagesWhiteListEnabled: pulumi.Bool(false),
    	PackagesWhiteLists: aquasec.KubernetesAssurancePolicyPackagesWhiteListArray{
    		&aquasec.KubernetesAssurancePolicyPackagesWhiteListArgs{
    			Arch:         pulumi.String("string"),
    			Display:      pulumi.String("string"),
    			Epoch:        pulumi.String("string"),
    			Format:       pulumi.String("string"),
    			License:      pulumi.String("string"),
    			Name:         pulumi.String("string"),
    			Release:      pulumi.String("string"),
    			Version:      pulumi.String("string"),
    			VersionRange: pulumi.String("string"),
    		},
    	},
    	PartialResultsImageFail: pulumi.Bool(false),
    	Permission:              pulumi.String("string"),
    	PolicySettings: &aquasec.KubernetesAssurancePolicyPolicySettingsArgs{
    		Enforce:        pulumi.Bool(false),
    		IsAuditChecked: pulumi.Bool(false),
    		Warn:           pulumi.Bool(false),
    		WarningMessage: pulumi.String("string"),
    	},
    	ReadOnly: pulumi.Bool(false),
    	Registries: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Registry: pulumi.String("string"),
    	RequiredLabels: aquasec.KubernetesAssurancePolicyRequiredLabelArray{
    		&aquasec.KubernetesAssurancePolicyRequiredLabelArgs{
    			Key:   pulumi.String("string"),
    			Value: pulumi.String("string"),
    		},
    	},
    	RequiredLabelsEnabled: pulumi.Bool(false),
    	ScanMalwareInArchives: pulumi.Bool(false),
    	ScanNfsMounts:         pulumi.Bool(false),
    	ScanProcessMemory:     pulumi.Bool(false),
    	ScanSensitiveData:     pulumi.Bool(false),
    	ScanWindowsRegistry:   pulumi.Bool(false),
    	ScapEnabled:           pulumi.Bool(false),
    	ScapFiles: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	Scopes: aquasec.KubernetesAssurancePolicyScopeArray{
    		&aquasec.KubernetesAssurancePolicyScopeArgs{
    			Expression: pulumi.String("string"),
    			Variables: aquasec.KubernetesAssurancePolicyScopeVariableArray{
    				&aquasec.KubernetesAssurancePolicyScopeVariableArgs{
    					Attribute: pulumi.String("string"),
    					Name:      pulumi.String("string"),
    					Value:     pulumi.String("string"),
    				},
    			},
    		},
    	},
    	TrustedBaseImages: aquasec.KubernetesAssurancePolicyTrustedBaseImageArray{
    		&aquasec.KubernetesAssurancePolicyTrustedBaseImageArgs{
    			Imagename: pulumi.String("string"),
    			Registry:  pulumi.String("string"),
    		},
    	},
    	TrustedBaseImagesEnabled:    pulumi.Bool(false),
    	VulnerabilityExploitability: pulumi.Bool(false),
    	VulnerabilityScoreRanges: pulumi.IntArray{
    		pulumi.Int(0),
    	},
    	WhitelistedLicenses: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	WhitelistedLicensesEnabled: pulumi.Bool(false),
    })
    
    var kubernetesAssurancePolicyResource = new KubernetesAssurancePolicy("kubernetesAssurancePolicyResource", KubernetesAssurancePolicyArgs.builder()
        .applicationScopes("string")
        .aggregatedVulnerability(Map.of("string", "string"))
        .allowedImages("string")
        .assuranceType("string")
        .auditOnFailure(false)
        .author("string")
        .autoScanConfigured(false)
        .autoScanEnabled(false)
        .autoScanTimes(KubernetesAssurancePolicyAutoScanTimeArgs.builder()
            .iteration(0)
            .iterationType("string")
            .time("string")
            .weekDays("string")
            .build())
        .blacklistPermissions("string")
        .blacklistPermissionsEnabled(false)
        .blacklistedLicenses("string")
        .blacklistedLicensesEnabled(false)
        .blockFailed(false)
        .controlExcludeNoFix(false)
        .customChecks(KubernetesAssurancePolicyCustomCheckArgs.builder()
            .author("string")
            .description("string")
            .engine("string")
            .lastModified(0)
            .name("string")
            .path("string")
            .readOnly(false)
            .scriptId("string")
            .severity("string")
            .snippet("string")
            .build())
        .customChecksEnabled(false)
        .customSeverity("string")
        .customSeverityEnabled(false)
        .cvesBlackListEnabled(false)
        .cvesBlackLists("string")
        .cvesWhiteListEnabled(false)
        .cvesWhiteLists("string")
        .cvssSeverity("string")
        .cvssSeverityEnabled(false)
        .cvssSeverityExcludeNoFix(false)
        .description("string")
        .disallowExploitTypes("string")
        .disallowMalware(false)
        .dockerCisEnabled(false)
        .domain("string")
        .domainName("string")
        .dtaEnabled(false)
        .dtaSeverity("string")
        .enabled(false)
        .enforce(false)
        .enforceAfterDays(0)
        .enforceExcessivePermissions(false)
        .exceptionalMonitoredMalwarePaths("string")
        .excludeApplicationScopes("string")
        .failCicd(false)
        .forbiddenLabels(KubernetesAssurancePolicyForbiddenLabelArgs.builder()
            .key("string")
            .value("string")
            .build())
        .forbiddenLabelsEnabled(false)
        .forceMicroenforcer(false)
        .functionIntegrityEnabled(false)
        .ignoreBaseImageVln(false)
        .ignoreRecentlyPublishedVln(false)
        .ignoreRecentlyPublishedVlnPeriod(0)
        .ignoreRiskResourcesEnabled(false)
        .ignoredRiskResources("string")
        .ignoredSensitiveResources("string")
        .images("string")
        .kubeCisEnabled(false)
        .kubernetesControls(KubernetesAssurancePolicyKubernetesControlArgs.builder()
            .avdId("string")
            .description("string")
            .enabled(false)
            .kind("string")
            .name("string")
            .ootb(false)
            .scriptId(0)
            .severity("string")
            .build())
        .kubernetesControlsAvdIds("string")
        .kubernetesControlsNames("string")
        .labels("string")
        .lastupdate("string")
        .linuxCisEnabled(false)
        .malwareAction("string")
        .maximumScore(0)
        .maximumScoreEnabled(false)
        .maximumScoreExcludeNoFix(false)
        .monitoredMalwarePaths("string")
        .name("string")
        .onlyNoneRootUsers(false)
        .openshiftHardeningEnabled(false)
        .packagesBlackListEnabled(false)
        .packagesBlackLists(KubernetesAssurancePolicyPackagesBlackListArgs.builder()
            .arch("string")
            .display("string")
            .epoch("string")
            .format("string")
            .license("string")
            .name("string")
            .release("string")
            .version("string")
            .versionRange("string")
            .build())
        .packagesWhiteListEnabled(false)
        .packagesWhiteLists(KubernetesAssurancePolicyPackagesWhiteListArgs.builder()
            .arch("string")
            .display("string")
            .epoch("string")
            .format("string")
            .license("string")
            .name("string")
            .release("string")
            .version("string")
            .versionRange("string")
            .build())
        .partialResultsImageFail(false)
        .permission("string")
        .policySettings(KubernetesAssurancePolicyPolicySettingsArgs.builder()
            .enforce(false)
            .isAuditChecked(false)
            .warn(false)
            .warningMessage("string")
            .build())
        .readOnly(false)
        .registries("string")
        .registry("string")
        .requiredLabels(KubernetesAssurancePolicyRequiredLabelArgs.builder()
            .key("string")
            .value("string")
            .build())
        .requiredLabelsEnabled(false)
        .scanMalwareInArchives(false)
        .scanNfsMounts(false)
        .scanProcessMemory(false)
        .scanSensitiveData(false)
        .scanWindowsRegistry(false)
        .scapEnabled(false)
        .scapFiles("string")
        .scopes(KubernetesAssurancePolicyScopeArgs.builder()
            .expression("string")
            .variables(KubernetesAssurancePolicyScopeVariableArgs.builder()
                .attribute("string")
                .name("string")
                .value("string")
                .build())
            .build())
        .trustedBaseImages(KubernetesAssurancePolicyTrustedBaseImageArgs.builder()
            .imagename("string")
            .registry("string")
            .build())
        .trustedBaseImagesEnabled(false)
        .vulnerabilityExploitability(false)
        .vulnerabilityScoreRanges(0)
        .whitelistedLicenses("string")
        .whitelistedLicensesEnabled(false)
        .build());
    
    kubernetes_assurance_policy_resource = aquasec.KubernetesAssurancePolicy("kubernetesAssurancePolicyResource",
        application_scopes=["string"],
        aggregated_vulnerability={
            "string": "string",
        },
        allowed_images=["string"],
        assurance_type="string",
        audit_on_failure=False,
        author="string",
        auto_scan_configured=False,
        auto_scan_enabled=False,
        auto_scan_times=[{
            "iteration": 0,
            "iteration_type": "string",
            "time": "string",
            "week_days": ["string"],
        }],
        blacklist_permissions=["string"],
        blacklist_permissions_enabled=False,
        blacklisted_licenses=["string"],
        blacklisted_licenses_enabled=False,
        block_failed=False,
        control_exclude_no_fix=False,
        custom_checks=[{
            "author": "string",
            "description": "string",
            "engine": "string",
            "last_modified": 0,
            "name": "string",
            "path": "string",
            "read_only": False,
            "script_id": "string",
            "severity": "string",
            "snippet": "string",
        }],
        custom_checks_enabled=False,
        custom_severity="string",
        custom_severity_enabled=False,
        cves_black_list_enabled=False,
        cves_black_lists=["string"],
        cves_white_list_enabled=False,
        cves_white_lists=["string"],
        cvss_severity="string",
        cvss_severity_enabled=False,
        cvss_severity_exclude_no_fix=False,
        description="string",
        disallow_exploit_types=["string"],
        disallow_malware=False,
        docker_cis_enabled=False,
        domain="string",
        domain_name="string",
        dta_enabled=False,
        dta_severity="string",
        enabled=False,
        enforce=False,
        enforce_after_days=0,
        enforce_excessive_permissions=False,
        exceptional_monitored_malware_paths=["string"],
        exclude_application_scopes=["string"],
        fail_cicd=False,
        forbidden_labels=[{
            "key": "string",
            "value": "string",
        }],
        forbidden_labels_enabled=False,
        force_microenforcer=False,
        function_integrity_enabled=False,
        ignore_base_image_vln=False,
        ignore_recently_published_vln=False,
        ignore_recently_published_vln_period=0,
        ignore_risk_resources_enabled=False,
        ignored_risk_resources=["string"],
        ignored_sensitive_resources=["string"],
        images=["string"],
        kube_cis_enabled=False,
        kubernetes_controls=[{
            "avd_id": "string",
            "description": "string",
            "enabled": False,
            "kind": "string",
            "name": "string",
            "ootb": False,
            "script_id": 0,
            "severity": "string",
        }],
        kubernetes_controls_avd_ids=["string"],
        kubernetes_controls_names=["string"],
        labels=["string"],
        lastupdate="string",
        linux_cis_enabled=False,
        malware_action="string",
        maximum_score=0,
        maximum_score_enabled=False,
        maximum_score_exclude_no_fix=False,
        monitored_malware_paths=["string"],
        name="string",
        only_none_root_users=False,
        openshift_hardening_enabled=False,
        packages_black_list_enabled=False,
        packages_black_lists=[{
            "arch": "string",
            "display": "string",
            "epoch": "string",
            "format": "string",
            "license": "string",
            "name": "string",
            "release": "string",
            "version": "string",
            "version_range": "string",
        }],
        packages_white_list_enabled=False,
        packages_white_lists=[{
            "arch": "string",
            "display": "string",
            "epoch": "string",
            "format": "string",
            "license": "string",
            "name": "string",
            "release": "string",
            "version": "string",
            "version_range": "string",
        }],
        partial_results_image_fail=False,
        permission="string",
        policy_settings={
            "enforce": False,
            "is_audit_checked": False,
            "warn": False,
            "warning_message": "string",
        },
        read_only=False,
        registries=["string"],
        registry="string",
        required_labels=[{
            "key": "string",
            "value": "string",
        }],
        required_labels_enabled=False,
        scan_malware_in_archives=False,
        scan_nfs_mounts=False,
        scan_process_memory=False,
        scan_sensitive_data=False,
        scan_windows_registry=False,
        scap_enabled=False,
        scap_files=["string"],
        scopes=[{
            "expression": "string",
            "variables": [{
                "attribute": "string",
                "name": "string",
                "value": "string",
            }],
        }],
        trusted_base_images=[{
            "imagename": "string",
            "registry": "string",
        }],
        trusted_base_images_enabled=False,
        vulnerability_exploitability=False,
        vulnerability_score_ranges=[0],
        whitelisted_licenses=["string"],
        whitelisted_licenses_enabled=False)
    
    const kubernetesAssurancePolicyResource = new aquasec.KubernetesAssurancePolicy("kubernetesAssurancePolicyResource", {
        applicationScopes: ["string"],
        aggregatedVulnerability: {
            string: "string",
        },
        allowedImages: ["string"],
        assuranceType: "string",
        auditOnFailure: false,
        author: "string",
        autoScanConfigured: false,
        autoScanEnabled: false,
        autoScanTimes: [{
            iteration: 0,
            iterationType: "string",
            time: "string",
            weekDays: ["string"],
        }],
        blacklistPermissions: ["string"],
        blacklistPermissionsEnabled: false,
        blacklistedLicenses: ["string"],
        blacklistedLicensesEnabled: false,
        blockFailed: false,
        controlExcludeNoFix: false,
        customChecks: [{
            author: "string",
            description: "string",
            engine: "string",
            lastModified: 0,
            name: "string",
            path: "string",
            readOnly: false,
            scriptId: "string",
            severity: "string",
            snippet: "string",
        }],
        customChecksEnabled: false,
        customSeverity: "string",
        customSeverityEnabled: false,
        cvesBlackListEnabled: false,
        cvesBlackLists: ["string"],
        cvesWhiteListEnabled: false,
        cvesWhiteLists: ["string"],
        cvssSeverity: "string",
        cvssSeverityEnabled: false,
        cvssSeverityExcludeNoFix: false,
        description: "string",
        disallowExploitTypes: ["string"],
        disallowMalware: false,
        dockerCisEnabled: false,
        domain: "string",
        domainName: "string",
        dtaEnabled: false,
        dtaSeverity: "string",
        enabled: false,
        enforce: false,
        enforceAfterDays: 0,
        enforceExcessivePermissions: false,
        exceptionalMonitoredMalwarePaths: ["string"],
        excludeApplicationScopes: ["string"],
        failCicd: false,
        forbiddenLabels: [{
            key: "string",
            value: "string",
        }],
        forbiddenLabelsEnabled: false,
        forceMicroenforcer: false,
        functionIntegrityEnabled: false,
        ignoreBaseImageVln: false,
        ignoreRecentlyPublishedVln: false,
        ignoreRecentlyPublishedVlnPeriod: 0,
        ignoreRiskResourcesEnabled: false,
        ignoredRiskResources: ["string"],
        ignoredSensitiveResources: ["string"],
        images: ["string"],
        kubeCisEnabled: false,
        kubernetesControls: [{
            avdId: "string",
            description: "string",
            enabled: false,
            kind: "string",
            name: "string",
            ootb: false,
            scriptId: 0,
            severity: "string",
        }],
        kubernetesControlsAvdIds: ["string"],
        kubernetesControlsNames: ["string"],
        labels: ["string"],
        lastupdate: "string",
        linuxCisEnabled: false,
        malwareAction: "string",
        maximumScore: 0,
        maximumScoreEnabled: false,
        maximumScoreExcludeNoFix: false,
        monitoredMalwarePaths: ["string"],
        name: "string",
        onlyNoneRootUsers: false,
        openshiftHardeningEnabled: false,
        packagesBlackListEnabled: false,
        packagesBlackLists: [{
            arch: "string",
            display: "string",
            epoch: "string",
            format: "string",
            license: "string",
            name: "string",
            release: "string",
            version: "string",
            versionRange: "string",
        }],
        packagesWhiteListEnabled: false,
        packagesWhiteLists: [{
            arch: "string",
            display: "string",
            epoch: "string",
            format: "string",
            license: "string",
            name: "string",
            release: "string",
            version: "string",
            versionRange: "string",
        }],
        partialResultsImageFail: false,
        permission: "string",
        policySettings: {
            enforce: false,
            isAuditChecked: false,
            warn: false,
            warningMessage: "string",
        },
        readOnly: false,
        registries: ["string"],
        registry: "string",
        requiredLabels: [{
            key: "string",
            value: "string",
        }],
        requiredLabelsEnabled: false,
        scanMalwareInArchives: false,
        scanNfsMounts: false,
        scanProcessMemory: false,
        scanSensitiveData: false,
        scanWindowsRegistry: false,
        scapEnabled: false,
        scapFiles: ["string"],
        scopes: [{
            expression: "string",
            variables: [{
                attribute: "string",
                name: "string",
                value: "string",
            }],
        }],
        trustedBaseImages: [{
            imagename: "string",
            registry: "string",
        }],
        trustedBaseImagesEnabled: false,
        vulnerabilityExploitability: false,
        vulnerabilityScoreRanges: [0],
        whitelistedLicenses: ["string"],
        whitelistedLicensesEnabled: false,
    });
    
    type: aquasec:KubernetesAssurancePolicy
    properties:
        aggregatedVulnerability:
            string: string
        allowedImages:
            - string
        applicationScopes:
            - string
        assuranceType: string
        auditOnFailure: false
        author: string
        autoScanConfigured: false
        autoScanEnabled: false
        autoScanTimes:
            - iteration: 0
              iterationType: string
              time: string
              weekDays:
                - string
        blacklistPermissions:
            - string
        blacklistPermissionsEnabled: false
        blacklistedLicenses:
            - string
        blacklistedLicensesEnabled: false
        blockFailed: false
        controlExcludeNoFix: false
        customChecks:
            - author: string
              description: string
              engine: string
              lastModified: 0
              name: string
              path: string
              readOnly: false
              scriptId: string
              severity: string
              snippet: string
        customChecksEnabled: false
        customSeverity: string
        customSeverityEnabled: false
        cvesBlackListEnabled: false
        cvesBlackLists:
            - string
        cvesWhiteListEnabled: false
        cvesWhiteLists:
            - string
        cvssSeverity: string
        cvssSeverityEnabled: false
        cvssSeverityExcludeNoFix: false
        description: string
        disallowExploitTypes:
            - string
        disallowMalware: false
        dockerCisEnabled: false
        domain: string
        domainName: string
        dtaEnabled: false
        dtaSeverity: string
        enabled: false
        enforce: false
        enforceAfterDays: 0
        enforceExcessivePermissions: false
        exceptionalMonitoredMalwarePaths:
            - string
        excludeApplicationScopes:
            - string
        failCicd: false
        forbiddenLabels:
            - key: string
              value: string
        forbiddenLabelsEnabled: false
        forceMicroenforcer: false
        functionIntegrityEnabled: false
        ignoreBaseImageVln: false
        ignoreRecentlyPublishedVln: false
        ignoreRecentlyPublishedVlnPeriod: 0
        ignoreRiskResourcesEnabled: false
        ignoredRiskResources:
            - string
        ignoredSensitiveResources:
            - string
        images:
            - string
        kubeCisEnabled: false
        kubernetesControls:
            - avdId: string
              description: string
              enabled: false
              kind: string
              name: string
              ootb: false
              scriptId: 0
              severity: string
        kubernetesControlsAvdIds:
            - string
        kubernetesControlsNames:
            - string
        labels:
            - string
        lastupdate: string
        linuxCisEnabled: false
        malwareAction: string
        maximumScore: 0
        maximumScoreEnabled: false
        maximumScoreExcludeNoFix: false
        monitoredMalwarePaths:
            - string
        name: string
        onlyNoneRootUsers: false
        openshiftHardeningEnabled: false
        packagesBlackListEnabled: false
        packagesBlackLists:
            - arch: string
              display: string
              epoch: string
              format: string
              license: string
              name: string
              release: string
              version: string
              versionRange: string
        packagesWhiteListEnabled: false
        packagesWhiteLists:
            - arch: string
              display: string
              epoch: string
              format: string
              license: string
              name: string
              release: string
              version: string
              versionRange: string
        partialResultsImageFail: false
        permission: string
        policySettings:
            enforce: false
            isAuditChecked: false
            warn: false
            warningMessage: string
        readOnly: false
        registries:
            - string
        registry: string
        requiredLabels:
            - key: string
              value: string
        requiredLabelsEnabled: false
        scanMalwareInArchives: false
        scanNfsMounts: false
        scanProcessMemory: false
        scanSensitiveData: false
        scanWindowsRegistry: false
        scapEnabled: false
        scapFiles:
            - string
        scopes:
            - expression: string
              variables:
                - attribute: string
                  name: string
                  value: string
        trustedBaseImages:
            - imagename: string
              registry: string
        trustedBaseImagesEnabled: false
        vulnerabilityExploitability: false
        vulnerabilityScoreRanges:
            - 0
        whitelistedLicenses:
            - string
        whitelistedLicensesEnabled: false
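
The placeholder listings above show every property but not how they combine. The following Pulumi YAML program is an added example, not code from the Pulumiverse provider docs: it declares two policies over the same set of Kubernetes controls (names taken from the `kubernetesControlsNames` list), one in audit-only mode for a rollout period and one that enforces and blocks. The `Global` application scope, the resource and policy names and the warning text are assumed values.

```yaml
# Added example (not from the Pulumiverse Aquasec docs).
# Pulumi YAML program with two aquasec:KubernetesAssurancePolicy resources
# covering the same controls: first observe (audit only), then enforce.
name: aqua-k8s-assurance
runtime: yaml

resources:
  # Phase 1: report violations without blocking, so teams can see what
  # would fail before the gate is closed.
  auditPrivilegedWorkloads:
    type: aquasec:KubernetesAssurancePolicy
    properties:
      name: audit-privileged-workloads
      description: Audit-only policy; records pods that violate isolation controls
      # Assumption: "Global" is an application scope that exists in the Aqua console.
      applicationScopes:
        - Global
      # Control names must match the values documented under kubernetesControlsNames.
      kubernetesControlsNames:
        - Privileged
        - Runs as root user
        - Can elevate its own privileges
        - SYS_ADMIN capability added
        - Access to host PID
        - Access to host network
        - hostPath volume mounted with docker.sock
        - Runtime/Default Seccomp profile not set
        - Root file system is not read-only
      enabled: true
      enforce: false         # do not gate admission yet
      blockFailed: false     # failed workloads are reported, not blocked
      auditOnFailure: true   # but every failure is audited
      failCicd: false
      policySettings:
        enforce: false
        warn: true           # surface a warning instead of a rejection
        isAuditChecked: true
        warningMessage: Pod violates the cluster assurance policy (audit mode); fix the failing control.

  # Phase 2: the same controls, now enforced. Weak settings from phase 1 are
  # flipped so a violating pod is blocked and a violating image fails CI/CD.
  blockPrivilegedWorkloads:
    type: aquasec:KubernetesAssurancePolicy
    properties:
      name: block-privileged-workloads
      description: Enforced policy; blocks pods that escape container isolation or run as root
      applicationScopes:
        - Global
      kubernetesControlsNames:
        - Privileged
        - Runs as root user
        - Can elevate its own privileges
        - SYS_ADMIN capability added
        - Access to host PID
        - Access to host network
        - hostPath volume mounted with docker.sock
        - Runtime/Default Seccomp profile not set
        - Root file system is not read-only
      enabled: true
      enforce: true          # enforce the policy
      blockFailed: true      # failed workloads are blocked
      auditOnFailure: true   # keep the audit trail
      failCicd: true         # CI/CD failures fail the image too
      policySettings:
        enforce: true
        warn: true
        isAuditChecked: true
        warningMessage: Pod blocked by the cluster assurance policy; see the Aqua console for the failing control.
```

Run the audit-only policy first and review its findings before creating the enforcing one, since both act on the same scope and controls.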
    

    KubernetesAssurancePolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The KubernetesAssurancePolicy resource accepts the following input properties:

    ApplicationScopes List<string>
    AggregatedVulnerability Dictionary<string, string>
    Aggregated vulnerability information.
    AllowedImages List<string>
    List of explicitly allowed images.
    AssuranceType string
    What type of assurance policy is described.
    AuditOnFailure bool
    Indicates if failures are audited.
    Author string
    Name of user account that created the policy.
    AutoScanConfigured bool
    AutoScanEnabled bool
    AutoScanTimes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyAutoScanTime>
    BlacklistPermissions List<string>
    List of function's forbidden permissions.
    BlacklistPermissionsEnabled bool
    Indicates if the permissions blacklist is relevant.
    BlacklistedLicenses List<string>
    List of blacklisted licenses.
    BlacklistedLicensesEnabled bool
    Indicates if license blacklist is relevant.
    BlockFailed bool
    Indicates if failed images are blocked.
    ControlExcludeNoFix bool
    CustomChecks List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyCustomCheck>
    List of Custom user scripts for checks.
    CustomChecksEnabled bool
    Indicates if scanning should include custom checks.
    CustomSeverity string
    CustomSeverityEnabled bool
    CvesBlackListEnabled bool
    Indicates if CVEs blacklist is relevant.
    CvesBlackLists List<string>
    List of CVEs blacklisted items.
    CvesWhiteListEnabled bool
    Indicates if CVEs whitelist is relevant.
    CvesWhiteLists List<string>
    List of whitelisted CVEs.
    CvssSeverity string
    Identifier of the cvss severity.
    CvssSeverityEnabled bool
    Indicates if the cvss severity is scanned.
    CvssSeverityExcludeNoFix bool
    Indicates that policy should ignore cvss cases that do not have a known fix.
    Description string
    DisallowExploitTypes List<string>
    DisallowMalware bool
    Indicates if malware should block the image.
    DockerCisEnabled bool
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    Domain string
    Name of the container image.
    DomainName string
    DtaEnabled bool
    DtaSeverity string
    Enabled bool
    Enforce bool
    EnforceAfterDays int
    EnforceExcessivePermissions bool
    ExceptionalMonitoredMalwarePaths List<string>
    ExcludeApplicationScopes List<string>
    FailCicd bool
    Indicates if CI/CD failures will fail the image.
    ForbiddenLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyForbiddenLabel>
    ForbiddenLabelsEnabled bool
    ForceMicroenforcer bool
    FunctionIntegrityEnabled bool
    IgnoreBaseImageVln bool
    IgnoreRecentlyPublishedVln bool
    IgnoreRecentlyPublishedVlnPeriod int
    IgnoreRiskResourcesEnabled bool
    Indicates if risk resources are ignored.
    IgnoredRiskResources List<string>
    List of ignored risk resources.
    IgnoredSensitiveResources List<string>
    Images List<string>
    List of images.
    KubeCisEnabled bool
    Performs a Kubernetes CIS benchmark check for the host.
    KubernetesControls List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyKubernetesControl>
    List of Kubernetes controls.
    KubernetesControlsAvdIds List<string>
    KubernetesControlsNames List<string>
    List of Kubernetes control names. The available Kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'.
    Labels List<string>
    List of labels.
    Lastupdate string
    LinuxCisEnabled bool
    MalwareAction string
    MaximumScore double
    Value of allowed maximum score.
    MaximumScoreEnabled bool
    Indicates if exceeding the maximum score is scanned.
    MaximumScoreExcludeNoFix bool
    Indicates that policy should ignore cases that do not have a known fix.
    MonitoredMalwarePaths List<string>
    Name string
    OnlyNoneRootUsers bool
    Indicates if a warning is raised for images that can only be run as root.
    OpenshiftHardeningEnabled bool
    PackagesBlackListEnabled bool
    Indicates if packages blacklist is relevant.
    PackagesBlackLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesBlackList>
    List of blacklisted images.
    PackagesWhiteListEnabled bool
    Indicates if packages whitelist is relevant.
    PackagesWhiteLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesWhiteList>
    List of whitelisted images.
    PartialResultsImageFail bool
    Permission string
    PolicySettings Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPolicySettings
    ReadOnly bool
    Registries List<string>
    List of registries.
    Registry string
    RequiredLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyRequiredLabel>
    RequiredLabelsEnabled bool
    ScanMalwareInArchives bool
    ScanNfsMounts bool
    ScanProcessMemory bool
    ScanSensitiveData bool
    Indicates if scan should include sensitive data in the image.
    ScanWindowsRegistry bool
    ScapEnabled bool
    Indicates if scanning should include SCAP.
    ScapFiles List<string>
    List of SCAP user scripts for checks.
    Scopes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyScope>
    TrustedBaseImages List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyTrustedBaseImage>
    List of trusted images.
    TrustedBaseImagesEnabled bool
    Indicates if list of trusted base images is relevant.
    VulnerabilityExploitability bool
    VulnerabilityScoreRanges List<int>
    WhitelistedLicenses List<string>
    List of whitelisted licenses.
    WhitelistedLicensesEnabled bool
    Indicates if license whitelist is relevant.
    ApplicationScopes []string
    AggregatedVulnerability map[string]string
    Aggregated vulnerability information.
    AllowedImages []string
    List of explicitly allowed images.
    AssuranceType string
    What type of assurance policy is described.
    AuditOnFailure bool
    Indicates if failures are audited.
    Author string
    Name of user account that created the policy.
    AutoScanConfigured bool
    AutoScanEnabled bool
    AutoScanTimes []KubernetesAssurancePolicyAutoScanTimeArgs
    BlacklistPermissions []string
    List of function's forbidden permissions.
    BlacklistPermissionsEnabled bool
    Indicates if the permissions blacklist is relevant.
    BlacklistedLicenses []string
    List of blacklisted licenses.
    BlacklistedLicensesEnabled bool
    Indicates if license blacklist is relevant.
    BlockFailed bool
    Indicates if failed images are blocked.
    ControlExcludeNoFix bool
    CustomChecks []KubernetesAssurancePolicyCustomCheckArgs
    List of Custom user scripts for checks.
    CustomChecksEnabled bool
    Indicates if scanning should include custom checks.
    CustomSeverity string
    CustomSeverityEnabled bool
    CvesBlackListEnabled bool
    Indicates if CVEs blacklist is relevant.
    CvesBlackLists []string
    List of CVEs blacklisted items.
    CvesWhiteListEnabled bool
    Indicates if CVEs whitelist is relevant.
    CvesWhiteLists []string
    List of whitelisted CVEs.
    CvssSeverity string
    Identifier of the cvss severity.
    CvssSeverityEnabled bool
    Indicates if the cvss severity is scanned.
    CvssSeverityExcludeNoFix bool
    Indicates that policy should ignore cvss cases that do not have a known fix.
    Description string
    DisallowExploitTypes []string
    DisallowMalware bool
    Indicates if malware should block the image.
    DockerCisEnabled bool
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    Domain string
    Name of the container image.
    DomainName string
    DtaEnabled bool
    DtaSeverity string
    Enabled bool
    Enforce bool
    EnforceAfterDays int
    EnforceExcessivePermissions bool
    ExceptionalMonitoredMalwarePaths []string
    ExcludeApplicationScopes []string
    FailCicd bool
    Indicates if CI/CD failures will fail the image.
    ForbiddenLabels []KubernetesAssurancePolicyForbiddenLabelArgs
    ForbiddenLabelsEnabled bool
    ForceMicroenforcer bool
    FunctionIntegrityEnabled bool
    IgnoreBaseImageVln bool
    IgnoreRecentlyPublishedVln bool
    IgnoreRecentlyPublishedVlnPeriod int
    IgnoreRiskResourcesEnabled bool
    Indicates if risk resources are ignored.
    IgnoredRiskResources []string
    List of ignored risk resources.
    IgnoredSensitiveResources []string
    Images []string
    List of images.
    KubeCisEnabled bool
    Performs a Kubernetes CIS benchmark check for the host.
    KubernetesControls []KubernetesAssurancePolicyKubernetesControlArgs
    List of Kubernetes controls.
    KubernetesControlsAvdIds []string
    KubernetesControlsNames []string
    List of Kubernetes control names. The available Kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'.
    Labels []string
    List of labels.
    Lastupdate string
    LinuxCisEnabled bool
    MalwareAction string
    MaximumScore float64
    Value of allowed maximum score.
    MaximumScoreEnabled bool
    Indicates if exceeding the maximum score is scanned.
    MaximumScoreExcludeNoFix bool
    Indicates that policy should ignore cases that do not have a known fix.
    MonitoredMalwarePaths []string
    Name string
    OnlyNoneRootUsers bool
    Indicates if a warning is raised for images that can only be run as root.
    OpenshiftHardeningEnabled bool
    PackagesBlackListEnabled bool
    Indicates if packages blacklist is relevant.
    PackagesBlackLists []KubernetesAssurancePolicyPackagesBlackListArgs
    List of blacklisted images.
    PackagesWhiteListEnabled bool
    Indicates if packages whitelist is relevant.
    PackagesWhiteLists []KubernetesAssurancePolicyPackagesWhiteListArgs
    List of whitelisted images.
    PartialResultsImageFail bool
    Permission string
    PolicySettings KubernetesAssurancePolicyPolicySettingsArgs
    ReadOnly bool
    Registries []string
    List of registries.
    Registry string
    RequiredLabels []KubernetesAssurancePolicyRequiredLabelArgs
    RequiredLabelsEnabled bool
    ScanMalwareInArchives bool
    ScanNfsMounts bool
    ScanProcessMemory bool
    ScanSensitiveData bool
    Indicates if scan should include sensitive data in the image.
    ScanWindowsRegistry bool
    ScapEnabled bool
    Indicates if scanning should include SCAP.
    ScapFiles []string
    List of SCAP user scripts for checks.
    Scopes []KubernetesAssurancePolicyScopeArgs
    TrustedBaseImages []KubernetesAssurancePolicyTrustedBaseImageArgs
    List of trusted images.
    TrustedBaseImagesEnabled bool
    Indicates if list of trusted base images is relevant.
    VulnerabilityExploitability bool
    VulnerabilityScoreRanges []int
    WhitelistedLicenses []string
    List of whitelisted licenses.
    WhitelistedLicensesEnabled bool
    Indicates if license whitelist is relevant.
    applicationScopes List<String>
    aggregatedVulnerability Map<String,String>
    Aggregated vulnerability information.
    allowedImages List<String>
    List of explicitly allowed images.
    assuranceType String
    What type of assurance policy is described.
    auditOnFailure Boolean
    Indicates if failures are audited.
    author String
    Name of user account that created the policy.
    autoScanConfigured Boolean
    autoScanEnabled Boolean
    autoScanTimes List<KubernetesAssurancePolicyAutoScanTime>
    blacklistPermissions List<String>
    List of function's forbidden permissions.
    blacklistPermissionsEnabled Boolean
    Indicates if blacklist permissions is relevant.
    blacklistedLicenses List<String>
    List of blacklisted licenses.
    blacklistedLicensesEnabled Boolean
    Indicates if license blacklist is relevant.
    blockFailed Boolean
    Indicates if failed images are blocked.
    controlExcludeNoFix Boolean
    customChecks List<KubernetesAssurancePolicyCustomCheck>
    List of Custom user scripts for checks.
    customChecksEnabled Boolean
    Indicates if scanning should include custom checks.
    customSeverity String
    customSeverityEnabled Boolean
    cvesBlackListEnabled Boolean
    Indicates if CVEs blacklist is relevant.
    cvesBlackLists List<String>
    List of CVEs blacklisted items.
    cvesWhiteListEnabled Boolean
    Indicates if CVEs whitelist is relevant.
    cvesWhiteLists List<String>
    List of CVEs whitelisted licenses.
    cvssSeverity String
    Identifier of the cvss severity.
    cvssSeverityEnabled Boolean
    Indicates if the cvss severity is scanned.
    cvssSeverityExcludeNoFix Boolean
    Indicates that policy should ignore cvss cases that do not have a known fix.
    description String
    disallowExploitTypes List<String>
    disallowMalware Boolean
    Indicates if malware should block the image.
    dockerCisEnabled Boolean
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    domain String
    Name of the container image.
    domainName String
    dtaEnabled Boolean
    dtaSeverity String
    enabled Boolean
    enforce Boolean
    enforceAfterDays Integer
    enforceExcessivePermissions Boolean
    exceptionalMonitoredMalwarePaths List<String>
    excludeApplicationScopes List<String>
    failCicd Boolean
    Indicates if cicd failures will fail the image.
    forbiddenLabels List<KubernetesAssurancePolicyForbiddenLabel>
    forbiddenLabelsEnabled Boolean
    forceMicroenforcer Boolean
    functionIntegrityEnabled Boolean
    ignoreBaseImageVln Boolean
    ignoreRecentlyPublishedVln Boolean
    ignoreRecentlyPublishedVlnPeriod Integer
    ignoreRiskResourcesEnabled Boolean
    Indicates if risk resources are ignored.
    ignoredRiskResources List<String>
    List of ignored risk resources.
    ignoredSensitiveResources List<String>
    images List<String>
    List of images.
    kubeCisEnabled Boolean
    Performs a Kubernetes CIS benchmark check for the host.
    kubernetesControls List<KubernetesAssurancePolicyKubernetesControl>
    List of Kubernetes controls.
    kubernetesControlsAvdIds List<String>
    kubernetesControlsNames List<String>
    List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    labels List<String>
    List of labels.
    lastupdate String
    linuxCisEnabled Boolean
    malwareAction String
    maximumScore Double
    Value of allowed maximum score.
    maximumScoreEnabled Boolean
    Indicates if exceeding the maximum score is scanned.
    maximumScoreExcludeNoFix Boolean
    Indicates that policy should ignore cases that do not have a known fix.
    monitoredMalwarePaths List<String>
    name String
    onlyNoneRootUsers Boolean
    Indicates whether to raise a warning for images that should only be run as root.
    openshiftHardeningEnabled Boolean
    packagesBlackListEnabled Boolean
    Indicates if packages blacklist is relevant.
    packagesBlackLists List<KubernetesAssurancePolicyPackagesBlackList>
    List of blacklisted images.
    packagesWhiteListEnabled Boolean
    Indicates if packages whitelist is relevant.
    packagesWhiteLists List<KubernetesAssurancePolicyPackagesWhiteList>
    List of whitelisted images.
    partialResultsImageFail Boolean
    permission String
    policySettings KubernetesAssurancePolicyPolicySettings
    readOnly Boolean
    registries List<String>
    List of registries.
    registry String
    requiredLabels List<KubernetesAssurancePolicyRequiredLabel>
    requiredLabelsEnabled Boolean
    scanMalwareInArchives Boolean
    scanNfsMounts Boolean
    scanProcessMemory Boolean
    scanSensitiveData Boolean
    Indicates if scan should include sensitive data in the image.
    scanWindowsRegistry Boolean
    scapEnabled Boolean
    Indicates if scanning should include SCAP.
    scapFiles List<String>
    List of SCAP user scripts for checks.
    scopes List<KubernetesAssurancePolicyScope>
    trustedBaseImages List<KubernetesAssurancePolicyTrustedBaseImage>
    List of trusted images.
    trustedBaseImagesEnabled Boolean
    Indicates if list of trusted base images is relevant.
    vulnerabilityExploitability Boolean
    vulnerabilityScoreRanges List<Integer>
    whitelistedLicenses List<String>
    List of whitelisted licenses.
    whitelistedLicensesEnabled Boolean
    Indicates if license blacklist is relevant.
    applicationScopes string[]
    aggregatedVulnerability {[key: string]: string}
    Aggregated vulnerability information.
    allowedImages string[]
    List of explicitly allowed images.
    assuranceType string
    What type of assurance policy is described.
    auditOnFailure boolean
    Indicates whether failures are audited.
    author string
    Name of user account that created the policy.
    autoScanConfigured boolean
    autoScanEnabled boolean
    autoScanTimes KubernetesAssurancePolicyAutoScanTime[]
    blacklistPermissions string[]
    List of function's forbidden permissions.
    blacklistPermissionsEnabled boolean
    Indicates if blacklist permissions is relevant.
    blacklistedLicenses string[]
    List of blacklisted licenses.
    blacklistedLicensesEnabled boolean
    Indicates if license blacklist is relevant.
    blockFailed boolean
    Indicates if failed images are blocked.
    controlExcludeNoFix boolean
    customChecks KubernetesAssurancePolicyCustomCheck[]
    List of Custom user scripts for checks.
    customChecksEnabled boolean
    Indicates if scanning should include custom checks.
    customSeverity string
    customSeverityEnabled boolean
    cvesBlackListEnabled boolean
    Indicates if CVEs blacklist is relevant.
    cvesBlackLists string[]
    List of CVEs blacklisted items.
    cvesWhiteListEnabled boolean
    Indicates if CVEs whitelist is relevant.
    cvesWhiteLists string[]
    List of CVEs whitelisted licenses.
    cvssSeverity string
    Identifier of the cvss severity.
    cvssSeverityEnabled boolean
    Indicates if the cvss severity is scanned.
    cvssSeverityExcludeNoFix boolean
    Indicates that policy should ignore cvss cases that do not have a known fix.
    description string
    disallowExploitTypes string[]
    disallowMalware boolean
    Indicates if malware should block the image.
    dockerCisEnabled boolean
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    domain string
    Name of the container image.
    domainName string
    dtaEnabled boolean
    dtaSeverity string
    enabled boolean
    enforce boolean
    enforceAfterDays number
    enforceExcessivePermissions boolean
    exceptionalMonitoredMalwarePaths string[]
    excludeApplicationScopes string[]
    failCicd boolean
    Indicates if cicd failures will fail the image.
    forbiddenLabels KubernetesAssurancePolicyForbiddenLabel[]
    forbiddenLabelsEnabled boolean
    forceMicroenforcer boolean
    functionIntegrityEnabled boolean
    ignoreBaseImageVln boolean
    ignoreRecentlyPublishedVln boolean
    ignoreRecentlyPublishedVlnPeriod number
    ignoreRiskResourcesEnabled boolean
    Indicates if risk resources are ignored.
    ignoredRiskResources string[]
    List of ignored risk resources.
    ignoredSensitiveResources string[]
    images string[]
    List of images.
    kubeCisEnabled boolean
    Performs a Kubernetes CIS benchmark check for the host.
    kubernetesControls KubernetesAssurancePolicyKubernetesControl[]
    List of Kubernetes controls.
    kubernetesControlsAvdIds string[]
    kubernetesControlsNames string[]
    List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    labels string[]
    List of labels.
    lastupdate string
    linuxCisEnabled boolean
    malwareAction string
    maximumScore number
    Value of allowed maximum score.
    maximumScoreEnabled boolean
    Indicates if exceeding the maximum score is scanned.
    maximumScoreExcludeNoFix boolean
    Indicates that policy should ignore cases that do not have a known fix.
    monitoredMalwarePaths string[]
    name string
    onlyNoneRootUsers boolean
    Indicates whether to raise a warning for images that should only be run as root.
    openshiftHardeningEnabled boolean
    packagesBlackListEnabled boolean
    Indicates if packages blacklist is relevant.
    packagesBlackLists KubernetesAssurancePolicyPackagesBlackList[]
    List of blacklisted images.
    packagesWhiteListEnabled boolean
    Indicates if packages whitelist is relevant.
    packagesWhiteLists KubernetesAssurancePolicyPackagesWhiteList[]
    List of whitelisted images.
    partialResultsImageFail boolean
    permission string
    policySettings KubernetesAssurancePolicyPolicySettings
    readOnly boolean
    registries string[]
    List of registries.
    registry string
    requiredLabels KubernetesAssurancePolicyRequiredLabel[]
    requiredLabelsEnabled boolean
    scanMalwareInArchives boolean
    scanNfsMounts boolean
    scanProcessMemory boolean
    scanSensitiveData boolean
    Indicates if scan should include sensitive data in the image.
    scanWindowsRegistry boolean
    scapEnabled boolean
    Indicates if scanning should include SCAP.
    scapFiles string[]
    List of SCAP user scripts for checks.
    scopes KubernetesAssurancePolicyScope[]
    trustedBaseImages KubernetesAssurancePolicyTrustedBaseImage[]
    List of trusted images.
    trustedBaseImagesEnabled boolean
    Indicates if list of trusted base images is relevant.
    vulnerabilityExploitability boolean
    vulnerabilityScoreRanges number[]
    whitelistedLicenses string[]
    List of whitelisted licenses.
    whitelistedLicensesEnabled boolean
    Indicates if license blacklist is relevant.
    application_scopes Sequence[str]
    aggregated_vulnerability Mapping[str, str]
    Aggregated vulnerability information.
    allowed_images Sequence[str]
    List of explicitly allowed images.
    assurance_type str
    What type of assurance policy is described.
    audit_on_failure bool
    Indicates whether failures are audited.
    author str
    Name of user account that created the policy.
    auto_scan_configured bool
    auto_scan_enabled bool
    auto_scan_times Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]
    blacklist_permissions Sequence[str]
    List of function's forbidden permissions.
    blacklist_permissions_enabled bool
    Indicates if blacklist permissions is relevant.
    blacklisted_licenses Sequence[str]
    List of blacklisted licenses.
    blacklisted_licenses_enabled bool
    Indicates if license blacklist is relevant.
    block_failed bool
    Indicates if failed images are blocked.
    control_exclude_no_fix bool
    custom_checks Sequence[KubernetesAssurancePolicyCustomCheckArgs]
    List of Custom user scripts for checks.
    custom_checks_enabled bool
    Indicates if scanning should include custom checks.
    custom_severity str
    custom_severity_enabled bool
    cves_black_list_enabled bool
    Indicates if CVEs blacklist is relevant.
    cves_black_lists Sequence[str]
    List of CVEs blacklisted items.
    cves_white_list_enabled bool
    Indicates if CVEs whitelist is relevant.
    cves_white_lists Sequence[str]
    List of CVEs whitelisted licenses.
    cvss_severity str
    Identifier of the cvss severity.
    cvss_severity_enabled bool
    Indicates if the cvss severity is scanned.
    cvss_severity_exclude_no_fix bool
    Indicates that policy should ignore cvss cases that do not have a known fix.
    description str
    disallow_exploit_types Sequence[str]
    disallow_malware bool
    Indicates if malware should block the image.
    docker_cis_enabled bool
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    domain str
    Name of the container image.
    domain_name str
    dta_enabled bool
    dta_severity str
    enabled bool
    enforce bool
    enforce_after_days int
    enforce_excessive_permissions bool
    exceptional_monitored_malware_paths Sequence[str]
    exclude_application_scopes Sequence[str]
    fail_cicd bool
    Indicates if cicd failures will fail the image.
    forbidden_labels Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]
    forbidden_labels_enabled bool
    force_microenforcer bool
    function_integrity_enabled bool
    ignore_base_image_vln bool
    ignore_recently_published_vln bool
    ignore_recently_published_vln_period int
    ignore_risk_resources_enabled bool
    Indicates if risk resources are ignored.
    ignored_risk_resources Sequence[str]
    List of ignored risk resources.
    ignored_sensitive_resources Sequence[str]
    images Sequence[str]
    List of images.
    kube_cis_enabled bool
    Performs a Kubernetes CIS benchmark check for the host.
    kubernetes_controls Sequence[KubernetesAssurancePolicyKubernetesControlArgs]
    List of Kubernetes controls.
    kubernetes_controls_avd_ids Sequence[str]
    kubernetes_controls_names Sequence[str]
    List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    labels Sequence[str]
    List of labels.
    lastupdate str
    linux_cis_enabled bool
    malware_action str
    maximum_score float
    Value of allowed maximum score.
    maximum_score_enabled bool
    Indicates if exceeding the maximum score is scanned.
    maximum_score_exclude_no_fix bool
    Indicates that policy should ignore cases that do not have a known fix.
    monitored_malware_paths Sequence[str]
    name str
    only_none_root_users bool
    Indicates whether to raise a warning for images that should only be run as root.
    openshift_hardening_enabled bool
    packages_black_list_enabled bool
    Indicates if packages blacklist is relevant.
    packages_black_lists Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]
    List of blacklisted images.
    packages_white_list_enabled bool
    Indicates if packages whitelist is relevant.
    packages_white_lists Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]
    List of whitelisted images.
    partial_results_image_fail bool
    permission str
    policy_settings KubernetesAssurancePolicyPolicySettingsArgs
    read_only bool
    registries Sequence[str]
    List of registries.
    registry str
    required_labels Sequence[KubernetesAssurancePolicyRequiredLabelArgs]
    required_labels_enabled bool
    scan_malware_in_archives bool
    scan_nfs_mounts bool
    scan_process_memory bool
    scan_sensitive_data bool
    Indicates if scan should include sensitive data in the image.
    scan_windows_registry bool
    scap_enabled bool
    Indicates if scanning should include SCAP.
    scap_files Sequence[str]
    List of SCAP user scripts for checks.
    scopes Sequence[KubernetesAssurancePolicyScopeArgs]
    trusted_base_images Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]
    List of trusted images.
    trusted_base_images_enabled bool
    Indicates if list of trusted base images is relevant.
    vulnerability_exploitability bool
    vulnerability_score_ranges Sequence[int]
    whitelisted_licenses Sequence[str]
    List of whitelisted licenses.
    whitelisted_licenses_enabled bool
    Indicates if license blacklist is relevant.
    applicationScopes List<String>
    aggregatedVulnerability Map<String>
    Aggregated vulnerability information.
    allowedImages List<String>
    List of explicitly allowed images.
    assuranceType String
    What type of assurance policy is described.
    auditOnFailure Boolean
    Indicates whether failures are audited.
    author String
    Name of user account that created the policy.
    autoScanConfigured Boolean
    autoScanEnabled Boolean
    autoScanTimes List<Property Map>
    blacklistPermissions List<String>
    List of function's forbidden permissions.
    blacklistPermissionsEnabled Boolean
    Indicates if blacklist permissions is relevant.
    blacklistedLicenses List<String>
    List of blacklisted licenses.
    blacklistedLicensesEnabled Boolean
    Indicates if license blacklist is relevant.
    blockFailed Boolean
    Indicates if failed images are blocked.
    controlExcludeNoFix Boolean
    customChecks List<Property Map>
    List of Custom user scripts for checks.
    customChecksEnabled Boolean
    Indicates if scanning should include custom checks.
    customSeverity String
    customSeverityEnabled Boolean
    cvesBlackListEnabled Boolean
    Indicates if CVEs blacklist is relevant.
    cvesBlackLists List<String>
    List of CVEs blacklisted items.
    cvesWhiteListEnabled Boolean
    Indicates if CVEs whitelist is relevant.
    cvesWhiteLists List<String>
    List of CVEs whitelisted licenses.
    cvssSeverity String
    Identifier of the cvss severity.
    cvssSeverityEnabled Boolean
    Indicates if the cvss severity is scanned.
    cvssSeverityExcludeNoFix Boolean
    Indicates that policy should ignore cvss cases that do not have a known fix.
    description String
    disallowExploitTypes List<String>
    disallowMalware Boolean
    Indicates if malware should block the image.
    dockerCisEnabled Boolean
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    domain String
    Name of the container image.
    domainName String
    dtaEnabled Boolean
    dtaSeverity String
    enabled Boolean
    enforce Boolean
    enforceAfterDays Number
    enforceExcessivePermissions Boolean
    exceptionalMonitoredMalwarePaths List<String>
    excludeApplicationScopes List<String>
    failCicd Boolean
    Indicates if cicd failures will fail the image.
    forbiddenLabels List<Property Map>
    forbiddenLabelsEnabled Boolean
    forceMicroenforcer Boolean
    functionIntegrityEnabled Boolean
    ignoreBaseImageVln Boolean
    ignoreRecentlyPublishedVln Boolean
    ignoreRecentlyPublishedVlnPeriod Number
    ignoreRiskResourcesEnabled Boolean
    Indicates if risk resources are ignored.
    ignoredRiskResources List<String>
    List of ignored risk resources.
    ignoredSensitiveResources List<String>
    images List<String>
    List of images.
    kubeCisEnabled Boolean
    Performs a Kubernetes CIS benchmark check for the host.
    kubernetesControls List<Property Map>
    List of Kubernetes controls.
    kubernetesControlsAvdIds List<String>
    kubernetesControlsNames List<String>
    List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    labels List<String>
    List of labels.
    lastupdate String
    linuxCisEnabled Boolean
    malwareAction String
    maximumScore Number
    Value of allowed maximum score.
    maximumScoreEnabled Boolean
    Indicates if exceeding the maximum score is scanned.
    maximumScoreExcludeNoFix Boolean
    Indicates that policy should ignore cases that do not have a known fix.
    monitoredMalwarePaths List<String>
    name String
    onlyNoneRootUsers Boolean
    Indicates whether to raise a warning for images that should only be run as root.
    openshiftHardeningEnabled Boolean
    packagesBlackListEnabled Boolean
    Indicates if packages blacklist is relevant.
    packagesBlackLists List<Property Map>
    List of blacklisted images.
    packagesWhiteListEnabled Boolean
    Indicates if packages whitelist is relevant.
    packagesWhiteLists List<Property Map>
    List of whitelisted images.
    partialResultsImageFail Boolean
    permission String
    policySettings Property Map
    readOnly Boolean
    registries List<String>
    List of registries.
    registry String
    requiredLabels List<Property Map>
    requiredLabelsEnabled Boolean
    scanMalwareInArchives Boolean
    scanNfsMounts Boolean
    scanProcessMemory Boolean
    scanSensitiveData Boolean
    Indicates if scan should include sensitive data in the image.
    scanWindowsRegistry Boolean
    scapEnabled Boolean
    Indicates if scanning should include SCAP.
    scapFiles List<String>
    List of SCAP user scripts for checks.
    scopes List<Property Map>
    trustedBaseImages List<Property Map>
    List of trusted images.
    trustedBaseImagesEnabled Boolean
    Indicates if list of trusted base images is relevant.
    vulnerabilityExploitability Boolean
    vulnerabilityScoreRanges List<Number>
    whitelistedLicenses List<String>
    List of whitelisted licenses.
    whitelistedLicensesEnabled Boolean
    Indicates if license blacklist is relevant.
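    Because the control names documented above are free-form strings and most list-valued fields are paired with a `*_enabled` switch that decides whether the list is relevant, it is worth checking a policy's arguments before they reach the provider. The Python below is an added example and is not code from the Pulumi aquasec provider or its documentation: it validates a plain dict of snake_case keyword arguments (the names the Python SDK uses) against the control list on this page and flags paired fields that disagree with each other. The sample policy, its `"Global"` application scope, the placeholder CVE id and the reading of an `*_enabled` flag as "the list is only applied when the switch is on" are assumptions of the example, not statements from the page.

```python
import difflib

# Added example, not provider code. Checks a KubernetesAssurancePolicy argument set
# offline so that a misspelled control name or a half-configured list is caught
# before pulumi_aquasec.KubernetesAssurancePolicy(...) is ever constructed.

# Control names copied verbatim from the kubernetes_controls_names description on this page.
KNOWN_KUBERNETES_CONTROLS = frozenset({
    'Access to host IPC namespace', 'Access to host PID', 'Access to host network',
    'Access to host ports', 'All container images must start with a GCR domain',
    'All container images must start with an ECR domain',
    'All container images must start with the *.azurecr.io domain',
    'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges',
    'ConfigMap with secrets', 'ConfigMap with sensitive content',
    'Container images from public registries used',
    'Default capabilitiessome containers do not drop all',
    'Default capabilitiessome containers do not drop any',
    'Delete pod logs', 'Exec into Pods', 'Image tag :latest used',
    'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources',
    'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods',
    'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps',
    'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations',
    'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified',
    'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged',
    'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000',
    'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID',
    'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set',
    'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled',
    'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set',
    'User with admin access', 'Workloads in the default namespace',
    'hostPath volume mounted with docker.sock', 'hostPath volumes mounted',
})

# (switch, list) pairs where the page documents an "*_enabled" flag as deciding whether
# the neighbouring list is relevant. Assumption of this example: a switch that is on with
# an empty list enforces nothing, and a populated list with the switch off is not applied.
PAIRED_LIST_FIELDS = (
    ("blacklist_permissions_enabled", "blacklist_permissions"),
    ("blacklisted_licenses_enabled", "blacklisted_licenses"),
    ("whitelisted_licenses_enabled", "whitelisted_licenses"),
    ("cves_black_list_enabled", "cves_black_lists"),
    ("cves_white_list_enabled", "cves_white_lists"),
    ("packages_black_list_enabled", "packages_black_lists"),
    ("packages_white_list_enabled", "packages_white_lists"),
    ("custom_checks_enabled", "custom_checks"),
    ("trusted_base_images_enabled", "trusted_base_images"),
    ("required_labels_enabled", "required_labels"),
    ("forbidden_labels_enabled", "forbidden_labels"),
    ("ignore_risk_resources_enabled", "ignored_risk_resources"),
)


def validate_policy_args(args: dict) -> list[str]:
    """Return human-readable problems found in a snake_case args dict for
    KubernetesAssurancePolicy. An empty list means nothing was flagged."""
    problems: list[str] = []

    # Control names are matched exactly as written; offer the closest documented name on a miss.
    for name in args.get("kubernetes_controls_names") or []:
        if name in KNOWN_KUBERNETES_CONTROLS:
            continue
        guess = difflib.get_close_matches(name, sorted(KNOWN_KUBERNETES_CONTROLS), n=1)
        hint = f" (did you mean {guess[0]!r}?)" if guess else ""
        problems.append(f"unknown kubernetes control {name!r}{hint}")

    # A switch and its list must agree, otherwise the policy does less than it appears to.
    for flag, list_field in PAIRED_LIST_FIELDS:
        enabled = bool(args.get(flag))
        items = args.get(list_field) or []
        if enabled and not items:
            problems.append(f"{flag} is true but {list_field} is empty")
        elif items and not enabled:
            problems.append(f"{list_field} is set but {flag} is not true, so it is not applied")

    return problems


def baseline_pod_hardening_policy(name: str) -> dict:
    """Constructed sample arguments for a pod-hardening policy (an illustration, not a
    recommendation from the provider docs). Pass as **kwargs to KubernetesAssurancePolicy."""
    return {
        "name": name,
        "description": "Block privileged and host-namespace pods.",
        "application_scopes": ["Global"],  # assumption: "Global" is the default scope name
        "enforce": True,
        "block_failed": True,
        "kubernetes_controls_names": [
            "Privileged",
            "Access to host PID",
            "Access to host network",
            "hostPath volume mounted with docker.sock",
            "Runs as root user",
            "Can elevate its own privileges",
        ],
        "cves_black_list_enabled": True,
        "cves_black_lists": ["CVE-0000-00000"],  # placeholder id, not a real CVE
    }
```

Call `validate_policy_args(baseline_pod_hardening_policy("pod-hardening"))` in a pre-commit hook or unit test and fail the pipeline on a non-empty result; the same dict can then be splatted into the resource constructor unchanged.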

    Outputs

    All input properties are implicitly available as output properties. Additionally, the KubernetesAssurancePolicy resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Id string
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.
    id string
    The provider-assigned unique ID for this managed resource.
    id str
    The provider-assigned unique ID for this managed resource.
    id String
    The provider-assigned unique ID for this managed resource.

    Look up Existing KubernetesAssurancePolicy Resource

    Get an existing KubernetesAssurancePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: KubernetesAssurancePolicyState, opts?: CustomResourceOptions): KubernetesAssurancePolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            aggregated_vulnerability: Optional[Mapping[str, str]] = None,
            allowed_images: Optional[Sequence[str]] = None,
            application_scopes: Optional[Sequence[str]] = None,
            assurance_type: Optional[str] = None,
            audit_on_failure: Optional[bool] = None,
            author: Optional[str] = None,
            auto_scan_configured: Optional[bool] = None,
            auto_scan_enabled: Optional[bool] = None,
            auto_scan_times: Optional[Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]] = None,
            blacklist_permissions: Optional[Sequence[str]] = None,
            blacklist_permissions_enabled: Optional[bool] = None,
            blacklisted_licenses: Optional[Sequence[str]] = None,
            blacklisted_licenses_enabled: Optional[bool] = None,
            block_failed: Optional[bool] = None,
            control_exclude_no_fix: Optional[bool] = None,
            custom_checks: Optional[Sequence[KubernetesAssurancePolicyCustomCheckArgs]] = None,
            custom_checks_enabled: Optional[bool] = None,
            custom_severity: Optional[str] = None,
            custom_severity_enabled: Optional[bool] = None,
            cves_black_list_enabled: Optional[bool] = None,
            cves_black_lists: Optional[Sequence[str]] = None,
            cves_white_list_enabled: Optional[bool] = None,
            cves_white_lists: Optional[Sequence[str]] = None,
            cvss_severity: Optional[str] = None,
            cvss_severity_enabled: Optional[bool] = None,
            cvss_severity_exclude_no_fix: Optional[bool] = None,
            description: Optional[str] = None,
            disallow_exploit_types: Optional[Sequence[str]] = None,
            disallow_malware: Optional[bool] = None,
            docker_cis_enabled: Optional[bool] = None,
            domain: Optional[str] = None,
            domain_name: Optional[str] = None,
            dta_enabled: Optional[bool] = None,
            dta_severity: Optional[str] = None,
            enabled: Optional[bool] = None,
            enforce: Optional[bool] = None,
            enforce_after_days: Optional[int] = None,
            enforce_excessive_permissions: Optional[bool] = None,
            exceptional_monitored_malware_paths: Optional[Sequence[str]] = None,
            exclude_application_scopes: Optional[Sequence[str]] = None,
            fail_cicd: Optional[bool] = None,
            forbidden_labels: Optional[Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]] = None,
            forbidden_labels_enabled: Optional[bool] = None,
            force_microenforcer: Optional[bool] = None,
            function_integrity_enabled: Optional[bool] = None,
            ignore_base_image_vln: Optional[bool] = None,
            ignore_recently_published_vln: Optional[bool] = None,
            ignore_recently_published_vln_period: Optional[int] = None,
            ignore_risk_resources_enabled: Optional[bool] = None,
            ignored_risk_resources: Optional[Sequence[str]] = None,
            ignored_sensitive_resources: Optional[Sequence[str]] = None,
            images: Optional[Sequence[str]] = None,
            kube_cis_enabled: Optional[bool] = None,
            kubernetes_controls: Optional[Sequence[KubernetesAssurancePolicyKubernetesControlArgs]] = None,
            kubernetes_controls_avd_ids: Optional[Sequence[str]] = None,
            kubernetes_controls_names: Optional[Sequence[str]] = None,
            labels: Optional[Sequence[str]] = None,
            lastupdate: Optional[str] = None,
            linux_cis_enabled: Optional[bool] = None,
            malware_action: Optional[str] = None,
            maximum_score: Optional[float] = None,
            maximum_score_enabled: Optional[bool] = None,
            maximum_score_exclude_no_fix: Optional[bool] = None,
            monitored_malware_paths: Optional[Sequence[str]] = None,
            name: Optional[str] = None,
            only_none_root_users: Optional[bool] = None,
            openshift_hardening_enabled: Optional[bool] = None,
            packages_black_list_enabled: Optional[bool] = None,
            packages_black_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]] = None,
            packages_white_list_enabled: Optional[bool] = None,
            packages_white_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]] = None,
            partial_results_image_fail: Optional[bool] = None,
            permission: Optional[str] = None,
            policy_settings: Optional[KubernetesAssurancePolicyPolicySettingsArgs] = None,
            read_only: Optional[bool] = None,
            registries: Optional[Sequence[str]] = None,
            registry: Optional[str] = None,
            required_labels: Optional[Sequence[KubernetesAssurancePolicyRequiredLabelArgs]] = None,
            required_labels_enabled: Optional[bool] = None,
            scan_malware_in_archives: Optional[bool] = None,
            scan_nfs_mounts: Optional[bool] = None,
            scan_process_memory: Optional[bool] = None,
            scan_sensitive_data: Optional[bool] = None,
            scan_windows_registry: Optional[bool] = None,
            scap_enabled: Optional[bool] = None,
            scap_files: Optional[Sequence[str]] = None,
            scopes: Optional[Sequence[KubernetesAssurancePolicyScopeArgs]] = None,
            trusted_base_images: Optional[Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]] = None,
            trusted_base_images_enabled: Optional[bool] = None,
            vulnerability_exploitability: Optional[bool] = None,
            vulnerability_score_ranges: Optional[Sequence[int]] = None,
            whitelisted_licenses: Optional[Sequence[str]] = None,
            whitelisted_licenses_enabled: Optional[bool] = None) -> KubernetesAssurancePolicy
    func GetKubernetesAssurancePolicy(ctx *Context, name string, id IDInput, state *KubernetesAssurancePolicyState, opts ...ResourceOption) (*KubernetesAssurancePolicy, error)
    public static KubernetesAssurancePolicy Get(string name, Input<string> id, KubernetesAssurancePolicyState? state, CustomResourceOptions? opts = null)
    public static KubernetesAssurancePolicy get(String name, Output<String> id, KubernetesAssurancePolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AggregatedVulnerability Dictionary<string, string>
    Aggregated vulnerability information.
    AllowedImages List<string>
    List of explicitly allowed images.
    ApplicationScopes List<string>
    AssuranceType string
    What type of assurance policy is described.
    AuditOnFailure bool
    Indicates whether failures are audited.
    Author string
    Name of user account that created the policy.
    AutoScanConfigured bool
    AutoScanEnabled bool
    AutoScanTimes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyAutoScanTime>
    BlacklistPermissions List<string>
    List of the function's forbidden permissions.
    BlacklistPermissionsEnabled bool
    Indicates if the permissions blacklist is relevant.
    BlacklistedLicenses List<string>
    List of blacklisted licenses.
    BlacklistedLicensesEnabled bool
    Indicates if license blacklist is relevant.
    BlockFailed bool
    Indicates if failed images are blocked.
    ControlExcludeNoFix bool
    CustomChecks List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyCustomCheck>
    List of custom user scripts for checks.
    CustomChecksEnabled bool
    Indicates if scanning should include custom checks.
    CustomSeverity string
    CustomSeverityEnabled bool
    CvesBlackListEnabled bool
    Indicates if the CVE blacklist is relevant.
    CvesBlackLists List<string>
    List of blacklisted CVEs.
    CvesWhiteListEnabled bool
    Indicates if the CVE whitelist is relevant.
    CvesWhiteLists List<string>
    List of whitelisted CVEs.
    CvssSeverity string
    Identifier of the CVSS severity.
    CvssSeverityEnabled bool
    Indicates if the CVSS severity is scanned.
    CvssSeverityExcludeNoFix bool
    Indicates that the policy should ignore CVSS cases that do not have a known fix.
    Description string
    DisallowExploitTypes List<string>
    DisallowMalware bool
    Indicates if malware should block the image.
    DockerCisEnabled bool
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    Domain string
    Name of the container image.
    DomainName string
    DtaEnabled bool
    DtaSeverity string
    Enabled bool
    Enforce bool
    EnforceAfterDays int
    EnforceExcessivePermissions bool
    ExceptionalMonitoredMalwarePaths List<string>
    ExcludeApplicationScopes List<string>
    FailCicd bool
    Indicates whether CI/CD failures fail the image.
    ForbiddenLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyForbiddenLabel>
    ForbiddenLabelsEnabled bool
    ForceMicroenforcer bool
    FunctionIntegrityEnabled bool
    IgnoreBaseImageVln bool
    IgnoreRecentlyPublishedVln bool
    IgnoreRecentlyPublishedVlnPeriod int
    IgnoreRiskResourcesEnabled bool
    Indicates if risk resources are ignored.
    IgnoredRiskResources List<string>
    List of ignored risk resources.
    IgnoredSensitiveResources List<string>
    Images List<string>
    List of images.
    KubeCisEnabled bool
    Performs a Kubernetes CIS benchmark check for the host.
    KubernetesControls List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyKubernetesControl>
    List of Kubernetes controls.
    KubernetesControlsAvdIds List<string>
    KubernetesControlsNames List<string>
    List of Kubernetes control names. The available controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    Labels List<string>
    List of labels.
    Lastupdate string
    LinuxCisEnabled bool
    MalwareAction string
    MaximumScore double
    Value of allowed maximum score.
    MaximumScoreEnabled bool
    Indicates if exceeding the maximum score is scanned.
    MaximumScoreExcludeNoFix bool
    Indicates that policy should ignore cases that do not have a known fix.
    MonitoredMalwarePaths List<string>
    Name string
    OnlyNoneRootUsers bool
    Indicates whether to raise a warning for images that should only be run as root.
    OpenshiftHardeningEnabled bool
    PackagesBlackListEnabled bool
    Indicates if the package blacklist is relevant.
    PackagesBlackLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesBlackList>
    List of blacklisted packages.
    PackagesWhiteListEnabled bool
    Indicates if the package whitelist is relevant.
    PackagesWhiteLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesWhiteList>
    List of whitelisted packages.
    PartialResultsImageFail bool
    Permission string
    PolicySettings Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPolicySettings
    ReadOnly bool
    Registries List<string>
    List of registries.
    Registry string
    RequiredLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyRequiredLabel>
    RequiredLabelsEnabled bool
    ScanMalwareInArchives bool
    ScanNfsMounts bool
    ScanProcessMemory bool
    ScanSensitiveData bool
    Indicates if scan should include sensitive data in the image.
    ScanWindowsRegistry bool
    ScapEnabled bool
    Indicates if scanning should include SCAP.
    ScapFiles List<string>
    List of SCAP user scripts for checks.
    Scopes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyScope>
    TrustedBaseImages List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyTrustedBaseImage>
    List of trusted images.
    TrustedBaseImagesEnabled bool
    Indicates if list of trusted base images is relevant.
    VulnerabilityExploitability bool
    VulnerabilityScoreRanges List<int>
    WhitelistedLicenses List<string>
    List of whitelisted licenses.
    WhitelistedLicensesEnabled bool
    Indicates if the license whitelist is relevant.
    AggregatedVulnerability map[string]string
    Aggregated vulnerability information.
    AllowedImages []string
    List of explicitly allowed images.
    ApplicationScopes []string
    AssuranceType string
    What type of assurance policy is described.
    AuditOnFailure bool
    Indicates whether failures are audited.
    Author string
    Name of user account that created the policy.
    AutoScanConfigured bool
    AutoScanEnabled bool
    AutoScanTimes []KubernetesAssurancePolicyAutoScanTimeArgs
    BlacklistPermissions []string
    List of the function's forbidden permissions.
    BlacklistPermissionsEnabled bool
    Indicates if the permissions blacklist is relevant.
    BlacklistedLicenses []string
    List of blacklisted licenses.
    BlacklistedLicensesEnabled bool
    Indicates if license blacklist is relevant.
    BlockFailed bool
    Indicates if failed images are blocked.
    ControlExcludeNoFix bool
    CustomChecks []KubernetesAssurancePolicyCustomCheckArgs
    List of custom user scripts for checks.
    CustomChecksEnabled bool
    Indicates if scanning should include custom checks.
    CustomSeverity string
    CustomSeverityEnabled bool
    CvesBlackListEnabled bool
    Indicates if the CVE blacklist is relevant.
    CvesBlackLists []string
    List of blacklisted CVEs.
    CvesWhiteListEnabled bool
    Indicates if the CVE whitelist is relevant.
    CvesWhiteLists []string
    List of whitelisted CVEs.
    CvssSeverity string
    Identifier of the CVSS severity.
    CvssSeverityEnabled bool
    Indicates if the CVSS severity is scanned.
    CvssSeverityExcludeNoFix bool
    Indicates that the policy should ignore CVSS cases that do not have a known fix.
    Description string
    DisallowExploitTypes []string
    DisallowMalware bool
    Indicates if malware should block the image.
    DockerCisEnabled bool
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    Domain string
    Name of the container image.
    DomainName string
    DtaEnabled bool
    DtaSeverity string
    Enabled bool
    Enforce bool
    EnforceAfterDays int
    EnforceExcessivePermissions bool
    ExceptionalMonitoredMalwarePaths []string
    ExcludeApplicationScopes []string
    FailCicd bool
    Indicates whether CI/CD failures fail the image.
    ForbiddenLabels []KubernetesAssurancePolicyForbiddenLabelArgs
    ForbiddenLabelsEnabled bool
    ForceMicroenforcer bool
    FunctionIntegrityEnabled bool
    IgnoreBaseImageVln bool
    IgnoreRecentlyPublishedVln bool
    IgnoreRecentlyPublishedVlnPeriod int
    IgnoreRiskResourcesEnabled bool
    Indicates if risk resources are ignored.
    IgnoredRiskResources []string
    List of ignored risk resources.
    IgnoredSensitiveResources []string
    Images []string
    List of images.
    KubeCisEnabled bool
    Performs a Kubernetes CIS benchmark check for the host.
    KubernetesControls []KubernetesAssurancePolicyKubernetesControlArgs
    List of Kubernetes controls.
    KubernetesControlsAvdIds []string
    KubernetesControlsNames []string
    List of Kubernetes control names. The available controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    Labels []string
    List of labels.
    Lastupdate string
    LinuxCisEnabled bool
    MalwareAction string
    MaximumScore float64
    Value of allowed maximum score.
    MaximumScoreEnabled bool
    Indicates if exceeding the maximum score is scanned.
    MaximumScoreExcludeNoFix bool
    Indicates that policy should ignore cases that do not have a known fix.
    MonitoredMalwarePaths []string
    Name string
    OnlyNoneRootUsers bool
    Indicates whether to raise a warning for images that should only be run as root.
    OpenshiftHardeningEnabled bool
    PackagesBlackListEnabled bool
    Indicates if the package blacklist is relevant.
    PackagesBlackLists []KubernetesAssurancePolicyPackagesBlackListArgs
    List of blacklisted packages.
    PackagesWhiteListEnabled bool
    Indicates if the package whitelist is relevant.
    PackagesWhiteLists []KubernetesAssurancePolicyPackagesWhiteListArgs
    List of whitelisted packages.
    PartialResultsImageFail bool
    Permission string
    PolicySettings KubernetesAssurancePolicyPolicySettingsArgs
    ReadOnly bool
    Registries []string
    List of registries.
    Registry string
    RequiredLabels []KubernetesAssurancePolicyRequiredLabelArgs
    RequiredLabelsEnabled bool
    ScanMalwareInArchives bool
    ScanNfsMounts bool
    ScanProcessMemory bool
    ScanSensitiveData bool
    Indicates if scan should include sensitive data in the image.
    ScanWindowsRegistry bool
    ScapEnabled bool
    Indicates if scanning should include SCAP.
    ScapFiles []string
    List of SCAP user scripts for checks.
    Scopes []KubernetesAssurancePolicyScopeArgs
    TrustedBaseImages []KubernetesAssurancePolicyTrustedBaseImageArgs
    List of trusted images.
    TrustedBaseImagesEnabled bool
    Indicates if list of trusted base images is relevant.
    VulnerabilityExploitability bool
    VulnerabilityScoreRanges []int
    WhitelistedLicenses []string
    List of whitelisted licenses.
    WhitelistedLicensesEnabled bool
    Indicates if the license whitelist is relevant.
    aggregatedVulnerability Map<String,String>
    Aggregated vulnerability information.
    allowedImages List<String>
    List of explicitly allowed images.
    applicationScopes List<String>
    assuranceType String
    What type of assurance policy is described.
    auditOnFailure Boolean
    Indicates whether failures are audited.
    author String
    Name of user account that created the policy.
    autoScanConfigured Boolean
    autoScanEnabled Boolean
    autoScanTimes List<KubernetesAssurancePolicyAutoScanTime>
    blacklistPermissions List<String>
    List of the function's forbidden permissions.
    blacklistPermissionsEnabled Boolean
    Indicates if the permissions blacklist is relevant.
    blacklistedLicenses List<String>
    List of blacklisted licenses.
    blacklistedLicensesEnabled Boolean
    Indicates if license blacklist is relevant.
    blockFailed Boolean
    Indicates if failed images are blocked.
    controlExcludeNoFix Boolean
    customChecks List<KubernetesAssurancePolicyCustomCheck>
    List of custom user scripts for checks.
    customChecksEnabled Boolean
    Indicates if scanning should include custom checks.
    customSeverity String
    customSeverityEnabled Boolean
    cvesBlackListEnabled Boolean
    Indicates if the CVE blacklist is relevant.
    cvesBlackLists List<String>
    List of blacklisted CVEs.
    cvesWhiteListEnabled Boolean
    Indicates if the CVE whitelist is relevant.
    cvesWhiteLists List<String>
    List of whitelisted CVEs.
    cvssSeverity String
    Identifier of the CVSS severity.
    cvssSeverityEnabled Boolean
    Indicates if the CVSS severity is scanned.
    cvssSeverityExcludeNoFix Boolean
    Indicates that the policy should ignore CVSS cases that do not have a known fix.
    description String
    disallowExploitTypes List<String>
    disallowMalware Boolean
    Indicates if malware should block the image.
    dockerCisEnabled Boolean
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    domain String
    Name of the container image.
    domainName String
    dtaEnabled Boolean
    dtaSeverity String
    enabled Boolean
    enforce Boolean
    enforceAfterDays Integer
    enforceExcessivePermissions Boolean
    exceptionalMonitoredMalwarePaths List<String>
    excludeApplicationScopes List<String>
    failCicd Boolean
    Indicates whether CI/CD failures fail the image.
    forbiddenLabels List<KubernetesAssurancePolicyForbiddenLabel>
    forbiddenLabelsEnabled Boolean
    forceMicroenforcer Boolean
    functionIntegrityEnabled Boolean
    ignoreBaseImageVln Boolean
    ignoreRecentlyPublishedVln Boolean
    ignoreRecentlyPublishedVlnPeriod Integer
    ignoreRiskResourcesEnabled Boolean
    Indicates if risk resources are ignored.
    ignoredRiskResources List<String>
    List of ignored risk resources.
    ignoredSensitiveResources List<String>
    images List<String>
    List of images.
    kubeCisEnabled Boolean
    Performs a Kubernetes CIS benchmark check for the host.
    kubernetesControls List<KubernetesAssurancePolicyKubernetesControl>
    List of Kubernetes controls.
    kubernetesControlsAvdIds List<String>
    kubernetesControlsNames List<String>
    List of Kubernetes control names. The available controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    labels List<String>
    List of labels.
    lastupdate String
    linuxCisEnabled Boolean
    malwareAction String
    maximumScore Double
    Value of allowed maximum score.
    maximumScoreEnabled Boolean
    Indicates if exceeding the maximum score is scanned.
    maximumScoreExcludeNoFix Boolean
    Indicates that policy should ignore cases that do not have a known fix.
    monitoredMalwarePaths List<String>
    name String
    onlyNoneRootUsers Boolean
    Indicates whether to raise a warning for images that should only be run as root.
    openshiftHardeningEnabled Boolean
    packagesBlackListEnabled Boolean
    Indicates if the package blacklist is relevant.
    packagesBlackLists List<KubernetesAssurancePolicyPackagesBlackList>
    List of blacklisted packages.
    packagesWhiteListEnabled Boolean
    Indicates if the package whitelist is relevant.
    packagesWhiteLists List<KubernetesAssurancePolicyPackagesWhiteList>
    List of whitelisted packages.
    partialResultsImageFail Boolean
    permission String
    policySettings KubernetesAssurancePolicyPolicySettings
    readOnly Boolean
    registries List<String>
    List of registries.
    registry String
    requiredLabels List<KubernetesAssurancePolicyRequiredLabel>
    requiredLabelsEnabled Boolean
    scanMalwareInArchives Boolean
    scanNfsMounts Boolean
    scanProcessMemory Boolean
    scanSensitiveData Boolean
    Indicates if scan should include sensitive data in the image.
    scanWindowsRegistry Boolean
    scapEnabled Boolean
    Indicates if scanning should include SCAP.
    scapFiles List<String>
    List of SCAP user scripts for checks.
    scopes List<KubernetesAssurancePolicyScope>
    trustedBaseImages List<KubernetesAssurancePolicyTrustedBaseImage>
    List of trusted images.
    trustedBaseImagesEnabled Boolean
    Indicates if list of trusted base images is relevant.
    vulnerabilityExploitability Boolean
    vulnerabilityScoreRanges List<Integer>
    whitelistedLicenses List<String>
    List of whitelisted licenses.
    whitelistedLicensesEnabled Boolean
    Indicates if the license whitelist is relevant.
    aggregatedVulnerability {[key: string]: string}
    Aggregated vulnerability information.
    allowedImages string[]
    List of explicitly allowed images.
    applicationScopes string[]
    assuranceType string
    What type of assurance policy is described.
    auditOnFailure boolean
    Indicates whether failures are audited.
    author string
    Name of user account that created the policy.
    autoScanConfigured boolean
    autoScanEnabled boolean
    autoScanTimes KubernetesAssurancePolicyAutoScanTime[]
    blacklistPermissions string[]
    List of the function's forbidden permissions.
    blacklistPermissionsEnabled boolean
    Indicates if the permissions blacklist is relevant.
    blacklistedLicenses string[]
    List of blacklisted licenses.
    blacklistedLicensesEnabled boolean
    Indicates if license blacklist is relevant.
    blockFailed boolean
    Indicates if failed images are blocked.
    controlExcludeNoFix boolean
    customChecks KubernetesAssurancePolicyCustomCheck[]
    List of custom user scripts for checks.
    customChecksEnabled boolean
    Indicates if scanning should include custom checks.
    customSeverity string
    customSeverityEnabled boolean
    cvesBlackListEnabled boolean
    Indicates if the CVE blacklist is relevant.
    cvesBlackLists string[]
    List of blacklisted CVEs.
    cvesWhiteListEnabled boolean
    Indicates if the CVE whitelist is relevant.
    cvesWhiteLists string[]
    List of whitelisted CVEs.
    cvssSeverity string
    Identifier of the CVSS severity.
    cvssSeverityEnabled boolean
    Indicates if the CVSS severity is scanned.
    cvssSeverityExcludeNoFix boolean
    Indicates that the policy should ignore CVSS cases that do not have a known fix.
    description string
    disallowExploitTypes string[]
    disallowMalware boolean
    Indicates if malware should block the image.
    dockerCisEnabled boolean
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    domain string
    Name of the container image.
    domainName string
    dtaEnabled boolean
    dtaSeverity string
    enabled boolean
    enforce boolean
    enforceAfterDays number
    enforceExcessivePermissions boolean
    exceptionalMonitoredMalwarePaths string[]
    excludeApplicationScopes string[]
    failCicd boolean
    Indicates whether CI/CD failures fail the image.
    forbiddenLabels KubernetesAssurancePolicyForbiddenLabel[]
    forbiddenLabelsEnabled boolean
    forceMicroenforcer boolean
    functionIntegrityEnabled boolean
    ignoreBaseImageVln boolean
    ignoreRecentlyPublishedVln boolean
    ignoreRecentlyPublishedVlnPeriod number
    ignoreRiskResourcesEnabled boolean
    Indicates if risk resources are ignored.
    ignoredRiskResources string[]
    List of ignored risk resources.
    ignoredSensitiveResources string[]
    images string[]
    List of images.
    kubeCisEnabled boolean
    Performs a Kubernetes CIS benchmark check for the host.
    kubernetesControls KubernetesAssurancePolicyKubernetesControl[]
    List of Kubernetes controls.
    kubernetesControlsAvdIds string[]
    kubernetesControlsNames string[]
    List of Kubernetes control names. The available controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    labels string[]
    List of labels.
    lastupdate string
    linuxCisEnabled boolean
    malwareAction string
    maximumScore number
    Value of allowed maximum score.
    maximumScoreEnabled boolean
    Indicates if exceeding the maximum score is scanned.
    maximumScoreExcludeNoFix boolean
    Indicates that policy should ignore cases that do not have a known fix.
    monitoredMalwarePaths string[]
    name string
    onlyNoneRootUsers boolean
    Indicates whether to raise a warning for images that should only be run as root.
    openshiftHardeningEnabled boolean
    packagesBlackListEnabled boolean
    Indicates if the package blacklist is relevant.
    packagesBlackLists KubernetesAssurancePolicyPackagesBlackList[]
    List of blacklisted packages.
    packagesWhiteListEnabled boolean
    Indicates if the package whitelist is relevant.
    packagesWhiteLists KubernetesAssurancePolicyPackagesWhiteList[]
    List of whitelisted packages.
    partialResultsImageFail boolean
    permission string
    policySettings KubernetesAssurancePolicyPolicySettings
    readOnly boolean
    registries string[]
    List of registries.
    registry string
    requiredLabels KubernetesAssurancePolicyRequiredLabel[]
    requiredLabelsEnabled boolean
    scanMalwareInArchives boolean
    scanNfsMounts boolean
    scanProcessMemory boolean
    scanSensitiveData boolean
    Indicates if scan should include sensitive data in the image.
    scanWindowsRegistry boolean
    scapEnabled boolean
    Indicates if scanning should include SCAP.
    scapFiles string[]
    List of SCAP user scripts for checks.
    scopes KubernetesAssurancePolicyScope[]
    trustedBaseImages KubernetesAssurancePolicyTrustedBaseImage[]
    List of trusted images.
    trustedBaseImagesEnabled boolean
    Indicates if list of trusted base images is relevant.
    vulnerabilityExploitability boolean
    vulnerabilityScoreRanges number[]
    whitelistedLicenses string[]
    List of whitelisted licenses.
    whitelistedLicensesEnabled boolean
    Indicates if license blacklist is relevant.
    aggregated_vulnerability Mapping[str, str]
    Aggregated vulnerability information.
    allowed_images Sequence[str]
    List of explicitly allowed images.
    application_scopes Sequence[str]
    assurance_type str
    What type of assurance policy is described.
    audit_on_failure bool
    Indicates if auditing for failures.
    author str
    Name of user account that created the policy.
    auto_scan_configured bool
    auto_scan_enabled bool
    auto_scan_times Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]
    blacklist_permissions Sequence[str]
    List of function's forbidden permissions.
    blacklist_permissions_enabled bool
    Indicates if blacklist permissions is relevant.
    blacklisted_licenses Sequence[str]
    List of blacklisted licenses.
    blacklisted_licenses_enabled bool
    Indicates if license blacklist is relevant.
    block_failed bool
    Indicates if failed images are blocked.
    control_exclude_no_fix bool
    custom_checks Sequence[KubernetesAssurancePolicyCustomCheckArgs]
    List of Custom user scripts for checks.
    custom_checks_enabled bool
    Indicates if scanning should include custom checks.
    custom_severity str
    custom_severity_enabled bool
    cves_black_list_enabled bool
    Indicates if CVEs blacklist is relevant.
    cves_black_lists Sequence[str]
    List of CVEs blacklisted items.
    cves_white_list_enabled bool
    Indicates if CVEs whitelist is relevant.
    cves_white_lists Sequence[str]
    List of CVEs whitelisted licenses.
    cvss_severity str
    Identifier of the CVSS severity.
    cvss_severity_enabled bool
    Indicates if the CVSS severity is scanned.
    cvss_severity_exclude_no_fix bool
    Indicates that the policy should ignore CVSS cases that do not have a known fix.
    description str
    disallow_exploit_types Sequence[str]
    disallow_malware bool
    Indicates if malware should block the image.
    docker_cis_enabled bool
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    domain str
    Name of the container image.
    domain_name str
    dta_enabled bool
    dta_severity str
    enabled bool
    enforce bool
    enforce_after_days int
    enforce_excessive_permissions bool
    exceptional_monitored_malware_paths Sequence[str]
    exclude_application_scopes Sequence[str]
    fail_cicd bool
    Indicates if CI/CD failures will fail the image.
    forbidden_labels Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]
    forbidden_labels_enabled bool
    force_microenforcer bool
    function_integrity_enabled bool
    ignore_base_image_vln bool
    ignore_recently_published_vln bool
    ignore_recently_published_vln_period int
    ignore_risk_resources_enabled bool
    Indicates if risk resources are ignored.
    ignored_risk_resources Sequence[str]
    List of ignored risk resources.
    ignored_sensitive_resources Sequence[str]
    images Sequence[str]
    List of images.
    kube_cis_enabled bool
    Performs a Kubernetes CIS benchmark check for the host.
    kubernetes_controls Sequence[KubernetesAssurancePolicyKubernetesControlArgs]
    List of Kubernetes controls.
    kubernetes_controls_avd_ids Sequence[str]
    kubernetes_controls_names Sequence[str]
    List of Kubernetes control names. The available Kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    labels Sequence[str]
    List of labels.
    lastupdate str
    linux_cis_enabled bool
    malware_action str
    maximum_score float
    Value of allowed maximum score.
    maximum_score_enabled bool
    Indicates if exceeding the maximum score is scanned.
    maximum_score_exclude_no_fix bool
    Indicates that the policy should ignore cases that do not have a known fix.
    monitored_malware_paths Sequence[str]
    name str
    only_none_root_users bool
    Indicates whether to raise a warning for images that should only be run as root.
    openshift_hardening_enabled bool
    packages_black_list_enabled bool
    Indicates if packages blacklist is relevant.
    packages_black_lists Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]
    List of blacklisted images.
    packages_white_list_enabled bool
    Indicates if packages whitelist is relevant.
    packages_white_lists Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]
    List of whitelisted images.
    partial_results_image_fail bool
    permission str
    policy_settings KubernetesAssurancePolicyPolicySettingsArgs
    read_only bool
    registries Sequence[str]
    List of registries.
    registry str
    required_labels Sequence[KubernetesAssurancePolicyRequiredLabelArgs]
    required_labels_enabled bool
    scan_malware_in_archives bool
    scan_nfs_mounts bool
    scan_process_memory bool
    scan_sensitive_data bool
    Indicates if scan should include sensitive data in the image.
    scan_windows_registry bool
    scap_enabled bool
    Indicates if scanning should include SCAP.
    scap_files Sequence[str]
    List of SCAP user scripts for checks.
    scopes Sequence[KubernetesAssurancePolicyScopeArgs]
    trusted_base_images Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]
    List of trusted images.
    trusted_base_images_enabled bool
    Indicates if list of trusted base images is relevant.
    vulnerability_exploitability bool
    vulnerability_score_ranges Sequence[int]
    whitelisted_licenses Sequence[str]
    List of whitelisted licenses.
    whitelisted_licenses_enabled bool
    Indicates if license blacklist is relevant.
    aggregatedVulnerability Map<String>
    Aggregated vulnerability information.
    allowedImages List<String>
    List of explicitly allowed images.
    applicationScopes List<String>
    assuranceType String
    What type of assurance policy is described.
    auditOnFailure Boolean
    Indicates if auditing for failures.
    author String
    Name of user account that created the policy.
    autoScanConfigured Boolean
    autoScanEnabled Boolean
    autoScanTimes List<Property Map>
    blacklistPermissions List<String>
    List of function's forbidden permissions.
    blacklistPermissionsEnabled Boolean
    Indicates if blacklist permissions is relevant.
    blacklistedLicenses List<String>
    List of blacklisted licenses.
    blacklistedLicensesEnabled Boolean
    Indicates if license blacklist is relevant.
    blockFailed Boolean
    Indicates if failed images are blocked.
    controlExcludeNoFix Boolean
    customChecks List<Property Map>
    List of Custom user scripts for checks.
    customChecksEnabled Boolean
    Indicates if scanning should include custom checks.
    customSeverity String
    customSeverityEnabled Boolean
    cvesBlackListEnabled Boolean
    Indicates if CVEs blacklist is relevant.
    cvesBlackLists List<String>
    List of CVEs blacklisted items.
    cvesWhiteListEnabled Boolean
    Indicates if CVEs whitelist is relevant.
    cvesWhiteLists List<String>
    List of CVEs whitelisted licenses.
    cvssSeverity String
    Identifier of the CVSS severity.
    cvssSeverityEnabled Boolean
    Indicates if the CVSS severity is scanned.
    cvssSeverityExcludeNoFix Boolean
    Indicates that the policy should ignore CVSS cases that do not have a known fix.
    description String
    disallowExploitTypes List<String>
    disallowMalware Boolean
    Indicates if malware should block the image.
    dockerCisEnabled Boolean
    Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
    domain String
    Name of the container image.
    domainName String
    dtaEnabled Boolean
    dtaSeverity String
    enabled Boolean
    enforce Boolean
    enforceAfterDays Number
    enforceExcessivePermissions Boolean
    exceptionalMonitoredMalwarePaths List<String>
    excludeApplicationScopes List<String>
    failCicd Boolean
    Indicates if CI/CD failures will fail the image.
    forbiddenLabels List<Property Map>
    forbiddenLabelsEnabled Boolean
    forceMicroenforcer Boolean
    functionIntegrityEnabled Boolean
    ignoreBaseImageVln Boolean
    ignoreRecentlyPublishedVln Boolean
    ignoreRecentlyPublishedVlnPeriod Number
    ignoreRiskResourcesEnabled Boolean
    Indicates if risk resources are ignored.
    ignoredRiskResources List<String>
    List of ignored risk resources.
    ignoredSensitiveResources List<String>
    images List<String>
    List of images.
    kubeCisEnabled Boolean
    Performs a Kubernetes CIS benchmark check for the host.
    kubernetesControls List<Property Map>
    List of Kubernetes controls.
    kubernetesControlsAvdIds List<String>
    kubernetesControlsNames List<String>
    List of Kubernetes control names. The available Kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
    labels List<String>
    List of labels.
    lastupdate String
    linuxCisEnabled Boolean
    malwareAction String
    maximumScore Number
    Value of allowed maximum score.
    maximumScoreEnabled Boolean
    Indicates if exceeding the maximum score is scanned.
    maximumScoreExcludeNoFix Boolean
    Indicates that the policy should ignore cases that do not have a known fix.
    monitoredMalwarePaths List<String>
    name String
    onlyNoneRootUsers Boolean
    Indicates whether to raise a warning for images that should only be run as root.
    openshiftHardeningEnabled Boolean
    packagesBlackListEnabled Boolean
    Indicates if packages blacklist is relevant.
    packagesBlackLists List<Property Map>
    List of blacklisted images.
    packagesWhiteListEnabled Boolean
    Indicates if packages whitelist is relevant.
    packagesWhiteLists List<Property Map>
    List of whitelisted images.
    partialResultsImageFail Boolean
    permission String
    policySettings Property Map
    readOnly Boolean
    registries List<String>
    List of registries.
    registry String
    requiredLabels List<Property Map>
    requiredLabelsEnabled Boolean
    scanMalwareInArchives Boolean
    scanNfsMounts Boolean
    scanProcessMemory Boolean
    scanSensitiveData Boolean
    Indicates if scan should include sensitive data in the image.
    scanWindowsRegistry Boolean
    scapEnabled Boolean
    Indicates if scanning should include SCAP.
    scapFiles List<String>
    List of SCAP user scripts for checks.
    scopes List<Property Map>
    trustedBaseImages List<Property Map>
    List of trusted images.
    trustedBaseImagesEnabled Boolean
    Indicates if list of trusted base images is relevant.
    vulnerabilityExploitability Boolean
    vulnerabilityScoreRanges List<Number>
    whitelistedLicenses List<String>
    List of whitelisted licenses.
    whitelistedLicensesEnabled Boolean
    Indicates if license blacklist is relevant.

    Supporting Types

    KubernetesAssurancePolicyAutoScanTime, KubernetesAssurancePolicyAutoScanTimeArgs

    Iteration int
    IterationType string
    Time string
    WeekDays List<string>
    Iteration int
    IterationType string
    Time string
    WeekDays []string
    iteration Integer
    iterationType String
    time String
    weekDays List<String>
    iteration number
    iterationType string
    time string
    weekDays string[]
    iteration int
    iteration_type str
    time str
    week_days Sequence[str]
    iteration Number
    iterationType String
    time String
    weekDays List<String>

    KubernetesAssurancePolicyCustomCheck, KubernetesAssurancePolicyCustomCheckArgs

    Author string
    Name of user account that created the policy.
    Description string
    Engine string
    LastModified int
    Name string
    Path string
    ReadOnly bool
    ScriptId string
    Severity string
    Snippet string
    Author string
    Name of user account that created the policy.
    Description string
    Engine string
    LastModified int
    Name string
    Path string
    ReadOnly bool
    ScriptId string
    Severity string
    Snippet string
    author String
    Name of user account that created the policy.
    description String
    engine String
    lastModified Integer
    name String
    path String
    readOnly Boolean
    scriptId String
    severity String
    snippet String
    author string
    Name of user account that created the policy.
    description string
    engine string
    lastModified number
    name string
    path string
    readOnly boolean
    scriptId string
    severity string
    snippet string
    author str
    Name of user account that created the policy.
    description str
    engine str
    last_modified int
    name str
    path str
    read_only bool
    script_id str
    severity str
    snippet str
    author String
    Name of user account that created the policy.
    description String
    engine String
    lastModified Number
    name String
    path String
    readOnly Boolean
    scriptId String
    severity String
    snippet String

    KubernetesAssurancePolicyForbiddenLabel, KubernetesAssurancePolicyForbiddenLabelArgs

    Key string
    Value string
    Key string
    Value string
    key String
    value String
    key string
    value string
    key str
    value str
    key String
    value String

    KubernetesAssurancePolicyKubernetesControl, KubernetesAssurancePolicyKubernetesControlArgs

    AvdId string
    AVD ID.
    Description string
    Description of the control.
    Enabled bool
    Is the control enabled?
    Kind string
    Kind of the control.
    Name string
    Name of the control.
    Ootb bool
    Out-of-the-box status of the control.
    ScriptId int
    Script ID.
    Severity string
    Severity of the control.
    AvdId string
    AVD ID.
    Description string
    Description of the control.
    Enabled bool
    Is the control enabled?
    Kind string
    Kind of the control.
    Name string
    Name of the control.
    Ootb bool
    Out-of-the-box status of the control.
    ScriptId int
    Script ID.
    Severity string
    Severity of the control.
    avdId String
    AVD ID.
    description String
    Description of the control.
    enabled Boolean
    Is the control enabled?
    kind String
    Kind of the control.
    name String
    Name of the control.
    ootb Boolean
    Out-of-the-box status of the control.
    scriptId Integer
    Script ID.
    severity String
    Severity of the control.
    avdId string
    AVD ID.
    description string
    Description of the control.
    enabled boolean
    Is the control enabled?
    kind string
    Kind of the control.
    name string
    Name of the control.
    ootb boolean
    Out-of-the-box status of the control.
    scriptId number
    Script ID.
    severity string
    Severity of the control.
    avd_id str
    AVD ID.
    description str
    Description of the control.
    enabled bool
    Is the control enabled?
    kind str
    Kind of the control.
    name str
    Name of the control.
    ootb bool
    Out-of-the-box status of the control.
    script_id int
    Script ID.
    severity str
    Severity of the control.
    avdId String
    AVD ID.
    description String
    Description of the control.
    enabled Boolean
    Is the control enabled?
    kind String
    Kind of the control.
    name String
    Name of the control.
    ootb Boolean
    Out-of-the-box status of the control.
    scriptId Number
    Script ID.
    severity String
    Severity of the control.

    KubernetesAssurancePolicyPackagesBlackList, KubernetesAssurancePolicyPackagesBlackListArgs

    Arch string
    Display string
    Epoch string
    Format string
    License string
    Name string
    Release string
    Version string
    VersionRange string
    Arch string
    Display string
    Epoch string
    Format string
    License string
    Name string
    Release string
    Version string
    VersionRange string
    arch String
    display String
    epoch String
    format String
    license String
    name String
    release String
    version String
    versionRange String
    arch string
    display string
    epoch string
    format string
    license string
    name string
    release string
    version string
    versionRange string
    arch String
    display String
    epoch String
    format String
    license String
    name String
    release String
    version String
    versionRange String

    KubernetesAssurancePolicyPackagesWhiteList, KubernetesAssurancePolicyPackagesWhiteListArgs

    Arch string
    Display string
    Epoch string
    Format string
    License string
    Name string
    Release string
    Version string
    VersionRange string
    Arch string
    Display string
    Epoch string
    Format string
    License string
    Name string
    Release string
    Version string
    VersionRange string
    arch String
    display String
    epoch String
    format String
    license String
    name String
    release String
    version String
    versionRange String
    arch string
    display string
    epoch string
    format string
    license string
    name string
    release string
    version string
    versionRange string
    arch String
    display String
    epoch String
    format String
    license String
    name String
    release String
    version String
    versionRange String

    KubernetesAssurancePolicyPolicySettings, KubernetesAssurancePolicyPolicySettingsArgs

    enforce Boolean
    isAuditChecked Boolean
    warn Boolean
    warningMessage String
    enforce boolean
    isAuditChecked boolean
    warn boolean
    warningMessage string
    enforce Boolean
    isAuditChecked Boolean
    warn Boolean
    warningMessage String

    KubernetesAssurancePolicyRequiredLabel, KubernetesAssurancePolicyRequiredLabelArgs

    Key string
    Value string
    Key string
    Value string
    key String
    value String
    key string
    value string
    key str
    value str
    key String
    value String

    KubernetesAssurancePolicyScope, KubernetesAssurancePolicyScopeArgs

    KubernetesAssurancePolicyScopeVariable, KubernetesAssurancePolicyScopeVariableArgs

    Attribute string
    Name string
    Value string
    Attribute string
    Name string
    Value string
    attribute String
    name String
    value String
    attribute string
    name string
    value string
    attribute str
    name str
    value str
    attribute String
    name String
    value String

    KubernetesAssurancePolicyTrustedBaseImage, KubernetesAssurancePolicyTrustedBaseImageArgs

    Imagename string
    Registry string
    Imagename string
    Registry string
    imagename String
    registry String
    imagename string
    registry string
    imagename String
    registry String

    Package Details

    Repository
    aquasec pulumiverse/pulumi-aquasec
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aquasec Terraform Provider.