Aquasec v0.8.29 published on Monday, Jul 22, 2024 by Pulumiverse

aquasec.ContainerRuntimePolicy


Example Usage

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aquasec.ContainerRuntimePolicy;
import com.pulumi.aquasec.ContainerRuntimePolicyArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyMalwareScanOptionsArgs;
import com.pulumi.aquasec.inputs.ContainerRuntimePolicyScopeVariableArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

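public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares one Aqua {@code ContainerRuntimePolicy} resource.
     *
     * <p>Read the security posture of this example before copying it:
     * <ul>
     *   <li>{@code enabled(true)} together with {@code enforce(false)} presumably leaves the policy in
     *       audit/alert mode, so the {@code block*} switches below report rather than block. Switch to
     *       {@code enforce(true)} once the alerts have been reviewed (confirm the exact semantics in the
     *       Aqua docs).</li>
     *   <li>Every allow-list ({@code allowedExecutables}, {@code allowedRegistries},
     *       {@code containerExecAllowedProcesses}, the FIM {@code excluded*} lists) is an exception to a
     *       control; keep them minimal and review them as carefully as the block-lists.</li>
     *   <li>{@code applicationScopes("Global")} plus the scope expression/variables decide which
     *       workloads are affected; an over-broad scope turns a test policy into a fleet-wide one.</li>
     * </ul>
     * All list values here ({@code "exe"}, {@code "registry1"}, {@code "test1"}, ...) are placeholders.
     *
     * @param ctx the Pulumi deployment context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        var containerRuntimePolicy = new ContainerRuntimePolicy("containerRuntimePolicy", ContainerRuntimePolicyArgs.builder()
            // NOTE(review): the constructor reference further down this page models allowedExecutables
            // and allowedRegistries as nested *Args objects (allowExecutables/allowedRegistries + enabled),
            // not plain strings — confirm which shape the provider version in use accepts.
            .allowedExecutables(
                "exe",
                "bin")
            .allowedRegistries(
                "registry1",
                "registry2")
            .applicationScopes("Global")
            // Audit everything: network, process starts and full command lines. Full command arguments
            // can capture secrets passed on the command line — make sure the audit sink is access-controlled.
            .auditAllNetworkActivity(true)
            .auditAllProcessesActivity(true)
            .auditFullCommandArguments(true)
            // Container-hardening switches (host namespaces, capabilities, privileged, root, low ports, ...).
            .blockAccessHostNetwork(true)
            .blockAddingCapabilities(true)
            // Exec into containers is blocked except for the processes listed in containerExecAllowedProcesses.
            .blockContainerExec(true)
            .blockCryptocurrencyMining(true)
            .blockFilelessExec(true)
            .blockLowPortBinding(true)
            .blockNonCompliantWorkloads(true)
            .blockNonK8sContainers(true)
            .blockPrivilegedContainers(true)
            .blockRootUser(true)
            .blockUseIpcNamespace(true)
            .blockUsePidNamespace(true)
            .blockUseUserNamespace(true)
            .blockUseUtsNamespace(true)
            .blockedCapabilities(
                "AUDIT_CONTROL",
                "AUDIT_WRITE")
            .blockedExecutables(
                "exe1",
                "exe2")
            .blockedFiles(
                "test1",
                "test2")
            // Ports are passed as strings in this SDK.
            .blockedInboundPorts(
                "80",
                "8080")
            .blockedOutboundPorts(
                "90",
                "9090")
            .blockedPackages(
                "pkg",
                "pkg2")
            .blockedVolumes(
                "blocked",
                "vol")
            // Exception list for blockContainerExec above — anything here may still be exec'd.
            .containerExecAllowedProcesses(
                "proc1",
                "proc2")
            .description("container_runtime_policy")
            .enableForkGuard(true)
            .enabled(true)
            // Audit-only while false: the block* settings above presumably alert instead of blocking.
            .enforce(false)
            // NOTE(review): the field names used here (excludedPaths/monitoredPaths/...) differ from the
            // FileIntegrityMonitoringArgs shown in the constructor reference on this page
            // (exceptionalMonitoredFiles/monitoredFiles/...); confirm against the installed SDK.
            .fileIntegrityMonitoring(ContainerRuntimePolicyFileIntegrityMonitoringArgs.builder()
                // excluded* entries are blind spots in the integrity monitoring — keep them minimal.
                .excludedPaths("expaths")
                .excludedProcesses("exprocess")
                .excludedUsers("expuser")
                .monitorAttributes(true)
                .monitorCreate(true)
                .monitorDelete(true)
                .monitorModify(true)
                .monitorRead(true)
                .monitoredPaths("paths")
                .monitoredProcesses("process")
                .monitoredUsers("user")
                .build())
            // Upper bound on processes a container may fork while fork guard is enabled (see enableForkGuard).
            .forkGuardProcessLimit(13)
            .limitNewPrivileges(true)
            // "alert" only reports detected malware; this example does not block on detection.
            .malwareScanOptions(ContainerRuntimePolicyMalwareScanOptionsArgs.builder()
                .action("alert")
                .enabled(true)
                .build())
            // Fix: this is a boolean property (see the Python and C# signatures on this page); the
            // original passed the string "true", which does not type-check against a Boolean builder.
            .monitorSystemTimeChanges(true)
            // Scope: workloads in cluster "default" OR carrying label app=aqua.
            .scopeExpression("v1 || v2")
            .scopeVariables(
                ContainerRuntimePolicyScopeVariableArgs.builder()
                    .attribute("kubernetes.cluster")
                    .value("default")
                    .build(),
                ContainerRuntimePolicyScopeVariableArgs.builder()
                    .attribute("kubernetes.label")
                    .name("app")
                    .value("aqua")
                    .build())
            .build());

    }
}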
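resources:
  containerRuntimePolicy:
    type: aquasec:ContainerRuntimePolicy
    properties:
      # All list values below are placeholders. Allow-lists are exceptions to
      # the controls that follow; keep them minimal and review them as
      # carefully as the block-lists.
      # NOTE(review): the constructor reference on this page models
      # allowedExecutables/allowedRegistries as nested objects rather than
      # plain strings — confirm against the provider version in use.
      allowedExecutables:
        - exe
        - bin
      allowedRegistries:
        - registry1
        - registry2
      applicationScopes:
        - Global
      # Full command-line auditing can capture secrets passed as arguments;
      # make sure the audit sink is access-controlled.
      auditAllNetworkActivity: true
      auditAllProcessesActivity: true
      auditFullCommandArguments: true
      blockAccessHostNetwork: true
      blockAddingCapabilities: true
      # Exec is blocked except for the processes in containerExecAllowedProcesses.
      blockContainerExec: true
      blockCryptocurrencyMining: true
      blockFilelessExec: true
      blockLowPortBinding: true
      blockNonCompliantWorkloads: true
      blockNonK8sContainers: true
      blockPrivilegedContainers: true
      blockRootUser: true
      blockUseIpcNamespace: true
      blockUsePidNamespace: true
      blockUseUserNamespace: true
      blockUseUtsNamespace: true
      blockedCapabilities:
        - AUDIT_CONTROL
        - AUDIT_WRITE
      blockedExecutables:
        - exe1
        - exe2
      blockedFiles:
        - test1
        - test2
      # Ports are strings in this schema.
      blockedInboundPorts:
        - '80'
        - '8080'
      blockedOutboundPorts:
        - '90'
        - '9090'
      blockedPackages:
        - pkg
        - pkg2
      blockedVolumes:
        - blocked
        - vol
      # Exception list for blockContainerExec above.
      containerExecAllowedProcesses:
        - proc1
        - proc2
      description: container_runtime_policy
      enableForkGuard: true
      enabled: true
      # enabled with enforce: false presumably means audit/alert mode — the
      # block* settings report rather than block until this is set to true.
      enforce: false
      # NOTE(review): these field names differ from the
      # fileIntegrityMonitoring shape in the constructor reference on this
      # page (exceptionalMonitoredFiles/monitoredFiles/...) — confirm.
      fileIntegrityMonitoring:
        # excluded* entries are blind spots in integrity monitoring.
        excludedPaths:
          - expaths
        excludedProcesses:
          - exprocess
        excludedUsers:
          - expuser
        monitorAttributes: true
        monitorCreate: true
        monitorDelete: true
        monitorModify: true
        monitorRead: true
        monitoredPaths:
          - paths
        monitoredProcesses:
          - process
        monitoredUsers:
          - user
      forkGuardProcessLimit: 13
      limitNewPrivileges: true
      # "alert" only reports detected malware; this example does not block on it.
      malwareScanOptions:
        action: alert
        enabled: true
      # Fix: boolean property (see the Python/C# signatures on this page); the
      # original quoted it as the string 'true'.
      monitorSystemTimeChanges: true
      # Scope: workloads in cluster "default" OR carrying label app=aqua.
      scopeExpression: v1 || v2
      scopeVariables:
        - attribute: kubernetes.cluster
          value: default
        - attribute: kubernetes.label
          name: app
          value: aqua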

Create ContainerRuntimePolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ContainerRuntimePolicy(name: string, args?: ContainerRuntimePolicyArgs, opts?: CustomResourceOptions);
@overload
def ContainerRuntimePolicy(resource_name: str,
                           args: Optional[ContainerRuntimePolicyArgs] = None,
                           opts: Optional[ResourceOptions] = None)

@overload
def ContainerRuntimePolicy(resource_name: str,
                           opts: Optional[ResourceOptions] = None,
                           allowed_executables: Optional[Sequence[ContainerRuntimePolicyAllowedExecutableArgs]] = None,
                           allowed_registries: Optional[Sequence[ContainerRuntimePolicyAllowedRegistryArgs]] = None,
                           application_scopes: Optional[Sequence[str]] = None,
                           audit_all_network_activity: Optional[bool] = None,
                           audit_all_processes_activity: Optional[bool] = None,
                           audit_brute_force_login: Optional[bool] = None,
                           audit_full_command_arguments: Optional[bool] = None,
                           auditing: Optional[ContainerRuntimePolicyAuditingArgs] = None,
                           author: Optional[str] = None,
                           blacklisted_os_users: Optional[ContainerRuntimePolicyBlacklistedOsUsersArgs] = None,
                           block_access_host_network: Optional[bool] = None,
                           block_adding_capabilities: Optional[bool] = None,
                           block_container_exec: Optional[bool] = None,
                           block_cryptocurrency_mining: Optional[bool] = None,
                           block_disallowed_images: Optional[bool] = None,
                           block_fileless_exec: Optional[bool] = None,
                           block_low_port_binding: Optional[bool] = None,
                           block_non_compliant_workloads: Optional[bool] = None,
                           block_non_k8s_containers: Optional[bool] = None,
                           block_privileged_containers: Optional[bool] = None,
                           block_root_user: Optional[bool] = None,
                           block_use_ipc_namespace: Optional[bool] = None,
                           block_use_pid_namespace: Optional[bool] = None,
                           block_use_user_namespace: Optional[bool] = None,
                           block_use_uts_namespace: Optional[bool] = None,
                           blocked_capabilities: Optional[Sequence[str]] = None,
                           blocked_executables: Optional[Sequence[str]] = None,
                           blocked_files: Optional[Sequence[str]] = None,
                           blocked_inbound_ports: Optional[Sequence[str]] = None,
                           blocked_outbound_ports: Optional[Sequence[str]] = None,
                           blocked_packages: Optional[Sequence[str]] = None,
                           blocked_volumes: Optional[Sequence[str]] = None,
                           bypass_scopes: Optional[Sequence[ContainerRuntimePolicyBypassScopeArgs]] = None,
                           container_exec: Optional[ContainerRuntimePolicyContainerExecArgs] = None,
                           container_exec_allowed_processes: Optional[Sequence[str]] = None,
                           created: Optional[str] = None,
                           cve: Optional[str] = None,
                           default_security_profile: Optional[str] = None,
                           description: Optional[str] = None,
                           digest: Optional[str] = None,
                           drift_preventions: Optional[Sequence[ContainerRuntimePolicyDriftPreventionArgs]] = None,
                           enable_crypto_mining_dns: Optional[bool] = None,
                           enable_fork_guard: Optional[bool] = None,
                           enable_ip_reputation: Optional[bool] = None,
                           enable_port_scan_protection: Optional[bool] = None,
                           enabled: Optional[bool] = None,
                           enforce: Optional[bool] = None,
                           enforce_after_days: Optional[int] = None,
                           enforce_scheduler_added_on: Optional[int] = None,
                           exclude_application_scopes: Optional[Sequence[str]] = None,
                           executable_blacklists: Optional[Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]] = None,
                           failed_kubernetes_checks: Optional[ContainerRuntimePolicyFailedKubernetesChecksArgs] = None,
                           file_block: Optional[ContainerRuntimePolicyFileBlockArgs] = None,
                           file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
                           fork_guard_process_limit: Optional[int] = None,
                           image_name: Optional[str] = None,
                           is_audit_checked: Optional[bool] = None,
                           is_auto_generated: Optional[bool] = None,
                           is_ootb_policy: Optional[bool] = None,
                           lastupdate: Optional[int] = None,
                           limit_container_privileges: Optional[Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]] = None,
                           limit_new_privileges: Optional[bool] = None,
                           linux_capabilities: Optional[ContainerRuntimePolicyLinuxCapabilitiesArgs] = None,
                           malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
                           monitor_system_time_changes: Optional[bool] = None,
                           name: Optional[str] = None,
                           no_new_privileges: Optional[bool] = None,
                           only_registered_images: Optional[bool] = None,
                           package_block: Optional[ContainerRuntimePolicyPackageBlockArgs] = None,
                           permission: Optional[str] = None,
                           port_block: Optional[ContainerRuntimePolicyPortBlockArgs] = None,
                           readonly_files: Optional[ContainerRuntimePolicyReadonlyFilesArgs] = None,
                           readonly_registry: Optional[ContainerRuntimePolicyReadonlyRegistryArgs] = None,
                           registry: Optional[str] = None,
                           registry_access_monitoring: Optional[ContainerRuntimePolicyRegistryAccessMonitoringArgs] = None,
                           repo_name: Optional[str] = None,
                           resource_name_: Optional[str] = None,
                           resource_type: Optional[str] = None,
                           restricted_volumes: Optional[Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]] = None,
                           reverse_shell: Optional[ContainerRuntimePolicyReverseShellArgs] = None,
                           runtime_mode: Optional[int] = None,
                           runtime_type: Optional[str] = None,
                           scope_expression: Optional[str] = None,
                           scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None,
                           scopes: Optional[Sequence[ContainerRuntimePolicyScopeArgs]] = None,
                           system_integrity_protection: Optional[ContainerRuntimePolicySystemIntegrityProtectionArgs] = None,
                           tripwire: Optional[ContainerRuntimePolicyTripwireArgs] = None,
                           type: Optional[str] = None,
                           updated: Optional[str] = None,
                           version: Optional[str] = None,
                           vpatch_version: Optional[str] = None,
                           whitelisted_os_users: Optional[ContainerRuntimePolicyWhitelistedOsUsersArgs] = None)
func NewContainerRuntimePolicy(ctx *Context, name string, args *ContainerRuntimePolicyArgs, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
public ContainerRuntimePolicy(string name, ContainerRuntimePolicyArgs? args = null, CustomResourceOptions? opts = null)
public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args)
public ContainerRuntimePolicy(String name, ContainerRuntimePolicyArgs args, CustomResourceOptions options)
type: aquasec:ContainerRuntimePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args ContainerRuntimePolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args ContainerRuntimePolicyArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args ContainerRuntimePolicyArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args ContainerRuntimePolicyArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. ContainerRuntimePolicyArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values ("string", false, 0) for all input properties; it documents the shape of the arguments, not a recommended configuration. Replace every value before use, and supply sensitive ones such as `Tripwire.UserPassword` from Pulumi secret configuration rather than as literals, so they are encrypted in state.

// Reference shape only: every value below is a placeholder ("string", false, 0) and this is not a
// recommended configuration. Properties named *WhiteLists / Allow* / Exceptional* / Bypass* are
// exceptions that weaken the matching control — populate them deliberately and keep them short.
var containerRuntimePolicyResource = new Aquasec.ContainerRuntimePolicy("containerRuntimePolicyResource", new()
{
    // Executables permitted to run; presumably an exception to the executable block-lists — confirm.
    AllowedExecutables = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyAllowedExecutableArgs
        {
            AllowExecutables = new[]
            {
                "string",
            },
            // presumably executables allowed to run as root even when root is otherwise restricted — confirm
            AllowRootExecutables = new[]
            {
                "string",
            },
            Enabled = false,
            SeparateExecutables = false,
        },
    },
    // Registries images may be pulled from; presumably used by BlockDisallowedImages/OnlyRegisteredImages — confirm.
    AllowedRegistries = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyAllowedRegistryArgs
        {
            AllowedRegistries = new[]
            {
                "string",
            },
            Enabled = false,
        },
    },
    ApplicationScopes = new[]
    {
        "string",
    },
    // Top-level audit switches; AuditFullCommandArguments / AuditProcessCmdline can capture
    // secrets passed on command lines — keep the audit sink access-controlled.
    AuditAllNetworkActivity = false,
    AuditAllProcessesActivity = false,
    AuditBruteForceLogin = false,
    AuditFullCommandArguments = false,
    Auditing = new Aquasec.Inputs.ContainerRuntimePolicyAuditingArgs
    {
        AuditAllNetwork = false,
        AuditAllProcesses = false,
        AuditFailedLogin = false,
        AuditOsUserActivity = false,
        AuditProcessCmdline = false,
        AuditSuccessLogin = false,
        AuditUserAccountManagement = false,
        Enabled = false,
    },
    // NOTE(review): Author, Created, Digest, Lastupdate, Updated, Version, IsOotbPolicy and
    // IsAutoGenerated look like server-populated metadata; setting them from IaC may be ignored
    // or cause perpetual diffs — confirm against the provider schema before managing them.
    Author = "string",
    BlacklistedOsUsers = new Aquasec.Inputs.ContainerRuntimePolicyBlacklistedOsUsersArgs
    {
        Enabled = false,
        GroupBlackLists = new[]
        {
            "string",
        },
        UserBlackLists = new[]
        {
            "string",
        },
    },
    // Container-hardening switches (host namespaces, capabilities, privileged, root, low ports, ...).
    BlockAccessHostNetwork = false,
    BlockAddingCapabilities = false,
    BlockContainerExec = false,
    BlockCryptocurrencyMining = false,
    BlockDisallowedImages = false,
    BlockFilelessExec = false,
    BlockLowPortBinding = false,
    BlockNonCompliantWorkloads = false,
    BlockNonK8sContainers = false,
    BlockPrivilegedContainers = false,
    BlockRootUser = false,
    BlockUseIpcNamespace = false,
    BlockUsePidNamespace = false,
    BlockUseUserNamespace = false,
    BlockUseUtsNamespace = false,
    BlockedCapabilities = new[]
    {
        "string",
    },
    BlockedExecutables = new[]
    {
        "string",
    },
    BlockedFiles = new[]
    {
        "string",
    },
    // Ports are strings in this schema.
    BlockedInboundPorts = new[]
    {
        "string",
    },
    BlockedOutboundPorts = new[]
    {
        "string",
    },
    BlockedPackages = new[]
    {
        "string",
    },
    BlockedVolumes = new[]
    {
        "string",
    },
    // NOTE(review): the name suggests workloads matching these scopes are exempted from the whole
    // policy — confirm; review this like a privileged exception list.
    BypassScopes = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyBypassScopeArgs
        {
            Enabled = false,
            Scopes = new[]
            {
                new Aquasec.Inputs.ContainerRuntimePolicyBypassScopeScopeArgs
                {
                    Expression = "string",
                    Variables = new[]
                    {
                        new Aquasec.Inputs.ContainerRuntimePolicyBypassScopeScopeVariableArgs
                        {
                            Attribute = "string",
                            Value = "string",
                        },
                    },
                },
            },
        },
    },
    // Structured form of the exec control; the *WhiteLists are exceptions to BlockContainerExec.
    ContainerExec = new Aquasec.Inputs.ContainerRuntimePolicyContainerExecArgs
    {
        BlockContainerExec = false,
        ContainerExecProcWhiteLists = new[]
        {
            "string",
        },
        Enabled = false,
        ReverseShellIpWhiteLists = new[]
        {
            "string",
        },
    },
    // Flat form of the exec allow-list (see also the top-level BlockContainerExec above).
    ContainerExecAllowedProcesses = new[]
    {
        "string",
    },
    Created = "string",
    Cve = "string",
    DefaultSecurityProfile = "string",
    Description = "string",
    Digest = "string",
    // Drift prevention: ExecLockdownWhiteLists are executables exempt from the lockdown.
    DriftPreventions = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyDriftPreventionArgs
        {
            Enabled = false,
            ExecLockdown = false,
            ExecLockdownWhiteLists = new[]
            {
                "string",
            },
            ImageLockdown = false,
        },
    },
    EnableCryptoMiningDns = false,
    EnableForkGuard = false,
    EnableIpReputation = false,
    EnablePortScanProtection = false,
    // Enabled controls whether the policy is evaluated; Enforce presumably decides whether
    // violations are blocked (true) or only alerted (false). EnforceAfterDays /
    // EnforceSchedulerAddedOn appear to schedule the switch to enforcement — confirm semantics.
    Enabled = false,
    Enforce = false,
    EnforceAfterDays = 0,
    EnforceSchedulerAddedOn = 0,
    ExcludeApplicationScopes = new[]
    {
        "string",
    },
    ExecutableBlacklists = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyExecutableBlacklistArgs
        {
            Enabled = false,
            Executables = new[]
            {
                "string",
            },
        },
    },
    FailedKubernetesChecks = new Aquasec.Inputs.ContainerRuntimePolicyFailedKubernetesChecksArgs
    {
        Enabled = false,
        FailedChecks = new[]
        {
            "string",
        },
    },
    // File blocking; the Exceptional* lists carve files/processes/users out of the block.
    FileBlock = new Aquasec.Inputs.ContainerRuntimePolicyFileBlockArgs
    {
        BlockFilesProcesses = new[]
        {
            "string",
        },
        BlockFilesUsers = new[]
        {
            "string",
        },
        Enabled = false,
        ExceptionalBlockFiles = new[]
        {
            "string",
        },
        ExceptionalBlockFilesProcesses = new[]
        {
            "string",
        },
        ExceptionalBlockFilesUsers = new[]
        {
            "string",
        },
        FilenameBlockLists = new[]
        {
            "string",
        },
    },
    // File integrity monitoring; the Exceptional* lists are blind spots in the monitoring.
    FileIntegrityMonitoring = new Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoringArgs
    {
        Enabled = false,
        ExceptionalMonitoredFiles = new[]
        {
            "string",
        },
        ExceptionalMonitoredFilesProcesses = new[]
        {
            "string",
        },
        ExceptionalMonitoredFilesUsers = new[]
        {
            "string",
        },
        MonitoredFiles = new[]
        {
            "string",
        },
        MonitoredFilesAttributes = false,
        MonitoredFilesCreate = false,
        MonitoredFilesDelete = false,
        MonitoredFilesModify = false,
        MonitoredFilesProcesses = new[]
        {
            "string",
        },
        MonitoredFilesRead = false,
        MonitoredFilesUsers = new[]
        {
            "string",
        },
    },
    ForkGuardProcessLimit = 0,
    ImageName = "string",
    IsAuditChecked = false,
    IsAutoGenerated = false,
    IsOotbPolicy = false,
    Lastupdate = 0,
    // Structured form of the hardening switches listed flat above.
    LimitContainerPrivileges = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyLimitContainerPrivilegeArgs
        {
            BlockAddCapabilities = false,
            Enabled = false,
            Ipcmode = false,
            Netmode = false,
            Pidmode = false,
            PreventLowPortBinding = false,
            PreventRootUser = false,
            Privileged = false,
            UseHostUser = false,
            Usermode = false,
            Utsmode = false,
        },
    },
    LimitNewPrivileges = false,
    LinuxCapabilities = new Aquasec.Inputs.ContainerRuntimePolicyLinuxCapabilitiesArgs
    {
        Enabled = false,
        RemoveLinuxCapabilities = new[]
        {
            "string",
        },
    },
    // Action decides what happens on detection (the example page uses "alert"); Exclude* narrows the scan.
    MalwareScanOptions = new Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptionsArgs
    {
        Action = "string",
        Enabled = false,
        ExcludeDirectories = new[]
        {
            "string",
        },
        ExcludeProcesses = new[]
        {
            "string",
        },
        IncludeDirectories = new[]
        {
            "string",
        },
    },
    // Boolean here (the Java/YAML examples on this page pass it as a string — that is a type mismatch).
    MonitorSystemTimeChanges = false,
    Name = "string",
    NoNewPrivileges = false,
    OnlyRegisteredImages = false,
    // Package blocking; the Exceptional* lists carve out exceptions.
    PackageBlock = new Aquasec.Inputs.ContainerRuntimePolicyPackageBlockArgs
    {
        BlockPackagesProcesses = new[]
        {
            "string",
        },
        BlockPackagesUsers = new[]
        {
            "string",
        },
        Enabled = false,
        ExceptionalBlockPackagesFiles = new[]
        {
            "string",
        },
        ExceptionalBlockPackagesProcesses = new[]
        {
            "string",
        },
        ExceptionalBlockPackagesUsers = new[]
        {
            "string",
        },
        PackagesBlackLists = new[]
        {
            "string",
        },
    },
    Permission = "string",
    PortBlock = new Aquasec.Inputs.ContainerRuntimePolicyPortBlockArgs
    {
        BlockInboundPorts = new[]
        {
            "string",
        },
        BlockOutboundPorts = new[]
        {
            "string",
        },
        Enabled = false,
    },
    ReadonlyFiles = new Aquasec.Inputs.ContainerRuntimePolicyReadonlyFilesArgs
    {
        Enabled = false,
        ExceptionalReadonlyFiles = new[]
        {
            "string",
        },
        ExceptionalReadonlyFilesProcesses = new[]
        {
            "string",
        },
        ExceptionalReadonlyFilesUsers = new[]
        {
            "string",
        },
        ReadonlyFiles = new[]
        {
            "string",
        },
        ReadonlyFilesProcesses = new[]
        {
            "string",
        },
        ReadonlyFilesUsers = new[]
        {
            "string",
        },
    },
    // Windows-registry controls (ReadonlyRegistry / RegistryAccessMonitoring) — presumably Windows hosts only.
    ReadonlyRegistry = new Aquasec.Inputs.ContainerRuntimePolicyReadonlyRegistryArgs
    {
        Enabled = false,
        ExceptionalReadonlyRegistryPaths = new[]
        {
            "string",
        },
        ExceptionalReadonlyRegistryProcesses = new[]
        {
            "string",
        },
        ExceptionalReadonlyRegistryUsers = new[]
        {
            "string",
        },
        ReadonlyRegistryPaths = new[]
        {
            "string",
        },
        ReadonlyRegistryProcesses = new[]
        {
            "string",
        },
        ReadonlyRegistryUsers = new[]
        {
            "string",
        },
    },
    Registry = "string",
    RegistryAccessMonitoring = new Aquasec.Inputs.ContainerRuntimePolicyRegistryAccessMonitoringArgs
    {
        Enabled = false,
        ExceptionalMonitoredRegistryPaths = new[]
        {
            "string",
        },
        ExceptionalMonitoredRegistryProcesses = new[]
        {
            "string",
        },
        ExceptionalMonitoredRegistryUsers = new[]
        {
            "string",
        },
        MonitoredRegistryAttributes = false,
        MonitoredRegistryCreate = false,
        MonitoredRegistryDelete = false,
        MonitoredRegistryModify = false,
        MonitoredRegistryPaths = new[]
        {
            "string",
        },
        MonitoredRegistryProcesses = new[]
        {
            "string",
        },
        MonitoredRegistryRead = false,
        MonitoredRegistryUsers = new[]
        {
            "string",
        },
    },
    RepoName = "string",
    ResourceName = "string",
    ResourceType = "string",
    RestrictedVolumes = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyRestrictedVolumeArgs
        {
            Enabled = false,
            Volumes = new[]
            {
                "string",
            },
        },
    },
    // Reverse-shell detection; the *WhiteLists exempt IPs/processes from it.
    ReverseShell = new Aquasec.Inputs.ContainerRuntimePolicyReverseShellArgs
    {
        BlockReverseShell = false,
        Enabled = false,
        ReverseShellIpWhiteLists = new[]
        {
            "string",
        },
        ReverseShellProcWhiteLists = new[]
        {
            "string",
        },
    },
    RuntimeMode = 0,
    RuntimeType = "string",
    // Scope decides which workloads the policy applies to; an over-broad scope makes a test
    // policy fleet-wide. ScopeVariables/Scopes are alternative (flat vs structured) forms.
    ScopeExpression = "string",
    ScopeVariables = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
        {
            Attribute = "string",
            Value = "string",
            Name = "string",
        },
    },
    Scopes = new[]
    {
        new Aquasec.Inputs.ContainerRuntimePolicyScopeArgs
        {
            Expression = "string",
            Variables = new[]
            {
                new Aquasec.Inputs.ContainerRuntimePolicyScopeVariableArgs
                {
                    Attribute = "string",
                    Value = "string",
                    Name = "string",
                },
            },
        },
    },
    SystemIntegrityProtection = new Aquasec.Inputs.ContainerRuntimePolicySystemIntegrityProtectionArgs
    {
        AuditSystemtimeChange = false,
        Enabled = false,
        MonitorAuditLogIntegrity = false,
        WindowsServicesMonitoring = false,
    },
    Tripwire = new Aquasec.Inputs.ContainerRuntimePolicyTripwireArgs
    {
        ApplyOns = new[]
        {
            "string",
        },
        Enabled = false,
        ServerlessApp = "string",
        UserId = "string",
        // NOTE(review): credential. Never commit a literal here — take it from Pulumi secret config
        // (e.g. Config.RequireSecret) so it is encrypted in state and redacted in previews/diffs.
        UserPassword = "string",
    },
    Type = "string",
    Updated = "string",
    Version = "string",
    VpatchVersion = "string",
    // OS users/groups exempt from the OS-user restrictions — presumably; keep minimal.
    WhitelistedOsUsers = new Aquasec.Inputs.ContainerRuntimePolicyWhitelistedOsUsersArgs
    {
        Enabled = false,
        GroupWhiteLists = new[]
        {
            "string",
        },
        UserWhiteLists = new[]
        {
            "string",
        },
    },
});
example, err := aquasec.NewContainerRuntimePolicy(ctx, "containerRuntimePolicyResource", &aquasec.ContainerRuntimePolicyArgs{
	AllowedExecutables: aquasec.ContainerRuntimePolicyAllowedExecutableArray{
		&aquasec.ContainerRuntimePolicyAllowedExecutableArgs{
			AllowExecutables: pulumi.StringArray{
				pulumi.String("string"),
			},
			AllowRootExecutables: pulumi.StringArray{
				pulumi.String("string"),
			},
			Enabled:             pulumi.Bool(false),
			SeparateExecutables: pulumi.Bool(false),
		},
	},
	AllowedRegistries: aquasec.ContainerRuntimePolicyAllowedRegistryArray{
		&aquasec.ContainerRuntimePolicyAllowedRegistryArgs{
			AllowedRegistries: pulumi.StringArray{
				pulumi.String("string"),
			},
			Enabled: pulumi.Bool(false),
		},
	},
	ApplicationScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	AuditAllNetworkActivity:   pulumi.Bool(false),
	AuditAllProcessesActivity: pulumi.Bool(false),
	AuditBruteForceLogin:      pulumi.Bool(false),
	AuditFullCommandArguments: pulumi.Bool(false),
	Auditing: &aquasec.ContainerRuntimePolicyAuditingArgs{
		AuditAllNetwork:            pulumi.Bool(false),
		AuditAllProcesses:          pulumi.Bool(false),
		AuditFailedLogin:           pulumi.Bool(false),
		AuditOsUserActivity:        pulumi.Bool(false),
		AuditProcessCmdline:        pulumi.Bool(false),
		AuditSuccessLogin:          pulumi.Bool(false),
		AuditUserAccountManagement: pulumi.Bool(false),
		Enabled:                    pulumi.Bool(false),
	},
	Author: pulumi.String("string"),
	BlacklistedOsUsers: &aquasec.ContainerRuntimePolicyBlacklistedOsUsersArgs{
		Enabled: pulumi.Bool(false),
		GroupBlackLists: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserBlackLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	BlockAccessHostNetwork:     pulumi.Bool(false),
	BlockAddingCapabilities:    pulumi.Bool(false),
	BlockContainerExec:         pulumi.Bool(false),
	BlockCryptocurrencyMining:  pulumi.Bool(false),
	BlockDisallowedImages:      pulumi.Bool(false),
	BlockFilelessExec:          pulumi.Bool(false),
	BlockLowPortBinding:        pulumi.Bool(false),
	BlockNonCompliantWorkloads: pulumi.Bool(false),
	BlockNonK8sContainers:      pulumi.Bool(false),
	BlockPrivilegedContainers:  pulumi.Bool(false),
	BlockRootUser:              pulumi.Bool(false),
	BlockUseIpcNamespace:       pulumi.Bool(false),
	BlockUsePidNamespace:       pulumi.Bool(false),
	BlockUseUserNamespace:      pulumi.Bool(false),
	BlockUseUtsNamespace:       pulumi.Bool(false),
	BlockedCapabilities: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedExecutables: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedFiles: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedInboundPorts: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedOutboundPorts: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedPackages: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlockedVolumes: pulumi.StringArray{
		pulumi.String("string"),
	},
	BypassScopes: aquasec.ContainerRuntimePolicyBypassScopeArray{
		&aquasec.ContainerRuntimePolicyBypassScopeArgs{
			Enabled: pulumi.Bool(false),
			Scopes: aquasec.ContainerRuntimePolicyBypassScopeScopeArray{
				&aquasec.ContainerRuntimePolicyBypassScopeScopeArgs{
					Expression: pulumi.String("string"),
					Variables: aquasec.ContainerRuntimePolicyBypassScopeScopeVariableArray{
						&aquasec.ContainerRuntimePolicyBypassScopeScopeVariableArgs{
							Attribute: pulumi.String("string"),
							Value:     pulumi.String("string"),
						},
					},
				},
			},
		},
	},
	ContainerExec: &aquasec.ContainerRuntimePolicyContainerExecArgs{
		BlockContainerExec: pulumi.Bool(false),
		ContainerExecProcWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled: pulumi.Bool(false),
		ReverseShellIpWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	ContainerExecAllowedProcesses: pulumi.StringArray{
		pulumi.String("string"),
	},
	Created:                pulumi.String("string"),
	Cve:                    pulumi.String("string"),
	DefaultSecurityProfile: pulumi.String("string"),
	Description:            pulumi.String("string"),
	Digest:                 pulumi.String("string"),
	DriftPreventions: aquasec.ContainerRuntimePolicyDriftPreventionArray{
		&aquasec.ContainerRuntimePolicyDriftPreventionArgs{
			Enabled:      pulumi.Bool(false),
			ExecLockdown: pulumi.Bool(false),
			ExecLockdownWhiteLists: pulumi.StringArray{
				pulumi.String("string"),
			},
			ImageLockdown: pulumi.Bool(false),
		},
	},
	EnableCryptoMiningDns:    pulumi.Bool(false),
	EnableForkGuard:          pulumi.Bool(false),
	EnableIpReputation:       pulumi.Bool(false),
	EnablePortScanProtection: pulumi.Bool(false),
	Enabled:                  pulumi.Bool(false),
	Enforce:                  pulumi.Bool(false),
	EnforceAfterDays:         pulumi.Int(0),
	EnforceSchedulerAddedOn:  pulumi.Int(0),
	ExcludeApplicationScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExecutableBlacklists: aquasec.ContainerRuntimePolicyExecutableBlacklistArray{
		&aquasec.ContainerRuntimePolicyExecutableBlacklistArgs{
			Enabled: pulumi.Bool(false),
			Executables: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	FailedKubernetesChecks: &aquasec.ContainerRuntimePolicyFailedKubernetesChecksArgs{
		Enabled: pulumi.Bool(false),
		FailedChecks: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	FileBlock: &aquasec.ContainerRuntimePolicyFileBlockArgs{
		BlockFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		BlockFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled: pulumi.Bool(false),
		ExceptionalBlockFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalBlockFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalBlockFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		FilenameBlockLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	FileIntegrityMonitoring: &aquasec.ContainerRuntimePolicyFileIntegrityMonitoringArgs{
		Enabled: pulumi.Bool(false),
		ExceptionalMonitoredFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalMonitoredFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalMonitoredFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredFilesAttributes: pulumi.Bool(false),
		MonitoredFilesCreate:     pulumi.Bool(false),
		MonitoredFilesDelete:     pulumi.Bool(false),
		MonitoredFilesModify:     pulumi.Bool(false),
		MonitoredFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredFilesRead: pulumi.Bool(false),
		MonitoredFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	ForkGuardProcessLimit: pulumi.Int(0),
	ImageName:             pulumi.String("string"),
	IsAuditChecked:        pulumi.Bool(false),
	IsAutoGenerated:       pulumi.Bool(false),
	IsOotbPolicy:          pulumi.Bool(false),
	Lastupdate:            pulumi.Int(0),
	LimitContainerPrivileges: aquasec.ContainerRuntimePolicyLimitContainerPrivilegeArray{
		&aquasec.ContainerRuntimePolicyLimitContainerPrivilegeArgs{
			BlockAddCapabilities:  pulumi.Bool(false),
			Enabled:               pulumi.Bool(false),
			Ipcmode:               pulumi.Bool(false),
			Netmode:               pulumi.Bool(false),
			Pidmode:               pulumi.Bool(false),
			PreventLowPortBinding: pulumi.Bool(false),
			PreventRootUser:       pulumi.Bool(false),
			Privileged:            pulumi.Bool(false),
			UseHostUser:           pulumi.Bool(false),
			Usermode:              pulumi.Bool(false),
			Utsmode:               pulumi.Bool(false),
		},
	},
	LimitNewPrivileges: pulumi.Bool(false),
	LinuxCapabilities: &aquasec.ContainerRuntimePolicyLinuxCapabilitiesArgs{
		Enabled: pulumi.Bool(false),
		RemoveLinuxCapabilities: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	MalwareScanOptions: &aquasec.ContainerRuntimePolicyMalwareScanOptionsArgs{
		Action:  pulumi.String("string"),
		Enabled: pulumi.Bool(false),
		ExcludeDirectories: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExcludeProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		IncludeDirectories: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	MonitorSystemTimeChanges: pulumi.Bool(false),
	Name:                     pulumi.String("string"),
	NoNewPrivileges:          pulumi.Bool(false),
	OnlyRegisteredImages:     pulumi.Bool(false),
	PackageBlock: &aquasec.ContainerRuntimePolicyPackageBlockArgs{
		BlockPackagesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		BlockPackagesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled: pulumi.Bool(false),
		ExceptionalBlockPackagesFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalBlockPackagesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalBlockPackagesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		PackagesBlackLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	Permission: pulumi.String("string"),
	PortBlock: &aquasec.ContainerRuntimePolicyPortBlockArgs{
		BlockInboundPorts: pulumi.StringArray{
			pulumi.String("string"),
		},
		BlockOutboundPorts: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled: pulumi.Bool(false),
	},
	ReadonlyFiles: &aquasec.ContainerRuntimePolicyReadonlyFilesArgs{
		Enabled: pulumi.Bool(false),
		ExceptionalReadonlyFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalReadonlyFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalReadonlyFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyFiles: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyFilesProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyFilesUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	ReadonlyRegistry: &aquasec.ContainerRuntimePolicyReadonlyRegistryArgs{
		Enabled: pulumi.Bool(false),
		ExceptionalReadonlyRegistryPaths: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalReadonlyRegistryProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalReadonlyRegistryUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyRegistryPaths: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyRegistryProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReadonlyRegistryUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	Registry: pulumi.String("string"),
	RegistryAccessMonitoring: &aquasec.ContainerRuntimePolicyRegistryAccessMonitoringArgs{
		Enabled: pulumi.Bool(false),
		ExceptionalMonitoredRegistryPaths: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalMonitoredRegistryProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		ExceptionalMonitoredRegistryUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredRegistryAttributes: pulumi.Bool(false),
		MonitoredRegistryCreate:     pulumi.Bool(false),
		MonitoredRegistryDelete:     pulumi.Bool(false),
		MonitoredRegistryModify:     pulumi.Bool(false),
		MonitoredRegistryPaths: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredRegistryProcesses: pulumi.StringArray{
			pulumi.String("string"),
		},
		MonitoredRegistryRead: pulumi.Bool(false),
		MonitoredRegistryUsers: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	RepoName:     pulumi.String("string"),
	ResourceName: pulumi.String("string"),
	ResourceType: pulumi.String("string"),
	RestrictedVolumes: aquasec.ContainerRuntimePolicyRestrictedVolumeArray{
		&aquasec.ContainerRuntimePolicyRestrictedVolumeArgs{
			Enabled: pulumi.Bool(false),
			Volumes: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	ReverseShell: &aquasec.ContainerRuntimePolicyReverseShellArgs{
		BlockReverseShell: pulumi.Bool(false),
		Enabled:           pulumi.Bool(false),
		ReverseShellIpWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
		ReverseShellProcWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	RuntimeMode:     pulumi.Int(0),
	RuntimeType:     pulumi.String("string"),
	ScopeExpression: pulumi.String("string"),
	ScopeVariables: aquasec.ContainerRuntimePolicyScopeVariableArray{
		&aquasec.ContainerRuntimePolicyScopeVariableArgs{
			Attribute: pulumi.String("string"),
			Value:     pulumi.String("string"),
			Name:      pulumi.String("string"),
		},
	},
	Scopes: aquasec.ContainerRuntimePolicyScopeArray{
		&aquasec.ContainerRuntimePolicyScopeArgs{
			Expression: pulumi.String("string"),
			Variables: aquasec.ContainerRuntimePolicyScopeVariableArray{
				&aquasec.ContainerRuntimePolicyScopeVariableArgs{
					Attribute: pulumi.String("string"),
					Value:     pulumi.String("string"),
					Name:      pulumi.String("string"),
				},
			},
		},
	},
	SystemIntegrityProtection: &aquasec.ContainerRuntimePolicySystemIntegrityProtectionArgs{
		AuditSystemtimeChange:     pulumi.Bool(false),
		Enabled:                   pulumi.Bool(false),
		MonitorAuditLogIntegrity:  pulumi.Bool(false),
		WindowsServicesMonitoring: pulumi.Bool(false),
	},
	Tripwire: &aquasec.ContainerRuntimePolicyTripwireArgs{
		ApplyOns: pulumi.StringArray{
			pulumi.String("string"),
		},
		Enabled:       pulumi.Bool(false),
		ServerlessApp: pulumi.String("string"),
		UserId:        pulumi.String("string"),
		UserPassword:  pulumi.String("string"),
	},
	Type:          pulumi.String("string"),
	Updated:       pulumi.String("string"),
	Version:       pulumi.String("string"),
	VpatchVersion: pulumi.String("string"),
	WhitelistedOsUsers: &aquasec.ContainerRuntimePolicyWhitelistedOsUsersArgs{
		Enabled: pulumi.Bool(false),
		GroupWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
		UserWhiteLists: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
})
// Full-schema example: every ContainerRuntimePolicy input is set to a
// placeholder ("string", false, 0). Copy only the fields you need and replace
// the placeholders; false leaves the corresponding control off.
// NOTE(review): enabled(false) / enforce(false) presumably make this an
// inactive, audit-only policy — confirm the intended mode before relying on
// any block*() setting.

// Executable allow-list.
var allowedExecutables = ContainerRuntimePolicyAllowedExecutableArgs.builder()
    .allowExecutables("string")
    .allowRootExecutables("string")
    .enabled(false)
    .separateExecutables(false)
    .build();

// Registries images may come from.
var allowedRegistries = ContainerRuntimePolicyAllowedRegistryArgs.builder()
    .allowedRegistries("string")
    .enabled(false)
    .build();

// Auditing toggles: network, processes, logins, OS-user and account management.
var auditing = ContainerRuntimePolicyAuditingArgs.builder()
    .auditAllNetwork(false)
    .auditAllProcesses(false)
    .auditFailedLogin(false)
    .auditOsUserActivity(false)
    .auditProcessCmdline(false)
    .auditSuccessLogin(false)
    .auditUserAccountManagement(false)
    .enabled(false)
    .build();

// OS users/groups denied inside the container.
var blacklistedOsUsers = ContainerRuntimePolicyBlacklistedOsUsersArgs.builder()
    .enabled(false)
    .groupBlackLists("string")
    .userBlackLists("string")
    .build();

// Bypass scope: workloads matching this expression are presumably exempt from
// the whole policy — keep such expressions as narrow as possible.
var bypassScopeVariable = ContainerRuntimePolicyBypassScopeScopeVariableArgs.builder()
    .attribute("string")
    .value("string")
    .build();
var bypassScopeScope = ContainerRuntimePolicyBypassScopeScopeArgs.builder()
    .expression("string")
    .variables(bypassScopeVariable)
    .build();
var bypassScope = ContainerRuntimePolicyBypassScopeArgs.builder()
    .enabled(false)
    .scopes(bypassScopeScope)
    .build();

// Container exec controls. The process and reverse-shell IP allow-lists widen
// the policy, so review them as carefully as the block lists.
var containerExec = ContainerRuntimePolicyContainerExecArgs.builder()
    .blockContainerExec(false)
    .containerExecProcWhiteLists("string")
    .enabled(false)
    .reverseShellIpWhiteLists("string")
    .build();

// Drift prevention: exec and image lockdown, with an exec allow-list.
var driftPrevention = ContainerRuntimePolicyDriftPreventionArgs.builder()
    .enabled(false)
    .execLockdown(false)
    .execLockdownWhiteLists("string")
    .imageLockdown(false)
    .build();

// Executables denied at runtime.
var executableBlacklist = ContainerRuntimePolicyExecutableBlacklistArgs.builder()
    .enabled(false)
    .executables("string")
    .build();

// Kubernetes checks whose failure the policy reacts to.
var failedKubernetesChecks = ContainerRuntimePolicyFailedKubernetesChecksArgs.builder()
    .enabled(false)
    .failedChecks("string")
    .build();

// File blocking: file-name block lists, scoped by process/user, with exceptions.
var fileBlock = ContainerRuntimePolicyFileBlockArgs.builder()
    .blockFilesProcesses("string")
    .blockFilesUsers("string")
    .enabled(false)
    .exceptionalBlockFiles("string")
    .exceptionalBlockFilesProcesses("string")
    .exceptionalBlockFilesUsers("string")
    .filenameBlockLists("string")
    .build();

// File integrity monitoring: which files, which operations, by which processes/users.
var fileIntegrityMonitoring = ContainerRuntimePolicyFileIntegrityMonitoringArgs.builder()
    .enabled(false)
    .exceptionalMonitoredFiles("string")
    .exceptionalMonitoredFilesProcesses("string")
    .exceptionalMonitoredFilesUsers("string")
    .monitoredFiles("string")
    .monitoredFilesAttributes(false)
    .monitoredFilesCreate(false)
    .monitoredFilesDelete(false)
    .monitoredFilesModify(false)
    .monitoredFilesProcesses("string")
    .monitoredFilesRead(false)
    .monitoredFilesUsers("string")
    .build();

// Container privilege limits (host namespaces, privileged mode, root, low ports).
var limitContainerPrivilege = ContainerRuntimePolicyLimitContainerPrivilegeArgs.builder()
    .blockAddCapabilities(false)
    .enabled(false)
    .ipcmode(false)
    .netmode(false)
    .pidmode(false)
    .preventLowPortBinding(false)
    .preventRootUser(false)
    .privileged(false)
    .useHostUser(false)
    .usermode(false)
    .utsmode(false)
    .build();

// Linux capabilities to remove.
var linuxCapabilities = ContainerRuntimePolicyLinuxCapabilitiesArgs.builder()
    .enabled(false)
    .removeLinuxCapabilities("string")
    .build();

// Malware scanning: action on detection plus include/exclude directories and processes.
var malwareScanOptions = ContainerRuntimePolicyMalwareScanOptionsArgs.builder()
    .action("string")
    .enabled(false)
    .excludeDirectories("string")
    .excludeProcesses("string")
    .includeDirectories("string")
    .build();

// Package blocking, scoped by process/user, with exceptions.
var packageBlock = ContainerRuntimePolicyPackageBlockArgs.builder()
    .blockPackagesProcesses("string")
    .blockPackagesUsers("string")
    .enabled(false)
    .exceptionalBlockPackagesFiles("string")
    .exceptionalBlockPackagesProcesses("string")
    .exceptionalBlockPackagesUsers("string")
    .packagesBlackLists("string")
    .build();

// Inbound/outbound port blocking.
var portBlock = ContainerRuntimePolicyPortBlockArgs.builder()
    .blockInboundPorts("string")
    .blockOutboundPorts("string")
    .enabled(false)
    .build();

// Read-only files, scoped by process/user, with exceptions.
var readonlyFiles = ContainerRuntimePolicyReadonlyFilesArgs.builder()
    .enabled(false)
    .exceptionalReadonlyFiles("string")
    .exceptionalReadonlyFilesProcesses("string")
    .exceptionalReadonlyFilesUsers("string")
    .readonlyFiles("string")
    .readonlyFilesProcesses("string")
    .readonlyFilesUsers("string")
    .build();

// Read-only registry paths (Windows registry, presumably), scoped by process/user.
var readonlyRegistry = ContainerRuntimePolicyReadonlyRegistryArgs.builder()
    .enabled(false)
    .exceptionalReadonlyRegistryPaths("string")
    .exceptionalReadonlyRegistryProcesses("string")
    .exceptionalReadonlyRegistryUsers("string")
    .readonlyRegistryPaths("string")
    .readonlyRegistryProcesses("string")
    .readonlyRegistryUsers("string")
    .build();

// Registry access monitoring: which paths, which operations, by which processes/users.
var registryAccessMonitoring = ContainerRuntimePolicyRegistryAccessMonitoringArgs.builder()
    .enabled(false)
    .exceptionalMonitoredRegistryPaths("string")
    .exceptionalMonitoredRegistryProcesses("string")
    .exceptionalMonitoredRegistryUsers("string")
    .monitoredRegistryAttributes(false)
    .monitoredRegistryCreate(false)
    .monitoredRegistryDelete(false)
    .monitoredRegistryModify(false)
    .monitoredRegistryPaths("string")
    .monitoredRegistryProcesses("string")
    .monitoredRegistryRead(false)
    .monitoredRegistryUsers("string")
    .build();

// Volumes containers may not mount.
var restrictedVolume = ContainerRuntimePolicyRestrictedVolumeArgs.builder()
    .enabled(false)
    .volumes("string")
    .build();

// Reverse-shell detection/blocking with IP and process allow-lists.
var reverseShell = ContainerRuntimePolicyReverseShellArgs.builder()
    .blockReverseShell(false)
    .enabled(false)
    .reverseShellIpWhiteLists("string")
    .reverseShellProcWhiteLists("string")
    .build();

// Scope variables select the workloads the policy applies to. The same
// variable type is used both at the top level (scopeVariables) and inside a
// scope expression (scopes.variables), so one instance serves both.
var scopeVariable = ContainerRuntimePolicyScopeVariableArgs.builder()
    .attribute("string")
    .value("string")
    .name("string")
    .build();
var scope = ContainerRuntimePolicyScopeArgs.builder()
    .expression("string")
    .variables(scopeVariable)
    .build();

// System integrity: system-time changes, audit-log integrity, Windows services.
var systemIntegrityProtection = ContainerRuntimePolicySystemIntegrityProtectionArgs.builder()
    .auditSystemtimeChange(false)
    .enabled(false)
    .monitorAuditLogIntegrity(false)
    .windowsServicesMonitoring(false)
    .build();

// Tripwire. userId/userPassword are credentials: never commit literals here —
// read them from Pulumi config (ctx.config().requireSecret(...)) or wrap them
// in Output.secret(...) so the value is encrypted in the stack state.
var tripwire = ContainerRuntimePolicyTripwireArgs.builder()
    .applyOns("string")
    .enabled(false)
    .serverlessApp("string")
    .userId("string")
    .userPassword("string")
    .build();

// OS users/groups permitted inside the container.
var whitelistedOsUsers = ContainerRuntimePolicyWhitelistedOsUsersArgs.builder()
    .enabled(false)
    .groupWhiteLists("string")
    .userWhiteLists("string")
    .build();

var containerRuntimePolicyResource = new ContainerRuntimePolicy("containerRuntimePolicyResource", ContainerRuntimePolicyArgs.builder()
    .allowedExecutables(allowedExecutables)
    .allowedRegistries(allowedRegistries)
    .applicationScopes("string")
    // Top-level audit toggles.
    .auditAllNetworkActivity(false)
    .auditAllProcessesActivity(false)
    .auditBruteForceLogin(false)
    .auditFullCommandArguments(false)
    .auditing(auditing)
    .author("string")
    .blacklistedOsUsers(blacklistedOsUsers)
    // Top-level block controls; false leaves each one off.
    .blockAccessHostNetwork(false)
    .blockAddingCapabilities(false)
    .blockContainerExec(false)
    .blockCryptocurrencyMining(false)
    .blockDisallowedImages(false)
    .blockFilelessExec(false)
    .blockLowPortBinding(false)
    .blockNonCompliantWorkloads(false)
    .blockNonK8sContainers(false)
    .blockPrivilegedContainers(false)
    .blockRootUser(false)
    .blockUseIpcNamespace(false)
    .blockUsePidNamespace(false)
    .blockUseUserNamespace(false)
    .blockUseUtsNamespace(false)
    // Flat block lists (older shape of the nested *Block / *Blacklist inputs above).
    .blockedCapabilities("string")
    .blockedExecutables("string")
    .blockedFiles("string")
    .blockedInboundPorts("string")
    .blockedOutboundPorts("string")
    .blockedPackages("string")
    .blockedVolumes("string")
    .bypassScopes(bypassScope)
    .containerExec(containerExec)
    .containerExecAllowedProcesses("string")
    // author/created/updated/lastupdate/version/digest/isOotbPolicy/isAutoGenerated
    // look like server-managed metadata — TODO confirm against the provider
    // schema whether setting them has any effect.
    .created("string")
    .cve("string")
    .defaultSecurityProfile("string")
    .description("string")
    .digest("string")
    .driftPreventions(driftPrevention)
    .enableCryptoMiningDns(false)
    .enableForkGuard(false)
    .enableIpReputation(false)
    .enablePortScanProtection(false)
    .enabled(false)
    .enforce(false)
    .enforceAfterDays(0)
    .enforceSchedulerAddedOn(0)
    .excludeApplicationScopes("string")
    .executableBlacklists(executableBlacklist)
    .failedKubernetesChecks(failedKubernetesChecks)
    .fileBlock(fileBlock)
    .fileIntegrityMonitoring(fileIntegrityMonitoring)
    .forkGuardProcessLimit(0)
    .imageName("string")
    .isAuditChecked(false)
    .isAutoGenerated(false)
    .isOotbPolicy(false)
    .lastupdate(0)
    .limitContainerPrivileges(limitContainerPrivilege)
    .limitNewPrivileges(false)
    .linuxCapabilities(linuxCapabilities)
    .malwareScanOptions(malwareScanOptions)
    .monitorSystemTimeChanges(false)
    .name("string")
    .noNewPrivileges(false)
    .onlyRegisteredImages(false)
    .packageBlock(packageBlock)
    .permission("string")
    .portBlock(portBlock)
    .readonlyFiles(readonlyFiles)
    .readonlyRegistry(readonlyRegistry)
    .registry("string")
    .registryAccessMonitoring(registryAccessMonitoring)
    .repoName("string")
    .resourceName("string")
    .resourceType("string")
    .restrictedVolumes(restrictedVolume)
    .reverseShell(reverseShell)
    .runtimeMode(0)
    .runtimeType("string")
    .scopeExpression("string")
    .scopeVariables(scopeVariable)
    .scopes(scope)
    .systemIntegrityProtection(systemIntegrityProtection)
    .tripwire(tripwire)
    .type("string")
    .updated("string")
    .version("string")
    .vpatchVersion("string")
    .whitelistedOsUsers(whitelistedOsUsers)
    .build());
# Full-schema example: every ContainerRuntimePolicy input is set to a
# placeholder ("string", False, 0). Copy only the fields you need and replace
# the placeholders; False leaves the corresponding control off.
# NOTE(review): enabled=False / enforce=False presumably make this an inactive,
# audit-only policy — confirm the intended mode before relying on any block_*
# setting.

# Executable allow-list.
allowed_executables = {
    "allow_executables": ["string"],
    "allow_root_executables": ["string"],
    "enabled": False,
    "separate_executables": False,
}

# Registries images may come from.
allowed_registries = {
    "allowed_registries": ["string"],
    "enabled": False,
}

# Auditing toggles: network, processes, logins, OS-user and account management.
auditing = {
    "audit_all_network": False,
    "audit_all_processes": False,
    "audit_failed_login": False,
    "audit_os_user_activity": False,
    "audit_process_cmdline": False,
    "audit_success_login": False,
    "audit_user_account_management": False,
    "enabled": False,
}

# OS users/groups denied inside the container.
blacklisted_os_users = {
    "enabled": False,
    "group_black_lists": ["string"],
    "user_black_lists": ["string"],
}

# Bypass scope: workloads matching this expression are presumably exempt from
# the whole policy — keep such expressions as narrow as possible.
bypass_scope_variable = {
    "attribute": "string",
    "value": "string",
}
bypass_scope_scope = {
    "expression": "string",
    "variables": [bypass_scope_variable],
}
bypass_scope = {
    "enabled": False,
    "scopes": [bypass_scope_scope],
}

# Container exec controls. The process and reverse-shell IP allow-lists widen
# the policy, so review them as carefully as the block lists.
container_exec = {
    "block_container_exec": False,
    "container_exec_proc_white_lists": ["string"],
    "enabled": False,
    "reverse_shell_ip_white_lists": ["string"],
}

# Drift prevention: exec and image lockdown, with an exec allow-list.
drift_prevention = {
    "enabled": False,
    "exec_lockdown": False,
    "exec_lockdown_white_lists": ["string"],
    "image_lockdown": False,
}

# Executables denied at runtime.
executable_blacklist = {
    "enabled": False,
    "executables": ["string"],
}

# Kubernetes checks whose failure the policy reacts to.
failed_kubernetes_checks = {
    "enabled": False,
    "failed_checks": ["string"],
}

# File blocking: file-name block lists, scoped by process/user, with exceptions.
file_block = {
    "block_files_processes": ["string"],
    "block_files_users": ["string"],
    "enabled": False,
    "exceptional_block_files": ["string"],
    "exceptional_block_files_processes": ["string"],
    "exceptional_block_files_users": ["string"],
    "filename_block_lists": ["string"],
}

# File integrity monitoring: which files, which operations, by which processes/users.
file_integrity_monitoring = {
    "enabled": False,
    "exceptional_monitored_files": ["string"],
    "exceptional_monitored_files_processes": ["string"],
    "exceptional_monitored_files_users": ["string"],
    "monitored_files": ["string"],
    "monitored_files_attributes": False,
    "monitored_files_create": False,
    "monitored_files_delete": False,
    "monitored_files_modify": False,
    "monitored_files_processes": ["string"],
    "monitored_files_read": False,
    "monitored_files_users": ["string"],
}

# Container privilege limits (host namespaces, privileged mode, root, low ports).
limit_container_privilege = {
    "block_add_capabilities": False,
    "enabled": False,
    "ipcmode": False,
    "netmode": False,
    "pidmode": False,
    "prevent_low_port_binding": False,
    "prevent_root_user": False,
    "privileged": False,
    "use_host_user": False,
    "usermode": False,
    "utsmode": False,
}

# Linux capabilities to remove.
linux_capabilities = {
    "enabled": False,
    "remove_linux_capabilities": ["string"],
}

# Malware scanning: action on detection plus include/exclude directories and processes.
malware_scan_options = {
    "action": "string",
    "enabled": False,
    "exclude_directories": ["string"],
    "exclude_processes": ["string"],
    "include_directories": ["string"],
}

# Package blocking, scoped by process/user, with exceptions.
package_block = {
    "block_packages_processes": ["string"],
    "block_packages_users": ["string"],
    "enabled": False,
    "exceptional_block_packages_files": ["string"],
    "exceptional_block_packages_processes": ["string"],
    "exceptional_block_packages_users": ["string"],
    "packages_black_lists": ["string"],
}

# Inbound/outbound port blocking.
port_block = {
    "block_inbound_ports": ["string"],
    "block_outbound_ports": ["string"],
    "enabled": False,
}

# Read-only files, scoped by process/user, with exceptions.
readonly_files = {
    "enabled": False,
    "exceptional_readonly_files": ["string"],
    "exceptional_readonly_files_processes": ["string"],
    "exceptional_readonly_files_users": ["string"],
    "readonly_files": ["string"],
    "readonly_files_processes": ["string"],
    "readonly_files_users": ["string"],
}

# Read-only registry paths (Windows registry, presumably), scoped by process/user.
readonly_registry = {
    "enabled": False,
    "exceptional_readonly_registry_paths": ["string"],
    "exceptional_readonly_registry_processes": ["string"],
    "exceptional_readonly_registry_users": ["string"],
    "readonly_registry_paths": ["string"],
    "readonly_registry_processes": ["string"],
    "readonly_registry_users": ["string"],
}

# Registry access monitoring: which paths, which operations, by which processes/users.
registry_access_monitoring = {
    "enabled": False,
    "exceptional_monitored_registry_paths": ["string"],
    "exceptional_monitored_registry_processes": ["string"],
    "exceptional_monitored_registry_users": ["string"],
    "monitored_registry_attributes": False,
    "monitored_registry_create": False,
    "monitored_registry_delete": False,
    "monitored_registry_modify": False,
    "monitored_registry_paths": ["string"],
    "monitored_registry_processes": ["string"],
    "monitored_registry_read": False,
    "monitored_registry_users": ["string"],
}

# Volumes containers may not mount.
restricted_volume = {
    "enabled": False,
    "volumes": ["string"],
}

# Reverse-shell detection/blocking with IP and process allow-lists.
reverse_shell = {
    "block_reverse_shell": False,
    "enabled": False,
    "reverse_shell_ip_white_lists": ["string"],
    "reverse_shell_proc_white_lists": ["string"],
}

# Scope variables select the workloads the policy applies to. The same shape
# is used both at the top level (scope_variables) and inside a scope
# expression (scopes[].variables); the inner one is a copy so the two dicts
# stay independent.
scope_variable = {
    "attribute": "string",
    "value": "string",
    "name": "string",
}
scope = {
    "expression": "string",
    "variables": [dict(scope_variable)],
}

# System integrity: system-time changes, audit-log integrity, Windows services.
system_integrity_protection = {
    "audit_systemtime_change": False,
    "enabled": False,
    "monitor_audit_log_integrity": False,
    "windows_services_monitoring": False,
}

# Tripwire. user_id/user_password are credentials: never commit literals here —
# read them from Pulumi config (pulumi.Config().require_secret(...)) or wrap
# them in pulumi.Output.secret(...) so the value is encrypted in the stack state.
tripwire = {
    "apply_ons": ["string"],
    "enabled": False,
    "serverless_app": "string",
    "user_id": "string",
    "user_password": "string",
}

# OS users/groups permitted inside the container.
whitelisted_os_users = {
    "enabled": False,
    "group_white_lists": ["string"],
    "user_white_lists": ["string"],
}

container_runtime_policy_resource = aquasec.ContainerRuntimePolicy(
    "containerRuntimePolicyResource",
    allowed_executables=[allowed_executables],
    allowed_registries=[allowed_registries],
    application_scopes=["string"],
    # Top-level audit toggles.
    audit_all_network_activity=False,
    audit_all_processes_activity=False,
    audit_brute_force_login=False,
    audit_full_command_arguments=False,
    auditing=auditing,
    author="string",
    blacklisted_os_users=blacklisted_os_users,
    # Top-level block controls; False leaves each one off.
    block_access_host_network=False,
    block_adding_capabilities=False,
    block_container_exec=False,
    block_cryptocurrency_mining=False,
    block_disallowed_images=False,
    block_fileless_exec=False,
    block_low_port_binding=False,
    block_non_compliant_workloads=False,
    block_non_k8s_containers=False,
    block_privileged_containers=False,
    block_root_user=False,
    block_use_ipc_namespace=False,
    block_use_pid_namespace=False,
    block_use_user_namespace=False,
    block_use_uts_namespace=False,
    # Flat block lists (older shape of the nested *_block / *_blacklists inputs above).
    blocked_capabilities=["string"],
    blocked_executables=["string"],
    blocked_files=["string"],
    blocked_inbound_ports=["string"],
    blocked_outbound_ports=["string"],
    blocked_packages=["string"],
    blocked_volumes=["string"],
    bypass_scopes=[bypass_scope],
    container_exec=container_exec,
    container_exec_allowed_processes=["string"],
    # author/created/updated/lastupdate/version/digest/is_ootb_policy/is_auto_generated
    # look like server-managed metadata — TODO confirm against the provider
    # schema whether setting them has any effect.
    created="string",
    cve="string",
    default_security_profile="string",
    description="string",
    digest="string",
    drift_preventions=[drift_prevention],
    enable_crypto_mining_dns=False,
    enable_fork_guard=False,
    enable_ip_reputation=False,
    enable_port_scan_protection=False,
    enabled=False,
    enforce=False,
    enforce_after_days=0,
    enforce_scheduler_added_on=0,
    exclude_application_scopes=["string"],
    executable_blacklists=[executable_blacklist],
    failed_kubernetes_checks=failed_kubernetes_checks,
    file_block=file_block,
    file_integrity_monitoring=file_integrity_monitoring,
    fork_guard_process_limit=0,
    image_name="string",
    is_audit_checked=False,
    is_auto_generated=False,
    is_ootb_policy=False,
    lastupdate=0,
    limit_container_privileges=[limit_container_privilege],
    limit_new_privileges=False,
    linux_capabilities=linux_capabilities,
    malware_scan_options=malware_scan_options,
    monitor_system_time_changes=False,
    name="string",
    no_new_privileges=False,
    only_registered_images=False,
    package_block=package_block,
    permission="string",
    port_block=port_block,
    readonly_files=readonly_files,
    readonly_registry=readonly_registry,
    registry="string",
    registry_access_monitoring=registry_access_monitoring,
    repo_name="string",
    # Trailing underscore: the provider property is presumably renamed because
    # `resource_name` is already the constructor's own first positional argument.
    resource_name_="string",
    resource_type="string",
    restricted_volumes=[restricted_volume],
    reverse_shell=reverse_shell,
    runtime_mode=0,
    runtime_type="string",
    scope_expression="string",
    scope_variables=[scope_variable],
    scopes=[scope],
    system_integrity_protection=system_integrity_protection,
    tripwire=tripwire,
    type="string",
    updated="string",
    version="string",
    vpatch_version="string",
    whitelisted_os_users=whitelisted_os_users,
)
// Generated property skeleton: every value is a type placeholder ("string", false, 0), not a
// usable policy. In a real program, omit the inputs you do not set.
const containerRuntimePolicyResource = new aquasec.ContainerRuntimePolicy("containerRuntimePolicyResource", {
    allowedExecutables: [{
        allowExecutables: ["string"],
        allowRootExecutables: ["string"],
        enabled: false,
        separateExecutables: false,
    }],
    // Supply-chain control: presumably restricts which registries workloads may be pulled from —
    // confirm against the provider docs; see also onlyRegisteredImages below.
    allowedRegistries: [{
        allowedRegistries: ["string"],
        enabled: false,
    }],
    applicationScopes: ["string"],
    auditAllNetworkActivity: false,
    auditAllProcessesActivity: false,
    auditBruteForceLogin: false,
    auditFullCommandArguments: false,
    auditing: {
        auditAllNetwork: false,
        auditAllProcesses: false,
        auditFailedLogin: false,
        auditOsUserActivity: false,
        auditProcessCmdline: false,
        auditSuccessLogin: false,
        auditUserAccountManagement: false,
        enabled: false,
    },
    // author/created/updated/lastupdate look like server-populated metadata — presumably not
    // set by callers; confirm.
    author: "string",
    blacklistedOsUsers: {
        enabled: false,
        groupBlackLists: ["string"],
        userBlackLists: ["string"],
    },
    // Per the input descriptions, each block* flag prevents the behaviour only once the policy
    // is enforced (enforce: true below); with enforce: false the policy is audit-only.
    blockAccessHostNetwork: false,
    blockAddingCapabilities: false,
    blockContainerExec: false,
    blockCryptocurrencyMining: false,
    blockDisallowedImages: false,
    blockFilelessExec: false,
    blockLowPortBinding: false,
    blockNonCompliantWorkloads: false,
    blockNonK8sContainers: false,
    blockPrivilegedContainers: false,
    blockRootUser: false,
    blockUseIpcNamespace: false,
    blockUsePidNamespace: false,
    blockUseUserNamespace: false,
    blockUseUtsNamespace: false,
    blockedCapabilities: ["string"],
    blockedExecutables: ["string"],
    blockedFiles: ["string"],
    blockedInboundPorts: ["string"],
    blockedOutboundPorts: ["string"],
    blockedPackages: ["string"],
    blockedVolumes: ["string"],
    // Bypass scopes presumably exempt matching workloads from this policy — confirm; keep the
    // list minimal and reviewed, since it widens what is allowed.
    bypassScopes: [{
        enabled: false,
        scopes: [{
            expression: "string",
            variables: [{
                attribute: "string",
                value: "string",
            }],
        }],
    }],
    // Overlaps with the top-level blockContainerExec and containerExecAllowedProcesses inputs;
    // keep the two in agreement.
    containerExec: {
        blockContainerExec: false,
        containerExecProcWhiteLists: ["string"],
        enabled: false,
        reverseShellIpWhiteLists: ["string"],
    },
    containerExecAllowedProcesses: ["string"],
    created: "string",
    cve: "string",
    defaultSecurityProfile: "string",
    description: "string",
    digest: "string",
    driftPreventions: [{
        enabled: false,
        execLockdown: false,
        execLockdownWhiteLists: ["string"],
        imageLockdown: false,
    }],
    enableCryptoMiningDns: false,
    enableForkGuard: false,
    enableIpReputation: false,
    enablePortScanProtection: false,
    enabled: false,
    // false = audit-only; enforceAfterDays schedules a later switch to enforce mode.
    enforce: false,
    enforceAfterDays: 0,
    enforceSchedulerAddedOn: 0,
    excludeApplicationScopes: ["string"],
    executableBlacklists: [{
        enabled: false,
        executables: ["string"],
    }],
    failedKubernetesChecks: {
        enabled: false,
        failedChecks: ["string"],
    },
    fileBlock: {
        blockFilesProcesses: ["string"],
        blockFilesUsers: ["string"],
        enabled: false,
        exceptionalBlockFiles: ["string"],
        exceptionalBlockFilesProcesses: ["string"],
        exceptionalBlockFilesUsers: ["string"],
        filenameBlockLists: ["string"],
    },
    fileIntegrityMonitoring: {
        enabled: false,
        exceptionalMonitoredFiles: ["string"],
        exceptionalMonitoredFilesProcesses: ["string"],
        exceptionalMonitoredFilesUsers: ["string"],
        monitoredFiles: ["string"],
        monitoredFilesAttributes: false,
        monitoredFilesCreate: false,
        monitoredFilesDelete: false,
        monitoredFilesModify: false,
        monitoredFilesProcesses: ["string"],
        monitoredFilesRead: false,
        monitoredFilesUsers: ["string"],
    },
    forkGuardProcessLimit: 0,
    imageName: "string",
    isAuditChecked: false,
    isAutoGenerated: false,
    isOotbPolicy: false,
    lastupdate: 0,
    limitContainerPrivileges: [{
        blockAddCapabilities: false,
        enabled: false,
        ipcmode: false,
        netmode: false,
        pidmode: false,
        preventLowPortBinding: false,
        preventRootUser: false,
        privileged: false,
        useHostUser: false,
        usermode: false,
        utsmode: false,
    }],
    // Only effective in enforce mode (per the input description).
    limitNewPrivileges: false,
    linuxCapabilities: {
        enabled: false,
        removeLinuxCapabilities: ["string"],
    },
    malwareScanOptions: {
        action: "string",
        enabled: false,
        excludeDirectories: ["string"],
        excludeProcesses: ["string"],
        includeDirectories: ["string"],
    },
    monitorSystemTimeChanges: false,
    name: "string",
    noNewPrivileges: false,
    onlyRegisteredImages: false,
    packageBlock: {
        blockPackagesProcesses: ["string"],
        blockPackagesUsers: ["string"],
        enabled: false,
        exceptionalBlockPackagesFiles: ["string"],
        exceptionalBlockPackagesProcesses: ["string"],
        exceptionalBlockPackagesUsers: ["string"],
        packagesBlackLists: ["string"],
    },
    permission: "string",
    portBlock: {
        blockInboundPorts: ["string"],
        blockOutboundPorts: ["string"],
        enabled: false,
    },
    readonlyFiles: {
        enabled: false,
        exceptionalReadonlyFiles: ["string"],
        exceptionalReadonlyFilesProcesses: ["string"],
        exceptionalReadonlyFilesUsers: ["string"],
        readonlyFiles: ["string"],
        readonlyFilesProcesses: ["string"],
        readonlyFilesUsers: ["string"],
    },
    readonlyRegistry: {
        enabled: false,
        exceptionalReadonlyRegistryPaths: ["string"],
        exceptionalReadonlyRegistryProcesses: ["string"],
        exceptionalReadonlyRegistryUsers: ["string"],
        readonlyRegistryPaths: ["string"],
        readonlyRegistryProcesses: ["string"],
        readonlyRegistryUsers: ["string"],
    },
    registry: "string",
    registryAccessMonitoring: {
        enabled: false,
        exceptionalMonitoredRegistryPaths: ["string"],
        exceptionalMonitoredRegistryProcesses: ["string"],
        exceptionalMonitoredRegistryUsers: ["string"],
        monitoredRegistryAttributes: false,
        monitoredRegistryCreate: false,
        monitoredRegistryDelete: false,
        monitoredRegistryModify: false,
        monitoredRegistryPaths: ["string"],
        monitoredRegistryProcesses: ["string"],
        monitoredRegistryRead: false,
        monitoredRegistryUsers: ["string"],
    },
    repoName: "string",
    resourceName: "string",
    resourceType: "string",
    restrictedVolumes: [{
        enabled: false,
        volumes: ["string"],
    }],
    reverseShell: {
        blockReverseShell: false,
        enabled: false,
        reverseShellIpWhiteLists: ["string"],
        reverseShellProcWhiteLists: ["string"],
    },
    runtimeMode: 0,
    runtimeType: "string",
    // scopeExpression combines the scopeVariables into the match rule; an over-broad scope
    // applies this policy to unintended workloads.
    scopeExpression: "string",
    scopeVariables: [{
        attribute: "string",
        value: "string",
        name: "string",
    }],
    scopes: [{
        expression: "string",
        variables: [{
            attribute: "string",
            value: "string",
            name: "string",
        }],
    }],
    systemIntegrityProtection: {
        auditSystemtimeChange: false,
        enabled: false,
        monitorAuditLogIntegrity: false,
        windowsServicesMonitoring: false,
    },
    tripwire: {
        applyOns: ["string"],
        enabled: false,
        serverlessApp: "string",
        userId: "string",
        // Credential: do not commit a literal here. Load it as a secret, e.g.
        // new pulumi.Config().requireSecret("..."), so it is encrypted in state and masked in
        // preview/update output.
        userPassword: "string",
    },
    type: "string",
    updated: "string",
    version: "string",
    vpatchVersion: "string",
    whitelistedOsUsers: {
        enabled: false,
        groupWhiteLists: ["string"],
        userWhiteLists: ["string"],
    },
});
# Generated property skeleton: every value is a type placeholder (string, false, 0), not a
# usable policy. In a real program, omit the inputs you do not set.
type: aquasec:ContainerRuntimePolicy
properties:
    allowedExecutables:
        - allowExecutables:
            - string
          allowRootExecutables:
            - string
          enabled: false
          separateExecutables: false
    # Supply-chain control: presumably restricts which registries workloads may be pulled
    # from — confirm against the provider docs; see also onlyRegisteredImages below.
    allowedRegistries:
        - allowedRegistries:
            - string
          enabled: false
    applicationScopes:
        - string
    auditAllNetworkActivity: false
    auditAllProcessesActivity: false
    auditBruteForceLogin: false
    auditFullCommandArguments: false
    auditing:
        auditAllNetwork: false
        auditAllProcesses: false
        auditFailedLogin: false
        auditOsUserActivity: false
        auditProcessCmdline: false
        auditSuccessLogin: false
        auditUserAccountManagement: false
        enabled: false
    # author/created/updated/lastupdate look like server-populated metadata — presumably not
    # set by callers; confirm.
    author: string
    blacklistedOsUsers:
        enabled: false
        groupBlackLists:
            - string
        userBlackLists:
            - string
    # Per the input descriptions, each block* flag prevents the behaviour only once the policy
    # is enforced (enforce: true below); with enforce: false the policy is audit-only.
    blockAccessHostNetwork: false
    blockAddingCapabilities: false
    blockContainerExec: false
    blockCryptocurrencyMining: false
    blockDisallowedImages: false
    blockFilelessExec: false
    blockLowPortBinding: false
    blockNonCompliantWorkloads: false
    blockNonK8sContainers: false
    blockPrivilegedContainers: false
    blockRootUser: false
    blockUseIpcNamespace: false
    blockUsePidNamespace: false
    blockUseUserNamespace: false
    blockUseUtsNamespace: false
    blockedCapabilities:
        - string
    blockedExecutables:
        - string
    blockedFiles:
        - string
    blockedInboundPorts:
        - string
    blockedOutboundPorts:
        - string
    blockedPackages:
        - string
    blockedVolumes:
        - string
    # Bypass scopes presumably exempt matching workloads from this policy — confirm; keep the
    # list minimal and reviewed, since it widens what is allowed.
    bypassScopes:
        - enabled: false
          scopes:
            - expression: string
              variables:
                - attribute: string
                  value: string
    # Overlaps with the top-level blockContainerExec and containerExecAllowedProcesses inputs;
    # keep the two in agreement.
    containerExec:
        blockContainerExec: false
        containerExecProcWhiteLists:
            - string
        enabled: false
        reverseShellIpWhiteLists:
            - string
    containerExecAllowedProcesses:
        - string
    created: string
    cve: string
    defaultSecurityProfile: string
    description: string
    digest: string
    driftPreventions:
        - enabled: false
          execLockdown: false
          execLockdownWhiteLists:
            - string
          imageLockdown: false
    enableCryptoMiningDns: false
    enableForkGuard: false
    enableIpReputation: false
    enablePortScanProtection: false
    enabled: false
    # false = audit-only; enforceAfterDays schedules a later switch to enforce mode.
    enforce: false
    enforceAfterDays: 0
    enforceSchedulerAddedOn: 0
    excludeApplicationScopes:
        - string
    executableBlacklists:
        - enabled: false
          executables:
            - string
    failedKubernetesChecks:
        enabled: false
        failedChecks:
            - string
    fileBlock:
        blockFilesProcesses:
            - string
        blockFilesUsers:
            - string
        enabled: false
        exceptionalBlockFiles:
            - string
        exceptionalBlockFilesProcesses:
            - string
        exceptionalBlockFilesUsers:
            - string
        filenameBlockLists:
            - string
    fileIntegrityMonitoring:
        enabled: false
        exceptionalMonitoredFiles:
            - string
        exceptionalMonitoredFilesProcesses:
            - string
        exceptionalMonitoredFilesUsers:
            - string
        monitoredFiles:
            - string
        monitoredFilesAttributes: false
        monitoredFilesCreate: false
        monitoredFilesDelete: false
        monitoredFilesModify: false
        monitoredFilesProcesses:
            - string
        monitoredFilesRead: false
        monitoredFilesUsers:
            - string
    forkGuardProcessLimit: 0
    imageName: string
    isAuditChecked: false
    isAutoGenerated: false
    isOotbPolicy: false
    lastupdate: 0
    limitContainerPrivileges:
        - blockAddCapabilities: false
          enabled: false
          ipcmode: false
          netmode: false
          pidmode: false
          preventLowPortBinding: false
          preventRootUser: false
          privileged: false
          useHostUser: false
          usermode: false
          utsmode: false
    # Only effective in enforce mode (per the input description).
    limitNewPrivileges: false
    linuxCapabilities:
        enabled: false
        removeLinuxCapabilities:
            - string
    malwareScanOptions:
        action: string
        enabled: false
        excludeDirectories:
            - string
        excludeProcesses:
            - string
        includeDirectories:
            - string
    monitorSystemTimeChanges: false
    name: string
    noNewPrivileges: false
    onlyRegisteredImages: false
    packageBlock:
        blockPackagesProcesses:
            - string
        blockPackagesUsers:
            - string
        enabled: false
        exceptionalBlockPackagesFiles:
            - string
        exceptionalBlockPackagesProcesses:
            - string
        exceptionalBlockPackagesUsers:
            - string
        packagesBlackLists:
            - string
    permission: string
    portBlock:
        blockInboundPorts:
            - string
        blockOutboundPorts:
            - string
        enabled: false
    readonlyFiles:
        enabled: false
        exceptionalReadonlyFiles:
            - string
        exceptionalReadonlyFilesProcesses:
            - string
        exceptionalReadonlyFilesUsers:
            - string
        readonlyFiles:
            - string
        readonlyFilesProcesses:
            - string
        readonlyFilesUsers:
            - string
    readonlyRegistry:
        enabled: false
        exceptionalReadonlyRegistryPaths:
            - string
        exceptionalReadonlyRegistryProcesses:
            - string
        exceptionalReadonlyRegistryUsers:
            - string
        readonlyRegistryPaths:
            - string
        readonlyRegistryProcesses:
            - string
        readonlyRegistryUsers:
            - string
    registry: string
    registryAccessMonitoring:
        enabled: false
        exceptionalMonitoredRegistryPaths:
            - string
        exceptionalMonitoredRegistryProcesses:
            - string
        exceptionalMonitoredRegistryUsers:
            - string
        monitoredRegistryAttributes: false
        monitoredRegistryCreate: false
        monitoredRegistryDelete: false
        monitoredRegistryModify: false
        monitoredRegistryPaths:
            - string
        monitoredRegistryProcesses:
            - string
        monitoredRegistryRead: false
        monitoredRegistryUsers:
            - string
    repoName: string
    resourceName: string
    resourceType: string
    restrictedVolumes:
        - enabled: false
          volumes:
            - string
    reverseShell:
        blockReverseShell: false
        enabled: false
        reverseShellIpWhiteLists:
            - string
        reverseShellProcWhiteLists:
            - string
    runtimeMode: 0
    runtimeType: string
    # scopeExpression combines the scopeVariables into the match rule; an over-broad scope
    # applies this policy to unintended workloads.
    scopeExpression: string
    scopeVariables:
        - attribute: string
          name: string
          value: string
    scopes:
        - expression: string
          variables:
            - attribute: string
              name: string
              value: string
    systemIntegrityProtection:
        auditSystemtimeChange: false
        enabled: false
        monitorAuditLogIntegrity: false
        windowsServicesMonitoring: false
    tripwire:
        applyOns:
            - string
        enabled: false
        serverlessApp: string
        userId: string
        # Credential: do not commit a literal here. Wrap it with fn::secret (or read it from
        # a secret config value) so it is encrypted in state and masked in preview/update output.
        userPassword: string
    type: string
    updated: string
    version: string
    vpatchVersion: string
    whitelistedOsUsers:
        enabled: false
        groupWhiteLists:
            - string
        userWhiteLists:
            - string

ContainerRuntimePolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ContainerRuntimePolicy resource accepts the following input properties:

AllowedExecutables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAllowedExecutable>
Allowed executables configuration.
AllowedRegistries List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAllowedRegistry>
Allowed registries configuration.
ApplicationScopes List<string>
Indicates the application scope of the service.
AuditAllNetworkActivity bool
If true, all network activity will be audited.
AuditAllProcessesActivity bool
If true, all process activity will be audited.
AuditBruteForceLogin bool
Detects brute force login attempts
AuditFullCommandArguments bool
If true, full command arguments will be audited.
Auditing Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAuditing
Author string
Username of the account that created the service.
BlacklistedOsUsers Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBlacklistedOsUsers
BlockAccessHostNetwork bool
If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool
If true, prevent containers from running with capabilities added via the --cap-add privilege.
BlockContainerExec bool
If true, exec into a container is prevented.
BlockCryptocurrencyMining bool
Detects and prevents communication with DNS names and IP addresses known to be used for cryptocurrency mining.
BlockDisallowedImages bool
BlockFilelessExec bool
Detects and prevents in-memory (fileless) execution.
BlockLowPortBinding bool
If true, prevent containers from running with the capability to bind to ports lower than 1024.
BlockNonCompliantWorkloads bool
If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool
If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool
If true, prevent containers from running with privileged container capability.
BlockRootUser bool
If true, prevent containers from running with root user.
BlockUseIpcNamespace bool
If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool
If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool
If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool
If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities List<string>
Prevents containers from using the listed Unix capabilities.
BlockedExecutables List<string>
List of executables that are prevented from running in containers.
BlockedFiles List<string>
List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts List<string>
List of blocked inbound ports.
BlockedOutboundPorts List<string>
List of blocked outbound ports.
BlockedPackages List<string>
Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes List<string>
List of volumes that are prevented from being mounted in the containers.
BypassScopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBypassScope>
Bypass scope configuration.
ContainerExec Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyContainerExec
ContainerExecAllowedProcesses List<string>
List of processes that will be allowed.
Created string
Cve string
DefaultSecurityProfile string
Description string
The description of the container runtime policy
Digest string
DriftPreventions List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyDriftPrevention>
Drift prevention configuration.
EnableCryptoMiningDns bool
EnableForkGuard bool
If true, fork bombs are prevented in the containers.
EnableIpReputation bool
EnablePortScanProtection bool
Enabled bool
Indicates if the runtime policy is enabled or not.
Enforce bool
Indicates that the policy should affect container execution (not just audit it).
EnforceAfterDays int
Indicates the number of days after which the runtime policy will be changed to enforce mode.
EnforceSchedulerAddedOn int
ExcludeApplicationScopes List<string>
List of excluded application scopes.
ExecutableBlacklists List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyExecutableBlacklist>
Executable blacklist configuration.
FailedKubernetesChecks Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFailedKubernetesChecks
FileBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileBlock
FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring
Configuration for file integrity monitoring.
ForkGuardProcessLimit int
Process limit for the fork guard.
ImageName string
IsAuditChecked bool
IsAutoGenerated bool
IsOotbPolicy bool
Lastupdate int
LimitContainerPrivileges List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyLimitContainerPrivilege>
Container privileges configuration.
LimitNewPrivileges bool
If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
LinuxCapabilities Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyLinuxCapabilities
MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions
Configuration for Real-Time Malware Protection.
MonitorSystemTimeChanges bool
If true, system time changes will be monitored.
Name Changes to this property will trigger replacement. string
Name of the container runtime policy
NoNewPrivileges bool
OnlyRegisteredImages bool
PackageBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyPackageBlock
Permission string
PortBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyPortBlock
ReadonlyFiles Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReadonlyFiles
ReadonlyRegistry Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReadonlyRegistry
Registry string
RegistryAccessMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyRegistryAccessMonitoring
RepoName string
ResourceName string
ResourceType string
RestrictedVolumes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyRestrictedVolume>
Restricted volumes configuration.
ReverseShell Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReverseShell
RuntimeMode int
RuntimeType string
ScopeExpression string
Logical expression of how to compute the dependency of the scope variables.
ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>
List of scope attributes.
Scopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScope>
Scope configuration.
SystemIntegrityProtection Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicySystemIntegrityProtection
Tripwire Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyTripwire
Type string
Updated string
Version string
VpatchVersion string
WhitelistedOsUsers Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyWhitelistedOsUsers
AllowedExecutables []ContainerRuntimePolicyAllowedExecutableArgs
Allowed executables configuration.
AllowedRegistries []ContainerRuntimePolicyAllowedRegistryArgs
Allowed registries configuration.
ApplicationScopes []string
Indicates the application scope of the service.
AuditAllNetworkActivity bool
If true, all network activity will be audited.
AuditAllProcessesActivity bool
If true, all process activity will be audited.
AuditBruteForceLogin bool
Detects brute force login attempts
AuditFullCommandArguments bool
If true, full command arguments will be audited.
Auditing ContainerRuntimePolicyAuditingArgs
Author string
Username of the account that created the service.
BlacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsersArgs
BlockAccessHostNetwork bool
If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool
If true, prevent containers from running with capabilities added via the --cap-add privilege.
BlockContainerExec bool
If true, exec into a container is prevented.
BlockCryptocurrencyMining bool
Detects and prevents communication with DNS names and IP addresses known to be used for cryptocurrency mining.
BlockDisallowedImages bool
BlockFilelessExec bool
Detects and prevents in-memory (fileless) execution.
BlockLowPortBinding bool
If true, prevent containers from running with the capability to bind to ports lower than 1024.
BlockNonCompliantWorkloads bool
If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool
If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool
If true, prevent containers from running with privileged container capability.
BlockRootUser bool
If true, prevent containers from running with root user.
BlockUseIpcNamespace bool
If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool
If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool
If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool
If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities []string
Prevents containers from using the listed Unix capabilities.
BlockedExecutables []string
List of executables that are prevented from running in containers.
BlockedFiles []string
List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts []string
List of blocked inbound ports.
BlockedOutboundPorts []string
List of blocked outbound ports.
BlockedPackages []string
Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes []string
List of volumes that are prevented from being mounted in the containers.
BypassScopes []ContainerRuntimePolicyBypassScopeArgs
Bypass scope configuration.
ContainerExec ContainerRuntimePolicyContainerExecArgs
ContainerExecAllowedProcesses []string
List of processes that will be allowed.
Created string
Cve string
DefaultSecurityProfile string
Description string
The description of the container runtime policy
Digest string
DriftPreventions []ContainerRuntimePolicyDriftPreventionArgs
Drift prevention configuration.
EnableCryptoMiningDns bool
EnableForkGuard bool
If true, fork bombs are prevented in the containers.
EnableIpReputation bool
EnablePortScanProtection bool
Enabled bool
Indicates if the runtime policy is enabled or not.
Enforce bool
Indicates that the policy should affect container execution (not just audit it).
EnforceAfterDays int
Indicates the number of days after which the runtime policy will be changed to enforce mode.
EnforceSchedulerAddedOn int
ExcludeApplicationScopes []string
List of excluded application scopes.
ExecutableBlacklists []ContainerRuntimePolicyExecutableBlacklistArgs
Executable blacklist configuration.
FailedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecksArgs
FileBlock ContainerRuntimePolicyFileBlockArgs
FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs
Configuration for file integrity monitoring.
ForkGuardProcessLimit int
Process limit for the fork guard.
ImageName string
IsAuditChecked bool
IsAutoGenerated bool
IsOotbPolicy bool
Lastupdate int
LimitContainerPrivileges []ContainerRuntimePolicyLimitContainerPrivilegeArgs
Container privileges configuration.
LimitNewPrivileges bool
If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
LinuxCapabilities ContainerRuntimePolicyLinuxCapabilitiesArgs
MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs
Configuration for Real-Time Malware Protection.
MonitorSystemTimeChanges bool
If true, system time changes will be monitored.
Name Changes to this property will trigger replacement. string
Name of the container runtime policy
NoNewPrivileges bool
OnlyRegisteredImages bool
PackageBlock ContainerRuntimePolicyPackageBlockArgs
Permission string
PortBlock ContainerRuntimePolicyPortBlockArgs
ReadonlyFiles ContainerRuntimePolicyReadonlyFilesArgs
ReadonlyRegistry ContainerRuntimePolicyReadonlyRegistryArgs
Registry string
RegistryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoringArgs
RepoName string
ResourceName string
ResourceType string
RestrictedVolumes []ContainerRuntimePolicyRestrictedVolumeArgs
Restricted volumes configuration.
ReverseShell ContainerRuntimePolicyReverseShellArgs
RuntimeMode int
RuntimeType string
ScopeExpression string
Logical expression of how to compute the dependency of the scope variables.
ScopeVariables []ContainerRuntimePolicyScopeVariableArgs
List of scope attributes.
Scopes []ContainerRuntimePolicyScopeArgs
Scope configuration.
SystemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtectionArgs
Tripwire ContainerRuntimePolicyTripwireArgs
Type string
Updated string
Version string
VpatchVersion string
WhitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsersArgs
allowedExecutables List<ContainerRuntimePolicyAllowedExecutable>
Allowed executables configuration.
allowedRegistries List<ContainerRuntimePolicyAllowedRegistry>
Allowed registries configuration.
applicationScopes List<String>
Indicates the application scope of the service.
auditAllNetworkActivity Boolean
If true, all network activity will be audited.
auditAllProcessesActivity Boolean
If true, all process activity will be audited.
auditBruteForceLogin Boolean
Detects brute force login attempts
auditFullCommandArguments Boolean
If true, full command arguments will be audited.
auditing ContainerRuntimePolicyAuditing
author String
Username of the account that created the service.
blacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsers
blockAccessHostNetwork Boolean
If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean
If true, prevent containers from running with capabilities added via the --cap-add privilege.
blockContainerExec Boolean
If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean
Detects and prevents communication with DNS names and IP addresses known to be used for cryptocurrency mining.
blockDisallowedImages Boolean
blockFilelessExec Boolean
Detects and prevents in-memory (fileless) execution.
blockLowPortBinding Boolean
If true, prevent containers from running with the capability to bind to ports lower than 1024.
blockNonCompliantWorkloads Boolean
If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean
If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean
If true, prevent containers from running with privileged container capability.
blockRootUser Boolean
If true, prevent containers from running with root user.
blockUseIpcNamespace Boolean
If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean
If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean
If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean
If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>
Prevents containers from using the listed Unix capabilities.
blockedExecutables List<String>
List of executables that are prevented from running in containers.
blockedFiles List<String>
List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>
List of blocked inbound ports.
blockedOutboundPorts List<String>
List of blocked outbound ports.
blockedPackages List<String>
Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>
List of volumes that are prevented from being mounted in the containers.
bypassScopes List<ContainerRuntimePolicyBypassScope>
Bypass scope configuration.
containerExec ContainerRuntimePolicyContainerExec
containerExecAllowedProcesses List<String>
List of processes that will be allowed.
created String
cve String
defaultSecurityProfile String
description String
The description of the container runtime policy
digest String
driftPreventions List<ContainerRuntimePolicyDriftPrevention>
Drift prevention configuration.
enableCryptoMiningDns Boolean
enableForkGuard Boolean
If true, fork bombs are prevented in the containers.
enableIpReputation Boolean
enablePortScanProtection Boolean
enabled Boolean
Indicates if the runtime policy is enabled or not.
enforce Boolean
Indicates that the policy should affect container execution (not just audit it).
enforceAfterDays Integer
Indicates the number of days after which the runtime policy will be changed to enforce mode.
enforceSchedulerAddedOn Integer
excludeApplicationScopes List<String>
List of excluded application scopes.
executableBlacklists List<ContainerRuntimePolicyExecutableBlacklist>
Executable blacklist configuration.
failedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecks
fileBlock ContainerRuntimePolicyFileBlock
fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring
Configuration for file integrity monitoring.
forkGuardProcessLimit Integer
Process limit for the fork guard.
imageName String
isAuditChecked Boolean
isAutoGenerated Boolean
isOotbPolicy Boolean
lastupdate Integer
limitContainerPrivileges List<ContainerRuntimePolicyLimitContainerPrivilege>
Container privileges configuration.
limitNewPrivileges Boolean
If true, prevents the container from obtaining new privileges at runtime. (only enabled in enforce mode)
linuxCapabilities ContainerRuntimePolicyLinuxCapabilities
malwareScanOptions ContainerRuntimePolicyMalwareScanOptions
Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges Boolean
If true, system time changes will be monitored.
name Changes to this property will trigger replacement. String
Name of the container runtime policy
noNewPrivileges Boolean
onlyRegisteredImages Boolean
packageBlock ContainerRuntimePolicyPackageBlock
permission String
portBlock ContainerRuntimePolicyPortBlock
readonlyFiles ContainerRuntimePolicyReadonlyFiles
readonlyRegistry ContainerRuntimePolicyReadonlyRegistry
registry String
registryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoring
repoName String
resourceName String
resourceType String
restrictedVolumes List<ContainerRuntimePolicyRestrictedVolume>
Restricted volumes configuration.
reverseShell ContainerRuntimePolicyReverseShell
runtimeMode Integer
runtimeType String
scopeExpression String
Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<ContainerRuntimePolicyScopeVariable>
List of scope attributes.
scopes List<ContainerRuntimePolicyScope>
Scope configuration.
systemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtection
tripwire ContainerRuntimePolicyTripwire
type String
updated String
version String
vpatchVersion String
whitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsers
allowedExecutables ContainerRuntimePolicyAllowedExecutable[]
Allowed executables configuration.
allowedRegistries ContainerRuntimePolicyAllowedRegistry[]
Allowed registries configuration.
applicationScopes string[]
Indicates the application scope of the service.
auditAllNetworkActivity boolean
If true, all network activity will be audited.
auditAllProcessesActivity boolean
If true, all process activity will be audited.
auditBruteForceLogin boolean
Detects brute force login attempts
auditFullCommandArguments boolean
If true, full command arguments will be audited.
auditing ContainerRuntimePolicyAuditing
author string
Username of the account that created the service.
blacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsers
blockAccessHostNetwork boolean
If true, prevent containers from running with access to host network.
blockAddingCapabilities boolean
If true, prevent containers from running with capabilities added via --cap-add.
blockContainerExec boolean
If true, exec into a container is prevented.
blockCryptocurrencyMining boolean
Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockDisallowedImages boolean
blockFilelessExec boolean
Detect and prevent fileless (in-memory) execution.
blockLowPortBinding boolean
If true, prevent containers from running with the capability to bind to ports lower than 1024.
blockNonCompliantWorkloads boolean
If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers boolean
If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers boolean
If true, prevent containers from running with privileged container capability.
blockRootUser boolean
If true, prevent containers from running with root user.
blockUseIpcNamespace boolean
If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace boolean
If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace boolean
If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace boolean
If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities string[]
Prevents containers from using the Unix capabilities named in this list.
blockedExecutables string[]
List of executables that are prevented from running in containers.
blockedFiles string[]
List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts string[]
List of blocked inbound ports.
blockedOutboundPorts string[]
List of blocked outbound ports.
blockedPackages string[]
Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes string[]
List of volumes that are prevented from being mounted in the containers.
bypassScopes ContainerRuntimePolicyBypassScope[]
Bypass scope configuration.
containerExec ContainerRuntimePolicyContainerExec
containerExecAllowedProcesses string[]
List of processes that will be allowed.
created string
cve string
defaultSecurityProfile string
description string
The description of the container runtime policy
digest string
driftPreventions ContainerRuntimePolicyDriftPrevention[]
Drift prevention configuration.
enableCryptoMiningDns boolean
enableForkGuard boolean
If true, fork bombs are prevented in the containers.
enableIpReputation boolean
enablePortScanProtection boolean
enabled boolean
Indicates if the runtime policy is enabled or not.
enforce boolean
Indicates that the policy should affect container execution (not just audit it).
enforceAfterDays number
Indicates the number of days after which the runtime policy will be changed to enforce mode.
enforceSchedulerAddedOn number
excludeApplicationScopes string[]
List of excluded application scopes.
executableBlacklists ContainerRuntimePolicyExecutableBlacklist[]
Executable blacklist configuration.
failedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecks
fileBlock ContainerRuntimePolicyFileBlock
fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring
Configuration for file integrity monitoring.
forkGuardProcessLimit number
Process limit for the fork guard.
imageName string
isAuditChecked boolean
isAutoGenerated boolean
isOotbPolicy boolean
lastupdate number
limitContainerPrivileges ContainerRuntimePolicyLimitContainerPrivilege[]
Container privileges configuration.
limitNewPrivileges boolean
If true, prevents the container from obtaining new privileges at runtime (only takes effect when the policy is in enforce mode).
linuxCapabilities ContainerRuntimePolicyLinuxCapabilities
malwareScanOptions ContainerRuntimePolicyMalwareScanOptions
Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges boolean
If true, system time changes will be monitored.
name Changes to this property will trigger replacement. string
Name of the container runtime policy
noNewPrivileges boolean
onlyRegisteredImages boolean
packageBlock ContainerRuntimePolicyPackageBlock
permission string
portBlock ContainerRuntimePolicyPortBlock
readonlyFiles ContainerRuntimePolicyReadonlyFiles
readonlyRegistry ContainerRuntimePolicyReadonlyRegistry
registry string
registryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoring
repoName string
resourceName string
resourceType string
restrictedVolumes ContainerRuntimePolicyRestrictedVolume[]
Restricted volumes configuration.
reverseShell ContainerRuntimePolicyReverseShell
runtimeMode number
runtimeType string
scopeExpression string
Logical expression describing how the scope variables are combined.
scopeVariables ContainerRuntimePolicyScopeVariable[]
List of scope attributes.
scopes ContainerRuntimePolicyScope[]
Scope configuration.
systemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtection
tripwire ContainerRuntimePolicyTripwire
type string
updated string
version string
vpatchVersion string
whitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsers
allowed_executables Sequence[ContainerRuntimePolicyAllowedExecutableArgs]
Allowed executables configuration.
allowed_registries Sequence[ContainerRuntimePolicyAllowedRegistryArgs]
Allowed registries configuration.
application_scopes Sequence[str]
Indicates the application scope of the service.
audit_all_network_activity bool
If true, all network activity will be audited.
audit_all_processes_activity bool
If true, all process activity will be audited.
audit_brute_force_login bool
Detects brute force login attempts
audit_full_command_arguments bool
If true, full command arguments will be audited.
auditing ContainerRuntimePolicyAuditingArgs
author str
Username of the account that created the service.
blacklisted_os_users ContainerRuntimePolicyBlacklistedOsUsersArgs
block_access_host_network bool
If true, prevent containers from running with access to host network.
block_adding_capabilities bool
If true, prevent containers from running with capabilities added via --cap-add.
block_container_exec bool
If true, exec into a container is prevented.
block_cryptocurrency_mining bool
Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
block_disallowed_images bool
block_fileless_exec bool
Detect and prevent fileless (in-memory) execution.
block_low_port_binding bool
If true, prevent containers from running with the capability to bind to ports lower than 1024.
block_non_compliant_workloads bool
If true, running containers in non-compliant pods is prevented.
block_non_k8s_containers bool
If true, running non-kubernetes containers is prevented.
block_privileged_containers bool
If true, prevent containers from running with privileged container capability.
block_root_user bool
If true, prevent containers from running with root user.
block_use_ipc_namespace bool
If true, prevent containers from running with the privilege to use the IPC namespace.
block_use_pid_namespace bool
If true, prevent containers from running with the privilege to use the PID namespace.
block_use_user_namespace bool
If true, prevent containers from running with the privilege to use the user namespace.
block_use_uts_namespace bool
If true, prevent containers from running with the privilege to use the UTS namespace.
blocked_capabilities Sequence[str]
Prevents containers from using the Unix capabilities named in this list.
blocked_executables Sequence[str]
List of executables that are prevented from running in containers.
blocked_files Sequence[str]
List of files that are prevented from being read, modified and executed in the containers.
blocked_inbound_ports Sequence[str]
List of blocked inbound ports.
blocked_outbound_ports Sequence[str]
List of blocked outbound ports.
blocked_packages Sequence[str]
Prevent containers from reading, writing, or executing all files in the list of packages.
blocked_volumes Sequence[str]
List of volumes that are prevented from being mounted in the containers.
bypass_scopes Sequence[ContainerRuntimePolicyBypassScopeArgs]
Bypass scope configuration.
container_exec ContainerRuntimePolicyContainerExecArgs
container_exec_allowed_processes Sequence[str]
List of processes that will be allowed.
created str
cve str
default_security_profile str
description str
The description of the container runtime policy
digest str
drift_preventions Sequence[ContainerRuntimePolicyDriftPreventionArgs]
Drift prevention configuration.
enable_crypto_mining_dns bool
enable_fork_guard bool
If true, fork bombs are prevented in the containers.
enable_ip_reputation bool
enable_port_scan_protection bool
enabled bool
Indicates if the runtime policy is enabled or not.
enforce bool
Indicates that the policy should affect container execution (not just audit it).
enforce_after_days int
Indicates the number of days after which the runtime policy will be changed to enforce mode.
enforce_scheduler_added_on int
exclude_application_scopes Sequence[str]
List of excluded application scopes.
executable_blacklists Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]
Executable blacklist configuration.
failed_kubernetes_checks ContainerRuntimePolicyFailedKubernetesChecksArgs
file_block ContainerRuntimePolicyFileBlockArgs
file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs
Configuration for file integrity monitoring.
fork_guard_process_limit int
Process limit for the fork guard.
image_name str
is_audit_checked bool
is_auto_generated bool
is_ootb_policy bool
lastupdate int
limit_container_privileges Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]
Container privileges configuration.
limit_new_privileges bool
If true, prevents the container from obtaining new privileges at runtime (only takes effect when the policy is in enforce mode).
linux_capabilities ContainerRuntimePolicyLinuxCapabilitiesArgs
malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs
Configuration for Real-Time Malware Protection.
monitor_system_time_changes bool
If true, system time changes will be monitored.
name Changes to this property will trigger replacement. str
Name of the container runtime policy
no_new_privileges bool
only_registered_images bool
package_block ContainerRuntimePolicyPackageBlockArgs
permission str
port_block ContainerRuntimePolicyPortBlockArgs
readonly_files ContainerRuntimePolicyReadonlyFilesArgs
readonly_registry ContainerRuntimePolicyReadonlyRegistryArgs
registry str
registry_access_monitoring ContainerRuntimePolicyRegistryAccessMonitoringArgs
repo_name str
resource_name str
resource_type str
restricted_volumes Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]
Restricted volumes configuration.
reverse_shell ContainerRuntimePolicyReverseShellArgs
runtime_mode int
runtime_type str
scope_expression str
Logical expression describing how the scope variables are combined.
scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]
List of scope attributes.
scopes Sequence[ContainerRuntimePolicyScopeArgs]
Scope configuration.
system_integrity_protection ContainerRuntimePolicySystemIntegrityProtectionArgs
tripwire ContainerRuntimePolicyTripwireArgs
type str
updated str
version str
vpatch_version str
whitelisted_os_users ContainerRuntimePolicyWhitelistedOsUsersArgs
allowedExecutables List<Property Map>
Allowed executables configuration.
allowedRegistries List<Property Map>
Allowed registries configuration.
applicationScopes List<String>
Indicates the application scope of the service.
auditAllNetworkActivity Boolean
If true, all network activity will be audited.
auditAllProcessesActivity Boolean
If true, all process activity will be audited.
auditBruteForceLogin Boolean
Detects brute force login attempts
auditFullCommandArguments Boolean
If true, full command arguments will be audited.
auditing Property Map
author String
Username of the account that created the service.
blacklistedOsUsers Property Map
blockAccessHostNetwork Boolean
If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean
If true, prevent containers from running with capabilities added via --cap-add.
blockContainerExec Boolean
If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean
Detect and prevent communication to DNS/IP addresses known to be used for Cryptocurrency Mining
blockDisallowedImages Boolean
blockFilelessExec Boolean
Detect and prevent fileless (in-memory) execution.
blockLowPortBinding Boolean
If true, prevent containers from running with the capability to bind to ports lower than 1024.
blockNonCompliantWorkloads Boolean
If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean
If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean
If true, prevent containers from running with privileged container capability.
blockRootUser Boolean
If true, prevent containers from running with root user.
blockUseIpcNamespace Boolean
If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean
If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean
If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean
If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>
Prevents containers from using the Unix capabilities named in this list.
blockedExecutables List<String>
List of executables that are prevented from running in containers.
blockedFiles List<String>
List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>
List of blocked inbound ports.
blockedOutboundPorts List<String>
List of blocked outbound ports.
blockedPackages List<String>
Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>
List of volumes that are prevented from being mounted in the containers.
bypassScopes List<Property Map>
Bypass scope configuration.
containerExec Property Map
containerExecAllowedProcesses List<String>
List of processes that will be allowed.
created String
cve String
defaultSecurityProfile String
description String
The description of the container runtime policy
digest String
driftPreventions List<Property Map>
Drift prevention configuration.
enableCryptoMiningDns Boolean
enableForkGuard Boolean
If true, fork bombs are prevented in the containers.
enableIpReputation Boolean
enablePortScanProtection Boolean
enabled Boolean
Indicates if the runtime policy is enabled or not.
enforce Boolean
Indicates that the policy should affect container execution (not just audit it).
enforceAfterDays Number
Indicates the number of days after which the runtime policy will be changed to enforce mode.
enforceSchedulerAddedOn Number
excludeApplicationScopes List<String>
List of excluded application scopes.
executableBlacklists List<Property Map>
Executable blacklist configuration.
failedKubernetesChecks Property Map
fileBlock Property Map
fileIntegrityMonitoring Property Map
Configuration for file integrity monitoring.
forkGuardProcessLimit Number
Process limit for the fork guard.
imageName String
isAuditChecked Boolean
isAutoGenerated Boolean
isOotbPolicy Boolean
lastupdate Number
limitContainerPrivileges List<Property Map>
Container privileges configuration.
limitNewPrivileges Boolean
If true, prevents the container from obtaining new privileges at runtime (only takes effect when the policy is in enforce mode).
linuxCapabilities Property Map
malwareScanOptions Property Map
Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges Boolean
If true, system time changes will be monitored.
name Changes to this property will trigger replacement. String
Name of the container runtime policy
noNewPrivileges Boolean
onlyRegisteredImages Boolean
packageBlock Property Map
permission String
portBlock Property Map
readonlyFiles Property Map
readonlyRegistry Property Map
registry String
registryAccessMonitoring Property Map
repoName String
resourceName String
resourceType String
restrictedVolumes List<Property Map>
Restricted volumes configuration.
reverseShell Property Map
runtimeMode Number
runtimeType String
scopeExpression String
Logical expression describing how the scope variables are combined.
scopeVariables List<Property Map>
List of scope attributes.
scopes List<Property Map>
Scope configuration.
systemIntegrityProtection Property Map
tripwire Property Map
type String
updated String
version String
vpatchVersion String
whitelistedOsUsers Property Map

Outputs

All input properties are implicitly available as output properties. Additionally, the ContainerRuntimePolicy resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
Id string
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.
id string
The provider-assigned unique ID for this managed resource.
id str
The provider-assigned unique ID for this managed resource.
id String
The provider-assigned unique ID for this managed resource.

Look up Existing ContainerRuntimePolicy Resource

Get an existing ContainerRuntimePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ContainerRuntimePolicyState, opts?: CustomResourceOptions): ContainerRuntimePolicy
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        allowed_executables: Optional[Sequence[ContainerRuntimePolicyAllowedExecutableArgs]] = None,
        allowed_registries: Optional[Sequence[ContainerRuntimePolicyAllowedRegistryArgs]] = None,
        application_scopes: Optional[Sequence[str]] = None,
        audit_all_network_activity: Optional[bool] = None,
        audit_all_processes_activity: Optional[bool] = None,
        audit_brute_force_login: Optional[bool] = None,
        audit_full_command_arguments: Optional[bool] = None,
        auditing: Optional[ContainerRuntimePolicyAuditingArgs] = None,
        author: Optional[str] = None,
        blacklisted_os_users: Optional[ContainerRuntimePolicyBlacklistedOsUsersArgs] = None,
        block_access_host_network: Optional[bool] = None,
        block_adding_capabilities: Optional[bool] = None,
        block_container_exec: Optional[bool] = None,
        block_cryptocurrency_mining: Optional[bool] = None,
        block_disallowed_images: Optional[bool] = None,
        block_fileless_exec: Optional[bool] = None,
        block_low_port_binding: Optional[bool] = None,
        block_non_compliant_workloads: Optional[bool] = None,
        block_non_k8s_containers: Optional[bool] = None,
        block_privileged_containers: Optional[bool] = None,
        block_root_user: Optional[bool] = None,
        block_use_ipc_namespace: Optional[bool] = None,
        block_use_pid_namespace: Optional[bool] = None,
        block_use_user_namespace: Optional[bool] = None,
        block_use_uts_namespace: Optional[bool] = None,
        blocked_capabilities: Optional[Sequence[str]] = None,
        blocked_executables: Optional[Sequence[str]] = None,
        blocked_files: Optional[Sequence[str]] = None,
        blocked_inbound_ports: Optional[Sequence[str]] = None,
        blocked_outbound_ports: Optional[Sequence[str]] = None,
        blocked_packages: Optional[Sequence[str]] = None,
        blocked_volumes: Optional[Sequence[str]] = None,
        bypass_scopes: Optional[Sequence[ContainerRuntimePolicyBypassScopeArgs]] = None,
        container_exec: Optional[ContainerRuntimePolicyContainerExecArgs] = None,
        container_exec_allowed_processes: Optional[Sequence[str]] = None,
        created: Optional[str] = None,
        cve: Optional[str] = None,
        default_security_profile: Optional[str] = None,
        description: Optional[str] = None,
        digest: Optional[str] = None,
        drift_preventions: Optional[Sequence[ContainerRuntimePolicyDriftPreventionArgs]] = None,
        enable_crypto_mining_dns: Optional[bool] = None,
        enable_fork_guard: Optional[bool] = None,
        enable_ip_reputation: Optional[bool] = None,
        enable_port_scan_protection: Optional[bool] = None,
        enabled: Optional[bool] = None,
        enforce: Optional[bool] = None,
        enforce_after_days: Optional[int] = None,
        enforce_scheduler_added_on: Optional[int] = None,
        exclude_application_scopes: Optional[Sequence[str]] = None,
        executable_blacklists: Optional[Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]] = None,
        failed_kubernetes_checks: Optional[ContainerRuntimePolicyFailedKubernetesChecksArgs] = None,
        file_block: Optional[ContainerRuntimePolicyFileBlockArgs] = None,
        file_integrity_monitoring: Optional[ContainerRuntimePolicyFileIntegrityMonitoringArgs] = None,
        fork_guard_process_limit: Optional[int] = None,
        image_name: Optional[str] = None,
        is_audit_checked: Optional[bool] = None,
        is_auto_generated: Optional[bool] = None,
        is_ootb_policy: Optional[bool] = None,
        lastupdate: Optional[int] = None,
        limit_container_privileges: Optional[Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]] = None,
        limit_new_privileges: Optional[bool] = None,
        linux_capabilities: Optional[ContainerRuntimePolicyLinuxCapabilitiesArgs] = None,
        malware_scan_options: Optional[ContainerRuntimePolicyMalwareScanOptionsArgs] = None,
        monitor_system_time_changes: Optional[bool] = None,
        name: Optional[str] = None,
        no_new_privileges: Optional[bool] = None,
        only_registered_images: Optional[bool] = None,
        package_block: Optional[ContainerRuntimePolicyPackageBlockArgs] = None,
        permission: Optional[str] = None,
        port_block: Optional[ContainerRuntimePolicyPortBlockArgs] = None,
        readonly_files: Optional[ContainerRuntimePolicyReadonlyFilesArgs] = None,
        readonly_registry: Optional[ContainerRuntimePolicyReadonlyRegistryArgs] = None,
        registry: Optional[str] = None,
        registry_access_monitoring: Optional[ContainerRuntimePolicyRegistryAccessMonitoringArgs] = None,
        repo_name: Optional[str] = None,
        resource_name: Optional[str] = None,
        resource_type: Optional[str] = None,
        restricted_volumes: Optional[Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]] = None,
        reverse_shell: Optional[ContainerRuntimePolicyReverseShellArgs] = None,
        runtime_mode: Optional[int] = None,
        runtime_type: Optional[str] = None,
        scope_expression: Optional[str] = None,
        scope_variables: Optional[Sequence[ContainerRuntimePolicyScopeVariableArgs]] = None,
        scopes: Optional[Sequence[ContainerRuntimePolicyScopeArgs]] = None,
        system_integrity_protection: Optional[ContainerRuntimePolicySystemIntegrityProtectionArgs] = None,
        tripwire: Optional[ContainerRuntimePolicyTripwireArgs] = None,
        type: Optional[str] = None,
        updated: Optional[str] = None,
        version: Optional[str] = None,
        vpatch_version: Optional[str] = None,
        whitelisted_os_users: Optional[ContainerRuntimePolicyWhitelistedOsUsersArgs] = None) -> ContainerRuntimePolicy
func GetContainerRuntimePolicy(ctx *Context, name string, id IDInput, state *ContainerRuntimePolicyState, opts ...ResourceOption) (*ContainerRuntimePolicy, error)
public static ContainerRuntimePolicy Get(string name, Input<string> id, ContainerRuntimePolicyState? state, CustomResourceOptions? opts = null)
public static ContainerRuntimePolicy get(String name, Output<String> id, ContainerRuntimePolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AllowedExecutables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAllowedExecutable>
Allowed executables configuration.
AllowedRegistries List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAllowedRegistry>
Allowed registries configuration.
ApplicationScopes List<string>
Indicates the application scope of the service.
AuditAllNetworkActivity bool
If true, all network activity will be audited.
AuditAllProcessesActivity bool
If true, all process activity will be audited.
AuditBruteForceLogin bool
Detects brute force login attempts
AuditFullCommandArguments bool
If true, full command arguments will be audited.
Auditing Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyAuditing
Author string
Username of the account that created the service.
BlacklistedOsUsers Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBlacklistedOsUsers
BlockAccessHostNetwork bool
If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool
If true, prevents containers from running with additional capabilities added via --cap-add.
BlockContainerExec bool
If true, exec into a container is prevented.
BlockCryptocurrencyMining bool
Detects and prevents communication with DNS names and IP addresses known to be used for cryptocurrency mining.
BlockDisallowedImages bool
BlockFilelessExec bool
Detects and prevents in-memory (fileless) code execution.
BlockLowPortBinding bool
If true, prevents containers from running with the capability to bind to ports lower than 1024.
BlockNonCompliantWorkloads bool
If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool
If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool
If true, prevent containers from running with privileged container capability.
BlockRootUser bool
If true, prevent containers from running with root user.
BlockUseIpcNamespace bool
If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool
If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool
If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool
If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities List<string>
List of Unix capabilities that containers are prevented from using.
BlockedExecutables List<string>
List of executables that are prevented from running in containers.
BlockedFiles List<string>
List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts List<string>
List of blocked inbound ports.
BlockedOutboundPorts List<string>
List of blocked outbound ports.
BlockedPackages List<string>
Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes List<string>
List of volumes that are prevented from being mounted in the containers.
BypassScopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBypassScope>
Bypass scope configuration.
ContainerExec Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyContainerExec
ContainerExecAllowedProcesses List<string>
List of processes that will be allowed.
Created string
Cve string
DefaultSecurityProfile string
Description string
The description of the container runtime policy
Digest string
DriftPreventions List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyDriftPrevention>
Drift prevention configuration.
EnableCryptoMiningDns bool
EnableForkGuard bool
If true, fork bombs are prevented in the containers.
EnableIpReputation bool
EnablePortScanProtection bool
Enabled bool
Indicates if the runtime policy is enabled or not.
Enforce bool
Indicates that the policy should affect container execution (enforce), not just audit it.
EnforceAfterDays int
Indicates the number of days after which the runtime policy will be changed to enforce mode.
EnforceSchedulerAddedOn int
ExcludeApplicationScopes List<string>
List of excluded application scopes.
ExecutableBlacklists List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyExecutableBlacklist>
Executable blacklist configuration.
FailedKubernetesChecks Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFailedKubernetesChecks
FileBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileBlock
FileIntegrityMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyFileIntegrityMonitoring
Configuration for file integrity monitoring.
ForkGuardProcessLimit int
Process limit for the fork guard.
ImageName string
IsAuditChecked bool
IsAutoGenerated bool
IsOotbPolicy bool
Lastupdate int
LimitContainerPrivileges List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyLimitContainerPrivilege>
Container privileges configuration.
LimitNewPrivileges bool
If true, prevents the container from obtaining new privileges at runtime (only takes effect in enforce mode).
LinuxCapabilities Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyLinuxCapabilities
MalwareScanOptions Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyMalwareScanOptions
Configuration for Real-Time Malware Protection.
MonitorSystemTimeChanges bool
If true, system time changes will be monitored.
Name Changes to this property will trigger replacement. string
Name of the container runtime policy
NoNewPrivileges bool
OnlyRegisteredImages bool
PackageBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyPackageBlock
Permission string
PortBlock Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyPortBlock
ReadonlyFiles Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReadonlyFiles
ReadonlyRegistry Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReadonlyRegistry
Registry string
RegistryAccessMonitoring Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyRegistryAccessMonitoring
RepoName string
ResourceName string
ResourceType string
RestrictedVolumes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyRestrictedVolume>
Restricted volumes configuration.
ReverseShell Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyReverseShell
RuntimeMode int
RuntimeType string
ScopeExpression string
Logical expression of how to compute the dependency of the scope variables.
ScopeVariables List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>
List of scope attributes.
Scopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScope>
Scope configuration.
SystemIntegrityProtection Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicySystemIntegrityProtection
Tripwire Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyTripwire
Type string
Updated string
Version string
VpatchVersion string
WhitelistedOsUsers Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyWhitelistedOsUsers
AllowedExecutables []ContainerRuntimePolicyAllowedExecutableArgs
Allowed executables configuration.
AllowedRegistries []ContainerRuntimePolicyAllowedRegistryArgs
Allowed registries configuration.
ApplicationScopes []string
Indicates the application scope of the service.
AuditAllNetworkActivity bool
If true, all network activity will be audited.
AuditAllProcessesActivity bool
If true, all process activity will be audited.
AuditBruteForceLogin bool
Detects brute force login attempts
AuditFullCommandArguments bool
If true, full command arguments will be audited.
Auditing ContainerRuntimePolicyAuditingArgs
Author string
Username of the account that created the service.
BlacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsersArgs
BlockAccessHostNetwork bool
If true, prevent containers from running with access to host network.
BlockAddingCapabilities bool
If true, prevents containers from running with additional capabilities added via --cap-add.
BlockContainerExec bool
If true, exec into a container is prevented.
BlockCryptocurrencyMining bool
Detects and prevents communication with DNS names and IP addresses known to be used for cryptocurrency mining.
BlockDisallowedImages bool
BlockFilelessExec bool
Detects and prevents in-memory (fileless) code execution.
BlockLowPortBinding bool
If true, prevents containers from running with the capability to bind to ports lower than 1024.
BlockNonCompliantWorkloads bool
If true, running containers in non-compliant pods is prevented.
BlockNonK8sContainers bool
If true, running non-kubernetes containers is prevented.
BlockPrivilegedContainers bool
If true, prevent containers from running with privileged container capability.
BlockRootUser bool
If true, prevent containers from running with root user.
BlockUseIpcNamespace bool
If true, prevent containers from running with the privilege to use the IPC namespace.
BlockUsePidNamespace bool
If true, prevent containers from running with the privilege to use the PID namespace.
BlockUseUserNamespace bool
If true, prevent containers from running with the privilege to use the user namespace.
BlockUseUtsNamespace bool
If true, prevent containers from running with the privilege to use the UTS namespace.
BlockedCapabilities []string
List of Unix capabilities that containers are prevented from using.
BlockedExecutables []string
List of executables that are prevented from running in containers.
BlockedFiles []string
List of files that are prevented from being read, modified and executed in the containers.
BlockedInboundPorts []string
List of blocked inbound ports.
BlockedOutboundPorts []string
List of blocked outbound ports.
BlockedPackages []string
Prevent containers from reading, writing, or executing all files in the list of packages.
BlockedVolumes []string
List of volumes that are prevented from being mounted in the containers.
BypassScopes []ContainerRuntimePolicyBypassScopeArgs
Bypass scope configuration.
ContainerExec ContainerRuntimePolicyContainerExecArgs
ContainerExecAllowedProcesses []string
List of processes that will be allowed.
Created string
Cve string
DefaultSecurityProfile string
Description string
The description of the container runtime policy
Digest string
DriftPreventions []ContainerRuntimePolicyDriftPreventionArgs
Drift prevention configuration.
EnableCryptoMiningDns bool
EnableForkGuard bool
If true, fork bombs are prevented in the containers.
EnableIpReputation bool
EnablePortScanProtection bool
Enabled bool
Indicates if the runtime policy is enabled or not.
Enforce bool
Indicates that the policy should affect container execution (enforce), not just audit it.
EnforceAfterDays int
Indicates the number of days after which the runtime policy will be changed to enforce mode.
EnforceSchedulerAddedOn int
ExcludeApplicationScopes []string
List of excluded application scopes.
ExecutableBlacklists []ContainerRuntimePolicyExecutableBlacklistArgs
Executable blacklist configuration.
FailedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecksArgs
FileBlock ContainerRuntimePolicyFileBlockArgs
FileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs
Configuration for file integrity monitoring.
ForkGuardProcessLimit int
Process limit for the fork guard.
ImageName string
IsAuditChecked bool
IsAutoGenerated bool
IsOotbPolicy bool
Lastupdate int
LimitContainerPrivileges []ContainerRuntimePolicyLimitContainerPrivilegeArgs
Container privileges configuration.
LimitNewPrivileges bool
If true, prevents the container from obtaining new privileges at runtime (only takes effect in enforce mode).
LinuxCapabilities ContainerRuntimePolicyLinuxCapabilitiesArgs
MalwareScanOptions ContainerRuntimePolicyMalwareScanOptionsArgs
Configuration for Real-Time Malware Protection.
MonitorSystemTimeChanges bool
If true, system time changes will be monitored.
Name Changes to this property will trigger replacement. string
Name of the container runtime policy
NoNewPrivileges bool
OnlyRegisteredImages bool
PackageBlock ContainerRuntimePolicyPackageBlockArgs
Permission string
PortBlock ContainerRuntimePolicyPortBlockArgs
ReadonlyFiles ContainerRuntimePolicyReadonlyFilesArgs
ReadonlyRegistry ContainerRuntimePolicyReadonlyRegistryArgs
Registry string
RegistryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoringArgs
RepoName string
ResourceName string
ResourceType string
RestrictedVolumes []ContainerRuntimePolicyRestrictedVolumeArgs
Restricted volumes configuration.
ReverseShell ContainerRuntimePolicyReverseShellArgs
RuntimeMode int
RuntimeType string
ScopeExpression string
Logical expression of how to compute the dependency of the scope variables.
ScopeVariables []ContainerRuntimePolicyScopeVariableArgs
List of scope attributes.
Scopes []ContainerRuntimePolicyScopeArgs
Scope configuration.
SystemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtectionArgs
Tripwire ContainerRuntimePolicyTripwireArgs
Type string
Updated string
Version string
VpatchVersion string
WhitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsersArgs
allowedExecutables List<ContainerRuntimePolicyAllowedExecutable>
Allowed executables configuration.
allowedRegistries List<ContainerRuntimePolicyAllowedRegistry>
Allowed registries configuration.
applicationScopes List<String>
Indicates the application scope of the service.
auditAllNetworkActivity Boolean
If true, all network activity will be audited.
auditAllProcessesActivity Boolean
If true, all process activity will be audited.
auditBruteForceLogin Boolean
Detects brute force login attempts
auditFullCommandArguments Boolean
If true, full command arguments will be audited.
auditing ContainerRuntimePolicyAuditing
author String
Username of the account that created the service.
blacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsers
blockAccessHostNetwork Boolean
If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean
If true, prevents containers from running with additional capabilities added via --cap-add.
blockContainerExec Boolean
If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean
Detects and prevents communication with DNS names and IP addresses known to be used for cryptocurrency mining.
blockDisallowedImages Boolean
blockFilelessExec Boolean
Detects and prevents in-memory (fileless) code execution.
blockLowPortBinding Boolean
If true, prevents containers from running with the capability to bind to ports lower than 1024.
blockNonCompliantWorkloads Boolean
If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean
If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean
If true, prevent containers from running with privileged container capability.
blockRootUser Boolean
If true, prevent containers from running with root user.
blockUseIpcNamespace Boolean
If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean
If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean
If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean
If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>
List of Unix capabilities that containers are prevented from using.
blockedExecutables List<String>
List of executables that are prevented from running in containers.
blockedFiles List<String>
List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts List<String>
List of blocked inbound ports.
blockedOutboundPorts List<String>
List of blocked outbound ports.
blockedPackages List<String>
Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes List<String>
List of volumes that are prevented from being mounted in the containers.
bypassScopes List<ContainerRuntimePolicyBypassScope>
Bypass scope configuration.
containerExec ContainerRuntimePolicyContainerExec
containerExecAllowedProcesses List<String>
List of processes that will be allowed.
created String
cve String
defaultSecurityProfile String
description String
The description of the container runtime policy
digest String
driftPreventions List<ContainerRuntimePolicyDriftPrevention>
Drift prevention configuration.
enableCryptoMiningDns Boolean
enableForkGuard Boolean
If true, fork bombs are prevented in the containers.
enableIpReputation Boolean
enablePortScanProtection Boolean
enabled Boolean
Indicates if the runtime policy is enabled or not.
enforce Boolean
Indicates that the policy should affect container execution (enforce), not just audit it.
enforceAfterDays Integer
Indicates the number of days after which the runtime policy will be changed to enforce mode.
enforceSchedulerAddedOn Integer
excludeApplicationScopes List<String>
List of excluded application scopes.
executableBlacklists List<ContainerRuntimePolicyExecutableBlacklist>
Executable blacklist configuration.
failedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecks
fileBlock ContainerRuntimePolicyFileBlock
fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring
Configuration for file integrity monitoring.
forkGuardProcessLimit Integer
Process limit for the fork guard.
imageName String
isAuditChecked Boolean
isAutoGenerated Boolean
isOotbPolicy Boolean
lastupdate Integer
limitContainerPrivileges List<ContainerRuntimePolicyLimitContainerPrivilege>
Container privileges configuration.
limitNewPrivileges Boolean
If true, prevents the container from obtaining new privileges at runtime (only takes effect in enforce mode).
linuxCapabilities ContainerRuntimePolicyLinuxCapabilities
malwareScanOptions ContainerRuntimePolicyMalwareScanOptions
Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges Boolean
If true, system time changes will be monitored.
name Changes to this property will trigger replacement. String
Name of the container runtime policy
noNewPrivileges Boolean
onlyRegisteredImages Boolean
packageBlock ContainerRuntimePolicyPackageBlock
permission String
portBlock ContainerRuntimePolicyPortBlock
readonlyFiles ContainerRuntimePolicyReadonlyFiles
readonlyRegistry ContainerRuntimePolicyReadonlyRegistry
registry String
registryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoring
repoName String
resourceName String
resourceType String
restrictedVolumes List<ContainerRuntimePolicyRestrictedVolume>
Restricted volumes configuration.
reverseShell ContainerRuntimePolicyReverseShell
runtimeMode Integer
runtimeType String
scopeExpression String
Logical expression of how to compute the dependency of the scope variables.
scopeVariables List<ContainerRuntimePolicyScopeVariable>
List of scope attributes.
scopes List<ContainerRuntimePolicyScope>
Scope configuration.
systemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtection
tripwire ContainerRuntimePolicyTripwire
type String
updated String
version String
vpatchVersion String
whitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsers
allowedExecutables ContainerRuntimePolicyAllowedExecutable[]
Allowed executables configuration.
allowedRegistries ContainerRuntimePolicyAllowedRegistry[]
Allowed registries configuration.
applicationScopes string[]
Indicates the application scope of the service.
auditAllNetworkActivity boolean
If true, all network activity will be audited.
auditAllProcessesActivity boolean
If true, all process activity will be audited.
auditBruteForceLogin boolean
Detects brute force login attempts
auditFullCommandArguments boolean
If true, full command arguments will be audited.
auditing ContainerRuntimePolicyAuditing
author string
Username of the account that created the service.
blacklistedOsUsers ContainerRuntimePolicyBlacklistedOsUsers
blockAccessHostNetwork boolean
If true, prevent containers from running with access to host network.
blockAddingCapabilities boolean
If true, prevents containers from running with additional capabilities added via --cap-add.
blockContainerExec boolean
If true, exec into a container is prevented.
blockCryptocurrencyMining boolean
Detects and prevents communication with DNS names and IP addresses known to be used for cryptocurrency mining.
blockDisallowedImages boolean
blockFilelessExec boolean
Detects and prevents in-memory (fileless) code execution.
blockLowPortBinding boolean
If true, prevents containers from running with the capability to bind to ports lower than 1024.
blockNonCompliantWorkloads boolean
If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers boolean
If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers boolean
If true, prevent containers from running with privileged container capability.
blockRootUser boolean
If true, prevent containers from running with root user.
blockUseIpcNamespace boolean
If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace boolean
If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace boolean
If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace boolean
If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities string[]
List of Unix capabilities that containers are prevented from using.
blockedExecutables string[]
List of executables that are prevented from running in containers.
blockedFiles string[]
List of files that are prevented from being read, modified and executed in the containers.
blockedInboundPorts string[]
List of blocked inbound ports.
blockedOutboundPorts string[]
List of blocked outbound ports.
blockedPackages string[]
Prevent containers from reading, writing, or executing all files in the list of packages.
blockedVolumes string[]
List of volumes that are prevented from being mounted in the containers.
bypassScopes ContainerRuntimePolicyBypassScope[]
Bypass scope configuration.
containerExec ContainerRuntimePolicyContainerExec
containerExecAllowedProcesses string[]
List of processes that will be allowed.
created string
cve string
defaultSecurityProfile string
description string
The description of the container runtime policy
digest string
driftPreventions ContainerRuntimePolicyDriftPrevention[]
Drift prevention configuration.
enableCryptoMiningDns boolean
enableForkGuard boolean
If true, fork bombs are prevented in the containers.
enableIpReputation boolean
enablePortScanProtection boolean
enabled boolean
Indicates if the runtime policy is enabled or not.
enforce boolean
Indicates that the policy should affect container execution (enforce), not just audit it.
enforceAfterDays number
Indicates the number of days after which the runtime policy will be changed to enforce mode.
enforceSchedulerAddedOn number
excludeApplicationScopes string[]
List of excluded application scopes.
executableBlacklists ContainerRuntimePolicyExecutableBlacklist[]
Executable blacklist configuration.
failedKubernetesChecks ContainerRuntimePolicyFailedKubernetesChecks
fileBlock ContainerRuntimePolicyFileBlock
fileIntegrityMonitoring ContainerRuntimePolicyFileIntegrityMonitoring
Configuration for file integrity monitoring.
forkGuardProcessLimit number
Process limit for the fork guard.
imageName string
isAuditChecked boolean
isAutoGenerated boolean
isOotbPolicy boolean
lastupdate number
limitContainerPrivileges ContainerRuntimePolicyLimitContainerPrivilege[]
Container privileges configuration.
limitNewPrivileges boolean
If true, prevents the container from obtaining new privileges at runtime (only takes effect in enforce mode).
linuxCapabilities ContainerRuntimePolicyLinuxCapabilities
malwareScanOptions ContainerRuntimePolicyMalwareScanOptions
Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges boolean
If true, system time changes will be monitored.
name Changes to this property will trigger replacement. string
Name of the container runtime policy
noNewPrivileges boolean
onlyRegisteredImages boolean
packageBlock ContainerRuntimePolicyPackageBlock
permission string
portBlock ContainerRuntimePolicyPortBlock
readonlyFiles ContainerRuntimePolicyReadonlyFiles
readonlyRegistry ContainerRuntimePolicyReadonlyRegistry
registry string
registryAccessMonitoring ContainerRuntimePolicyRegistryAccessMonitoring
repoName string
resourceName string
resourceType string
restrictedVolumes ContainerRuntimePolicyRestrictedVolume[]
Restricted volumes configuration.
reverseShell ContainerRuntimePolicyReverseShell
runtimeMode number
runtimeType string
scopeExpression string
Logical expression of how to compute the dependency of the scope variables.
scopeVariables ContainerRuntimePolicyScopeVariable[]
List of scope attributes.
scopes ContainerRuntimePolicyScope[]
Scope configuration.
systemIntegrityProtection ContainerRuntimePolicySystemIntegrityProtection
tripwire ContainerRuntimePolicyTripwire
type string
updated string
version string
vpatchVersion string
whitelistedOsUsers ContainerRuntimePolicyWhitelistedOsUsers
allowed_executables Sequence[ContainerRuntimePolicyAllowedExecutableArgs]
Allowed executables configuration.
allowed_registries Sequence[ContainerRuntimePolicyAllowedRegistryArgs]
Allowed registries configuration.
application_scopes Sequence[str]
Indicates the application scope of the service.
audit_all_network_activity bool
If true, all network activity will be audited.
audit_all_processes_activity bool
If true, all process activity will be audited.
audit_brute_force_login bool
Detects brute force login attempts
audit_full_command_arguments bool
If true, full command arguments will be audited.
auditing ContainerRuntimePolicyAuditingArgs
author str
Username of the account that created the service.
blacklisted_os_users ContainerRuntimePolicyBlacklistedOsUsersArgs
block_access_host_network bool
If true, prevent containers from running with access to host network.
block_adding_capabilities bool
If true, prevents containers from running with additional capabilities added via --cap-add.
block_container_exec bool
If true, exec into a container is prevented.
block_cryptocurrency_mining bool
Detects and prevents communication with DNS names and IP addresses known to be used for cryptocurrency mining.
block_disallowed_images bool
block_fileless_exec bool
Detects and prevents in-memory (fileless) code execution.
block_low_port_binding bool
If true, prevents containers from running with the capability to bind to ports lower than 1024.
block_non_compliant_workloads bool
If true, running containers in non-compliant pods is prevented.
block_non_k8s_containers bool
If true, running non-kubernetes containers is prevented.
block_privileged_containers bool
If true, prevent containers from running with privileged container capability.
block_root_user bool
If true, prevent containers from running with root user.
block_use_ipc_namespace bool
If true, prevent containers from running with the privilege to use the IPC namespace.
block_use_pid_namespace bool
If true, prevent containers from running with the privilege to use the PID namespace.
block_use_user_namespace bool
If true, prevent containers from running with the privilege to use the user namespace.
block_use_uts_namespace bool
If true, prevent containers from running with the privilege to use the UTS namespace.
blocked_capabilities Sequence[str]
List of Unix capabilities that containers are prevented from using.
blocked_executables Sequence[str]
List of executables that are prevented from running in containers.
blocked_files Sequence[str]
List of files that are prevented from being read, modified and executed in the containers.
blocked_inbound_ports Sequence[str]
List of blocked inbound ports.
blocked_outbound_ports Sequence[str]
List of blocked outbound ports.
blocked_packages Sequence[str]
Prevent containers from reading, writing, or executing all files in the list of packages.
blocked_volumes Sequence[str]
List of volumes that are prevented from being mounted in the containers.
bypass_scopes Sequence[ContainerRuntimePolicyBypassScopeArgs]
Bypass scope configuration.
container_exec ContainerRuntimePolicyContainerExecArgs
container_exec_allowed_processes Sequence[str]
List of processes that will be allowed.
created str
cve str
default_security_profile str
description str
The description of the container runtime policy
digest str
drift_preventions Sequence[ContainerRuntimePolicyDriftPreventionArgs]
Drift prevention configuration.
enable_crypto_mining_dns bool
enable_fork_guard bool
If true, fork bombs are prevented in the containers.
enable_ip_reputation bool
enable_port_scan_protection bool
enabled bool
Indicates if the runtime policy is enabled or not.
enforce bool
Indicates that the policy should affect container execution (enforce), not just audit it.
enforce_after_days int
Indicates the number of days after which the runtime policy will be changed to enforce mode.
enforce_scheduler_added_on int
exclude_application_scopes Sequence[str]
List of excluded application scopes.
executable_blacklists Sequence[ContainerRuntimePolicyExecutableBlacklistArgs]
Executable blacklist configuration.
failed_kubernetes_checks ContainerRuntimePolicyFailedKubernetesChecksArgs
file_block ContainerRuntimePolicyFileBlockArgs
file_integrity_monitoring ContainerRuntimePolicyFileIntegrityMonitoringArgs
Configuration for file integrity monitoring.
fork_guard_process_limit int
Process limit for the fork guard.
image_name str
is_audit_checked bool
is_auto_generated bool
is_ootb_policy bool
lastupdate int
limit_container_privileges Sequence[ContainerRuntimePolicyLimitContainerPrivilegeArgs]
Container privileges configuration.
limit_new_privileges bool
If true, prevents the container from obtaining new privileges at runtime (only takes effect in enforce mode).
linux_capabilities ContainerRuntimePolicyLinuxCapabilitiesArgs
malware_scan_options ContainerRuntimePolicyMalwareScanOptionsArgs
Configuration for Real-Time Malware Protection.
monitor_system_time_changes bool
If true, system time changes will be monitored.
name Changes to this property will trigger replacement. str
Name of the container runtime policy
no_new_privileges bool
only_registered_images bool
package_block ContainerRuntimePolicyPackageBlockArgs
permission str
port_block ContainerRuntimePolicyPortBlockArgs
readonly_files ContainerRuntimePolicyReadonlyFilesArgs
readonly_registry ContainerRuntimePolicyReadonlyRegistryArgs
registry str
registry_access_monitoring ContainerRuntimePolicyRegistryAccessMonitoringArgs
repo_name str
resource_name str
resource_type str
restricted_volumes Sequence[ContainerRuntimePolicyRestrictedVolumeArgs]
Restricted volumes configuration.
reverse_shell ContainerRuntimePolicyReverseShellArgs
runtime_mode int
runtime_type str
scope_expression str
Logical expression of how to compute the dependency of the scope variables.
scope_variables Sequence[ContainerRuntimePolicyScopeVariableArgs]
List of scope attributes.
scopes Sequence[ContainerRuntimePolicyScopeArgs]
Scope configuration.
system_integrity_protection ContainerRuntimePolicySystemIntegrityProtectionArgs
tripwire ContainerRuntimePolicyTripwireArgs
type str
updated str
version str
vpatch_version str
whitelisted_os_users ContainerRuntimePolicyWhitelistedOsUsersArgs
allowedExecutables List<Property Map>
Allowed executables configuration.
allowedRegistries List<Property Map>
Allowed registries configuration.
applicationScopes List<String>
Indicates the application scope of the service.
auditAllNetworkActivity Boolean
If true, all network activity will be audited.
auditAllProcessesActivity Boolean
If true, all process activity will be audited.
auditBruteForceLogin Boolean
If true, brute-force login attempts are detected.
auditFullCommandArguments Boolean
If true, full command arguments will be audited.
auditing Property Map
author String
Username of the account that created the service.
blacklistedOsUsers Property Map
blockAccessHostNetwork Boolean
If true, prevent containers from running with access to host network.
blockAddingCapabilities Boolean
If true, prevent containers from running with additional capabilities granted via --cap-add.
blockContainerExec Boolean
If true, exec into a container is prevented.
blockCryptocurrencyMining Boolean
Detect and prevent communication to DNS/IP addresses known to be used for cryptocurrency mining.
blockDisallowedImages Boolean
blockFilelessExec Boolean
Detect and prevent fileless (in-memory) execution.
blockLowPortBinding Boolean
If true, prevent containers from running with the capability to bind to ports lower than 1024.
blockNonCompliantWorkloads Boolean
If true, running containers in non-compliant pods is prevented.
blockNonK8sContainers Boolean
If true, running non-kubernetes containers is prevented.
blockPrivilegedContainers Boolean
If true, prevent containers from running with privileged container capability.
blockRootUser Boolean
If true, prevent containers from running with root user.
blockUseIpcNamespace Boolean
If true, prevent containers from running with the privilege to use the IPC namespace.
blockUsePidNamespace Boolean
If true, prevent containers from running with the privilege to use the PID namespace.
blockUseUserNamespace Boolean
If true, prevent containers from running with the privilege to use the user namespace.
blockUseUtsNamespace Boolean
If true, prevent containers from running with the privilege to use the UTS namespace.
blockedCapabilities List<String>
List of Unix capabilities that containers are prevented from using.
blockedExecutables List<String>
List of executables that are prevented from running in containers.
blockedFiles List<String>
List of files that are prevented from being read, modified, or executed in the containers.
blockedInboundPorts List<String>
List of blocked inbound ports.
blockedOutboundPorts List<String>
List of blocked outbound ports.
blockedPackages List<String>
List of packages whose files containers are prevented from reading, writing, or executing.
blockedVolumes List<String>
List of volumes that are prevented from being mounted in the containers.
bypassScopes List<Property Map>
Bypass scope configuration.
containerExec Property Map
containerExecAllowedProcesses List<String>
List of processes that will be allowed.
created String
cve String
defaultSecurityProfile String
description String
The description of the container runtime policy
digest String
driftPreventions List<Property Map>
Drift prevention configuration.
enableCryptoMiningDns Boolean
enableForkGuard Boolean
If true, fork bombs are prevented in the containers.
enableIpReputation Boolean
enablePortScanProtection Boolean
enabled Boolean
Indicates if the runtime policy is enabled or not.
enforce Boolean
Indicates that the policy should affect container execution (not just audit it).
enforceAfterDays Number
Indicates the number of days after which the runtime policy will be changed to enforce mode.
enforceSchedulerAddedOn Number
excludeApplicationScopes List<String>
List of excluded application scopes.
executableBlacklists List<Property Map>
Executable blacklist configuration.
failedKubernetesChecks Property Map
fileBlock Property Map
fileIntegrityMonitoring Property Map
Configuration for file integrity monitoring.
forkGuardProcessLimit Number
Process limit for the fork guard.
imageName String
isAuditChecked Boolean
isAutoGenerated Boolean
isOotbPolicy Boolean
lastupdate Number
limitContainerPrivileges List<Property Map>
Container privileges configuration.
limitNewPrivileges Boolean
If true, prevents the container from obtaining new privileges at runtime (only takes effect in enforce mode).
linuxCapabilities Property Map
malwareScanOptions Property Map
Configuration for Real-Time Malware Protection.
monitorSystemTimeChanges Boolean
If true, system time changes will be monitored.
name Changes to this property will trigger replacement. String
Name of the container runtime policy
noNewPrivileges Boolean
onlyRegisteredImages Boolean
packageBlock Property Map
permission String
portBlock Property Map
readonlyFiles Property Map
readonlyRegistry Property Map
registry String
registryAccessMonitoring Property Map
repoName String
resourceName String
resourceType String
restrictedVolumes List<Property Map>
Restricted volumes configuration.
reverseShell Property Map
runtimeMode Number
runtimeType String
scopeExpression String
Logical expression describing how the scope variables are combined.
scopeVariables List<Property Map>
List of scope attributes.
scopes List<Property Map>
Scope configuration.
systemIntegrityProtection Property Map
tripwire Property Map
type String
updated String
version String
vpatchVersion String
whitelistedOsUsers Property Map

Supporting Types

ContainerRuntimePolicyAllowedExecutable
, ContainerRuntimePolicyAllowedExecutableArgs

AllowExecutables List<string>
List of allowed executables.
AllowRootExecutables List<string>
List of allowed root executables.
Enabled bool
Whether allowed executables configuration is enabled.
SeparateExecutables bool
Whether to treat executables separately.
AllowExecutables []string
List of allowed executables.
AllowRootExecutables []string
List of allowed root executables.
Enabled bool
Whether allowed executables configuration is enabled.
SeparateExecutables bool
Whether to treat executables separately.
allowExecutables List<String>
List of allowed executables.
allowRootExecutables List<String>
List of allowed root executables.
enabled Boolean
Whether allowed executables configuration is enabled.
separateExecutables Boolean
Whether to treat executables separately.
allowExecutables string[]
List of allowed executables.
allowRootExecutables string[]
List of allowed root executables.
enabled boolean
Whether allowed executables configuration is enabled.
separateExecutables boolean
Whether to treat executables separately.
allow_executables Sequence[str]
List of allowed executables.
allow_root_executables Sequence[str]
List of allowed root executables.
enabled bool
Whether allowed executables configuration is enabled.
separate_executables bool
Whether to treat executables separately.
allowExecutables List<String>
List of allowed executables.
allowRootExecutables List<String>
List of allowed root executables.
enabled Boolean
Whether allowed executables configuration is enabled.
separateExecutables Boolean
Whether to treat executables separately.

ContainerRuntimePolicyAllowedRegistry
, ContainerRuntimePolicyAllowedRegistryArgs

AllowedRegistries List<string>
List of allowed registries.
Enabled bool
Whether allowed registries are enabled.
AllowedRegistries []string
List of allowed registries.
Enabled bool
Whether allowed registries are enabled.
allowedRegistries List<String>
List of allowed registries.
enabled Boolean
Whether allowed registries are enabled.
allowedRegistries string[]
List of allowed registries.
enabled boolean
Whether allowed registries are enabled.
allowed_registries Sequence[str]
List of allowed registries.
enabled bool
Whether allowed registries are enabled.
allowedRegistries List<String>
List of allowed registries.
enabled Boolean
Whether allowed registries are enabled.

ContainerRuntimePolicyAuditing
, ContainerRuntimePolicyAuditingArgs

ContainerRuntimePolicyBlacklistedOsUsers
, ContainerRuntimePolicyBlacklistedOsUsersArgs

Enabled bool
GroupBlackLists List<string>
UserBlackLists List<string>
enabled Boolean
groupBlackLists List<String>
userBlackLists List<String>
enabled boolean
groupBlackLists string[]
userBlackLists string[]
enabled bool
group_black_lists Sequence[str]
user_black_lists Sequence[str]
enabled Boolean
groupBlackLists List<String>
userBlackLists List<String>

ContainerRuntimePolicyBypassScope
, ContainerRuntimePolicyBypassScopeArgs

Enabled bool
Whether bypassing the scope is enabled.
Scopes List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyBypassScopeScope>
Scope configuration.
Enabled bool
Whether bypassing the scope is enabled.
Scopes []ContainerRuntimePolicyBypassScopeScope
Scope configuration.
enabled Boolean
Whether bypassing the scope is enabled.
scopes List<ContainerRuntimePolicyBypassScopeScope>
Scope configuration.
enabled boolean
Whether bypassing the scope is enabled.
scopes ContainerRuntimePolicyBypassScopeScope[]
Scope configuration.
enabled bool
Whether bypassing the scope is enabled.
scopes Sequence[ContainerRuntimePolicyBypassScopeScope]
Scope configuration.
enabled Boolean
Whether bypassing the scope is enabled.
scopes List<Property Map>
Scope configuration.

ContainerRuntimePolicyBypassScopeScope
, ContainerRuntimePolicyBypassScopeScopeArgs

Expression string
Scope expression.
Variables []ContainerRuntimePolicyBypassScopeScopeVariable
List of variables in the scope.
expression String
Scope expression.
variables List<ContainerRuntimePolicyBypassScopeScopeVariable>
List of variables in the scope.
expression string
Scope expression.
variables ContainerRuntimePolicyBypassScopeScopeVariable[]
List of variables in the scope.
expression str
Scope expression.
variables Sequence[ContainerRuntimePolicyBypassScopeScopeVariable]
List of variables in the scope.
expression String
Scope expression.
variables List<Property Map>
List of variables in the scope.

ContainerRuntimePolicyBypassScopeScopeVariable
, ContainerRuntimePolicyBypassScopeScopeVariableArgs

Attribute string
Variable attribute.
Value string
Variable value.
Attribute string
Variable attribute.
Value string
Variable value.
attribute String
Variable attribute.
value String
Variable value.
attribute string
Variable attribute.
value string
Variable value.
attribute str
Variable attribute.
value str
Variable value.
attribute String
Variable attribute.
value String
Variable value.

ContainerRuntimePolicyContainerExec
, ContainerRuntimePolicyContainerExecArgs

ContainerRuntimePolicyDriftPrevention
, ContainerRuntimePolicyDriftPreventionArgs

Enabled bool
Whether drift prevention is enabled.
ExecLockdown bool
Whether to lockdown execution drift.
ExecLockdownWhiteLists List<string>
List of items in the execution lockdown white list.
ImageLockdown bool
Whether to lockdown image drift.
Enabled bool
Whether drift prevention is enabled.
ExecLockdown bool
Whether to lockdown execution drift.
ExecLockdownWhiteLists []string
List of items in the execution lockdown white list.
ImageLockdown bool
Whether to lockdown image drift.
enabled Boolean
Whether drift prevention is enabled.
execLockdown Boolean
Whether to lockdown execution drift.
execLockdownWhiteLists List<String>
List of items in the execution lockdown white list.
imageLockdown Boolean
Whether to lockdown image drift.
enabled boolean
Whether drift prevention is enabled.
execLockdown boolean
Whether to lockdown execution drift.
execLockdownWhiteLists string[]
List of items in the execution lockdown white list.
imageLockdown boolean
Whether to lockdown image drift.
enabled bool
Whether drift prevention is enabled.
exec_lockdown bool
Whether to lockdown execution drift.
exec_lockdown_white_lists Sequence[str]
List of items in the execution lockdown white list.
image_lockdown bool
Whether to lockdown image drift.
enabled Boolean
Whether drift prevention is enabled.
execLockdown Boolean
Whether to lockdown execution drift.
execLockdownWhiteLists List<String>
List of items in the execution lockdown white list.
imageLockdown Boolean
Whether to lockdown image drift.

ContainerRuntimePolicyExecutableBlacklist
, ContainerRuntimePolicyExecutableBlacklistArgs

Enabled bool
Whether the executable blacklist is enabled.
Executables List<string>
List of blacklisted executables.
Enabled bool
Whether the executable blacklist is enabled.
Executables []string
List of blacklisted executables.
enabled Boolean
Whether the executable blacklist is enabled.
executables List<String>
List of blacklisted executables.
enabled boolean
Whether the executable blacklist is enabled.
executables string[]
List of blacklisted executables.
enabled bool
Whether the executable blacklist is enabled.
executables Sequence[str]
List of blacklisted executables.
enabled Boolean
Whether the executable blacklist is enabled.
executables List<String>
List of blacklisted executables.

ContainerRuntimePolicyFailedKubernetesChecks
, ContainerRuntimePolicyFailedKubernetesChecksArgs

Enabled bool
FailedChecks List<string>
Enabled bool
FailedChecks []string
enabled Boolean
failedChecks List<String>
enabled boolean
failedChecks string[]
enabled bool
failed_checks Sequence[str]
enabled Boolean
failedChecks List<String>

ContainerRuntimePolicyFileBlock
, ContainerRuntimePolicyFileBlockArgs

ContainerRuntimePolicyFileIntegrityMonitoring
, ContainerRuntimePolicyFileIntegrityMonitoringArgs

Enabled bool
If true, file integrity monitoring is enabled.
ExceptionalMonitoredFiles List<string>
List of paths to be excluded from monitoring.
ExceptionalMonitoredFilesProcesses List<string>
List of processes to be excluded from monitoring.
ExceptionalMonitoredFilesUsers List<string>
List of users to be excluded from monitoring.
MonitoredFiles List<string>
List of paths to be monitored.
MonitoredFilesAttributes bool
Whether to monitor file attribute operations.
MonitoredFilesCreate bool
Whether to monitor file create operations.
MonitoredFilesDelete bool
Whether to monitor file delete operations.
MonitoredFilesModify bool
Whether to monitor file modify operations.
MonitoredFilesProcesses List<string>
List of processes associated with monitored files.
MonitoredFilesRead bool
Whether to monitor file read operations.
MonitoredFilesUsers List<string>
List of users associated with monitored files.
Enabled bool
If true, file integrity monitoring is enabled.
ExceptionalMonitoredFiles []string
List of paths to be excluded from monitoring.
ExceptionalMonitoredFilesProcesses []string
List of processes to be excluded from monitoring.
ExceptionalMonitoredFilesUsers []string
List of users to be excluded from monitoring.
MonitoredFiles []string
List of paths to be monitored.
MonitoredFilesAttributes bool
Whether to monitor file attribute operations.
MonitoredFilesCreate bool
Whether to monitor file create operations.
MonitoredFilesDelete bool
Whether to monitor file delete operations.
MonitoredFilesModify bool
Whether to monitor file modify operations.
MonitoredFilesProcesses []string
List of processes associated with monitored files.
MonitoredFilesRead bool
Whether to monitor file read operations.
MonitoredFilesUsers []string
List of users associated with monitored files.
enabled Boolean
If true, file integrity monitoring is enabled.
exceptionalMonitoredFiles List<String>
List of paths to be excluded from monitoring.
exceptionalMonitoredFilesProcesses List<String>
List of processes to be excluded from monitoring.
exceptionalMonitoredFilesUsers List<String>
List of users to be excluded from monitoring.
monitoredFiles List<String>
List of paths to be monitored.
monitoredFilesAttributes Boolean
Whether to monitor file attribute operations.
monitoredFilesCreate Boolean
Whether to monitor file create operations.
monitoredFilesDelete Boolean
Whether to monitor file delete operations.
monitoredFilesModify Boolean
Whether to monitor file modify operations.
monitoredFilesProcesses List<String>
List of processes associated with monitored files.
monitoredFilesRead Boolean
Whether to monitor file read operations.
monitoredFilesUsers List<String>
List of users associated with monitored files.
enabled boolean
If true, file integrity monitoring is enabled.
exceptionalMonitoredFiles string[]
List of paths to be excluded from monitoring.
exceptionalMonitoredFilesProcesses string[]
List of processes to be excluded from monitoring.
exceptionalMonitoredFilesUsers string[]
List of users to be excluded from monitoring.
monitoredFiles string[]
List of paths to be monitored.
monitoredFilesAttributes boolean
Whether to monitor file attribute operations.
monitoredFilesCreate boolean
Whether to monitor file create operations.
monitoredFilesDelete boolean
Whether to monitor file delete operations.
monitoredFilesModify boolean
Whether to monitor file modify operations.
monitoredFilesProcesses string[]
List of processes associated with monitored files.
monitoredFilesRead boolean
Whether to monitor file read operations.
monitoredFilesUsers string[]
List of users associated with monitored files.
enabled bool
If true, file integrity monitoring is enabled.
exceptional_monitored_files Sequence[str]
List of paths to be excluded from monitoring.
exceptional_monitored_files_processes Sequence[str]
List of processes to be excluded from monitoring.
exceptional_monitored_files_users Sequence[str]
List of users to be excluded from monitoring.
monitored_files Sequence[str]
List of paths to be monitored.
monitored_files_attributes bool
Whether to monitor file attribute operations.
monitored_files_create bool
Whether to monitor file create operations.
monitored_files_delete bool
Whether to monitor file delete operations.
monitored_files_modify bool
Whether to monitor file modify operations.
monitored_files_processes Sequence[str]
List of processes associated with monitored files.
monitored_files_read bool
Whether to monitor file read operations.
monitored_files_users Sequence[str]
List of users associated with monitored files.
enabled Boolean
If true, file integrity monitoring is enabled.
exceptionalMonitoredFiles List<String>
List of paths to be excluded from monitoring.
exceptionalMonitoredFilesProcesses List<String>
List of processes to be excluded from monitoring.
exceptionalMonitoredFilesUsers List<String>
List of users to be excluded from monitoring.
monitoredFiles List<String>
List of paths to be monitored.
monitoredFilesAttributes Boolean
Whether to monitor file attribute operations.
monitoredFilesCreate Boolean
Whether to monitor file create operations.
monitoredFilesDelete Boolean
Whether to monitor file delete operations.
monitoredFilesModify Boolean
Whether to monitor file modify operations.
monitoredFilesProcesses List<String>
List of processes associated with monitored files.
monitoredFilesRead Boolean
Whether to monitor file read operations.
monitoredFilesUsers List<String>
List of users associated with monitored files.

ContainerRuntimePolicyLimitContainerPrivilege
, ContainerRuntimePolicyLimitContainerPrivilegeArgs

BlockAddCapabilities bool
Whether to block adding capabilities.
Enabled bool
Whether container privilege limitations are enabled.
Ipcmode bool
Whether to limit IPC-related capabilities.
Netmode bool
Whether to limit network-related capabilities.
Pidmode bool
Whether to limit process-related capabilities.
PreventLowPortBinding bool
Whether to prevent low port binding.
PreventRootUser bool
Whether to prevent the use of the root user.
Privileged bool
Whether the container is run in privileged mode.
UseHostUser bool
Whether to use the host user.
Usermode bool
Whether to limit user-related capabilities.
Utsmode bool
Whether to limit UTS-related capabilities.
BlockAddCapabilities bool
Whether to block adding capabilities.
Enabled bool
Whether container privilege limitations are enabled.
Ipcmode bool
Whether to limit IPC-related capabilities.
Netmode bool
Whether to limit network-related capabilities.
Pidmode bool
Whether to limit process-related capabilities.
PreventLowPortBinding bool
Whether to prevent low port binding.
PreventRootUser bool
Whether to prevent the use of the root user.
Privileged bool
Whether the container is run in privileged mode.
UseHostUser bool
Whether to use the host user.
Usermode bool
Whether to limit user-related capabilities.
Utsmode bool
Whether to limit UTS-related capabilities.
blockAddCapabilities Boolean
Whether to block adding capabilities.
enabled Boolean
Whether container privilege limitations are enabled.
ipcmode Boolean
Whether to limit IPC-related capabilities.
netmode Boolean
Whether to limit network-related capabilities.
pidmode Boolean
Whether to limit process-related capabilities.
preventLowPortBinding Boolean
Whether to prevent low port binding.
preventRootUser Boolean
Whether to prevent the use of the root user.
privileged Boolean
Whether the container is run in privileged mode.
useHostUser Boolean
Whether to use the host user.
usermode Boolean
Whether to limit user-related capabilities.
utsmode Boolean
Whether to limit UTS-related capabilities.
blockAddCapabilities boolean
Whether to block adding capabilities.
enabled boolean
Whether container privilege limitations are enabled.
ipcmode boolean
Whether to limit IPC-related capabilities.
netmode boolean
Whether to limit network-related capabilities.
pidmode boolean
Whether to limit process-related capabilities.
preventLowPortBinding boolean
Whether to prevent low port binding.
preventRootUser boolean
Whether to prevent the use of the root user.
privileged boolean
Whether the container is run in privileged mode.
useHostUser boolean
Whether to use the host user.
usermode boolean
Whether to limit user-related capabilities.
utsmode boolean
Whether to limit UTS-related capabilities.
block_add_capabilities bool
Whether to block adding capabilities.
enabled bool
Whether container privilege limitations are enabled.
ipcmode bool
Whether to limit IPC-related capabilities.
netmode bool
Whether to limit network-related capabilities.
pidmode bool
Whether to limit process-related capabilities.
prevent_low_port_binding bool
Whether to prevent low port binding.
prevent_root_user bool
Whether to prevent the use of the root user.
privileged bool
Whether the container is run in privileged mode.
use_host_user bool
Whether to use the host user.
usermode bool
Whether to limit user-related capabilities.
utsmode bool
Whether to limit UTS-related capabilities.
blockAddCapabilities Boolean
Whether to block adding capabilities.
enabled Boolean
Whether container privilege limitations are enabled.
ipcmode Boolean
Whether to limit IPC-related capabilities.
netmode Boolean
Whether to limit network-related capabilities.
pidmode Boolean
Whether to limit process-related capabilities.
preventLowPortBinding Boolean
Whether to prevent low port binding.
preventRootUser Boolean
Whether to prevent the use of the root user.
privileged Boolean
Whether the container is run in privileged mode.
useHostUser Boolean
Whether to use the host user.
usermode Boolean
Whether to limit user-related capabilities.
utsmode Boolean
Whether to limit UTS-related capabilities.

ContainerRuntimePolicyLinuxCapabilities
, ContainerRuntimePolicyLinuxCapabilitiesArgs

enabled Boolean
removeLinuxCapabilities List<String>
enabled Boolean
removeLinuxCapabilities List<String>

ContainerRuntimePolicyMalwareScanOptions
, ContainerRuntimePolicyMalwareScanOptionsArgs

Action string
Action to take; defaults to 'Alert' when empty.
Enabled bool
Whether Real-Time Malware Protection is enabled.
ExcludeDirectories List<string>
List of registry paths to be excluded from being protected.
ExcludeProcesses List<string>
List of registry processes to be excluded from being protected.
IncludeDirectories List<string>
List of registry paths to be excluded from being protected.
Action string
Action to take; defaults to 'Alert' when empty.
Enabled bool
Whether Real-Time Malware Protection is enabled.
ExcludeDirectories []string
List of registry paths to be excluded from being protected.
ExcludeProcesses []string
List of registry processes to be excluded from being protected.
IncludeDirectories []string
List of registry paths to be excluded from being protected.
action String
Action to take; defaults to 'Alert' when empty.
enabled Boolean
Whether Real-Time Malware Protection is enabled.
excludeDirectories List<String>
List of registry paths to be excluded from being protected.
excludeProcesses List<String>
List of registry processes to be excluded from being protected.
includeDirectories List<String>
List of registry paths to be excluded from being protected.
action string
Action to take; defaults to 'Alert' when empty.
enabled boolean
Whether Real-Time Malware Protection is enabled.
excludeDirectories string[]
List of registry paths to be excluded from being protected.
excludeProcesses string[]
List of registry processes to be excluded from being protected.
includeDirectories string[]
List of registry paths to be excluded from being protected.
action str
Action to take; defaults to 'Alert' when empty.
enabled bool
Whether Real-Time Malware Protection is enabled.
exclude_directories Sequence[str]
List of registry paths to be excluded from being protected.
exclude_processes Sequence[str]
List of registry processes to be excluded from being protected.
include_directories Sequence[str]
List of registry paths to be excluded from being protected.
action String
Action to take; defaults to 'Alert' when empty.
enabled Boolean
Whether Real-Time Malware Protection is enabled.
excludeDirectories List<String>
List of registry paths to be excluded from being protected.
excludeProcesses List<String>
List of registry processes to be excluded from being protected.
includeDirectories List<String>
List of registry paths to be excluded from being protected.

ContainerRuntimePolicyPackageBlock
, ContainerRuntimePolicyPackageBlockArgs

ContainerRuntimePolicyPortBlock
, ContainerRuntimePolicyPortBlockArgs

BlockInboundPorts List<string>
BlockOutboundPorts List<string>
Enabled bool
blockInboundPorts List<String>
blockOutboundPorts List<String>
enabled Boolean
block_inbound_ports Sequence[str]
block_outbound_ports Sequence[str]
enabled bool
blockInboundPorts List<String>
blockOutboundPorts List<String>
enabled Boolean

ContainerRuntimePolicyReadonlyFiles
, ContainerRuntimePolicyReadonlyFilesArgs

ContainerRuntimePolicyReadonlyRegistry
, ContainerRuntimePolicyReadonlyRegistryArgs

ContainerRuntimePolicyRegistryAccessMonitoring
, ContainerRuntimePolicyRegistryAccessMonitoringArgs

ContainerRuntimePolicyRestrictedVolume
, ContainerRuntimePolicyRestrictedVolumeArgs

Enabled bool
Whether restricted volumes are enabled.
Volumes List<string>
List of restricted volumes.
Enabled bool
Whether restricted volumes are enabled.
Volumes []string
List of restricted volumes.
enabled Boolean
Whether restricted volumes are enabled.
volumes List<String>
List of restricted volumes.
enabled boolean
Whether restricted volumes are enabled.
volumes string[]
List of restricted volumes.
enabled bool
Whether restricted volumes are enabled.
volumes Sequence[str]
List of restricted volumes.
enabled Boolean
Whether restricted volumes are enabled.
volumes List<String>
List of restricted volumes.

ContainerRuntimePolicyReverseShell
, ContainerRuntimePolicyReverseShellArgs

ContainerRuntimePolicyScope
, ContainerRuntimePolicyScopeArgs

Expression This property is required. string
Scope expression.
Variables This property is required. List<Pulumiverse.Aquasec.Inputs.ContainerRuntimePolicyScopeVariable>
List of variables in the scope.
Expression This property is required. string
Scope expression.
Variables This property is required. []ContainerRuntimePolicyScopeVariable
List of variables in the scope.
expression This property is required. String
Scope expression.
variables This property is required. List<ContainerRuntimePolicyScopeVariable>
List of variables in the scope.
expression This property is required. string
Scope expression.
variables This property is required. ContainerRuntimePolicyScopeVariable[]
List of variables in the scope.
expression This property is required. str
Scope expression.
variables This property is required. Sequence[ContainerRuntimePolicyScopeVariable]
List of variables in the scope.
expression This property is required. String
Scope expression.
variables This property is required. List<Property Map>
List of variables in the scope.

ContainerRuntimePolicyScopeVariable
, ContainerRuntimePolicyScopeVariableArgs

Attribute This property is required. string
Class of supported scope.
Value This property is required. string
Value assigned to the attribute.
Name string
Name assigned to the attribute.
Attribute This property is required. string
Class of supported scope.
Value This property is required. string
Value assigned to the attribute.
Name string
Name assigned to the attribute.
attribute This property is required. String
Class of supported scope.
value This property is required. String
Value assigned to the attribute.
name String
Name assigned to the attribute.
attribute This property is required. string
Class of supported scope.
value This property is required. string
Value assigned to the attribute.
name string
Name assigned to the attribute.
attribute This property is required. str
Class of supported scope.
value This property is required. str
Value assigned to the attribute.
name str
Name assigned to the attribute.
attribute This property is required. String
Class of supported scope.
value This property is required. String
Value assigned to the attribute.
name String
Name assigned to the attribute.

ContainerRuntimePolicySystemIntegrityProtection
, ContainerRuntimePolicySystemIntegrityProtectionArgs

ContainerRuntimePolicyTripwire
, ContainerRuntimePolicyTripwireArgs

ApplyOns List<string>
Enabled bool
ServerlessApp string
UserId string
UserPassword string
ApplyOns []string
Enabled bool
ServerlessApp string
UserId string
UserPassword string
applyOns List<String>
enabled Boolean
serverlessApp String
userId String
userPassword String
applyOns string[]
enabled boolean
serverlessApp string
userId string
userPassword string
applyOns List<String>
enabled Boolean
serverlessApp String
userId String
userPassword String

ContainerRuntimePolicyWhitelistedOsUsers
, ContainerRuntimePolicyWhitelistedOsUsersArgs

Enabled bool
GroupWhiteLists List<string>
UserWhiteLists List<string>
enabled Boolean
groupWhiteLists List<String>
userWhiteLists List<String>
enabled boolean
groupWhiteLists string[]
userWhiteLists string[]
enabled bool
group_white_lists Sequence[str]
user_white_lists Sequence[str]
enabled Boolean
groupWhiteLists List<String>
userWhiteLists List<String>

Package Details

Repository
aquasec pulumiverse/pulumi-aquasec
License
Apache-2.0
Notes
This Pulumi package is based on the aquasec Terraform Provider.