aquasec.KubernetesAssurancePolicy
Kubernetes Assurance is responsible for checking the security of workload configurations at the pod level, with respect to your organization’s security requirements.
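As an added illustration, not taken from the Pulumi registry or the aquasec provider's own docs, the Pulumi YAML program below declares one KubernetesAssurancePolicy with meaningful values in place of the placeholder "string"/false values shown further down: it rejects pods that run as root, turns on the Kubernetes CIS checks, audits every failure and also blocks it. The project name, policy name, application scope name and the control ID are assumptions; replace them with the values from your own Aqua tenant.

```yaml
# Pulumi.yaml (YAML runtime) -- added example, not part of the provider documentation.
name: k8s-assurance-example            # assumed Pulumi project name
runtime: yaml

resources:
  nonRootWorkloads:
    type: aquasec:KubernetesAssurancePolicy
    properties:
      name: block-root-workloads        # assumed policy name
      description: Fail pods that run as root or violate Kubernetes CIS controls
      enabled: true
      applicationScopes:
        - Global                        # assumed scope name; use the scope that covers your clusters

      # Pod-level checks evaluated by this policy
      onlyNoneRootUsers: true           # fail workloads whose containers run as UID 0
      kubeCisEnabled: true              # apply the Kubernetes CIS benchmark controls
      kubernetesControlsAvdIds:
        - AVD-KSV-PLACEHOLDER           # replace with the control IDs you want enforced

      # What happens when a workload fails the policy
      auditOnFailure: true              # always record the failure for the SOC
      blockFailed: true                 # and block the admission of the failing workload
      failCicd: true                    # surface the same failure in CI/CD scans
      enforce: true
      enforceAfterDays: 7               # assumed meaning: grace period before blocking starts
      policySettings:
        enforce: true
        isAuditChecked: true
        warn: true
        warningMessage: Workload violates the non-root assurance policy
```

Start with blockFailed and policySettings.enforce set to false and auditOnFailure set to true to see which existing workloads would fail before switching to blocking.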
Create KubernetesAssurancePolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
TypeScript:
new KubernetesAssurancePolicy(name: string, args: KubernetesAssurancePolicyArgs, opts?: CustomResourceOptions);
Python:
@overload
def KubernetesAssurancePolicy(resource_name: str,
                              args: KubernetesAssurancePolicyArgs,
                              opts: Optional[ResourceOptions] = None)
@overload
def KubernetesAssurancePolicy(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              application_scopes: Optional[Sequence[str]] = None,
                              aggregated_vulnerability: Optional[Mapping[str, str]] = None,
                              allowed_images: Optional[Sequence[str]] = None,
                              assurance_type: Optional[str] = None,
                              audit_on_failure: Optional[bool] = None,
                              author: Optional[str] = None,
                              auto_scan_configured: Optional[bool] = None,
                              auto_scan_enabled: Optional[bool] = None,
                              auto_scan_times: Optional[Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]] = None,
                              blacklist_permissions: Optional[Sequence[str]] = None,
                              blacklist_permissions_enabled: Optional[bool] = None,
                              blacklisted_licenses: Optional[Sequence[str]] = None,
                              blacklisted_licenses_enabled: Optional[bool] = None,
                              block_failed: Optional[bool] = None,
                              control_exclude_no_fix: Optional[bool] = None,
                              custom_checks: Optional[Sequence[KubernetesAssurancePolicyCustomCheckArgs]] = None,
                              custom_checks_enabled: Optional[bool] = None,
                              custom_severity: Optional[str] = None,
                              custom_severity_enabled: Optional[bool] = None,
                              cves_black_list_enabled: Optional[bool] = None,
                              cves_black_lists: Optional[Sequence[str]] = None,
                              cves_white_list_enabled: Optional[bool] = None,
                              cves_white_lists: Optional[Sequence[str]] = None,
                              cvss_severity: Optional[str] = None,
                              cvss_severity_enabled: Optional[bool] = None,
                              cvss_severity_exclude_no_fix: Optional[bool] = None,
                              description: Optional[str] = None,
                              disallow_exploit_types: Optional[Sequence[str]] = None,
                              disallow_malware: Optional[bool] = None,
                              docker_cis_enabled: Optional[bool] = None,
                              domain: Optional[str] = None,
                              domain_name: Optional[str] = None,
                              dta_enabled: Optional[bool] = None,
                              dta_severity: Optional[str] = None,
                              enabled: Optional[bool] = None,
                              enforce: Optional[bool] = None,
                              enforce_after_days: Optional[int] = None,
                              enforce_excessive_permissions: Optional[bool] = None,
                              exceptional_monitored_malware_paths: Optional[Sequence[str]] = None,
                              exclude_application_scopes: Optional[Sequence[str]] = None,
                              fail_cicd: Optional[bool] = None,
                              forbidden_labels: Optional[Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]] = None,
                              forbidden_labels_enabled: Optional[bool] = None,
                              force_microenforcer: Optional[bool] = None,
                              function_integrity_enabled: Optional[bool] = None,
                              ignore_base_image_vln: Optional[bool] = None,
                              ignore_recently_published_vln: Optional[bool] = None,
                              ignore_recently_published_vln_period: Optional[int] = None,
                              ignore_risk_resources_enabled: Optional[bool] = None,
                              ignored_risk_resources: Optional[Sequence[str]] = None,
                              ignored_sensitive_resources: Optional[Sequence[str]] = None,
                              images: Optional[Sequence[str]] = None,
                              kube_cis_enabled: Optional[bool] = None,
                              kubernetes_controls: Optional[Sequence[KubernetesAssurancePolicyKubernetesControlArgs]] = None,
                              kubernetes_controls_avd_ids: Optional[Sequence[str]] = None,
                              kubernetes_controls_names: Optional[Sequence[str]] = None,
                              labels: Optional[Sequence[str]] = None,
                              lastupdate: Optional[str] = None,
                              linux_cis_enabled: Optional[bool] = None,
                              malware_action: Optional[str] = None,
                              maximum_score: Optional[float] = None,
                              maximum_score_enabled: Optional[bool] = None,
                              maximum_score_exclude_no_fix: Optional[bool] = None,
                              monitored_malware_paths: Optional[Sequence[str]] = None,
                              name: Optional[str] = None,
                              only_none_root_users: Optional[bool] = None,
                              openshift_hardening_enabled: Optional[bool] = None,
                              packages_black_list_enabled: Optional[bool] = None,
                              packages_black_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]] = None,
                              packages_white_list_enabled: Optional[bool] = None,
                              packages_white_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]] = None,
                              partial_results_image_fail: Optional[bool] = None,
                              permission: Optional[str] = None,
                              policy_settings: Optional[KubernetesAssurancePolicyPolicySettingsArgs] = None,
                              read_only: Optional[bool] = None,
                              registries: Optional[Sequence[str]] = None,
                              registry: Optional[str] = None,
                              required_labels: Optional[Sequence[KubernetesAssurancePolicyRequiredLabelArgs]] = None,
                              required_labels_enabled: Optional[bool] = None,
                              scan_malware_in_archives: Optional[bool] = None,
                              scan_nfs_mounts: Optional[bool] = None,
                              scan_process_memory: Optional[bool] = None,
                              scan_sensitive_data: Optional[bool] = None,
                              scan_windows_registry: Optional[bool] = None,
                              scap_enabled: Optional[bool] = None,
                              scap_files: Optional[Sequence[str]] = None,
                              scopes: Optional[Sequence[KubernetesAssurancePolicyScopeArgs]] = None,
                              trusted_base_images: Optional[Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]] = None,
                              trusted_base_images_enabled: Optional[bool] = None,
                              vulnerability_exploitability: Optional[bool] = None,
                              vulnerability_score_ranges: Optional[Sequence[int]] = None,
                              whitelisted_licenses: Optional[Sequence[str]] = None,
                              whitelisted_licenses_enabled: Optional[bool] = None)
Go:
func NewKubernetesAssurancePolicy(ctx *Context, name string, args KubernetesAssurancePolicyArgs, opts ...ResourceOption) (*KubernetesAssurancePolicy, error)
C#:
public KubernetesAssurancePolicy(string name, KubernetesAssurancePolicyArgs args, CustomResourceOptions? opts = null)
Java:
public KubernetesAssurancePolicy(String name, KubernetesAssurancePolicyArgs args)
public KubernetesAssurancePolicy(String name, KubernetesAssurancePolicyArgs args, CustomResourceOptions options)
YAML:
type: aquasec:KubernetesAssurancePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
TypeScript:
- name string
- The unique name of the resource.
- args KubernetesAssurancePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
Python:
- resource_name str
- The unique name of the resource.
- args KubernetesAssurancePolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
Go:
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KubernetesAssurancePolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
C#:
- name string
- The unique name of the resource.
- args KubernetesAssurancePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
Java:
- name String
- The unique name of the resource.
- args KubernetesAssurancePolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
C#:
var kubernetesAssurancePolicyResource = new Aquasec.KubernetesAssurancePolicy("kubernetesAssurancePolicyResource", new()
{
ApplicationScopes = new[]
{
"string",
},
AggregatedVulnerability =
{
{ "string", "string" },
},
AllowedImages = new[]
{
"string",
},
AssuranceType = "string",
AuditOnFailure = false,
Author = "string",
AutoScanConfigured = false,
AutoScanEnabled = false,
AutoScanTimes = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyAutoScanTimeArgs
{
Iteration = 0,
IterationType = "string",
Time = "string",
WeekDays = new[]
{
"string",
},
},
},
BlacklistPermissions = new[]
{
"string",
},
BlacklistPermissionsEnabled = false,
BlacklistedLicenses = new[]
{
"string",
},
BlacklistedLicensesEnabled = false,
BlockFailed = false,
ControlExcludeNoFix = false,
CustomChecks = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyCustomCheckArgs
{
Author = "string",
Description = "string",
Engine = "string",
LastModified = 0,
Name = "string",
Path = "string",
ReadOnly = false,
ScriptId = "string",
Severity = "string",
Snippet = "string",
},
},
CustomChecksEnabled = false,
CustomSeverity = "string",
CustomSeverityEnabled = false,
CvesBlackListEnabled = false,
CvesBlackLists = new[]
{
"string",
},
CvesWhiteListEnabled = false,
CvesWhiteLists = new[]
{
"string",
},
CvssSeverity = "string",
CvssSeverityEnabled = false,
CvssSeverityExcludeNoFix = false,
Description = "string",
DisallowExploitTypes = new[]
{
"string",
},
DisallowMalware = false,
DockerCisEnabled = false,
Domain = "string",
DomainName = "string",
DtaEnabled = false,
DtaSeverity = "string",
Enabled = false,
Enforce = false,
EnforceAfterDays = 0,
EnforceExcessivePermissions = false,
ExceptionalMonitoredMalwarePaths = new[]
{
"string",
},
ExcludeApplicationScopes = new[]
{
"string",
},
FailCicd = false,
ForbiddenLabels = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyForbiddenLabelArgs
{
Key = "string",
Value = "string",
},
},
ForbiddenLabelsEnabled = false,
ForceMicroenforcer = false,
FunctionIntegrityEnabled = false,
IgnoreBaseImageVln = false,
IgnoreRecentlyPublishedVln = false,
IgnoreRecentlyPublishedVlnPeriod = 0,
IgnoreRiskResourcesEnabled = false,
IgnoredRiskResources = new[]
{
"string",
},
IgnoredSensitiveResources = new[]
{
"string",
},
Images = new[]
{
"string",
},
KubeCisEnabled = false,
KubernetesControls = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyKubernetesControlArgs
{
AvdId = "string",
Description = "string",
Enabled = false,
Kind = "string",
Name = "string",
Ootb = false,
ScriptId = 0,
Severity = "string",
},
},
KubernetesControlsAvdIds = new[]
{
"string",
},
KubernetesControlsNames = new[]
{
"string",
},
Labels = new[]
{
"string",
},
Lastupdate = "string",
LinuxCisEnabled = false,
MalwareAction = "string",
MaximumScore = 0,
MaximumScoreEnabled = false,
MaximumScoreExcludeNoFix = false,
MonitoredMalwarePaths = new[]
{
"string",
},
Name = "string",
OnlyNoneRootUsers = false,
OpenshiftHardeningEnabled = false,
PackagesBlackListEnabled = false,
PackagesBlackLists = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyPackagesBlackListArgs
{
Arch = "string",
Display = "string",
Epoch = "string",
Format = "string",
License = "string",
Name = "string",
Release = "string",
Version = "string",
VersionRange = "string",
},
},
PackagesWhiteListEnabled = false,
PackagesWhiteLists = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyPackagesWhiteListArgs
{
Arch = "string",
Display = "string",
Epoch = "string",
Format = "string",
License = "string",
Name = "string",
Release = "string",
Version = "string",
VersionRange = "string",
},
},
PartialResultsImageFail = false,
Permission = "string",
PolicySettings = new Aquasec.Inputs.KubernetesAssurancePolicyPolicySettingsArgs
{
Enforce = false,
IsAuditChecked = false,
Warn = false,
WarningMessage = "string",
},
ReadOnly = false,
Registries = new[]
{
"string",
},
Registry = "string",
RequiredLabels = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyRequiredLabelArgs
{
Key = "string",
Value = "string",
},
},
RequiredLabelsEnabled = false,
ScanMalwareInArchives = false,
ScanNfsMounts = false,
ScanProcessMemory = false,
ScanSensitiveData = false,
ScanWindowsRegistry = false,
ScapEnabled = false,
ScapFiles = new[]
{
"string",
},
Scopes = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyScopeArgs
{
Expression = "string",
Variables = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyScopeVariableArgs
{
Attribute = "string",
Name = "string",
Value = "string",
},
},
},
},
TrustedBaseImages = new[]
{
new Aquasec.Inputs.KubernetesAssurancePolicyTrustedBaseImageArgs
{
Imagename = "string",
Registry = "string",
},
},
TrustedBaseImagesEnabled = false,
VulnerabilityExploitability = false,
VulnerabilityScoreRanges = new[]
{
0,
},
WhitelistedLicenses = new[]
{
"string",
},
WhitelistedLicensesEnabled = false,
});
Go:
example, err := aquasec.NewKubernetesAssurancePolicy(ctx, "kubernetesAssurancePolicyResource", &aquasec.KubernetesAssurancePolicyArgs{
ApplicationScopes: pulumi.StringArray{
pulumi.String("string"),
},
AggregatedVulnerability: pulumi.StringMap{
"string": pulumi.String("string"),
},
AllowedImages: pulumi.StringArray{
pulumi.String("string"),
},
AssuranceType: pulumi.String("string"),
AuditOnFailure: pulumi.Bool(false),
Author: pulumi.String("string"),
AutoScanConfigured: pulumi.Bool(false),
AutoScanEnabled: pulumi.Bool(false),
AutoScanTimes: aquasec.KubernetesAssurancePolicyAutoScanTimeArray{
&aquasec.KubernetesAssurancePolicyAutoScanTimeArgs{
Iteration: pulumi.Int(0),
IterationType: pulumi.String("string"),
Time: pulumi.String("string"),
WeekDays: pulumi.StringArray{
pulumi.String("string"),
},
},
},
BlacklistPermissions: pulumi.StringArray{
pulumi.String("string"),
},
BlacklistPermissionsEnabled: pulumi.Bool(false),
BlacklistedLicenses: pulumi.StringArray{
pulumi.String("string"),
},
BlacklistedLicensesEnabled: pulumi.Bool(false),
BlockFailed: pulumi.Bool(false),
ControlExcludeNoFix: pulumi.Bool(false),
CustomChecks: aquasec.KubernetesAssurancePolicyCustomCheckArray{
&aquasec.KubernetesAssurancePolicyCustomCheckArgs{
Author: pulumi.String("string"),
Description: pulumi.String("string"),
Engine: pulumi.String("string"),
LastModified: pulumi.Int(0),
Name: pulumi.String("string"),
Path: pulumi.String("string"),
ReadOnly: pulumi.Bool(false),
ScriptId: pulumi.String("string"),
Severity: pulumi.String("string"),
Snippet: pulumi.String("string"),
},
},
CustomChecksEnabled: pulumi.Bool(false),
CustomSeverity: pulumi.String("string"),
CustomSeverityEnabled: pulumi.Bool(false),
CvesBlackListEnabled: pulumi.Bool(false),
CvesBlackLists: pulumi.StringArray{
pulumi.String("string"),
},
CvesWhiteListEnabled: pulumi.Bool(false),
CvesWhiteLists: pulumi.StringArray{
pulumi.String("string"),
},
CvssSeverity: pulumi.String("string"),
CvssSeverityEnabled: pulumi.Bool(false),
CvssSeverityExcludeNoFix: pulumi.Bool(false),
Description: pulumi.String("string"),
DisallowExploitTypes: pulumi.StringArray{
pulumi.String("string"),
},
DisallowMalware: pulumi.Bool(false),
DockerCisEnabled: pulumi.Bool(false),
Domain: pulumi.String("string"),
DomainName: pulumi.String("string"),
DtaEnabled: pulumi.Bool(false),
DtaSeverity: pulumi.String("string"),
Enabled: pulumi.Bool(false),
Enforce: pulumi.Bool(false),
EnforceAfterDays: pulumi.Int(0),
EnforceExcessivePermissions: pulumi.Bool(false),
ExceptionalMonitoredMalwarePaths: pulumi.StringArray{
pulumi.String("string"),
},
ExcludeApplicationScopes: pulumi.StringArray{
pulumi.String("string"),
},
FailCicd: pulumi.Bool(false),
ForbiddenLabels: aquasec.KubernetesAssurancePolicyForbiddenLabelArray{
&aquasec.KubernetesAssurancePolicyForbiddenLabelArgs{
Key: pulumi.String("string"),
Value: pulumi.String("string"),
},
},
ForbiddenLabelsEnabled: pulumi.Bool(false),
ForceMicroenforcer: pulumi.Bool(false),
FunctionIntegrityEnabled: pulumi.Bool(false),
IgnoreBaseImageVln: pulumi.Bool(false),
IgnoreRecentlyPublishedVln: pulumi.Bool(false),
IgnoreRecentlyPublishedVlnPeriod: pulumi.Int(0),
IgnoreRiskResourcesEnabled: pulumi.Bool(false),
IgnoredRiskResources: pulumi.StringArray{
pulumi.String("string"),
},
IgnoredSensitiveResources: pulumi.StringArray{
pulumi.String("string"),
},
Images: pulumi.StringArray{
pulumi.String("string"),
},
KubeCisEnabled: pulumi.Bool(false),
KubernetesControls: aquasec.KubernetesAssurancePolicyKubernetesControlArray{
&aquasec.KubernetesAssurancePolicyKubernetesControlArgs{
AvdId: pulumi.String("string"),
Description: pulumi.String("string"),
Enabled: pulumi.Bool(false),
Kind: pulumi.String("string"),
Name: pulumi.String("string"),
Ootb: pulumi.Bool(false),
ScriptId: pulumi.Int(0),
Severity: pulumi.String("string"),
},
},
KubernetesControlsAvdIds: pulumi.StringArray{
pulumi.String("string"),
},
KubernetesControlsNames: pulumi.StringArray{
pulumi.String("string"),
},
Labels: pulumi.StringArray{
pulumi.String("string"),
},
Lastupdate: pulumi.String("string"),
LinuxCisEnabled: pulumi.Bool(false),
MalwareAction: pulumi.String("string"),
MaximumScore: pulumi.Float64(0),
MaximumScoreEnabled: pulumi.Bool(false),
MaximumScoreExcludeNoFix: pulumi.Bool(false),
MonitoredMalwarePaths: pulumi.StringArray{
pulumi.String("string"),
},
Name: pulumi.String("string"),
OnlyNoneRootUsers: pulumi.Bool(false),
OpenshiftHardeningEnabled: pulumi.Bool(false),
PackagesBlackListEnabled: pulumi.Bool(false),
PackagesBlackLists: aquasec.KubernetesAssurancePolicyPackagesBlackListArray{
&aquasec.KubernetesAssurancePolicyPackagesBlackListArgs{
Arch: pulumi.String("string"),
Display: pulumi.String("string"),
Epoch: pulumi.String("string"),
Format: pulumi.String("string"),
License: pulumi.String("string"),
Name: pulumi.String("string"),
Release: pulumi.String("string"),
Version: pulumi.String("string"),
VersionRange: pulumi.String("string"),
},
},
PackagesWhiteListEnabled: pulumi.Bool(false),
PackagesWhiteLists: aquasec.KubernetesAssurancePolicyPackagesWhiteListArray{
&aquasec.KubernetesAssurancePolicyPackagesWhiteListArgs{
Arch: pulumi.String("string"),
Display: pulumi.String("string"),
Epoch: pulumi.String("string"),
Format: pulumi.String("string"),
License: pulumi.String("string"),
Name: pulumi.String("string"),
Release: pulumi.String("string"),
Version: pulumi.String("string"),
VersionRange: pulumi.String("string"),
},
},
PartialResultsImageFail: pulumi.Bool(false),
Permission: pulumi.String("string"),
PolicySettings: &aquasec.KubernetesAssurancePolicyPolicySettingsArgs{
Enforce: pulumi.Bool(false),
IsAuditChecked: pulumi.Bool(false),
Warn: pulumi.Bool(false),
WarningMessage: pulumi.String("string"),
},
ReadOnly: pulumi.Bool(false),
Registries: pulumi.StringArray{
pulumi.String("string"),
},
Registry: pulumi.String("string"),
RequiredLabels: aquasec.KubernetesAssurancePolicyRequiredLabelArray{
&aquasec.KubernetesAssurancePolicyRequiredLabelArgs{
Key: pulumi.String("string"),
Value: pulumi.String("string"),
},
},
RequiredLabelsEnabled: pulumi.Bool(false),
ScanMalwareInArchives: pulumi.Bool(false),
ScanNfsMounts: pulumi.Bool(false),
ScanProcessMemory: pulumi.Bool(false),
ScanSensitiveData: pulumi.Bool(false),
ScanWindowsRegistry: pulumi.Bool(false),
ScapEnabled: pulumi.Bool(false),
ScapFiles: pulumi.StringArray{
pulumi.String("string"),
},
Scopes: aquasec.KubernetesAssurancePolicyScopeArray{
&aquasec.KubernetesAssurancePolicyScopeArgs{
Expression: pulumi.String("string"),
Variables: aquasec.KubernetesAssurancePolicyScopeVariableArray{
&aquasec.KubernetesAssurancePolicyScopeVariableArgs{
Attribute: pulumi.String("string"),
Name: pulumi.String("string"),
Value: pulumi.String("string"),
},
},
},
},
TrustedBaseImages: aquasec.KubernetesAssurancePolicyTrustedBaseImageArray{
&aquasec.KubernetesAssurancePolicyTrustedBaseImageArgs{
Imagename: pulumi.String("string"),
Registry: pulumi.String("string"),
},
},
TrustedBaseImagesEnabled: pulumi.Bool(false),
VulnerabilityExploitability: pulumi.Bool(false),
VulnerabilityScoreRanges: pulumi.IntArray{
pulumi.Int(0),
},
WhitelistedLicenses: pulumi.StringArray{
pulumi.String("string"),
},
WhitelistedLicensesEnabled: pulumi.Bool(false),
})
Java:
var kubernetesAssurancePolicyResource = new KubernetesAssurancePolicy("kubernetesAssurancePolicyResource", KubernetesAssurancePolicyArgs.builder()
.applicationScopes("string")
.aggregatedVulnerability(Map.of("string", "string"))
.allowedImages("string")
.assuranceType("string")
.auditOnFailure(false)
.author("string")
.autoScanConfigured(false)
.autoScanEnabled(false)
.autoScanTimes(KubernetesAssurancePolicyAutoScanTimeArgs.builder()
.iteration(0)
.iterationType("string")
.time("string")
.weekDays("string")
.build())
.blacklistPermissions("string")
.blacklistPermissionsEnabled(false)
.blacklistedLicenses("string")
.blacklistedLicensesEnabled(false)
.blockFailed(false)
.controlExcludeNoFix(false)
.customChecks(KubernetesAssurancePolicyCustomCheckArgs.builder()
.author("string")
.description("string")
.engine("string")
.lastModified(0)
.name("string")
.path("string")
.readOnly(false)
.scriptId("string")
.severity("string")
.snippet("string")
.build())
.customChecksEnabled(false)
.customSeverity("string")
.customSeverityEnabled(false)
.cvesBlackListEnabled(false)
.cvesBlackLists("string")
.cvesWhiteListEnabled(false)
.cvesWhiteLists("string")
.cvssSeverity("string")
.cvssSeverityEnabled(false)
.cvssSeverityExcludeNoFix(false)
.description("string")
.disallowExploitTypes("string")
.disallowMalware(false)
.dockerCisEnabled(false)
.domain("string")
.domainName("string")
.dtaEnabled(false)
.dtaSeverity("string")
.enabled(false)
.enforce(false)
.enforceAfterDays(0)
.enforceExcessivePermissions(false)
.exceptionalMonitoredMalwarePaths("string")
.excludeApplicationScopes("string")
.failCicd(false)
.forbiddenLabels(KubernetesAssurancePolicyForbiddenLabelArgs.builder()
.key("string")
.value("string")
.build())
.forbiddenLabelsEnabled(false)
.forceMicroenforcer(false)
.functionIntegrityEnabled(false)
.ignoreBaseImageVln(false)
.ignoreRecentlyPublishedVln(false)
.ignoreRecentlyPublishedVlnPeriod(0)
.ignoreRiskResourcesEnabled(false)
.ignoredRiskResources("string")
.ignoredSensitiveResources("string")
.images("string")
.kubeCisEnabled(false)
.kubernetesControls(KubernetesAssurancePolicyKubernetesControlArgs.builder()
.avdId("string")
.description("string")
.enabled(false)
.kind("string")
.name("string")
.ootb(false)
.scriptId(0)
.severity("string")
.build())
.kubernetesControlsAvdIds("string")
.kubernetesControlsNames("string")
.labels("string")
.lastupdate("string")
.linuxCisEnabled(false)
.malwareAction("string")
.maximumScore(0)
.maximumScoreEnabled(false)
.maximumScoreExcludeNoFix(false)
.monitoredMalwarePaths("string")
.name("string")
.onlyNoneRootUsers(false)
.openshiftHardeningEnabled(false)
.packagesBlackListEnabled(false)
.packagesBlackLists(KubernetesAssurancePolicyPackagesBlackListArgs.builder()
.arch("string")
.display("string")
.epoch("string")
.format("string")
.license("string")
.name("string")
.release("string")
.version("string")
.versionRange("string")
.build())
.packagesWhiteListEnabled(false)
.packagesWhiteLists(KubernetesAssurancePolicyPackagesWhiteListArgs.builder()
.arch("string")
.display("string")
.epoch("string")
.format("string")
.license("string")
.name("string")
.release("string")
.version("string")
.versionRange("string")
.build())
.partialResultsImageFail(false)
.permission("string")
.policySettings(KubernetesAssurancePolicyPolicySettingsArgs.builder()
.enforce(false)
.isAuditChecked(false)
.warn(false)
.warningMessage("string")
.build())
.readOnly(false)
.registries("string")
.registry("string")
.requiredLabels(KubernetesAssurancePolicyRequiredLabelArgs.builder()
.key("string")
.value("string")
.build())
.requiredLabelsEnabled(false)
.scanMalwareInArchives(false)
.scanNfsMounts(false)
.scanProcessMemory(false)
.scanSensitiveData(false)
.scanWindowsRegistry(false)
.scapEnabled(false)
.scapFiles("string")
.scopes(KubernetesAssurancePolicyScopeArgs.builder()
.expression("string")
.variables(KubernetesAssurancePolicyScopeVariableArgs.builder()
.attribute("string")
.name("string")
.value("string")
.build())
.build())
.trustedBaseImages(KubernetesAssurancePolicyTrustedBaseImageArgs.builder()
.imagename("string")
.registry("string")
.build())
.trustedBaseImagesEnabled(false)
.vulnerabilityExploitability(false)
.vulnerabilityScoreRanges(0)
.whitelistedLicenses("string")
.whitelistedLicensesEnabled(false)
.build());
Python:
kubernetes_assurance_policy_resource = aquasec.KubernetesAssurancePolicy("kubernetesAssurancePolicyResource",
application_scopes=["string"],
aggregated_vulnerability={
"string": "string",
},
allowed_images=["string"],
assurance_type="string",
audit_on_failure=False,
author="string",
auto_scan_configured=False,
auto_scan_enabled=False,
auto_scan_times=[aquasec.KubernetesAssurancePolicyAutoScanTimeArgs(
iteration=0,
iteration_type="string",
time="string",
week_days=["string"],
)],
blacklist_permissions=["string"],
blacklist_permissions_enabled=False,
blacklisted_licenses=["string"],
blacklisted_licenses_enabled=False,
block_failed=False,
control_exclude_no_fix=False,
custom_checks=[aquasec.KubernetesAssurancePolicyCustomCheckArgs(
author="string",
description="string",
engine="string",
last_modified=0,
name="string",
path="string",
read_only=False,
script_id="string",
severity="string",
snippet="string",
)],
custom_checks_enabled=False,
custom_severity="string",
custom_severity_enabled=False,
cves_black_list_enabled=False,
cves_black_lists=["string"],
cves_white_list_enabled=False,
cves_white_lists=["string"],
cvss_severity="string",
cvss_severity_enabled=False,
cvss_severity_exclude_no_fix=False,
description="string",
disallow_exploit_types=["string"],
disallow_malware=False,
docker_cis_enabled=False,
domain="string",
domain_name="string",
dta_enabled=False,
dta_severity="string",
enabled=False,
enforce=False,
enforce_after_days=0,
enforce_excessive_permissions=False,
exceptional_monitored_malware_paths=["string"],
exclude_application_scopes=["string"],
fail_cicd=False,
forbidden_labels=[aquasec.KubernetesAssurancePolicyForbiddenLabelArgs(
key="string",
value="string",
)],
forbidden_labels_enabled=False,
force_microenforcer=False,
function_integrity_enabled=False,
ignore_base_image_vln=False,
ignore_recently_published_vln=False,
ignore_recently_published_vln_period=0,
ignore_risk_resources_enabled=False,
ignored_risk_resources=["string"],
ignored_sensitive_resources=["string"],
images=["string"],
kube_cis_enabled=False,
kubernetes_controls=[aquasec.KubernetesAssurancePolicyKubernetesControlArgs(
avd_id="string",
description="string",
enabled=False,
kind="string",
name="string",
ootb=False,
script_id=0,
severity="string",
)],
kubernetes_controls_avd_ids=["string"],
kubernetes_controls_names=["string"],
labels=["string"],
lastupdate="string",
linux_cis_enabled=False,
malware_action="string",
maximum_score=0,
maximum_score_enabled=False,
maximum_score_exclude_no_fix=False,
monitored_malware_paths=["string"],
name="string",
only_none_root_users=False,
openshift_hardening_enabled=False,
packages_black_list_enabled=False,
packages_black_lists=[aquasec.KubernetesAssurancePolicyPackagesBlackListArgs(
arch="string",
display="string",
epoch="string",
format="string",
license="string",
name="string",
release="string",
version="string",
version_range="string",
)],
packages_white_list_enabled=False,
packages_white_lists=[aquasec.KubernetesAssurancePolicyPackagesWhiteListArgs(
arch="string",
display="string",
epoch="string",
format="string",
license="string",
name="string",
release="string",
version="string",
version_range="string",
)],
partial_results_image_fail=False,
permission="string",
policy_settings=aquasec.KubernetesAssurancePolicyPolicySettingsArgs(
enforce=False,
is_audit_checked=False,
warn=False,
warning_message="string",
),
read_only=False,
registries=["string"],
registry="string",
required_labels=[aquasec.KubernetesAssurancePolicyRequiredLabelArgs(
key="string",
value="string",
)],
required_labels_enabled=False,
scan_malware_in_archives=False,
scan_nfs_mounts=False,
scan_process_memory=False,
scan_sensitive_data=False,
scan_windows_registry=False,
scap_enabled=False,
scap_files=["string"],
scopes=[aquasec.KubernetesAssurancePolicyScopeArgs(
expression="string",
variables=[aquasec.KubernetesAssurancePolicyScopeVariableArgs(
attribute="string",
name="string",
value="string",
)],
)],
trusted_base_images=[aquasec.KubernetesAssurancePolicyTrustedBaseImageArgs(
imagename="string",
registry="string",
)],
trusted_base_images_enabled=False,
vulnerability_exploitability=False,
vulnerability_score_ranges=[0],
whitelisted_licenses=["string"],
whitelisted_licenses_enabled=False)
TypeScript:
const kubernetesAssurancePolicyResource = new aquasec.KubernetesAssurancePolicy("kubernetesAssurancePolicyResource", {
applicationScopes: ["string"],
aggregatedVulnerability: {
string: "string",
},
allowedImages: ["string"],
assuranceType: "string",
auditOnFailure: false,
author: "string",
autoScanConfigured: false,
autoScanEnabled: false,
autoScanTimes: [{
iteration: 0,
iterationType: "string",
time: "string",
weekDays: ["string"],
}],
blacklistPermissions: ["string"],
blacklistPermissionsEnabled: false,
blacklistedLicenses: ["string"],
blacklistedLicensesEnabled: false,
blockFailed: false,
controlExcludeNoFix: false,
customChecks: [{
author: "string",
description: "string",
engine: "string",
lastModified: 0,
name: "string",
path: "string",
readOnly: false,
scriptId: "string",
severity: "string",
snippet: "string",
}],
customChecksEnabled: false,
customSeverity: "string",
customSeverityEnabled: false,
cvesBlackListEnabled: false,
cvesBlackLists: ["string"],
cvesWhiteListEnabled: false,
cvesWhiteLists: ["string"],
cvssSeverity: "string",
cvssSeverityEnabled: false,
cvssSeverityExcludeNoFix: false,
description: "string",
disallowExploitTypes: ["string"],
disallowMalware: false,
dockerCisEnabled: false,
domain: "string",
domainName: "string",
dtaEnabled: false,
dtaSeverity: "string",
enabled: false,
enforce: false,
enforceAfterDays: 0,
enforceExcessivePermissions: false,
exceptionalMonitoredMalwarePaths: ["string"],
excludeApplicationScopes: ["string"],
failCicd: false,
forbiddenLabels: [{
key: "string",
value: "string",
}],
forbiddenLabelsEnabled: false,
forceMicroenforcer: false,
functionIntegrityEnabled: false,
ignoreBaseImageVln: false,
ignoreRecentlyPublishedVln: false,
ignoreRecentlyPublishedVlnPeriod: 0,
ignoreRiskResourcesEnabled: false,
ignoredRiskResources: ["string"],
ignoredSensitiveResources: ["string"],
images: ["string"],
kubeCisEnabled: false,
kubernetesControls: [{
avdId: "string",
description: "string",
enabled: false,
kind: "string",
name: "string",
ootb: false,
scriptId: 0,
severity: "string",
}],
kubernetesControlsAvdIds: ["string"],
kubernetesControlsNames: ["string"],
labels: ["string"],
lastupdate: "string",
linuxCisEnabled: false,
malwareAction: "string",
maximumScore: 0,
maximumScoreEnabled: false,
maximumScoreExcludeNoFix: false,
monitoredMalwarePaths: ["string"],
name: "string",
onlyNoneRootUsers: false,
openshiftHardeningEnabled: false,
packagesBlackListEnabled: false,
packagesBlackLists: [{
arch: "string",
display: "string",
epoch: "string",
format: "string",
license: "string",
name: "string",
release: "string",
version: "string",
versionRange: "string",
}],
packagesWhiteListEnabled: false,
packagesWhiteLists: [{
arch: "string",
display: "string",
epoch: "string",
format: "string",
license: "string",
name: "string",
release: "string",
version: "string",
versionRange: "string",
}],
partialResultsImageFail: false,
permission: "string",
policySettings: {
enforce: false,
isAuditChecked: false,
warn: false,
warningMessage: "string",
},
readOnly: false,
registries: ["string"],
registry: "string",
requiredLabels: [{
key: "string",
value: "string",
}],
requiredLabelsEnabled: false,
scanMalwareInArchives: false,
scanNfsMounts: false,
scanProcessMemory: false,
scanSensitiveData: false,
scanWindowsRegistry: false,
scapEnabled: false,
scapFiles: ["string"],
scopes: [{
expression: "string",
variables: [{
attribute: "string",
name: "string",
value: "string",
}],
}],
trustedBaseImages: [{
imagename: "string",
registry: "string",
}],
trustedBaseImagesEnabled: false,
vulnerabilityExploitability: false,
vulnerabilityScoreRanges: [0],
whitelistedLicenses: ["string"],
whitelistedLicensesEnabled: false,
});
type: aquasec:KubernetesAssurancePolicy
properties:
    aggregatedVulnerability:
        string: string
    allowedImages:
        - string
    applicationScopes:
        - string
    assuranceType: string
    auditOnFailure: false
    author: string
    autoScanConfigured: false
    autoScanEnabled: false
    autoScanTimes:
        - iteration: 0
          iterationType: string
          time: string
          weekDays:
            - string
    blacklistPermissions:
        - string
    blacklistPermissionsEnabled: false
    blacklistedLicenses:
        - string
    blacklistedLicensesEnabled: false
    blockFailed: false
    controlExcludeNoFix: false
    customChecks:
        - author: string
          description: string
          engine: string
          lastModified: 0
          name: string
          path: string
          readOnly: false
          scriptId: string
          severity: string
          snippet: string
    customChecksEnabled: false
    customSeverity: string
    customSeverityEnabled: false
    cvesBlackListEnabled: false
    cvesBlackLists:
        - string
    cvesWhiteListEnabled: false
    cvesWhiteLists:
        - string
    cvssSeverity: string
    cvssSeverityEnabled: false
    cvssSeverityExcludeNoFix: false
    description: string
    disallowExploitTypes:
        - string
    disallowMalware: false
    dockerCisEnabled: false
    domain: string
    domainName: string
    dtaEnabled: false
    dtaSeverity: string
    enabled: false
    enforce: false
    enforceAfterDays: 0
    enforceExcessivePermissions: false
    exceptionalMonitoredMalwarePaths:
        - string
    excludeApplicationScopes:
        - string
    failCicd: false
    forbiddenLabels:
        - key: string
          value: string
    forbiddenLabelsEnabled: false
    forceMicroenforcer: false
    functionIntegrityEnabled: false
    ignoreBaseImageVln: false
    ignoreRecentlyPublishedVln: false
    ignoreRecentlyPublishedVlnPeriod: 0
    ignoreRiskResourcesEnabled: false
    ignoredRiskResources:
        - string
    ignoredSensitiveResources:
        - string
    images:
        - string
    kubeCisEnabled: false
    kubernetesControls:
        - avdId: string
          description: string
          enabled: false
          kind: string
          name: string
          ootb: false
          scriptId: 0
          severity: string
    kubernetesControlsAvdIds:
        - string
    kubernetesControlsNames:
        - string
    labels:
        - string
    lastupdate: string
    linuxCisEnabled: false
    malwareAction: string
    maximumScore: 0
    maximumScoreEnabled: false
    maximumScoreExcludeNoFix: false
    monitoredMalwarePaths:
        - string
    name: string
    onlyNoneRootUsers: false
    openshiftHardeningEnabled: false
    packagesBlackListEnabled: false
    packagesBlackLists:
        - arch: string
          display: string
          epoch: string
          format: string
          license: string
          name: string
          release: string
          version: string
          versionRange: string
    packagesWhiteListEnabled: false
    packagesWhiteLists:
        - arch: string
          display: string
          epoch: string
          format: string
          license: string
          name: string
          release: string
          version: string
          versionRange: string
    partialResultsImageFail: false
    permission: string
    policySettings:
        enforce: false
        isAuditChecked: false
        warn: false
        warningMessage: string
    readOnly: false
    registries:
        - string
    registry: string
    requiredLabels:
        - key: string
          value: string
    requiredLabelsEnabled: false
    scanMalwareInArchives: false
    scanNfsMounts: false
    scanProcessMemory: false
    scanSensitiveData: false
    scanWindowsRegistry: false
    scapEnabled: false
    scapFiles:
        - string
    scopes:
        - expression: string
          variables:
            - attribute: string
              name: string
              value: string
    trustedBaseImages:
        - imagename: string
          registry: string
    trustedBaseImagesEnabled: false
    vulnerabilityExploitability: false
    vulnerabilityScoreRanges:
        - 0
    whitelistedLicenses:
        - string
    whitelistedLicensesEnabled: false
KubernetesAssurancePolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The KubernetesAssurancePolicy resource accepts the following input properties:
C#
- ApplicationScopes List<string>
- AggregatedVulnerability Dictionary<string, string> - Aggregated vulnerability information.
- AllowedImages List<string> - List of explicitly allowed images.
- AssuranceType string - What type of assurance policy is described.
- AuditOnFailure bool - Indicates if auditing for failures.
- Author string - Name of user account that created the policy.
- AutoScanConfigured bool
- AutoScanEnabled bool
- AutoScanTimes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyAutoScanTime>
- BlacklistPermissions List<string> - List of function's forbidden permissions.
- BlacklistPermissionsEnabled bool - Indicates if blacklist permissions is relevant.
- BlacklistedLicenses List<string> - List of blacklisted licenses.
- BlacklistedLicensesEnabled bool - Indicates if license blacklist is relevant.
- BlockFailed bool - Indicates if failed images are blocked.
- ControlExcludeNoFix bool
- CustomChecks List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyCustomCheck> - List of custom user scripts for checks.
- CustomChecksEnabled bool - Indicates if scanning should include custom checks.
- CustomSeverity string
- CustomSeverityEnabled bool
- CvesBlackListEnabled bool - Indicates if CVEs blacklist is relevant.
- CvesBlackLists List<string> - List of CVEs blacklisted items.
- CvesWhiteListEnabled bool - Indicates if CVEs whitelist is relevant.
- CvesWhiteLists List<string> - List of CVEs whitelisted licenses.
- CvssSeverity string - Identifier of the CVSS severity.
- CvssSeverityEnabled bool - Indicates if the CVSS severity is scanned.
- CvssSeverityExcludeNoFix bool - Indicates that policy should ignore CVSS cases that do not have a known fix.
- Description string
- DisallowExploitTypes List<string>
- DisallowMalware bool - Indicates if malware should block the image.
- DockerCisEnabled bool - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- Domain string - Name of the container image.
- DomainName string
- DtaEnabled bool
- DtaSeverity string
- Enabled bool
- Enforce bool
- EnforceAfterDays int
- EnforceExcessivePermissions bool
- ExceptionalMonitoredMalwarePaths List<string>
- ExcludeApplicationScopes List<string>
- FailCicd bool - Indicates if CI/CD failures will fail the image.
- ForbiddenLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyForbiddenLabel>
- ForbiddenLabelsEnabled bool
- ForceMicroenforcer bool
- FunctionIntegrityEnabled bool
- IgnoreBaseImageVln bool
- IgnoreRecentlyPublishedVln bool
- IgnoreRecentlyPublishedVlnPeriod int
- IgnoreRiskResourcesEnabled bool - Indicates if risk resources are ignored.
- IgnoredRiskResources List<string> - List of ignored risk resources.
- IgnoredSensitiveResources List<string>
- Images List<string> - List of images.
- KubeCisEnabled bool - Performs a Kubernetes CIS benchmark check for the host.
- KubernetesControls List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyKubernetesControl> - List of Kubernetes controls.
- KubernetesControlsAvdIds List<string>
- KubernetesControlsNames List<string> - List of Kubernetes control names. The available Kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
- Labels List<string> - List of labels.
- Lastupdate string
- LinuxCisEnabled bool
- MalwareAction string
- MaximumScore double - Value of allowed maximum score.
- MaximumScoreEnabled bool - Indicates if exceeding the maximum score is scanned.
- MaximumScoreExcludeNoFix bool - Indicates that policy should ignore cases that do not have a known fix.
- MonitoredMalwarePaths List<string>
- Name string
- OnlyNoneRootUsers bool - Indicates whether to raise a warning for images that should only be run as root.
- OpenshiftHardeningEnabled bool
- PackagesBlackListEnabled bool - Indicates if packages blacklist is relevant.
- PackagesBlackLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesBlackList> - List of blacklisted images.
- PackagesWhiteListEnabled bool - Indicates if packages whitelist is relevant.
- PackagesWhiteLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesWhiteList> - List of whitelisted images.
- PartialResultsImageFail bool
- Permission string
- PolicySettings Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPolicySettings
- ReadOnly bool
- Registries List<string> - List of registries.
- Registry string
- RequiredLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyRequiredLabel>
- RequiredLabelsEnabled bool
- ScanMalwareInArchives bool
- ScanNfsMounts bool
- ScanProcessMemory bool
- ScanSensitiveData bool - Indicates if scan should include sensitive data in the image.
- ScanWindowsRegistry bool
- ScapEnabled bool - Indicates if scanning should include SCAP.
- ScapFiles List<string> - List of SCAP user scripts for checks.
- Scopes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyScope>
- TrustedBaseImages List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyTrustedBaseImage> - List of trusted images.
- TrustedBaseImagesEnabled bool - Indicates if list of trusted base images is relevant.
- VulnerabilityExploitability bool
- VulnerabilityScoreRanges List<int>
- WhitelistedLicenses List<string> - List of whitelisted licenses.
- WhitelistedLicensesEnabled bool - Indicates if license blacklist is relevant.
Go
- ApplicationScopes []string
- AggregatedVulnerability map[string]string - Aggregated vulnerability information.
- AllowedImages []string - List of explicitly allowed images.
- AssuranceType string - What type of assurance policy is described.
- AuditOnFailure bool - Indicates if auditing for failures.
- Author string - Name of user account that created the policy.
- AutoScanConfigured bool
- AutoScanEnabled bool
- AutoScanTimes []KubernetesAssurancePolicyAutoScanTimeArgs
- BlacklistPermissions []string - List of function's forbidden permissions.
- BlacklistPermissionsEnabled bool - Indicates if blacklist permissions is relevant.
- BlacklistedLicenses []string - List of blacklisted licenses.
- BlacklistedLicensesEnabled bool - Indicates if license blacklist is relevant.
- BlockFailed bool - Indicates if failed images are blocked.
- ControlExcludeNoFix bool
- CustomChecks []KubernetesAssurancePolicyCustomCheckArgs - List of custom user scripts for checks.
- CustomChecksEnabled bool - Indicates if scanning should include custom checks.
- CustomSeverity string
- CustomSeverityEnabled bool
- CvesBlackListEnabled bool - Indicates if CVEs blacklist is relevant.
- CvesBlackLists []string - List of CVEs blacklisted items.
- CvesWhiteListEnabled bool - Indicates if CVEs whitelist is relevant.
- CvesWhiteLists []string - List of CVEs whitelisted licenses.
- CvssSeverity string - Identifier of the CVSS severity.
- CvssSeverityEnabled bool - Indicates if the CVSS severity is scanned.
- CvssSeverityExcludeNoFix bool - Indicates that policy should ignore CVSS cases that do not have a known fix.
- Description string
- DisallowExploitTypes []string
- DisallowMalware bool - Indicates if malware should block the image.
- DockerCisEnabled bool - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- Domain string - Name of the container image.
- DomainName string
- DtaEnabled bool
- DtaSeverity string
- Enabled bool
- Enforce bool
- EnforceAfterDays int
- EnforceExcessivePermissions bool
- ExceptionalMonitoredMalwarePaths []string
- ExcludeApplicationScopes []string
- FailCicd bool - Indicates if CI/CD failures will fail the image.
- ForbiddenLabels []KubernetesAssurancePolicyForbiddenLabelArgs
- ForbiddenLabelsEnabled bool
- ForceMicroenforcer bool
- FunctionIntegrityEnabled bool
- IgnoreBaseImageVln bool
- IgnoreRecentlyPublishedVln bool
- IgnoreRecentlyPublishedVlnPeriod int
- IgnoreRiskResourcesEnabled bool - Indicates if risk resources are ignored.
- IgnoredRiskResources []string - List of ignored risk resources.
- IgnoredSensitiveResources []string
- Images []string - List of images.
- KubeCisEnabled bool - Performs a Kubernetes CIS benchmark check for the host.
- KubernetesControls []KubernetesAssurancePolicyKubernetesControlArgs - List of Kubernetes controls.
- KubernetesControlsAvdIds []string
- KubernetesControlsNames []string - List of Kubernetes control names. The available Kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
- Labels []string - List of labels.
- Lastupdate string
- LinuxCisEnabled bool
- MalwareAction string
- MaximumScore float64 - Value of allowed maximum score.
- MaximumScoreEnabled bool - Indicates if exceeding the maximum score is scanned.
- MaximumScoreExcludeNoFix bool - Indicates that policy should ignore cases that do not have a known fix.
- MonitoredMalwarePaths []string
- Name string
- OnlyNoneRootUsers bool - Indicates whether to raise a warning for images that should only be run as root.
- OpenshiftHardeningEnabled bool
- PackagesBlackListEnabled bool - Indicates if packages blacklist is relevant.
- PackagesBlackLists []KubernetesAssurancePolicyPackagesBlackListArgs - List of blacklisted images.
- PackagesWhiteListEnabled bool - Indicates if packages whitelist is relevant.
- PackagesWhiteLists []KubernetesAssurancePolicyPackagesWhiteListArgs - List of whitelisted images.
- PartialResultsImageFail bool
- Permission string
- PolicySettings KubernetesAssurancePolicyPolicySettingsArgs
- ReadOnly bool
- Registries []string - List of registries.
- Registry string
- RequiredLabels []KubernetesAssurancePolicyRequiredLabelArgs
- RequiredLabelsEnabled bool
- ScanMalwareInArchives bool
- ScanNfsMounts bool
- ScanProcessMemory bool
- ScanSensitiveData bool - Indicates if scan should include sensitive data in the image.
- ScanWindowsRegistry bool
- ScapEnabled bool - Indicates if scanning should include SCAP.
- ScapFiles []string - List of SCAP user scripts for checks.
- Scopes []KubernetesAssurancePolicyScopeArgs
- TrustedBaseImages []KubernetesAssurancePolicyTrustedBaseImageArgs - List of trusted images.
- TrustedBaseImagesEnabled bool - Indicates if list of trusted base images is relevant.
- VulnerabilityExploitability bool
- VulnerabilityScoreRanges []int
- WhitelistedLicenses []string - List of whitelisted licenses.
- WhitelistedLicensesEnabled bool - Indicates if license blacklist is relevant.
Java
- applicationScopes List<String>
- aggregatedVulnerability Map<String,String> - Aggregated vulnerability information.
- allowedImages List<String> - List of explicitly allowed images.
- assuranceType String - What type of assurance policy is described.
- auditOnFailure Boolean - Indicates if auditing for failures.
- author String - Name of user account that created the policy.
- autoScanConfigured Boolean
- autoScanEnabled Boolean
- autoScanTimes List<KubernetesAssurancePolicyAutoScanTime>
- blacklistPermissions List<String> - List of function's forbidden permissions.
- blacklistPermissionsEnabled Boolean - Indicates if blacklist permissions is relevant.
- blacklistedLicenses List<String> - List of blacklisted licenses.
- blacklistedLicensesEnabled Boolean - Indicates if license blacklist is relevant.
- blockFailed Boolean - Indicates if failed images are blocked.
- controlExcludeNoFix Boolean
- customChecks List<KubernetesAssurancePolicyCustomCheck> - List of custom user scripts for checks.
- customChecksEnabled Boolean - Indicates if scanning should include custom checks.
- customSeverity String
- customSeverityEnabled Boolean
- cvesBlackListEnabled Boolean - Indicates if CVEs blacklist is relevant.
- cvesBlackLists List<String> - List of CVEs blacklisted items.
- cvesWhiteListEnabled Boolean - Indicates if CVEs whitelist is relevant.
- cvesWhiteLists List<String> - List of CVEs whitelisted licenses.
- cvssSeverity String - Identifier of the CVSS severity.
- cvssSeverityEnabled Boolean - Indicates if the CVSS severity is scanned.
- cvssSeverityExcludeNoFix Boolean - Indicates that policy should ignore CVSS cases that do not have a known fix.
- description String
- disallowExploitTypes List<String>
- disallowMalware Boolean - Indicates if malware should block the image.
- dockerCisEnabled Boolean - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain String - Name of the container image.
- domainName String
- dtaEnabled Boolean
- dtaSeverity String
- enabled Boolean
- enforce Boolean
- enforceAfterDays Integer
- enforceExcessivePermissions Boolean
- exceptionalMonitoredMalwarePaths List<String>
- excludeApplicationScopes List<String>
- failCicd Boolean - Indicates if CI/CD failures will fail the image.
- forbiddenLabels List<KubernetesAssurancePolicyForbiddenLabel>
- forbiddenLabelsEnabled Boolean
- forceMicroenforcer Boolean
- functionIntegrityEnabled Boolean
- ignoreBaseImageVln Boolean
- ignoreRecentlyPublishedVln Boolean
- ignoreRecentlyPublishedVlnPeriod Integer
- ignoreRiskResourcesEnabled Boolean - Indicates if risk resources are ignored.
- ignoredRiskResources List<String> - List of ignored risk resources.
- ignoredSensitiveResources List<String>
- images List<String> - List of images.
- kubeCisEnabled Boolean - Performs a Kubernetes CIS benchmark check for the host.
- kubernetesControls List<KubernetesAssurancePolicyKubernetesControl> - List of Kubernetes controls.
- kubernetesControlsAvdIds List<String>
- kubernetesControlsNames List<String> - List of Kubernetes control names. The available Kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
- labels List<String> - List of labels.
- lastupdate String
- linuxCisEnabled Boolean
- malwareAction String
- maximumScore Double - Value of allowed maximum score.
- maximumScoreEnabled Boolean - Indicates if exceeding the maximum score is scanned.
- maximumScoreExcludeNoFix Boolean - Indicates that policy should ignore cases that do not have a known fix.
- monitoredMalwarePaths List<String>
- name String
- onlyNoneRootUsers Boolean - Indicates whether to raise a warning for images that should only be run as root.
- openshiftHardeningEnabled Boolean
- packagesBlackListEnabled Boolean - Indicates if packages blacklist is relevant.
- packagesBlackLists List<KubernetesAssurancePolicyPackagesBlackList> - List of blacklisted images.
- packagesWhiteListEnabled Boolean - Indicates if packages whitelist is relevant.
- packagesWhiteLists List<KubernetesAssurancePolicyPackagesWhiteList> - List of whitelisted images.
- partialResultsImageFail Boolean
- permission String
- policySettings KubernetesAssurancePolicyPolicySettings
- readOnly Boolean
- registries List<String> - List of registries.
- registry String
- requiredLabels List<KubernetesAssurancePolicyRequiredLabel>
- requiredLabelsEnabled Boolean
- scanMalwareInArchives Boolean
- scanNfsMounts Boolean
- scanProcessMemory Boolean
- scanSensitiveData Boolean - Indicates if scan should include sensitive data in the image.
- scanWindowsRegistry Boolean
- scapEnabled Boolean - Indicates if scanning should include SCAP.
- scapFiles List<String> - List of SCAP user scripts for checks.
- scopes List<KubernetesAssurancePolicyScope>
- trustedBaseImages List<KubernetesAssurancePolicyTrustedBaseImage> - List of trusted images.
- trustedBaseImagesEnabled Boolean - Indicates if list of trusted base images is relevant.
- vulnerabilityExploitability Boolean
- vulnerabilityScoreRanges List<Integer>
- whitelistedLicenses List<String> - List of whitelisted licenses.
- whitelistedLicensesEnabled Boolean - Indicates if license blacklist is relevant.
TypeScript
- applicationScopes string[]
- aggregatedVulnerability {[key: string]: string} - Aggregated vulnerability information.
- allowedImages string[] - List of explicitly allowed images.
- assuranceType string - What type of assurance policy is described.
- auditOnFailure boolean - Indicates if auditing for failures.
- author string - Name of user account that created the policy.
- autoScanConfigured boolean
- autoScanEnabled boolean
- autoScanTimes KubernetesAssurancePolicyAutoScanTime[]
- blacklistPermissions string[] - List of function's forbidden permissions.
- blacklistPermissionsEnabled boolean - Indicates if blacklist permissions is relevant.
- blacklistedLicenses string[] - List of blacklisted licenses.
- blacklistedLicensesEnabled boolean - Indicates if license blacklist is relevant.
- blockFailed boolean - Indicates if failed images are blocked.
- controlExcludeNoFix boolean
- customChecks KubernetesAssurancePolicyCustomCheck[] - List of custom user scripts for checks.
- customChecksEnabled boolean - Indicates if scanning should include custom checks.
- customSeverity string
- customSeverityEnabled boolean
- cvesBlackListEnabled boolean - Indicates if CVEs blacklist is relevant.
- cvesBlackLists string[] - List of CVEs blacklisted items.
- cvesWhiteListEnabled boolean - Indicates if CVEs whitelist is relevant.
- cvesWhiteLists string[] - List of CVEs whitelisted licenses.
- cvssSeverity string - Identifier of the CVSS severity.
- cvssSeverityEnabled boolean - Indicates if the CVSS severity is scanned.
- cvssSeverityExcludeNoFix boolean - Indicates that policy should ignore CVSS cases that do not have a known fix.
- description string
- disallowExploitTypes string[]
- disallowMalware boolean - Indicates if malware should block the image.
- dockerCisEnabled boolean - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain string - Name of the container image.
- domainName string
- dtaEnabled boolean
- dtaSeverity string
- enabled boolean
- enforce boolean
- enforceAfterDays number
- enforceExcessivePermissions boolean
- exceptionalMonitoredMalwarePaths string[]
- excludeApplicationScopes string[]
- failCicd boolean - Indicates if CI/CD failures will fail the image.
- forbiddenLabels KubernetesAssurancePolicyForbiddenLabel[]
- forbiddenLabelsEnabled boolean
- forceMicroenforcer boolean
- functionIntegrityEnabled boolean
- ignoreBaseImageVln boolean
- ignoreRecentlyPublishedVln boolean
- ignoreRecentlyPublishedVlnPeriod number
- ignoreRiskResourcesEnabled boolean - Indicates if risk resources are ignored.
- ignoredRiskResources string[] - List of ignored risk resources.
- ignoredSensitiveResources string[]
- images string[] - List of images.
- kubeCisEnabled boolean - Performs a Kubernetes CIS benchmark check for the host.
- kubernetesControls KubernetesAssurancePolicyKubernetesControl[] - List of Kubernetes controls.
- kubernetesControlsAvdIds string[]
- kubernetesControlsNames string[] - List of Kubernetes control names. The available Kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
- labels string[] - List of labels.
- lastupdate string
- linuxCisEnabled boolean
- malwareAction string
- maximumScore number - Value of allowed maximum score.
- maximumScoreEnabled boolean - Indicates if exceeding the maximum score is scanned.
- maximumScoreExcludeNoFix boolean - Indicates that policy should ignore cases that do not have a known fix.
- monitoredMalwarePaths string[]
- name string
- onlyNoneRootUsers boolean - Indicates whether to raise a warning for images that should only be run as root.
- openshiftHardeningEnabled boolean
- packagesBlackListEnabled boolean - Indicates if packages blacklist is relevant.
- packagesBlackLists KubernetesAssurancePolicyPackagesBlackList[] - List of blacklisted images.
- packagesWhiteListEnabled boolean - Indicates if packages whitelist is relevant.
- packagesWhiteLists KubernetesAssurancePolicyPackagesWhiteList[] - List of whitelisted images.
- partialResultsImageFail boolean
- permission string
- policySettings KubernetesAssurancePolicyPolicySettings
- readOnly boolean
- registries string[] - List of registries.
- registry string
- requiredLabels KubernetesAssurancePolicyRequiredLabel[]
- requiredLabelsEnabled boolean
- scanMalwareInArchives boolean
- scanNfsMounts boolean
- scanProcessMemory boolean
- scanSensitiveData boolean - Indicates if scan should include sensitive data in the image.
- scanWindowsRegistry boolean
- scapEnabled boolean - Indicates if scanning should include SCAP.
- scapFiles string[] - List of SCAP user scripts for checks.
- scopes KubernetesAssurancePolicyScope[]
- trustedBaseImages KubernetesAssurancePolicyTrustedBaseImage[] - List of trusted images.
- trustedBaseImagesEnabled boolean - Indicates if list of trusted base images is relevant.
- vulnerabilityExploitability boolean
- vulnerabilityScoreRanges number[]
- whitelistedLicenses string[] - List of whitelisted licenses.
- whitelistedLicensesEnabled boolean - Indicates if license blacklist is relevant.
- application_scopes Sequence[str]
- aggregated_vulnerability Mapping[str, str] - Aggregated vulnerability information.
- allowed_images Sequence[str] - List of explicitly allowed images.
- assurance_type str - What type of assurance policy is described.
- audit_on_failure bool - Indicates if auditing for failures.
- author str - Name of user account that created the policy.
- auto_scan_configured bool
- auto_scan_enabled bool
- auto_scan_times Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]
- blacklist_permissions Sequence[str] - List of function's forbidden permissions.
- blacklist_permissions_enabled bool - Indicates if blacklist permissions is relevant.
- blacklisted_licenses Sequence[str] - List of blacklisted licenses.
- blacklisted_licenses_enabled bool - Indicates if license blacklist is relevant.
- block_failed bool - Indicates if failed images are blocked.
- control_exclude_no_fix bool
- custom_checks Sequence[KubernetesAssurancePolicyCustomCheckArgs] - List of Custom user scripts for checks.
- custom_checks_enabled bool - Indicates if scanning should include custom checks.
- custom_severity str
- custom_severity_enabled bool
- cves_black_list_enabled bool - Indicates if CVEs blacklist is relevant.
- cves_black_lists Sequence[str] - List of CVEs blacklisted items.
- cves_white_list_enabled bool - Indicates if CVEs whitelist is relevant.
- cves_white_lists Sequence[str] - List of cves whitelisted licenses
- cvss_severity str - Identifier of the cvss severity.
- cvss_severity_enabled bool - Indicates if the cvss severity is scanned.
- cvss_severity_exclude_no_fix bool - Indicates that policy should ignore cvss cases that do not have a known fix.
- description str
- disallow_exploit_types Sequence[str]
- disallow_malware bool - Indicates if malware should block the image.
- docker_cis_enabled bool - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain str - Name of the container image.
- domain_name str
- dta_enabled bool
- dta_severity str
- enabled bool
- enforce bool
- enforce_after_days int
- enforce_excessive_permissions bool
- exceptional_monitored_malware_paths Sequence[str]
- exclude_application_scopes Sequence[str]
- fail_cicd bool - Indicates if cicd failures will fail the image.
- forbidden_labels Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]
- forbidden_labels_enabled bool
- force_microenforcer bool
- function_integrity_enabled bool
- ignore_base_image_vln bool
- ignore_recently_published_vln bool
- ignore_recently_published_vln_period int
- ignore_risk_resources_enabled bool - Indicates if risk resources are ignored.
- ignored_risk_resources Sequence[str] - List of ignored risk resources.
- ignored_sensitive_resources Sequence[str]
- images Sequence[str] - List of images.
- kube_cis_enabled bool - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes_controls Sequence[KubernetesAssurancePolicyKubernetesControlArgs] - List of Kubernetes controls.
- kubernetes_controls_avd_ids Sequence[str]
- kubernetes_controls_names Sequence[str] - List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
- labels Sequence[str] - List of labels.
- lastupdate str
- linux_cis_enabled bool
- malware_action str
- maximum_score float - Value of allowed maximum score.
- maximum_score_enabled bool - Indicates if exceeding the maximum score is scanned.
- maximum_score_exclude_no_fix bool - Indicates that policy should ignore cases that do not have a known fix.
- monitored_malware_paths Sequence[str]
- name str
- only_none_root_users bool - Indicates if raise a warning for images that should only be run as root.
- openshift_hardening_enabled bool
- packages_black_list_enabled bool - Indicates if packages blacklist is relevant.
- packages_black_lists Sequence[KubernetesAssurancePolicyPackagesBlackListArgs] - List of blacklisted images.
- packages_white_list_enabled bool - Indicates if packages whitelist is relevant.
- packages_white_lists Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs] - List of whitelisted images.
- partial_results_image_fail bool
- permission str
- policy_settings KubernetesAssurancePolicyPolicySettingsArgs
- read_only bool
- registries Sequence[str] - List of registries.
- registry str
- required_labels Sequence[KubernetesAssurancePolicyRequiredLabelArgs]
- required_labels_enabled bool
- scan_malware_in_archives bool
- scan_nfs_mounts bool
- scan_process_memory bool
- scan_sensitive_data bool - Indicates if scan should include sensitive data in the image.
- scan_windows_registry bool
- scap_enabled bool - Indicates if scanning should include scap.
- scap_files Sequence[str] - List of SCAP user scripts for checks.
- scopes Sequence[KubernetesAssurancePolicyScopeArgs]
- trusted_base_images Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs] - List of trusted images.
- trusted_base_images_enabled bool - Indicates if list of trusted base images is relevant.
- vulnerability_exploitability bool
- vulnerability_score_ranges Sequence[int]
- whitelisted_licenses Sequence[str] - List of whitelisted licenses.
- whitelisted_licenses_enabled bool - Indicates if license blacklist is relevant.
- applicationScopes List<String>
- aggregatedVulnerability Map<String> - Aggregated vulnerability information.
- allowedImages List<String> - List of explicitly allowed images.
- assuranceType String - What type of assurance policy is described.
- auditOnFailure Boolean - Indicates if auditing for failures.
- author String - Name of user account that created the policy.
- autoScanConfigured Boolean
- autoScanEnabled Boolean
- autoScanTimes List<Property Map>
- blacklistPermissions List<String> - List of function's forbidden permissions.
- blacklistPermissionsEnabled Boolean - Indicates if blacklist permissions is relevant.
- blacklistedLicenses List<String> - List of blacklisted licenses.
- blacklistedLicensesEnabled Boolean - Indicates if license blacklist is relevant.
- blockFailed Boolean - Indicates if failed images are blocked.
- controlExcludeNoFix Boolean
- customChecks List<Property Map> - List of Custom user scripts for checks.
- customChecksEnabled Boolean - Indicates if scanning should include custom checks.
- customSeverity String
- customSeverityEnabled Boolean
- cvesBlackListEnabled Boolean - Indicates if CVEs blacklist is relevant.
- cvesBlackLists List<String> - List of CVEs blacklisted items.
- cvesWhiteListEnabled Boolean - Indicates if CVEs whitelist is relevant.
- cvesWhiteLists List<String> - List of cves whitelisted licenses
- cvssSeverity String - Identifier of the cvss severity.
- cvssSeverityEnabled Boolean - Indicates if the cvss severity is scanned.
- cvssSeverityExcludeNoFix Boolean - Indicates that policy should ignore cvss cases that do not have a known fix.
- description String
- disallowExploitTypes List<String>
- disallowMalware Boolean - Indicates if malware should block the image.
- dockerCisEnabled Boolean - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain String - Name of the container image.
- domainName String
- dtaEnabled Boolean
- dtaSeverity String
- enabled Boolean
- enforce Boolean
- enforceAfterDays Number
- enforceExcessivePermissions Boolean
- exceptionalMonitoredMalwarePaths List<String>
- excludeApplicationScopes List<String>
- failCicd Boolean - Indicates if cicd failures will fail the image.
- forbiddenLabels List<Property Map>
- forbiddenLabelsEnabled Boolean
- forceMicroenforcer Boolean
- functionIntegrityEnabled Boolean
- ignoreBaseImageVln Boolean
- ignoreRecentlyPublishedVln Boolean
- ignoreRecentlyPublishedVlnPeriod Number
- ignoreRiskResourcesEnabled Boolean - Indicates if risk resources are ignored.
- ignoredRiskResources List<String> - List of ignored risk resources.
- ignoredSensitiveResources List<String>
- images List<String> - List of images.
- kubeCisEnabled Boolean - Performs a Kubernetes CIS benchmark check for the host.
- kubernetesControls List<Property Map> - List of Kubernetes controls.
- kubernetesControlsAvdIds List<String>
- kubernetesControlsNames List<String> - List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
- labels List<String> - List of labels.
- lastupdate String
- linuxCisEnabled Boolean
- malwareAction String
- maximumScore Number - Value of allowed maximum score.
- maximumScoreEnabled Boolean - Indicates if exceeding the maximum score is scanned.
- maximumScoreExcludeNoFix Boolean - Indicates that policy should ignore cases that do not have a known fix.
- monitoredMalwarePaths List<String>
- name String
- onlyNoneRootUsers Boolean - Indicates if raise a warning for images that should only be run as root.
- openshiftHardeningEnabled Boolean
- packagesBlackListEnabled Boolean - Indicates if packages blacklist is relevant.
- packagesBlackLists List<Property Map> - List of blacklisted images.
- packagesWhiteListEnabled Boolean - Indicates if packages whitelist is relevant.
- packagesWhiteLists List<Property Map> - List of whitelisted images.
- partialResultsImageFail Boolean
- permission String
- policySettings Property Map
- readOnly Boolean
- registries List<String> - List of registries.
- registry String
- requiredLabels List<Property Map>
- requiredLabelsEnabled Boolean
- scanMalwareInArchives Boolean
- scanNfsMounts Boolean
- scanProcessMemory Boolean
- scanSensitiveData Boolean - Indicates if scan should include sensitive data in the image.
- scanWindowsRegistry Boolean
- scapEnabled Boolean - Indicates if scanning should include scap.
- scapFiles List<String> - List of SCAP user scripts for checks.
- scopes List<Property Map>
- trustedBaseImages List<Property Map> - List of trusted images.
- trustedBaseImagesEnabled Boolean - Indicates if list of trusted base images is relevant.
- vulnerabilityExploitability Boolean
- vulnerabilityScoreRanges List<Number>
- whitelistedLicenses List<String> - List of whitelisted licenses.
- whitelistedLicensesEnabled Boolean - Indicates if license blacklist is relevant.
Outputs
All input properties are implicitly available as output properties. Additionally, the KubernetesAssurancePolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing KubernetesAssurancePolicy Resource
Get an existing KubernetesAssurancePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KubernetesAssurancePolicyState, opts?: CustomResourceOptions): KubernetesAssurancePolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
aggregated_vulnerability: Optional[Mapping[str, str]] = None,
allowed_images: Optional[Sequence[str]] = None,
application_scopes: Optional[Sequence[str]] = None,
assurance_type: Optional[str] = None,
audit_on_failure: Optional[bool] = None,
author: Optional[str] = None,
auto_scan_configured: Optional[bool] = None,
auto_scan_enabled: Optional[bool] = None,
auto_scan_times: Optional[Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]] = None,
blacklist_permissions: Optional[Sequence[str]] = None,
blacklist_permissions_enabled: Optional[bool] = None,
blacklisted_licenses: Optional[Sequence[str]] = None,
blacklisted_licenses_enabled: Optional[bool] = None,
block_failed: Optional[bool] = None,
control_exclude_no_fix: Optional[bool] = None,
custom_checks: Optional[Sequence[KubernetesAssurancePolicyCustomCheckArgs]] = None,
custom_checks_enabled: Optional[bool] = None,
custom_severity: Optional[str] = None,
custom_severity_enabled: Optional[bool] = None,
cves_black_list_enabled: Optional[bool] = None,
cves_black_lists: Optional[Sequence[str]] = None,
cves_white_list_enabled: Optional[bool] = None,
cves_white_lists: Optional[Sequence[str]] = None,
cvss_severity: Optional[str] = None,
cvss_severity_enabled: Optional[bool] = None,
cvss_severity_exclude_no_fix: Optional[bool] = None,
description: Optional[str] = None,
disallow_exploit_types: Optional[Sequence[str]] = None,
disallow_malware: Optional[bool] = None,
docker_cis_enabled: Optional[bool] = None,
domain: Optional[str] = None,
domain_name: Optional[str] = None,
dta_enabled: Optional[bool] = None,
dta_severity: Optional[str] = None,
enabled: Optional[bool] = None,
enforce: Optional[bool] = None,
enforce_after_days: Optional[int] = None,
enforce_excessive_permissions: Optional[bool] = None,
exceptional_monitored_malware_paths: Optional[Sequence[str]] = None,
exclude_application_scopes: Optional[Sequence[str]] = None,
fail_cicd: Optional[bool] = None,
forbidden_labels: Optional[Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]] = None,
forbidden_labels_enabled: Optional[bool] = None,
force_microenforcer: Optional[bool] = None,
function_integrity_enabled: Optional[bool] = None,
ignore_base_image_vln: Optional[bool] = None,
ignore_recently_published_vln: Optional[bool] = None,
ignore_recently_published_vln_period: Optional[int] = None,
ignore_risk_resources_enabled: Optional[bool] = None,
ignored_risk_resources: Optional[Sequence[str]] = None,
ignored_sensitive_resources: Optional[Sequence[str]] = None,
images: Optional[Sequence[str]] = None,
kube_cis_enabled: Optional[bool] = None,
kubernetes_controls: Optional[Sequence[KubernetesAssurancePolicyKubernetesControlArgs]] = None,
kubernetes_controls_avd_ids: Optional[Sequence[str]] = None,
kubernetes_controls_names: Optional[Sequence[str]] = None,
labels: Optional[Sequence[str]] = None,
lastupdate: Optional[str] = None,
linux_cis_enabled: Optional[bool] = None,
malware_action: Optional[str] = None,
maximum_score: Optional[float] = None,
maximum_score_enabled: Optional[bool] = None,
maximum_score_exclude_no_fix: Optional[bool] = None,
monitored_malware_paths: Optional[Sequence[str]] = None,
name: Optional[str] = None,
only_none_root_users: Optional[bool] = None,
openshift_hardening_enabled: Optional[bool] = None,
packages_black_list_enabled: Optional[bool] = None,
packages_black_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]] = None,
packages_white_list_enabled: Optional[bool] = None,
packages_white_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]] = None,
partial_results_image_fail: Optional[bool] = None,
permission: Optional[str] = None,
policy_settings: Optional[KubernetesAssurancePolicyPolicySettingsArgs] = None,
read_only: Optional[bool] = None,
registries: Optional[Sequence[str]] = None,
registry: Optional[str] = None,
required_labels: Optional[Sequence[KubernetesAssurancePolicyRequiredLabelArgs]] = None,
required_labels_enabled: Optional[bool] = None,
scan_malware_in_archives: Optional[bool] = None,
scan_nfs_mounts: Optional[bool] = None,
scan_process_memory: Optional[bool] = None,
scan_sensitive_data: Optional[bool] = None,
scan_windows_registry: Optional[bool] = None,
scap_enabled: Optional[bool] = None,
scap_files: Optional[Sequence[str]] = None,
scopes: Optional[Sequence[KubernetesAssurancePolicyScopeArgs]] = None,
trusted_base_images: Optional[Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]] = None,
trusted_base_images_enabled: Optional[bool] = None,
vulnerability_exploitability: Optional[bool] = None,
vulnerability_score_ranges: Optional[Sequence[int]] = None,
whitelisted_licenses: Optional[Sequence[str]] = None,
whitelisted_licenses_enabled: Optional[bool] = None) -> KubernetesAssurancePolicy
func GetKubernetesAssurancePolicy(ctx *Context, name string, id IDInput, state *KubernetesAssurancePolicyState, opts ...ResourceOption) (*KubernetesAssurancePolicy, error)
public static KubernetesAssurancePolicy Get(string name, Input<string> id, KubernetesAssurancePolicyState? state, CustomResourceOptions? opts = null)
public static KubernetesAssurancePolicy get(String name, Output<String> id, KubernetesAssurancePolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AggregatedVulnerability Dictionary<string, string> - Aggregated vulnerability information.
- AllowedImages List<string> - List of explicitly allowed images.
- ApplicationScopes List<string>
- AssuranceType string - What type of assurance policy is described.
- AuditOnFailure bool - Indicates if auditing for failures.
- Author string - Name of user account that created the policy.
- AutoScanConfigured bool
- AutoScanEnabled bool
- AutoScanTimes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyAutoScanTime>
- BlacklistPermissions List<string> - List of function's forbidden permissions.
- BlacklistPermissionsEnabled bool - Indicates if blacklist permissions is relevant.
- BlacklistedLicenses List<string> - List of blacklisted licenses.
- BlacklistedLicensesEnabled bool - Indicates if license blacklist is relevant.
- BlockFailed bool - Indicates if failed images are blocked.
- ControlExcludeNoFix bool
- CustomChecks List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyCustomCheck> - List of Custom user scripts for checks.
- CustomChecksEnabled bool - Indicates if scanning should include custom checks.
- CustomSeverity string
- CustomSeverityEnabled bool
- CvesBlackListEnabled bool - Indicates if CVEs blacklist is relevant.
- CvesBlackLists List<string> - List of CVEs blacklisted items.
- CvesWhiteListEnabled bool - Indicates if CVEs whitelist is relevant.
- CvesWhiteLists List<string> - List of cves whitelisted licenses
- CvssSeverity string - Identifier of the cvss severity.
- CvssSeverityEnabled bool - Indicates if the cvss severity is scanned.
- CvssSeverityExcludeNoFix bool - Indicates that policy should ignore cvss cases that do not have a known fix.
- Description string
- DisallowExploitTypes List<string>
- DisallowMalware bool - Indicates if malware should block the image.
- DockerCisEnabled bool - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- Domain string - Name of the container image.
- DomainName string
- DtaEnabled bool
- DtaSeverity string
- Enabled bool
- Enforce bool
- EnforceAfterDays int
- EnforceExcessivePermissions bool
- ExceptionalMonitoredMalwarePaths List<string>
- ExcludeApplicationScopes List<string>
- FailCicd bool - Indicates if cicd failures will fail the image.
- ForbiddenLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyForbiddenLabel>
- ForbiddenLabelsEnabled bool
- ForceMicroenforcer bool
- FunctionIntegrityEnabled bool
- IgnoreBaseImageVln bool
- IgnoreRecentlyPublishedVln bool
- IgnoreRecentlyPublishedVlnPeriod int
- IgnoreRiskResourcesEnabled bool - Indicates if risk resources are ignored.
- IgnoredRiskResources List<string> - List of ignored risk resources.
- IgnoredSensitiveResources List<string>
- Images List<string> - List of images.
- KubeCisEnabled bool - Performs a Kubernetes CIS benchmark check for the host.
- KubernetesControls List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyKubernetesControl> - List of Kubernetes controls.
- KubernetesControlsAvdIds List<string>
- KubernetesControlsNames List<string> - List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
- Labels List<string> - List of labels.
- Lastupdate string
- LinuxCisEnabled bool
- MalwareAction string
- MaximumScore double - Value of allowed maximum score.
- MaximumScoreEnabled bool - Indicates if exceeding the maximum score is scanned.
- MaximumScoreExcludeNoFix bool - Indicates that policy should ignore cases that do not have a known fix.
- MonitoredMalwarePaths List<string>
- Name string
- OnlyNoneRootUsers bool - Indicates if raise a warning for images that should only be run as root.
- OpenshiftHardeningEnabled bool
- PackagesBlackListEnabled bool - Indicates if packages blacklist is relevant.
- PackagesBlackLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesBlackList> - List of blacklisted images.
- PackagesWhiteListEnabled bool - Indicates if packages whitelist is relevant.
- PackagesWhiteLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesWhiteList> - List of whitelisted images.
- PartialResultsImageFail bool
- Permission string
- PolicySettings Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPolicySettings
- ReadOnly bool
- Registries List<string> - List of registries.
- Registry string
- RequiredLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyRequiredLabel>
- RequiredLabelsEnabled bool
- ScanMalwareInArchives bool
- ScanNfsMounts bool
- ScanProcessMemory bool
- ScanSensitiveData bool - Indicates if scan should include sensitive data in the image.
- ScanWindowsRegistry bool
- ScapEnabled bool - Indicates if scanning should include scap.
- ScapFiles List<string> - List of SCAP user scripts for checks.
- Scopes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyScope>
- TrustedBaseImages List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyTrustedBaseImage> - List of trusted images.
- TrustedBaseImagesEnabled bool - Indicates if list of trusted base images is relevant.
- VulnerabilityExploitability bool
- VulnerabilityScoreRanges List<int>
- WhitelistedLicenses List<string> - List of whitelisted licenses.
- WhitelistedLicensesEnabled bool - Indicates if license blacklist is relevant.
- AggregatedVulnerability map[string]string - Aggregated vulnerability information.
- AllowedImages []string - List of explicitly allowed images.
- ApplicationScopes []string
- AssuranceType string - What type of assurance policy is described.
- AuditOnFailure bool - Indicates if auditing for failures.
- Author string - Name of user account that created the policy.
- AutoScanConfigured bool
- AutoScanEnabled bool
- AutoScanTimes []KubernetesAssurancePolicyAutoScanTimeArgs
- BlacklistPermissions []string - List of function's forbidden permissions.
- BlacklistPermissionsEnabled bool - Indicates if blacklist permissions is relevant.
- BlacklistedLicenses []string - List of blacklisted licenses.
- BlacklistedLicensesEnabled bool - Indicates if license blacklist is relevant.
- BlockFailed bool - Indicates if failed images are blocked.
- ControlExcludeNoFix bool
- CustomChecks []KubernetesAssurancePolicyCustomCheckArgs - List of Custom user scripts for checks.
- CustomChecksEnabled bool - Indicates if scanning should include custom checks.
- CustomSeverity string
- CustomSeverityEnabled bool
- CvesBlackListEnabled bool - Indicates if CVEs blacklist is relevant.
- CvesBlackLists []string - List of CVEs blacklisted items.
- CvesWhiteListEnabled bool - Indicates if CVEs whitelist is relevant.
- CvesWhiteLists []string - List of cves whitelisted licenses
- CvssSeverity string - Identifier of the cvss severity.
- CvssSeverityEnabled bool - Indicates if the cvss severity is scanned.
- CvssSeverityExcludeNoFix bool - Indicates that policy should ignore cvss cases that do not have a known fix.
- Description string
- DisallowExploitTypes []string
- DisallowMalware bool - Indicates if malware should block the image.
- DockerCisEnabled bool - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- Domain string - Name of the container image.
- DomainName string
- DtaEnabled bool
- DtaSeverity string
- Enabled bool
- Enforce bool
- EnforceAfterDays int
- EnforceExcessivePermissions bool
- ExceptionalMonitoredMalwarePaths []string
- ExcludeApplicationScopes []string
- FailCicd bool - Indicates if cicd failures will fail the image.
- ForbiddenLabels []KubernetesAssurancePolicyForbiddenLabelArgs
- ForbiddenLabelsEnabled bool
- ForceMicroenforcer bool
- FunctionIntegrityEnabled bool
- IgnoreBaseImageVln bool
- IgnoreRecentlyPublishedVln bool
- IgnoreRecentlyPublishedVlnPeriod int
- IgnoreRiskResourcesEnabled bool - Indicates if risk resources are ignored.
- IgnoredRiskResources []string - List of ignored risk resources.
- IgnoredSensitiveResources []string
- Images []string - List of images.
- KubeCisEnabled bool - Performs a Kubernetes CIS benchmark check for the host.
- KubernetesControls []KubernetesAssurancePolicyKubernetesControlArgs - List of Kubernetes controls.
- KubernetesControlsAvdIds []string
- KubernetesControlsNames []string - List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
- Labels []string - List of labels.
- Lastupdate string
- LinuxCisEnabled bool
- MalwareAction string
- MaximumScore float64 - Value of allowed maximum score.
- MaximumScoreEnabled bool - Indicates if exceeding the maximum score is scanned.
- MaximumScoreExcludeNoFix bool - Indicates that policy should ignore cases that do not have a known fix.
- MonitoredMalwarePaths []string
- Name string
- OnlyNoneRootUsers bool - Indicates if raise a warning for images that should only be run as root.
- OpenshiftHardeningEnabled bool
- PackagesBlackListEnabled bool - Indicates if packages blacklist is relevant.
- PackagesBlackLists []KubernetesAssurancePolicyPackagesBlackListArgs - List of blacklisted images.
- PackagesWhiteListEnabled bool - Indicates if packages whitelist is relevant.
- PackagesWhiteLists []KubernetesAssurancePolicyPackagesWhiteListArgs - List of whitelisted images.
- PartialResultsImageFail bool
- Permission string
- PolicySettings KubernetesAssurancePolicyPolicySettingsArgs
- ReadOnly bool
- Registries []string - List of registries.
- Registry string
- RequiredLabels []KubernetesAssurancePolicyRequiredLabelArgs
- RequiredLabelsEnabled bool
- ScanMalwareInArchives bool
- ScanNfsMounts bool
- ScanProcessMemory bool
- ScanSensitiveData bool - Indicates if scan should include sensitive data in the image.
- ScanWindowsRegistry bool
- ScapEnabled bool - Indicates if scanning should include scap.
- ScapFiles []string - List of SCAP user scripts for checks.
- Scopes []KubernetesAssurancePolicyScopeArgs
- TrustedBaseImages []KubernetesAssurancePolicyTrustedBaseImageArgs - List of trusted images.
- TrustedBaseImagesEnabled bool - Indicates if list of trusted base images is relevant.
- VulnerabilityExploitability bool
- VulnerabilityScoreRanges []int
- WhitelistedLicenses []string - List of whitelisted licenses.
- WhitelistedLicensesEnabled bool - Indicates if license blacklist is relevant.
Java
- aggregatedVulnerability Map<String,String> - Aggregated vulnerability information.
- allowedImages List<String> - List of explicitly allowed images.
- applicationScopes List<String>
- assuranceType String - What type of assurance policy is described.
- auditOnFailure Boolean - Indicates if failures are audited.
- author String - Name of the user account that created the policy.
- autoScanConfigured Boolean
- autoScanEnabled Boolean
- autoScanTimes List<KubernetesAssurancePolicyAutoScanTime>
- blacklistPermissions List<String> - List of the function's forbidden permissions.
- blacklistPermissionsEnabled Boolean - Indicates if the permissions blacklist is relevant.
- blacklistedLicenses List<String> - List of blacklisted licenses.
- blacklistedLicensesEnabled Boolean - Indicates if the license blacklist is relevant.
- blockFailed Boolean - Indicates if failed images are blocked.
- controlExcludeNoFix Boolean
- customChecks List<KubernetesAssurancePolicyCustomCheck> - List of custom user scripts for checks.
- customChecksEnabled Boolean - Indicates if scanning should include custom checks.
- customSeverity String
- customSeverityEnabled Boolean
- cvesBlackListEnabled Boolean - Indicates if the CVE blacklist is relevant.
- cvesBlackLists List<String> - List of blacklisted CVEs.
- cvesWhiteListEnabled Boolean - Indicates if the CVE whitelist is relevant.
- cvesWhiteLists List<String> - List of whitelisted CVEs.
- cvssSeverity String - Identifier of the CVSS severity.
- cvssSeverityEnabled Boolean - Indicates if the CVSS severity is scanned.
- cvssSeverityExcludeNoFix Boolean - Indicates that the policy should ignore CVSS cases that do not have a known fix.
- description String
- disallowExploitTypes List<String>
- disallowMalware Boolean - Indicates if malware should block the image.
- dockerCisEnabled Boolean - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain String - Name of the container image.
- domainName String
- dtaEnabled Boolean
- dtaSeverity String
- enabled Boolean
- enforce Boolean
- enforceAfterDays Integer
- enforceExcessivePermissions Boolean
- exceptionalMonitoredMalwarePaths List<String>
- excludeApplicationScopes List<String>
- failCicd Boolean - Indicates if CI/CD failures will fail the image.
- forbiddenLabels List<KubernetesAssurancePolicyForbiddenLabel>
- forbiddenLabelsEnabled Boolean
- forceMicroenforcer Boolean
- functionIntegrityEnabled Boolean
- ignoreBaseImageVln Boolean
- ignoreRecentlyPublishedVln Boolean
- ignoreRecentlyPublishedVlnPeriod Integer
- ignoreRiskResourcesEnabled Boolean - Indicates if risk resources are ignored.
- ignoredRiskResources List<String> - List of ignored risk resources.
- ignoredSensitiveResources List<String>
- images List<String> - List of images.
- kubeCisEnabled Boolean - Performs a Kubernetes CIS benchmark check for the host.
- kubernetesControls List<KubernetesAssurancePolicyKubernetesControl> - List of Kubernetes controls.
- kubernetesControlsAvdIds List<String>
- kubernetesControlsNames List<String> - List of Kubernetes control names. Available controls: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'.
- labels List<String> - List of labels.
- lastupdate String
- linuxCisEnabled Boolean
- malwareAction String
- maximumScore Double - Value of allowed maximum score.
- maximumScoreEnabled Boolean - Indicates if exceeding the maximum score is scanned.
- maximumScoreExcludeNoFix Boolean - Indicates that the policy should ignore cases that do not have a known fix.
- monitoredMalwarePaths List<String>
- name String
- onlyNoneRootUsers Boolean - Indicates if a warning is raised for images that should only be run as root.
- openshiftHardeningEnabled Boolean
- packagesBlackListEnabled Boolean - Indicates if the package blacklist is relevant.
- packagesBlackLists List<KubernetesAssurancePolicyPackagesBlackList> - List of blacklisted packages.
- packagesWhiteListEnabled Boolean - Indicates if the package whitelist is relevant.
- packagesWhiteLists List<KubernetesAssurancePolicyPackagesWhiteList> - List of whitelisted packages.
- partialResultsImageFail Boolean
- permission String
- policySettings KubernetesAssurancePolicyPolicySettings
- readOnly Boolean
- registries List<String> - List of registries.
- registry String
- requiredLabels List<KubernetesAssurancePolicyRequiredLabel>
- requiredLabelsEnabled Boolean
- scanMalwareInArchives Boolean
- scanNfsMounts Boolean
- scanProcessMemory Boolean
- scanSensitiveData Boolean - Indicates if the scan should include sensitive data in the image.
- scanWindowsRegistry Boolean
- scapEnabled Boolean - Indicates if scanning should include SCAP.
- scapFiles List<String> - List of SCAP user scripts for checks.
- scopes List<KubernetesAssurancePolicyScope>
- trustedBaseImages List<KubernetesAssurancePolicyTrustedBaseImage> - List of trusted images.
- trustedBaseImagesEnabled Boolean - Indicates if the list of trusted base images is relevant.
- vulnerabilityExploitability Boolean
- vulnerabilityScoreRanges List<Integer>
- whitelistedLicenses List<String> - List of whitelisted licenses.
- whitelistedLicensesEnabled Boolean - Indicates if the license whitelist is relevant.
TypeScript
- aggregatedVulnerability {[key: string]: string} - Aggregated vulnerability information.
- allowedImages string[] - List of explicitly allowed images.
- applicationScopes string[]
- assuranceType string - What type of assurance policy is described.
- auditOnFailure boolean - Indicates if failures are audited.
- author string - Name of the user account that created the policy.
- autoScanConfigured boolean
- autoScanEnabled boolean
- autoScanTimes KubernetesAssurancePolicyAutoScanTime[]
- blacklistPermissions string[] - List of the function's forbidden permissions.
- blacklistPermissionsEnabled boolean - Indicates if the permissions blacklist is relevant.
- blacklistedLicenses string[] - List of blacklisted licenses.
- blacklistedLicensesEnabled boolean - Indicates if the license blacklist is relevant.
- blockFailed boolean - Indicates if failed images are blocked.
- controlExcludeNoFix boolean
- customChecks KubernetesAssurancePolicyCustomCheck[] - List of custom user scripts for checks.
- customChecksEnabled boolean - Indicates if scanning should include custom checks.
- customSeverity string
- customSeverityEnabled boolean
- cvesBlackListEnabled boolean - Indicates if the CVE blacklist is relevant.
- cvesBlackLists string[] - List of blacklisted CVEs.
- cvesWhiteListEnabled boolean - Indicates if the CVE whitelist is relevant.
- cvesWhiteLists string[] - List of whitelisted CVEs.
- cvssSeverity string - Identifier of the CVSS severity.
- cvssSeverityEnabled boolean - Indicates if the CVSS severity is scanned.
- cvssSeverityExcludeNoFix boolean - Indicates that the policy should ignore CVSS cases that do not have a known fix.
- description string
- disallowExploitTypes string[]
- disallowMalware boolean - Indicates if malware should block the image.
- dockerCisEnabled boolean - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain string - Name of the container image.
- domainName string
- dtaEnabled boolean
- dtaSeverity string
- enabled boolean
- enforce boolean
- enforceAfterDays number
- enforceExcessivePermissions boolean
- exceptionalMonitoredMalwarePaths string[]
- excludeApplicationScopes string[]
- failCicd boolean - Indicates if CI/CD failures will fail the image.
- forbiddenLabels KubernetesAssurancePolicyForbiddenLabel[]
- forbiddenLabelsEnabled boolean
- forceMicroenforcer boolean
- functionIntegrityEnabled boolean
- ignoreBaseImageVln boolean
- ignoreRecentlyPublishedVln boolean
- ignoreRecentlyPublishedVlnPeriod number
- ignoreRiskResourcesEnabled boolean - Indicates if risk resources are ignored.
- ignoredRiskResources string[] - List of ignored risk resources.
- ignoredSensitiveResources string[]
- images string[] - List of images.
- kubeCisEnabled boolean - Performs a Kubernetes CIS benchmark check for the host.
- kubernetesControls KubernetesAssurancePolicyKubernetesControl[] - List of Kubernetes controls.
- kubernetesControlsAvdIds string[]
- kubernetesControlsNames string[] - List of Kubernetes control names. Available controls: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'.
- labels string[] - List of labels.
- lastupdate string
- linuxCisEnabled boolean
- malwareAction string
- maximumScore number - Value of allowed maximum score.
- maximumScoreEnabled boolean - Indicates if exceeding the maximum score is scanned.
- maximumScoreExcludeNoFix boolean - Indicates that the policy should ignore cases that do not have a known fix.
- monitoredMalwarePaths string[]
- name string
- onlyNoneRootUsers boolean - Indicates if a warning is raised for images that should only be run as root.
- openshiftHardeningEnabled boolean
- packagesBlackListEnabled boolean - Indicates if the package blacklist is relevant.
- packagesBlackLists KubernetesAssurancePolicyPackagesBlackList[] - List of blacklisted packages.
- packagesWhiteListEnabled boolean - Indicates if the package whitelist is relevant.
- packagesWhiteLists KubernetesAssurancePolicyPackagesWhiteList[] - List of whitelisted packages.
- partialResultsImageFail boolean
- permission string
- policySettings KubernetesAssurancePolicyPolicySettings
- readOnly boolean
- registries string[] - List of registries.
- registry string
- requiredLabels KubernetesAssurancePolicyRequiredLabel[]
- requiredLabelsEnabled boolean
- scanMalwareInArchives boolean
- scanNfsMounts boolean
- scanProcessMemory boolean
- scanSensitiveData boolean - Indicates if the scan should include sensitive data in the image.
- scanWindowsRegistry boolean
- scapEnabled boolean - Indicates if scanning should include SCAP.
- scapFiles string[] - List of SCAP user scripts for checks.
- scopes KubernetesAssurancePolicyScope[]
- trustedBaseImages KubernetesAssurancePolicyTrustedBaseImage[] - List of trusted images.
- trustedBaseImagesEnabled boolean - Indicates if the list of trusted base images is relevant.
- vulnerabilityExploitability boolean
- vulnerabilityScoreRanges number[]
- whitelistedLicenses string[] - List of whitelisted licenses.
- whitelistedLicensesEnabled boolean - Indicates if the license whitelist is relevant.
Python
- aggregated_vulnerability Mapping[str, str] - Aggregated vulnerability information.
- allowed_images Sequence[str] - List of explicitly allowed images.
- application_scopes Sequence[str]
- assurance_type str - What type of assurance policy is described.
- audit_on_failure bool - Indicates if failures are audited.
- author str - Name of the user account that created the policy.
- auto_scan_configured bool
- auto_scan_enabled bool
- auto_scan_times Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]
- blacklist_permissions Sequence[str] - List of the function's forbidden permissions.
- blacklist_permissions_enabled bool - Indicates if the permissions blacklist is relevant.
- blacklisted_licenses Sequence[str] - List of blacklisted licenses.
- blacklisted_licenses_enabled bool - Indicates if the license blacklist is relevant.
- block_failed bool - Indicates if failed images are blocked.
- control_exclude_no_fix bool
- custom_checks Sequence[KubernetesAssurancePolicyCustomCheckArgs] - List of custom user scripts for checks.
- custom_checks_enabled bool - Indicates if scanning should include custom checks.
- custom_severity str
- custom_severity_enabled bool
- cves_black_list_enabled bool - Indicates if the CVE blacklist is relevant.
- cves_black_lists Sequence[str] - List of blacklisted CVEs.
- cves_white_list_enabled bool - Indicates if the CVE whitelist is relevant.
- cves_white_lists Sequence[str] - List of whitelisted CVEs.
- cvss_severity str - Identifier of the CVSS severity.
- cvss_severity_enabled bool - Indicates if the CVSS severity is scanned.
- cvss_severity_exclude_no_fix bool - Indicates that the policy should ignore CVSS cases that do not have a known fix.
- description str
- disallow_exploit_types Sequence[str]
- disallow_malware bool - Indicates if malware should block the image.
- docker_cis_enabled bool - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain str - Name of the container image.
- domain_name str
- dta_enabled bool
- dta_severity str
- enabled bool
- enforce bool
- enforce_after_days int
- enforce_excessive_permissions bool
- exceptional_monitored_malware_paths Sequence[str]
- exclude_application_scopes Sequence[str]
- fail_cicd bool - Indicates if CI/CD failures will fail the image.
- forbidden_labels Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]
- forbidden_labels_enabled bool
- force_microenforcer bool
- function_integrity_enabled bool
- ignore_base_image_vln bool
- ignore_recently_published_vln bool
- ignore_recently_published_vln_period int
- ignore_risk_resources_enabled bool - Indicates if risk resources are ignored.
- ignored_risk_resources Sequence[str] - List of ignored risk resources.
- ignored_sensitive_resources Sequence[str]
- images Sequence[str] - List of images.
- kube_cis_enabled bool - Performs a Kubernetes CIS benchmark check for the host.
- kubernetes_controls Sequence[KubernetesAssurancePolicyKubernetesControlArgs] - List of Kubernetes controls.
- kubernetes_controls_avd_ids Sequence[str]
- kubernetes_controls_names Sequence[str] - List of Kubernetes control names. Available controls: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'.
- labels Sequence[str] - List of labels.
- lastupdate str
- linux_cis_enabled bool
- malware_action str
- maximum_score float - Value of allowed maximum score.
- maximum_score_enabled bool - Indicates if exceeding the maximum score is scanned.
- maximum_score_exclude_no_fix bool - Indicates that the policy should ignore cases that do not have a known fix.
- monitored_malware_paths Sequence[str]
- name str
- only_none_root_users bool - Indicates if a warning is raised for images that should only be run as root.
- openshift_hardening_enabled bool
- packages_black_list_enabled bool - Indicates if the package blacklist is relevant.
- packages_black_lists Sequence[KubernetesAssurancePolicyPackagesBlackListArgs] - List of blacklisted packages.
- packages_white_list_enabled bool - Indicates if the package whitelist is relevant.
- packages_white_lists Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs] - List of whitelisted packages.
- partial_results_image_fail bool
- permission str
- policy_settings KubernetesAssurancePolicyPolicySettingsArgs
- read_only bool
- registries Sequence[str] - List of registries.
- registry str
- required_labels Sequence[KubernetesAssurancePolicyRequiredLabelArgs]
- required_labels_enabled bool
- scan_malware_in_archives bool
- scan_nfs_mounts bool
- scan_process_memory bool
- scan_sensitive_data bool - Indicates if the scan should include sensitive data in the image.
- scan_windows_registry bool
- scap_enabled bool - Indicates if scanning should include SCAP.
- scap_files Sequence[str] - List of SCAP user scripts for checks.
- scopes Sequence[KubernetesAssurancePolicyScopeArgs]
- trusted_base_images Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs] - List of trusted images.
- trusted_base_images_enabled bool - Indicates if the list of trusted base images is relevant.
- vulnerability_exploitability bool
- vulnerability_score_ranges Sequence[int]
- whitelisted_licenses Sequence[str] - List of whitelisted licenses.
- whitelisted_licenses_enabled bool - Indicates if the license whitelist is relevant.
YAML
- aggregatedVulnerability Map<String> - Aggregated vulnerability information.
- allowedImages List<String> - List of explicitly allowed images.
- applicationScopes List<String>
- assuranceType String - What type of assurance policy is described.
- auditOnFailure Boolean - Indicates if failures are audited.
- author String - Name of the user account that created the policy.
- autoScanConfigured Boolean
- autoScanEnabled Boolean
- autoScanTimes List<Property Map>
- blacklistPermissions List<String> - List of the function's forbidden permissions.
- blacklistPermissionsEnabled Boolean - Indicates if the permissions blacklist is relevant.
- blacklistedLicenses List<String> - List of blacklisted licenses.
- blacklistedLicensesEnabled Boolean - Indicates if the license blacklist is relevant.
- blockFailed Boolean - Indicates if failed images are blocked.
- controlExcludeNoFix Boolean
- customChecks List<Property Map> - List of custom user scripts for checks.
- customChecksEnabled Boolean - Indicates if scanning should include custom checks.
- customSeverity String
- customSeverityEnabled Boolean
- cvesBlackListEnabled Boolean - Indicates if the CVE blacklist is relevant.
- cvesBlackLists List<String> - List of blacklisted CVEs.
- cvesWhiteListEnabled Boolean - Indicates if the CVE whitelist is relevant.
- cvesWhiteLists List<String> - List of whitelisted CVEs.
- cvssSeverity String - Identifier of the CVSS severity.
- cvssSeverityEnabled Boolean - Indicates if the CVSS severity is scanned.
- cvssSeverityExcludeNoFix Boolean - Indicates that the policy should ignore CVSS cases that do not have a known fix.
- description String
- disallowExploitTypes List<String>
- disallowMalware Boolean - Indicates if malware should block the image.
- dockerCisEnabled Boolean - Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
- domain String - Name of the container image.
- domainName String
- dtaEnabled Boolean
- dtaSeverity String
- enabled Boolean
- enforce Boolean
- enforceAfterDays Number
- enforceExcessivePermissions Boolean
- exceptionalMonitoredMalwarePaths List<String>
- excludeApplicationScopes List<String>
- failCicd Boolean - Indicates if CI/CD failures will fail the image.
- forbiddenLabels List<Property Map>
- forbiddenLabelsEnabled Boolean
- forceMicroenforcer Boolean
- functionIntegrityEnabled Boolean
- ignoreBaseImageVln Boolean
- ignoreRecentlyPublishedVln Boolean
- ignoreRecentlyPublishedVlnPeriod Number
- ignoreRiskResourcesEnabled Boolean - Indicates if risk resources are ignored.
- ignoredRiskResources List<String> - List of ignored risk resources.
- ignoredSensitiveResources List<String>
- images List<String> - List of images.
- kubeCisEnabled Boolean - Performs a Kubernetes CIS benchmark check for the host.
- kubernetesControls List<Property Map> - List of Kubernetes controls.
- kubernetesControlsAvdIds List<String>
- kubernetesControlsNames List<String> - List of Kubernetes control names. Available controls: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'.
- labels List<String> - List of labels.
- lastupdate String
- linuxCisEnabled Boolean
- malwareAction String
- maximumScore Number - Value of allowed maximum score.
- maximumScoreEnabled Boolean - Indicates if exceeding the maximum score is scanned.
- maximumScoreExcludeNoFix Boolean - Indicates that the policy should ignore cases that do not have a known fix.
- monitoredMalwarePaths List<String>
- name String
- onlyNoneRootUsers Boolean - Indicates if a warning is raised for images that should only be run as root.
- openshiftHardeningEnabled Boolean
- packagesBlackListEnabled Boolean - Indicates if the package blacklist is relevant.
- packagesBlackLists List<Property Map> - List of blacklisted packages.
- packagesWhiteListEnabled Boolean - Indicates if the package whitelist is relevant.
- packagesWhiteLists List<Property Map> - List of whitelisted packages.
- partialResultsImageFail Boolean
- permission String
- policySettings Property Map
- readOnly Boolean
- registries List<String> - List of registries.
- registry String
- requiredLabels List<Property Map>
- requiredLabelsEnabled Boolean
- scanMalwareInArchives Boolean
- scanNfsMounts Boolean
- scanProcessMemory Boolean
- scanSensitiveData Boolean - Indicates if the scan should include sensitive data in the image.
- scanWindowsRegistry Boolean
- scapEnabled Boolean - Indicates if scanning should include SCAP.
- scapFiles List<String> - List of SCAP user scripts for checks.
- scopes List<Property Map>
- trustedBaseImages List<Property Map> - List of trusted images.
- trustedBaseImagesEnabled Boolean - Indicates if the list of trusted base images is relevant.
- vulnerabilityExploitability Boolean
- vulnerabilityScoreRanges List<Number>
- whitelistedLicenses List<String> - List of whitelisted licenses.
- whitelistedLicensesEnabled Boolean - Indicates if the license whitelist is relevant.
Supporting Types
KubernetesAssurancePolicyAutoScanTime, KubernetesAssurancePolicyAutoScanTimeArgs
C#
- Iteration int
- IterationType string
- Time string
- WeekDays List<string>
Go
- Iteration int
- IterationType string
- Time string
- WeekDays []string
Java
- iteration Integer
- iterationType String
- time String
- weekDays List<String>
TypeScript
- iteration number
- iterationType string
- time string
- weekDays string[]
Python
- iteration int
- iteration_type str
- time str
- week_days Sequence[str]
YAML
- iteration Number
- iterationType String
- time String
- weekDays List<String>
KubernetesAssurancePolicyCustomCheck, KubernetesAssurancePolicyCustomCheckArgs
C#
- Author string - Name of the user account that created the check.
- Description string
- Engine string
- LastModified int
- Name string
- Path string
- ReadOnly bool
- ScriptId string
- Severity string
- Snippet string
Go
- Author string - Name of the user account that created the check.
- Description string
- Engine string
- LastModified int
- Name string
- Path string
- ReadOnly bool
- ScriptId string
- Severity string
- Snippet string
Java
- author String - Name of the user account that created the check.
- description String
- engine String
- lastModified Integer
- name String
- path String
- readOnly Boolean
- scriptId String
- severity String
- snippet String
TypeScript
- author string - Name of the user account that created the check.
- description string
- engine string
- lastModified number
- name string
- path string
- readOnly boolean
- scriptId string
- severity string
- snippet string
Python
- author str - Name of the user account that created the check.
- description str
- engine str
- last_modified int
- name str
- path str
- read_only bool
- script_id str
- severity str
- snippet str
YAML
- author String - Name of the user account that created the check.
- description String
- engine String
- lastModified Number
- name String
- path String
- readOnly Boolean
- scriptId String
- severity String
- snippet String
KubernetesAssurancePolicyForbiddenLabel, KubernetesAssurancePolicyForbiddenLabelArgs
KubernetesAssurancePolicyKubernetesControl, KubernetesAssurancePolicyKubernetesControlArgs
KubernetesAssurancePolicyPackagesBlackList, KubernetesAssurancePolicyPackagesBlackListArgs
KubernetesAssurancePolicyPackagesWhiteList, KubernetesAssurancePolicyPackagesWhiteListArgs
KubernetesAssurancePolicyPolicySettings, KubernetesAssurancePolicyPolicySettingsArgs
C#
- Enforce bool
- IsAuditChecked bool
- Warn bool
- WarningMessage string
Go
- Enforce bool
- IsAuditChecked bool
- Warn bool
- WarningMessage string
Java
- enforce Boolean
- isAuditChecked Boolean
- warn Boolean
- warningMessage String
TypeScript
- enforce boolean
- isAuditChecked boolean
- warn boolean
- warningMessage string
Python
- enforce bool
- is_audit_checked bool
- warn bool
- warning_message str
YAML
- enforce Boolean
- isAuditChecked Boolean
- warn Boolean
- warningMessage String
KubernetesAssurancePolicyRequiredLabel, KubernetesAssurancePolicyRequiredLabelArgs
KubernetesAssurancePolicyScope, KubernetesAssurancePolicyScopeArgs
KubernetesAssurancePolicyScopeVariable, KubernetesAssurancePolicyScopeVariableArgs
KubernetesAssurancePolicyTrustedBaseImage, KubernetesAssurancePolicyTrustedBaseImageArgs
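The following is an added example, not code from the pulumiverse/pulumi-aquasec project or from Aqua. It shows how the properties documented above fit together for a pod-hardening policy: a fixed set of `kubernetes_controls_names` covering privileged mode, host namespaces, hostPath and docker.sock mounts, CAP_SYS_ADMIN, root and missing seccomp; `enforce`, `block_failed` and `fail_cicd` driven from a single flag so a policy can be rolled out in audit mode first; and `policy_settings` kept consistent with those flags. Control names are matched by the Aqua API as literal strings, so the helper rejects anything not in the list on this page before `pulumi up` rather than leaving a policy that silently enforces nothing. The choice of baseline controls, the `Global` application scope default, and the mapping of the single `enforce` flag onto `block_failed`/`fail_cicd`/`warn` are this example's assumptions, not provider defaults. The Pulumi resource is only constructed when `pulumi_aquasec` is importable, so the argument-building helpers run and can be tested without a Pulumi runtime.

```python
"""Added example (not pulumi-aquasec code): hardened baseline KubernetesAssurancePolicy."""
from typing import Any, Dict, Iterable, List, Optional

# Control names exactly as listed under kubernetes_controls_names on this page (case-sensitive).
DOCUMENTED_CONTROL_NAMES = frozenset([
    "Access to host IPC namespace", "Access to host PID", "Access to host network",
    "Access to host ports", "All container images must start with a GCR domain",
    "All container images must start with an ECR domain",
    "All container images must start with the *.azurecr.io domain",
    "CPU not limited", "CPU requests not specified", "Can elevate its own privileges",
    "ConfigMap with secrets", "ConfigMap with sensitive content",
    "Container images from public registries used",
    "Default capabilitiessome containers do not drop all",
    "Default capabilitiessome containers do not drop any",
    "Delete pod logs", "Exec into Pods", "Image tag :latest used",
    "Manage EKS IAM Auth ConfigMap", "Manage Kubernetes RBAC resources",
    "Manage Kubernetes networking", "Manage Kubernetes workloads and pods",
    "Manage all resources", "Manage all resources at the namespace", "Manage configmaps",
    "Manage namespace secrets", "Manage secrets", "Manage webhookconfigurations",
    "Manages /etc/hosts", "Memory not limited", "Memory requests not specified",
    "Non-core volume types used.", "Non-default /proc masks set", "Privileged",
    "Root file system is not read-only", "Runs as root user", "Runs with GID <= 10000",
    "Runs with UID <= 10000", "Runs with a root primary or supplementary GID",
    "Runtime/Default AppArmor profile not set", "Runtime/Default Seccomp profile not set",
    "SELinux custom options set", "SYS_ADMIN capability added", "Seccomp policies disabled",
    "Service with External IP", "Specific capabilities added", "Unsafe sysctl options set",
    "User with admin access", "Workloads in the default namespace",
    "hostPath volume mounted with docker.sock", "hostPath volumes mounted",
])

# Baseline chosen for this example: the controls that close the usual pod-to-node escape
# paths (privileged mode, host namespaces, runtime socket, CAP_SYS_ADMIN, root, no seccomp).
BASELINE_CONTROLS: List[str] = [
    "Privileged", "Can elevate its own privileges",
    "Access to host PID", "Access to host IPC namespace", "Access to host network",
    "hostPath volume mounted with docker.sock", "hostPath volumes mounted",
    "SYS_ADMIN capability added", "Runs as root user",
    "Root file system is not read-only", "Runtime/Default Seccomp profile not set",
    "Unsafe sysctl options set",
]


def unknown_control_names(names: Iterable[str]) -> List[str]:
    """Names that do not match the documented list exactly (a typo would match nothing)."""
    return [n for n in names if n not in DOCUMENTED_CONTROL_NAMES]


def build_policy_args(name: str, controls: Iterable[str], enforce: bool,
                      application_scopes: Optional[List[str]] = None,
                      description: str = "") -> Dict[str, Any]:
    """Keyword arguments for the KubernetesAssurancePolicy constructor.

    enforce=False: audit-only (warn + audit, nothing blocked), the safe first rollout.
    enforce=True: workloads failing any selected control are blocked and CI/CD fails.
    """
    controls = list(dict.fromkeys(controls))  # de-duplicate, keep order
    bad = unknown_control_names(controls)
    if bad:
        raise ValueError(f"unknown kubernetes control name(s): {bad}")
    if not controls:
        raise ValueError("a policy with no controls enforces nothing")
    return {
        "name": name,
        "description": description,
        "application_scopes": application_scopes or ["Global"],  # assumed default scope name
        "kubernetes_controls_names": controls,
        "enabled": True,
        "enforce": enforce,
        "block_failed": enforce,
        "audit_on_failure": True,
        "fail_cicd": enforce,
        # Keep policy_settings consistent with the top-level flags; warn only in audit mode.
        "policy_settings": {
            "enforce": enforce,
            "is_audit_checked": True,
            "warn": not enforce,
            "warning_message": "" if enforce else f"Workload violates assurance policy {name}",
        },
    }


def create_policy(resource_name: str, **kwargs: Any):
    """Construct the Pulumi resource when pulumi_aquasec is installed; otherwise return None."""
    try:
        import pulumi_aquasec  # type: ignore
    except ImportError:
        return None
    return pulumi_aquasec.KubernetesAssurancePolicy(resource_name, **kwargs)


if __name__ == "__main__":
    args = build_policy_args("pod-hardening-baseline", BASELINE_CONTROLS, enforce=False,
                             description="Audit-mode pod hardening baseline")
    create_policy("pod-hardening-baseline", **args)
```

Run it in audit mode first, review what Aqua reports under `audit_on_failure`, then flip `enforce=True` once the exceptions (for example, a CNI or node agent DaemonSet that legitimately needs host networking) have been moved into their own application scope with a narrower policy.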
Package Details
- Repository: aquasec pulumiverse/pulumi-aquasec
- License: Apache-2.0
- Notes: This Pulumi package is based on the aquasec Terraform Provider.