Aquasec v0.8.27, Jan 29 24

Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse

aquasec.KubernetesAssurancePolicy

Explore with Pulumi AI

Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse

Create KubernetesAssurancePolicy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new KubernetesAssurancePolicy(name: string, args: KubernetesAssurancePolicyArgs, opts?: CustomResourceOptions);

@overload
def KubernetesAssurancePolicy(resource_name: str,
                              args: KubernetesAssurancePolicyArgs,
                              opts: Optional[ResourceOptions] = None)

@overload
def KubernetesAssurancePolicy(resource_name: str,
                              opts: Optional[ResourceOptions] = None,
                              application_scopes: Optional[Sequence[str]] = None,
                              aggregated_vulnerability: Optional[Mapping[str, str]] = None,
                              allowed_images: Optional[Sequence[str]] = None,
                              assurance_type: Optional[str] = None,
                              audit_on_failure: Optional[bool] = None,
                              author: Optional[str] = None,
                              auto_scan_configured: Optional[bool] = None,
                              auto_scan_enabled: Optional[bool] = None,
                              auto_scan_times: Optional[Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]] = None,
                              blacklist_permissions: Optional[Sequence[str]] = None,
                              blacklist_permissions_enabled: Optional[bool] = None,
                              blacklisted_licenses: Optional[Sequence[str]] = None,
                              blacklisted_licenses_enabled: Optional[bool] = None,
                              block_failed: Optional[bool] = None,
                              control_exclude_no_fix: Optional[bool] = None,
                              custom_checks: Optional[Sequence[KubernetesAssurancePolicyCustomCheckArgs]] = None,
                              custom_checks_enabled: Optional[bool] = None,
                              custom_severity: Optional[str] = None,
                              custom_severity_enabled: Optional[bool] = None,
                              cves_black_list_enabled: Optional[bool] = None,
                              cves_black_lists: Optional[Sequence[str]] = None,
                              cves_white_list_enabled: Optional[bool] = None,
                              cves_white_lists: Optional[Sequence[str]] = None,
                              cvss_severity: Optional[str] = None,
                              cvss_severity_enabled: Optional[bool] = None,
                              cvss_severity_exclude_no_fix: Optional[bool] = None,
                              description: Optional[str] = None,
                              disallow_exploit_types: Optional[Sequence[str]] = None,
                              disallow_malware: Optional[bool] = None,
                              docker_cis_enabled: Optional[bool] = None,
                              domain: Optional[str] = None,
                              domain_name: Optional[str] = None,
                              dta_enabled: Optional[bool] = None,
                              dta_severity: Optional[str] = None,
                              enabled: Optional[bool] = None,
                              enforce: Optional[bool] = None,
                              enforce_after_days: Optional[int] = None,
                              enforce_excessive_permissions: Optional[bool] = None,
                              exceptional_monitored_malware_paths: Optional[Sequence[str]] = None,
                              exclude_application_scopes: Optional[Sequence[str]] = None,
                              fail_cicd: Optional[bool] = None,
                              forbidden_labels: Optional[Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]] = None,
                              forbidden_labels_enabled: Optional[bool] = None,
                              force_microenforcer: Optional[bool] = None,
                              function_integrity_enabled: Optional[bool] = None,
                              ignore_base_image_vln: Optional[bool] = None,
                              ignore_recently_published_vln: Optional[bool] = None,
                              ignore_recently_published_vln_period: Optional[int] = None,
                              ignore_risk_resources_enabled: Optional[bool] = None,
                              ignored_risk_resources: Optional[Sequence[str]] = None,
                              ignored_sensitive_resources: Optional[Sequence[str]] = None,
                              images: Optional[Sequence[str]] = None,
                              kube_cis_enabled: Optional[bool] = None,
                              kubernetes_controls: Optional[Sequence[KubernetesAssurancePolicyKubernetesControlArgs]] = None,
                              kubernetes_controls_avd_ids: Optional[Sequence[str]] = None,
                              kubernetes_controls_names: Optional[Sequence[str]] = None,
                              labels: Optional[Sequence[str]] = None,
                              lastupdate: Optional[str] = None,
                              linux_cis_enabled: Optional[bool] = None,
                              malware_action: Optional[str] = None,
                              maximum_score: Optional[float] = None,
                              maximum_score_enabled: Optional[bool] = None,
                              maximum_score_exclude_no_fix: Optional[bool] = None,
                              monitored_malware_paths: Optional[Sequence[str]] = None,
                              name: Optional[str] = None,
                              only_none_root_users: Optional[bool] = None,
                              openshift_hardening_enabled: Optional[bool] = None,
                              packages_black_list_enabled: Optional[bool] = None,
                              packages_black_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]] = None,
                              packages_white_list_enabled: Optional[bool] = None,
                              packages_white_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]] = None,
                              partial_results_image_fail: Optional[bool] = None,
                              permission: Optional[str] = None,
                              policy_settings: Optional[KubernetesAssurancePolicyPolicySettingsArgs] = None,
                              read_only: Optional[bool] = None,
                              registries: Optional[Sequence[str]] = None,
                              registry: Optional[str] = None,
                              required_labels: Optional[Sequence[KubernetesAssurancePolicyRequiredLabelArgs]] = None,
                              required_labels_enabled: Optional[bool] = None,
                              scan_malware_in_archives: Optional[bool] = None,
                              scan_nfs_mounts: Optional[bool] = None,
                              scan_process_memory: Optional[bool] = None,
                              scan_sensitive_data: Optional[bool] = None,
                              scan_windows_registry: Optional[bool] = None,
                              scap_enabled: Optional[bool] = None,
                              scap_files: Optional[Sequence[str]] = None,
                              scopes: Optional[Sequence[KubernetesAssurancePolicyScopeArgs]] = None,
                              trusted_base_images: Optional[Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]] = None,
                              trusted_base_images_enabled: Optional[bool] = None,
                              vulnerability_exploitability: Optional[bool] = None,
                              vulnerability_score_ranges: Optional[Sequence[int]] = None,
                              whitelisted_licenses: Optional[Sequence[str]] = None,
                              whitelisted_licenses_enabled: Optional[bool] = None)

func NewKubernetesAssurancePolicy(ctx *Context, name string, args KubernetesAssurancePolicyArgs, opts ...ResourceOption) (*KubernetesAssurancePolicy, error)

public KubernetesAssurancePolicy(string name, KubernetesAssurancePolicyArgs args, CustomResourceOptions? opts = null)

public KubernetesAssurancePolicy(String name, KubernetesAssurancePolicyArgs args)
public KubernetesAssurancePolicy(String name, KubernetesAssurancePolicyArgs args, CustomResourceOptions options)

type: aquasec:KubernetesAssurancePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args KubernetesAssurancePolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args KubernetesAssurancePolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args KubernetesAssurancePolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args KubernetesAssurancePolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args KubernetesAssurancePolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var kubernetesAssurancePolicyResource = new Aquasec.KubernetesAssurancePolicy("kubernetesAssurancePolicyResource", new()
{
    ApplicationScopes = new[]
    {
        "string",
    },
    AggregatedVulnerability = 
    {
        { "string", "string" },
    },
    AllowedImages = new[]
    {
        "string",
    },
    AssuranceType = "string",
    AuditOnFailure = false,
    Author = "string",
    AutoScanConfigured = false,
    AutoScanEnabled = false,
    AutoScanTimes = new[]
    {
        new Aquasec.Inputs.KubernetesAssurancePolicyAutoScanTimeArgs
        {
            Iteration = 0,
            IterationType = "string",
            Time = "string",
            WeekDays = new[]
            {
                "string",
            },
        },
    },
    BlacklistPermissions = new[]
    {
        "string",
    },
    BlacklistPermissionsEnabled = false,
    BlacklistedLicenses = new[]
    {
        "string",
    },
    BlacklistedLicensesEnabled = false,
    BlockFailed = false,
    ControlExcludeNoFix = false,
    CustomChecks = new[]
    {
        new Aquasec.Inputs.KubernetesAssurancePolicyCustomCheckArgs
        {
            Author = "string",
            Description = "string",
            Engine = "string",
            LastModified = 0,
            Name = "string",
            Path = "string",
            ReadOnly = false,
            ScriptId = "string",
            Severity = "string",
            Snippet = "string",
        },
    },
    CustomChecksEnabled = false,
    CustomSeverity = "string",
    CustomSeverityEnabled = false,
    CvesBlackListEnabled = false,
    CvesBlackLists = new[]
    {
        "string",
    },
    CvesWhiteListEnabled = false,
    CvesWhiteLists = new[]
    {
        "string",
    },
    CvssSeverity = "string",
    CvssSeverityEnabled = false,
    CvssSeverityExcludeNoFix = false,
    Description = "string",
    DisallowExploitTypes = new[]
    {
        "string",
    },
    DisallowMalware = false,
    DockerCisEnabled = false,
    Domain = "string",
    DomainName = "string",
    DtaEnabled = false,
    DtaSeverity = "string",
    Enabled = false,
    Enforce = false,
    EnforceAfterDays = 0,
    EnforceExcessivePermissions = false,
    ExceptionalMonitoredMalwarePaths = new[]
    {
        "string",
    },
    ExcludeApplicationScopes = new[]
    {
        "string",
    },
    FailCicd = false,
    ForbiddenLabels = new[]
    {
        new Aquasec.Inputs.KubernetesAssurancePolicyForbiddenLabelArgs
        {
            Key = "string",
            Value = "string",
        },
    },
    ForbiddenLabelsEnabled = false,
    ForceMicroenforcer = false,
    FunctionIntegrityEnabled = false,
    IgnoreBaseImageVln = false,
    IgnoreRecentlyPublishedVln = false,
    IgnoreRecentlyPublishedVlnPeriod = 0,
    IgnoreRiskResourcesEnabled = false,
    IgnoredRiskResources = new[]
    {
        "string",
    },
    IgnoredSensitiveResources = new[]
    {
        "string",
    },
    Images = new[]
    {
        "string",
    },
    KubeCisEnabled = false,
    KubernetesControls = new[]
    {
        new Aquasec.Inputs.KubernetesAssurancePolicyKubernetesControlArgs
        {
            AvdId = "string",
            Description = "string",
            Enabled = false,
            Kind = "string",
            Name = "string",
            Ootb = false,
            ScriptId = 0,
            Severity = "string",
        },
    },
    KubernetesControlsAvdIds = new[]
    {
        "string",
    },
    KubernetesControlsNames = new[]
    {
        "string",
    },
    Labels = new[]
    {
        "string",
    },
    Lastupdate = "string",
    LinuxCisEnabled = false,
    MalwareAction = "string",
    MaximumScore = 0,
    MaximumScoreEnabled = false,
    MaximumScoreExcludeNoFix = false,
    MonitoredMalwarePaths = new[]
    {
        "string",
    },
    Name = "string",
    OnlyNoneRootUsers = false,
    OpenshiftHardeningEnabled = false,
    PackagesBlackListEnabled = false,
    PackagesBlackLists = new[]
    {
        new Aquasec.Inputs.KubernetesAssurancePolicyPackagesBlackListArgs
        {
            Arch = "string",
            Display = "string",
            Epoch = "string",
            Format = "string",
            License = "string",
            Name = "string",
            Release = "string",
            Version = "string",
            VersionRange = "string",
        },
    },
    PackagesWhiteListEnabled = false,
    PackagesWhiteLists = new[]
    {
        new Aquasec.Inputs.KubernetesAssurancePolicyPackagesWhiteListArgs
        {
            Arch = "string",
            Display = "string",
            Epoch = "string",
            Format = "string",
            License = "string",
            Name = "string",
            Release = "string",
            Version = "string",
            VersionRange = "string",
        },
    },
    PartialResultsImageFail = false,
    Permission = "string",
    PolicySettings = new Aquasec.Inputs.KubernetesAssurancePolicyPolicySettingsArgs
    {
        Enforce = false,
        IsAuditChecked = false,
        Warn = false,
        WarningMessage = "string",
    },
    ReadOnly = false,
    Registries = new[]
    {
        "string",
    },
    Registry = "string",
    RequiredLabels = new[]
    {
        new Aquasec.Inputs.KubernetesAssurancePolicyRequiredLabelArgs
        {
            Key = "string",
            Value = "string",
        },
    },
    RequiredLabelsEnabled = false,
    ScanMalwareInArchives = false,
    ScanNfsMounts = false,
    ScanProcessMemory = false,
    ScanSensitiveData = false,
    ScanWindowsRegistry = false,
    ScapEnabled = false,
    ScapFiles = new[]
    {
        "string",
    },
    Scopes = new[]
    {
        new Aquasec.Inputs.KubernetesAssurancePolicyScopeArgs
        {
            Expression = "string",
            Variables = new[]
            {
                new Aquasec.Inputs.KubernetesAssurancePolicyScopeVariableArgs
                {
                    Attribute = "string",
                    Name = "string",
                    Value = "string",
                },
            },
        },
    },
    TrustedBaseImages = new[]
    {
        new Aquasec.Inputs.KubernetesAssurancePolicyTrustedBaseImageArgs
        {
            Imagename = "string",
            Registry = "string",
        },
    },
    TrustedBaseImagesEnabled = false,
    VulnerabilityExploitability = false,
    VulnerabilityScoreRanges = new[]
    {
        0,
    },
    WhitelistedLicenses = new[]
    {
        "string",
    },
    WhitelistedLicensesEnabled = false,
});

example, err := aquasec.NewKubernetesAssurancePolicy(ctx, "kubernetesAssurancePolicyResource", &aquasec.KubernetesAssurancePolicyArgs{
	ApplicationScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	AggregatedVulnerability: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	AllowedImages: pulumi.StringArray{
		pulumi.String("string"),
	},
	AssuranceType:      pulumi.String("string"),
	AuditOnFailure:     pulumi.Bool(false),
	Author:             pulumi.String("string"),
	AutoScanConfigured: pulumi.Bool(false),
	AutoScanEnabled:    pulumi.Bool(false),
	AutoScanTimes: aquasec.KubernetesAssurancePolicyAutoScanTimeArray{
		&aquasec.KubernetesAssurancePolicyAutoScanTimeArgs{
			Iteration:     pulumi.Int(0),
			IterationType: pulumi.String("string"),
			Time:          pulumi.String("string"),
			WeekDays: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	BlacklistPermissions: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlacklistPermissionsEnabled: pulumi.Bool(false),
	BlacklistedLicenses: pulumi.StringArray{
		pulumi.String("string"),
	},
	BlacklistedLicensesEnabled: pulumi.Bool(false),
	BlockFailed:                pulumi.Bool(false),
	ControlExcludeNoFix:        pulumi.Bool(false),
	CustomChecks: aquasec.KubernetesAssurancePolicyCustomCheckArray{
		&aquasec.KubernetesAssurancePolicyCustomCheckArgs{
			Author:       pulumi.String("string"),
			Description:  pulumi.String("string"),
			Engine:       pulumi.String("string"),
			LastModified: pulumi.Int(0),
			Name:         pulumi.String("string"),
			Path:         pulumi.String("string"),
			ReadOnly:     pulumi.Bool(false),
			ScriptId:     pulumi.String("string"),
			Severity:     pulumi.String("string"),
			Snippet:      pulumi.String("string"),
		},
	},
	CustomChecksEnabled:   pulumi.Bool(false),
	CustomSeverity:        pulumi.String("string"),
	CustomSeverityEnabled: pulumi.Bool(false),
	CvesBlackListEnabled:  pulumi.Bool(false),
	CvesBlackLists: pulumi.StringArray{
		pulumi.String("string"),
	},
	CvesWhiteListEnabled: pulumi.Bool(false),
	CvesWhiteLists: pulumi.StringArray{
		pulumi.String("string"),
	},
	CvssSeverity:             pulumi.String("string"),
	CvssSeverityEnabled:      pulumi.Bool(false),
	CvssSeverityExcludeNoFix: pulumi.Bool(false),
	Description:              pulumi.String("string"),
	DisallowExploitTypes: pulumi.StringArray{
		pulumi.String("string"),
	},
	DisallowMalware:             pulumi.Bool(false),
	DockerCisEnabled:            pulumi.Bool(false),
	Domain:                      pulumi.String("string"),
	DomainName:                  pulumi.String("string"),
	DtaEnabled:                  pulumi.Bool(false),
	DtaSeverity:                 pulumi.String("string"),
	Enabled:                     pulumi.Bool(false),
	Enforce:                     pulumi.Bool(false),
	EnforceAfterDays:            pulumi.Int(0),
	EnforceExcessivePermissions: pulumi.Bool(false),
	ExceptionalMonitoredMalwarePaths: pulumi.StringArray{
		pulumi.String("string"),
	},
	ExcludeApplicationScopes: pulumi.StringArray{
		pulumi.String("string"),
	},
	FailCicd: pulumi.Bool(false),
	ForbiddenLabels: aquasec.KubernetesAssurancePolicyForbiddenLabelArray{
		&aquasec.KubernetesAssurancePolicyForbiddenLabelArgs{
			Key:   pulumi.String("string"),
			Value: pulumi.String("string"),
		},
	},
	ForbiddenLabelsEnabled:           pulumi.Bool(false),
	ForceMicroenforcer:               pulumi.Bool(false),
	FunctionIntegrityEnabled:         pulumi.Bool(false),
	IgnoreBaseImageVln:               pulumi.Bool(false),
	IgnoreRecentlyPublishedVln:       pulumi.Bool(false),
	IgnoreRecentlyPublishedVlnPeriod: pulumi.Int(0),
	IgnoreRiskResourcesEnabled:       pulumi.Bool(false),
	IgnoredRiskResources: pulumi.StringArray{
		pulumi.String("string"),
	},
	IgnoredSensitiveResources: pulumi.StringArray{
		pulumi.String("string"),
	},
	Images: pulumi.StringArray{
		pulumi.String("string"),
	},
	KubeCisEnabled: pulumi.Bool(false),
	KubernetesControls: aquasec.KubernetesAssurancePolicyKubernetesControlArray{
		&aquasec.KubernetesAssurancePolicyKubernetesControlArgs{
			AvdId:       pulumi.String("string"),
			Description: pulumi.String("string"),
			Enabled:     pulumi.Bool(false),
			Kind:        pulumi.String("string"),
			Name:        pulumi.String("string"),
			Ootb:        pulumi.Bool(false),
			ScriptId:    pulumi.Int(0),
			Severity:    pulumi.String("string"),
		},
	},
	KubernetesControlsAvdIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	KubernetesControlsNames: pulumi.StringArray{
		pulumi.String("string"),
	},
	Labels: pulumi.StringArray{
		pulumi.String("string"),
	},
	Lastupdate:               pulumi.String("string"),
	LinuxCisEnabled:          pulumi.Bool(false),
	MalwareAction:            pulumi.String("string"),
	MaximumScore:             pulumi.Float64(0),
	MaximumScoreEnabled:      pulumi.Bool(false),
	MaximumScoreExcludeNoFix: pulumi.Bool(false),
	MonitoredMalwarePaths: pulumi.StringArray{
		pulumi.String("string"),
	},
	Name:                      pulumi.String("string"),
	OnlyNoneRootUsers:         pulumi.Bool(false),
	OpenshiftHardeningEnabled: pulumi.Bool(false),
	PackagesBlackListEnabled:  pulumi.Bool(false),
	PackagesBlackLists: aquasec.KubernetesAssurancePolicyPackagesBlackListArray{
		&aquasec.KubernetesAssurancePolicyPackagesBlackListArgs{
			Arch:         pulumi.String("string"),
			Display:      pulumi.String("string"),
			Epoch:        pulumi.String("string"),
			Format:       pulumi.String("string"),
			License:      pulumi.String("string"),
			Name:         pulumi.String("string"),
			Release:      pulumi.String("string"),
			Version:      pulumi.String("string"),
			VersionRange: pulumi.String("string"),
		},
	},
	PackagesWhiteListEnabled: pulumi.Bool(false),
	PackagesWhiteLists: aquasec.KubernetesAssurancePolicyPackagesWhiteListArray{
		&aquasec.KubernetesAssurancePolicyPackagesWhiteListArgs{
			Arch:         pulumi.String("string"),
			Display:      pulumi.String("string"),
			Epoch:        pulumi.String("string"),
			Format:       pulumi.String("string"),
			License:      pulumi.String("string"),
			Name:         pulumi.String("string"),
			Release:      pulumi.String("string"),
			Version:      pulumi.String("string"),
			VersionRange: pulumi.String("string"),
		},
	},
	PartialResultsImageFail: pulumi.Bool(false),
	Permission:              pulumi.String("string"),
	PolicySettings: &aquasec.KubernetesAssurancePolicyPolicySettingsArgs{
		Enforce:        pulumi.Bool(false),
		IsAuditChecked: pulumi.Bool(false),
		Warn:           pulumi.Bool(false),
		WarningMessage: pulumi.String("string"),
	},
	ReadOnly: pulumi.Bool(false),
	Registries: pulumi.StringArray{
		pulumi.String("string"),
	},
	Registry: pulumi.String("string"),
	RequiredLabels: aquasec.KubernetesAssurancePolicyRequiredLabelArray{
		&aquasec.KubernetesAssurancePolicyRequiredLabelArgs{
			Key:   pulumi.String("string"),
			Value: pulumi.String("string"),
		},
	},
	RequiredLabelsEnabled: pulumi.Bool(false),
	ScanMalwareInArchives: pulumi.Bool(false),
	ScanNfsMounts:         pulumi.Bool(false),
	ScanProcessMemory:     pulumi.Bool(false),
	ScanSensitiveData:     pulumi.Bool(false),
	ScanWindowsRegistry:   pulumi.Bool(false),
	ScapEnabled:           pulumi.Bool(false),
	ScapFiles: pulumi.StringArray{
		pulumi.String("string"),
	},
	Scopes: aquasec.KubernetesAssurancePolicyScopeArray{
		&aquasec.KubernetesAssurancePolicyScopeArgs{
			Expression: pulumi.String("string"),
			Variables: aquasec.KubernetesAssurancePolicyScopeVariableArray{
				&aquasec.KubernetesAssurancePolicyScopeVariableArgs{
					Attribute: pulumi.String("string"),
					Name:      pulumi.String("string"),
					Value:     pulumi.String("string"),
				},
			},
		},
	},
	TrustedBaseImages: aquasec.KubernetesAssurancePolicyTrustedBaseImageArray{
		&aquasec.KubernetesAssurancePolicyTrustedBaseImageArgs{
			Imagename: pulumi.String("string"),
			Registry:  pulumi.String("string"),
		},
	},
	TrustedBaseImagesEnabled:    pulumi.Bool(false),
	VulnerabilityExploitability: pulumi.Bool(false),
	VulnerabilityScoreRanges: pulumi.IntArray{
		pulumi.Int(0),
	},
	WhitelistedLicenses: pulumi.StringArray{
		pulumi.String("string"),
	},
	WhitelistedLicensesEnabled: pulumi.Bool(false),
})

var kubernetesAssurancePolicyResource = new KubernetesAssurancePolicy("kubernetesAssurancePolicyResource", KubernetesAssurancePolicyArgs.builder()
    .applicationScopes("string")
    .aggregatedVulnerability(Map.of("string", "string"))
    .allowedImages("string")
    .assuranceType("string")
    .auditOnFailure(false)
    .author("string")
    .autoScanConfigured(false)
    .autoScanEnabled(false)
    .autoScanTimes(KubernetesAssurancePolicyAutoScanTimeArgs.builder()
        .iteration(0)
        .iterationType("string")
        .time("string")
        .weekDays("string")
        .build())
    .blacklistPermissions("string")
    .blacklistPermissionsEnabled(false)
    .blacklistedLicenses("string")
    .blacklistedLicensesEnabled(false)
    .blockFailed(false)
    .controlExcludeNoFix(false)
    .customChecks(KubernetesAssurancePolicyCustomCheckArgs.builder()
        .author("string")
        .description("string")
        .engine("string")
        .lastModified(0)
        .name("string")
        .path("string")
        .readOnly(false)
        .scriptId("string")
        .severity("string")
        .snippet("string")
        .build())
    .customChecksEnabled(false)
    .customSeverity("string")
    .customSeverityEnabled(false)
    .cvesBlackListEnabled(false)
    .cvesBlackLists("string")
    .cvesWhiteListEnabled(false)
    .cvesWhiteLists("string")
    .cvssSeverity("string")
    .cvssSeverityEnabled(false)
    .cvssSeverityExcludeNoFix(false)
    .description("string")
    .disallowExploitTypes("string")
    .disallowMalware(false)
    .dockerCisEnabled(false)
    .domain("string")
    .domainName("string")
    .dtaEnabled(false)
    .dtaSeverity("string")
    .enabled(false)
    .enforce(false)
    .enforceAfterDays(0)
    .enforceExcessivePermissions(false)
    .exceptionalMonitoredMalwarePaths("string")
    .excludeApplicationScopes("string")
    .failCicd(false)
    .forbiddenLabels(KubernetesAssurancePolicyForbiddenLabelArgs.builder()
        .key("string")
        .value("string")
        .build())
    .forbiddenLabelsEnabled(false)
    .forceMicroenforcer(false)
    .functionIntegrityEnabled(false)
    .ignoreBaseImageVln(false)
    .ignoreRecentlyPublishedVln(false)
    .ignoreRecentlyPublishedVlnPeriod(0)
    .ignoreRiskResourcesEnabled(false)
    .ignoredRiskResources("string")
    .ignoredSensitiveResources("string")
    .images("string")
    .kubeCisEnabled(false)
    .kubernetesControls(KubernetesAssurancePolicyKubernetesControlArgs.builder()
        .avdId("string")
        .description("string")
        .enabled(false)
        .kind("string")
        .name("string")
        .ootb(false)
        .scriptId(0)
        .severity("string")
        .build())
    .kubernetesControlsAvdIds("string")
    .kubernetesControlsNames("string")
    .labels("string")
    .lastupdate("string")
    .linuxCisEnabled(false)
    .malwareAction("string")
    .maximumScore(0)
    .maximumScoreEnabled(false)
    .maximumScoreExcludeNoFix(false)
    .monitoredMalwarePaths("string")
    .name("string")
    .onlyNoneRootUsers(false)
    .openshiftHardeningEnabled(false)
    .packagesBlackListEnabled(false)
    .packagesBlackLists(KubernetesAssurancePolicyPackagesBlackListArgs.builder()
        .arch("string")
        .display("string")
        .epoch("string")
        .format("string")
        .license("string")
        .name("string")
        .release("string")
        .version("string")
        .versionRange("string")
        .build())
    .packagesWhiteListEnabled(false)
    .packagesWhiteLists(KubernetesAssurancePolicyPackagesWhiteListArgs.builder()
        .arch("string")
        .display("string")
        .epoch("string")
        .format("string")
        .license("string")
        .name("string")
        .release("string")
        .version("string")
        .versionRange("string")
        .build())
    .partialResultsImageFail(false)
    .permission("string")
    .policySettings(KubernetesAssurancePolicyPolicySettingsArgs.builder()
        .enforce(false)
        .isAuditChecked(false)
        .warn(false)
        .warningMessage("string")
        .build())
    .readOnly(false)
    .registries("string")
    .registry("string")
    .requiredLabels(KubernetesAssurancePolicyRequiredLabelArgs.builder()
        .key("string")
        .value("string")
        .build())
    .requiredLabelsEnabled(false)
    .scanMalwareInArchives(false)
    .scanNfsMounts(false)
    .scanProcessMemory(false)
    .scanSensitiveData(false)
    .scanWindowsRegistry(false)
    .scapEnabled(false)
    .scapFiles("string")
    .scopes(KubernetesAssurancePolicyScopeArgs.builder()
        .expression("string")
        .variables(KubernetesAssurancePolicyScopeVariableArgs.builder()
            .attribute("string")
            .name("string")
            .value("string")
            .build())
        .build())
    .trustedBaseImages(KubernetesAssurancePolicyTrustedBaseImageArgs.builder()
        .imagename("string")
        .registry("string")
        .build())
    .trustedBaseImagesEnabled(false)
    .vulnerabilityExploitability(false)
    .vulnerabilityScoreRanges(0)
    .whitelistedLicenses("string")
    .whitelistedLicensesEnabled(false)
    .build());

kubernetes_assurance_policy_resource = aquasec.KubernetesAssurancePolicy("kubernetesAssurancePolicyResource",
    application_scopes=["string"],
    aggregated_vulnerability={
        "string": "string",
    },
    allowed_images=["string"],
    assurance_type="string",
    audit_on_failure=False,
    author="string",
    auto_scan_configured=False,
    auto_scan_enabled=False,
    auto_scan_times=[aquasec.KubernetesAssurancePolicyAutoScanTimeArgs(
        iteration=0,
        iteration_type="string",
        time="string",
        week_days=["string"],
    )],
    blacklist_permissions=["string"],
    blacklist_permissions_enabled=False,
    blacklisted_licenses=["string"],
    blacklisted_licenses_enabled=False,
    block_failed=False,
    control_exclude_no_fix=False,
    custom_checks=[aquasec.KubernetesAssurancePolicyCustomCheckArgs(
        author="string",
        description="string",
        engine="string",
        last_modified=0,
        name="string",
        path="string",
        read_only=False,
        script_id="string",
        severity="string",
        snippet="string",
    )],
    custom_checks_enabled=False,
    custom_severity="string",
    custom_severity_enabled=False,
    cves_black_list_enabled=False,
    cves_black_lists=["string"],
    cves_white_list_enabled=False,
    cves_white_lists=["string"],
    cvss_severity="string",
    cvss_severity_enabled=False,
    cvss_severity_exclude_no_fix=False,
    description="string",
    disallow_exploit_types=["string"],
    disallow_malware=False,
    docker_cis_enabled=False,
    domain="string",
    domain_name="string",
    dta_enabled=False,
    dta_severity="string",
    enabled=False,
    enforce=False,
    enforce_after_days=0,
    enforce_excessive_permissions=False,
    exceptional_monitored_malware_paths=["string"],
    exclude_application_scopes=["string"],
    fail_cicd=False,
    forbidden_labels=[aquasec.KubernetesAssurancePolicyForbiddenLabelArgs(
        key="string",
        value="string",
    )],
    forbidden_labels_enabled=False,
    force_microenforcer=False,
    function_integrity_enabled=False,
    ignore_base_image_vln=False,
    ignore_recently_published_vln=False,
    ignore_recently_published_vln_period=0,
    ignore_risk_resources_enabled=False,
    ignored_risk_resources=["string"],
    ignored_sensitive_resources=["string"],
    images=["string"],
    kube_cis_enabled=False,
    kubernetes_controls=[aquasec.KubernetesAssurancePolicyKubernetesControlArgs(
        avd_id="string",
        description="string",
        enabled=False,
        kind="string",
        name="string",
        ootb=False,
        script_id=0,
        severity="string",
    )],
    kubernetes_controls_avd_ids=["string"],
    kubernetes_controls_names=["string"],
    labels=["string"],
    lastupdate="string",
    linux_cis_enabled=False,
    malware_action="string",
    maximum_score=0,
    maximum_score_enabled=False,
    maximum_score_exclude_no_fix=False,
    monitored_malware_paths=["string"],
    name="string",
    only_none_root_users=False,
    openshift_hardening_enabled=False,
    packages_black_list_enabled=False,
    packages_black_lists=[aquasec.KubernetesAssurancePolicyPackagesBlackListArgs(
        arch="string",
        display="string",
        epoch="string",
        format="string",
        license="string",
        name="string",
        release="string",
        version="string",
        version_range="string",
    )],
    packages_white_list_enabled=False,
    packages_white_lists=[aquasec.KubernetesAssurancePolicyPackagesWhiteListArgs(
        arch="string",
        display="string",
        epoch="string",
        format="string",
        license="string",
        name="string",
        release="string",
        version="string",
        version_range="string",
    )],
    partial_results_image_fail=False,
    permission="string",
    policy_settings=aquasec.KubernetesAssurancePolicyPolicySettingsArgs(
        enforce=False,
        is_audit_checked=False,
        warn=False,
        warning_message="string",
    ),
    read_only=False,
    registries=["string"],
    registry="string",
    required_labels=[aquasec.KubernetesAssurancePolicyRequiredLabelArgs(
        key="string",
        value="string",
    )],
    required_labels_enabled=False,
    scan_malware_in_archives=False,
    scan_nfs_mounts=False,
    scan_process_memory=False,
    scan_sensitive_data=False,
    scan_windows_registry=False,
    scap_enabled=False,
    scap_files=["string"],
    scopes=[aquasec.KubernetesAssurancePolicyScopeArgs(
        expression="string",
        variables=[aquasec.KubernetesAssurancePolicyScopeVariableArgs(
            attribute="string",
            name="string",
            value="string",
        )],
    )],
    trusted_base_images=[aquasec.KubernetesAssurancePolicyTrustedBaseImageArgs(
        imagename="string",
        registry="string",
    )],
    trusted_base_images_enabled=False,
    vulnerability_exploitability=False,
    vulnerability_score_ranges=[0],
    whitelisted_licenses=["string"],
    whitelisted_licenses_enabled=False)

const kubernetesAssurancePolicyResource = new aquasec.KubernetesAssurancePolicy("kubernetesAssurancePolicyResource", {
    applicationScopes: ["string"],
    aggregatedVulnerability: {
        string: "string",
    },
    allowedImages: ["string"],
    assuranceType: "string",
    auditOnFailure: false,
    author: "string",
    autoScanConfigured: false,
    autoScanEnabled: false,
    autoScanTimes: [{
        iteration: 0,
        iterationType: "string",
        time: "string",
        weekDays: ["string"],
    }],
    blacklistPermissions: ["string"],
    blacklistPermissionsEnabled: false,
    blacklistedLicenses: ["string"],
    blacklistedLicensesEnabled: false,
    blockFailed: false,
    controlExcludeNoFix: false,
    customChecks: [{
        author: "string",
        description: "string",
        engine: "string",
        lastModified: 0,
        name: "string",
        path: "string",
        readOnly: false,
        scriptId: "string",
        severity: "string",
        snippet: "string",
    }],
    customChecksEnabled: false,
    customSeverity: "string",
    customSeverityEnabled: false,
    cvesBlackListEnabled: false,
    cvesBlackLists: ["string"],
    cvesWhiteListEnabled: false,
    cvesWhiteLists: ["string"],
    cvssSeverity: "string",
    cvssSeverityEnabled: false,
    cvssSeverityExcludeNoFix: false,
    description: "string",
    disallowExploitTypes: ["string"],
    disallowMalware: false,
    dockerCisEnabled: false,
    domain: "string",
    domainName: "string",
    dtaEnabled: false,
    dtaSeverity: "string",
    enabled: false,
    enforce: false,
    enforceAfterDays: 0,
    enforceExcessivePermissions: false,
    exceptionalMonitoredMalwarePaths: ["string"],
    excludeApplicationScopes: ["string"],
    failCicd: false,
    forbiddenLabels: [{
        key: "string",
        value: "string",
    }],
    forbiddenLabelsEnabled: false,
    forceMicroenforcer: false,
    functionIntegrityEnabled: false,
    ignoreBaseImageVln: false,
    ignoreRecentlyPublishedVln: false,
    ignoreRecentlyPublishedVlnPeriod: 0,
    ignoreRiskResourcesEnabled: false,
    ignoredRiskResources: ["string"],
    ignoredSensitiveResources: ["string"],
    images: ["string"],
    kubeCisEnabled: false,
    kubernetesControls: [{
        avdId: "string",
        description: "string",
        enabled: false,
        kind: "string",
        name: "string",
        ootb: false,
        scriptId: 0,
        severity: "string",
    }],
    kubernetesControlsAvdIds: ["string"],
    kubernetesControlsNames: ["string"],
    labels: ["string"],
    lastupdate: "string",
    linuxCisEnabled: false,
    malwareAction: "string",
    maximumScore: 0,
    maximumScoreEnabled: false,
    maximumScoreExcludeNoFix: false,
    monitoredMalwarePaths: ["string"],
    name: "string",
    onlyNoneRootUsers: false,
    openshiftHardeningEnabled: false,
    packagesBlackListEnabled: false,
    packagesBlackLists: [{
        arch: "string",
        display: "string",
        epoch: "string",
        format: "string",
        license: "string",
        name: "string",
        release: "string",
        version: "string",
        versionRange: "string",
    }],
    packagesWhiteListEnabled: false,
    packagesWhiteLists: [{
        arch: "string",
        display: "string",
        epoch: "string",
        format: "string",
        license: "string",
        name: "string",
        release: "string",
        version: "string",
        versionRange: "string",
    }],
    partialResultsImageFail: false,
    permission: "string",
    policySettings: {
        enforce: false,
        isAuditChecked: false,
        warn: false,
        warningMessage: "string",
    },
    readOnly: false,
    registries: ["string"],
    registry: "string",
    requiredLabels: [{
        key: "string",
        value: "string",
    }],
    requiredLabelsEnabled: false,
    scanMalwareInArchives: false,
    scanNfsMounts: false,
    scanProcessMemory: false,
    scanSensitiveData: false,
    scanWindowsRegistry: false,
    scapEnabled: false,
    scapFiles: ["string"],
    scopes: [{
        expression: "string",
        variables: [{
            attribute: "string",
            name: "string",
            value: "string",
        }],
    }],
    trustedBaseImages: [{
        imagename: "string",
        registry: "string",
    }],
    trustedBaseImagesEnabled: false,
    vulnerabilityExploitability: false,
    vulnerabilityScoreRanges: [0],
    whitelistedLicenses: ["string"],
    whitelistedLicensesEnabled: false,
});

type: aquasec:KubernetesAssurancePolicy
properties:
    aggregatedVulnerability:
        string: string
    allowedImages:
        - string
    applicationScopes:
        - string
    assuranceType: string
    auditOnFailure: false
    author: string
    autoScanConfigured: false
    autoScanEnabled: false
    autoScanTimes:
        - iteration: 0
          iterationType: string
          time: string
          weekDays:
            - string
    blacklistPermissions:
        - string
    blacklistPermissionsEnabled: false
    blacklistedLicenses:
        - string
    blacklistedLicensesEnabled: false
    blockFailed: false
    controlExcludeNoFix: false
    customChecks:
        - author: string
          description: string
          engine: string
          lastModified: 0
          name: string
          path: string
          readOnly: false
          scriptId: string
          severity: string
          snippet: string
    customChecksEnabled: false
    customSeverity: string
    customSeverityEnabled: false
    cvesBlackListEnabled: false
    cvesBlackLists:
        - string
    cvesWhiteListEnabled: false
    cvesWhiteLists:
        - string
    cvssSeverity: string
    cvssSeverityEnabled: false
    cvssSeverityExcludeNoFix: false
    description: string
    disallowExploitTypes:
        - string
    disallowMalware: false
    dockerCisEnabled: false
    domain: string
    domainName: string
    dtaEnabled: false
    dtaSeverity: string
    enabled: false
    enforce: false
    enforceAfterDays: 0
    enforceExcessivePermissions: false
    exceptionalMonitoredMalwarePaths:
        - string
    excludeApplicationScopes:
        - string
    failCicd: false
    forbiddenLabels:
        - key: string
          value: string
    forbiddenLabelsEnabled: false
    forceMicroenforcer: false
    functionIntegrityEnabled: false
    ignoreBaseImageVln: false
    ignoreRecentlyPublishedVln: false
    ignoreRecentlyPublishedVlnPeriod: 0
    ignoreRiskResourcesEnabled: false
    ignoredRiskResources:
        - string
    ignoredSensitiveResources:
        - string
    images:
        - string
    kubeCisEnabled: false
    kubernetesControls:
        - avdId: string
          description: string
          enabled: false
          kind: string
          name: string
          ootb: false
          scriptId: 0
          severity: string
    kubernetesControlsAvdIds:
        - string
    kubernetesControlsNames:
        - string
    labels:
        - string
    lastupdate: string
    linuxCisEnabled: false
    malwareAction: string
    maximumScore: 0
    maximumScoreEnabled: false
    maximumScoreExcludeNoFix: false
    monitoredMalwarePaths:
        - string
    name: string
    onlyNoneRootUsers: false
    openshiftHardeningEnabled: false
    packagesBlackListEnabled: false
    packagesBlackLists:
        - arch: string
          display: string
          epoch: string
          format: string
          license: string
          name: string
          release: string
          version: string
          versionRange: string
    packagesWhiteListEnabled: false
    packagesWhiteLists:
        - arch: string
          display: string
          epoch: string
          format: string
          license: string
          name: string
          release: string
          version: string
          versionRange: string
    partialResultsImageFail: false
    permission: string
    policySettings:
        enforce: false
        isAuditChecked: false
        warn: false
        warningMessage: string
    readOnly: false
    registries:
        - string
    registry: string
    requiredLabels:
        - key: string
          value: string
    requiredLabelsEnabled: false
    scanMalwareInArchives: false
    scanNfsMounts: false
    scanProcessMemory: false
    scanSensitiveData: false
    scanWindowsRegistry: false
    scapEnabled: false
    scapFiles:
        - string
    scopes:
        - expression: string
          variables:
            - attribute: string
              name: string
              value: string
    trustedBaseImages:
        - imagename: string
          registry: string
    trustedBaseImagesEnabled: false
    vulnerabilityExploitability: false
    vulnerabilityScoreRanges:
        - 0
    whitelistedLicenses:
        - string
    whitelistedLicensesEnabled: false

KubernetesAssurancePolicy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The KubernetesAssurancePolicy resource accepts the following input properties:

ApplicationScopes List<string>
AggregatedVulnerability Dictionary<string, string>: Aggregated vulnerability information.
AllowedImages List<string>: List of explicitly allowed images.
AssuranceType string: What type of assurance policy is described.
AuditOnFailure bool: Indicates if auditing for failures.
Author string: Name of user account that created the policy.
AutoScanConfigured bool
AutoScanEnabled bool
AutoScanTimes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyAutoScanTime>
BlacklistPermissions List<string>: List of function's forbidden permissions.
BlacklistPermissionsEnabled bool: Indicates if blacklist permissions is relevant.
BlacklistedLicenses List<string>: List of blacklisted licenses.
BlacklistedLicensesEnabled bool: Indicates if license blacklist is relevant.
BlockFailed bool: Indicates if failed images are blocked.
ControlExcludeNoFix bool
CustomChecks List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyCustomCheck>: List of Custom user scripts for checks.
CustomChecksEnabled bool: Indicates if scanning should include custom checks.
CustomSeverity string
CustomSeverityEnabled bool
CvesBlackListEnabled bool: Indicates if CVEs blacklist is relevant.
CvesBlackLists List<string>: List of CVEs blacklisted items.
CvesWhiteListEnabled bool: Indicates if CVEs whitelist is relevant.
CvesWhiteLists List<string>: List of cves whitelisted licenses
CvssSeverity string: Identifier of the cvss severity.
CvssSeverityEnabled bool: Indicates if the cvss severity is scanned.
CvssSeverityExcludeNoFix bool: Indicates that policy should ignore cvss cases that do not have a known fix.
Description string
DisallowExploitTypes List<string>
DisallowMalware bool: Indicates if malware should block the image.
DockerCisEnabled bool: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
Domain string: Name of the container image.
DomainName string
DtaEnabled bool
DtaSeverity string
Enabled bool: Is the control enabled?
Enforce bool
EnforceAfterDays int
EnforceExcessivePermissions bool
ExceptionalMonitoredMalwarePaths List<string>
ExcludeApplicationScopes List<string>
FailCicd bool: Indicates if cicd failures will fail the image.
ForbiddenLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyForbiddenLabel>
ForbiddenLabelsEnabled bool
ForceMicroenforcer bool
FunctionIntegrityEnabled bool
IgnoreBaseImageVln bool
IgnoreRecentlyPublishedVln bool
IgnoreRecentlyPublishedVlnPeriod int
IgnoreRiskResourcesEnabled bool: Indicates if risk resources are ignored.
IgnoredRiskResources List<string>: List of ignored risk resources.
IgnoredSensitiveResources List<string>
Images List<string>: List of images.
KubeCisEnabled bool: Performs a Kubernetes CIS benchmark check for the host.
KubernetesControls List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyKubernetesControl>: List of Kubernetes controls.
KubernetesControlsAvdIds List<string>
KubernetesControlsNames List<string>: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
Labels List<string>: List of labels.
Lastupdate string
LinuxCisEnabled bool
MalwareAction string
MaximumScore double: Value of allowed maximum score.
MaximumScoreEnabled bool: Indicates if exceeding the maximum score is scanned.
MaximumScoreExcludeNoFix bool: Indicates that policy should ignore cases that do not have a known fix.
MonitoredMalwarePaths List<string>
Name string
OnlyNoneRootUsers bool: Indicates if raise a warning for images that should only be run as root.
OpenshiftHardeningEnabled bool
PackagesBlackListEnabled bool: Indicates if packages blacklist is relevant.
PackagesBlackLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesBlackList>: List of blacklisted images.
PackagesWhiteListEnabled bool: Indicates if packages whitelist is relevant.
PackagesWhiteLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesWhiteList>: List of whitelisted images.
PartialResultsImageFail bool
Permission string
PolicySettings Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPolicySettings
ReadOnly bool
Registries List<string>: List of registries.
Registry string
RequiredLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyRequiredLabel>
RequiredLabelsEnabled bool
ScanMalwareInArchives bool
ScanNfsMounts bool
ScanProcessMemory bool
ScanSensitiveData bool: Indicates if scan should include sensitive data in the image.
ScanWindowsRegistry bool
ScapEnabled bool: Indicates if scanning should include scap.
ScapFiles List<string>: List of SCAP user scripts for checks.
Scopes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyScope>
TrustedBaseImages List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyTrustedBaseImage>: List of trusted images.
TrustedBaseImagesEnabled bool: Indicates if list of trusted base images is relevant.
VulnerabilityExploitability bool
VulnerabilityScoreRanges List<int>
WhitelistedLicenses List<string>: List of whitelisted licenses.
WhitelistedLicensesEnabled bool: Indicates if license blacklist is relevant.

ApplicationScopes []string
AggregatedVulnerability map[string]string: Aggregated vulnerability information.
AllowedImages []string: List of explicitly allowed images.
AssuranceType string: What type of assurance policy is described.
AuditOnFailure bool: Indicates if auditing for failures.
Author string: Name of user account that created the policy.
AutoScanConfigured bool
AutoScanEnabled bool
AutoScanTimes []KubernetesAssurancePolicyAutoScanTimeArgs
BlacklistPermissions []string: List of function's forbidden permissions.
BlacklistPermissionsEnabled bool: Indicates if blacklist permissions is relevant.
BlacklistedLicenses []string: List of blacklisted licenses.
BlacklistedLicensesEnabled bool: Indicates if license blacklist is relevant.
BlockFailed bool: Indicates if failed images are blocked.
ControlExcludeNoFix bool
CustomChecks []KubernetesAssurancePolicyCustomCheckArgs: List of Custom user scripts for checks.
CustomChecksEnabled bool: Indicates if scanning should include custom checks.
CustomSeverity string
CustomSeverityEnabled bool
CvesBlackListEnabled bool: Indicates if CVEs blacklist is relevant.
CvesBlackLists []string: List of CVEs blacklisted items.
CvesWhiteListEnabled bool: Indicates if CVEs whitelist is relevant.
CvesWhiteLists []string: List of cves whitelisted licenses
CvssSeverity string: Identifier of the cvss severity.
CvssSeverityEnabled bool: Indicates if the cvss severity is scanned.
CvssSeverityExcludeNoFix bool: Indicates that policy should ignore cvss cases that do not have a known fix.
Description string
DisallowExploitTypes []string
DisallowMalware bool: Indicates if malware should block the image.
DockerCisEnabled bool: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
Domain string: Name of the container image.
DomainName string
DtaEnabled bool
DtaSeverity string
Enabled bool: Is the control enabled?
Enforce bool
EnforceAfterDays int
EnforceExcessivePermissions bool
ExceptionalMonitoredMalwarePaths []string
ExcludeApplicationScopes []string
FailCicd bool: Indicates if cicd failures will fail the image.
ForbiddenLabels []KubernetesAssurancePolicyForbiddenLabelArgs
ForbiddenLabelsEnabled bool
ForceMicroenforcer bool
FunctionIntegrityEnabled bool
IgnoreBaseImageVln bool
IgnoreRecentlyPublishedVln bool
IgnoreRecentlyPublishedVlnPeriod int
IgnoreRiskResourcesEnabled bool: Indicates if risk resources are ignored.
IgnoredRiskResources []string: List of ignored risk resources.
IgnoredSensitiveResources []string
Images []string: List of images.
KubeCisEnabled bool: Performs a Kubernetes CIS benchmark check for the host.
KubernetesControls []KubernetesAssurancePolicyKubernetesControlArgs: List of Kubernetes controls.
KubernetesControlsAvdIds []string
KubernetesControlsNames []string: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
Labels []string: List of labels.
Lastupdate string
LinuxCisEnabled bool
MalwareAction string
MaximumScore float64: Value of allowed maximum score.
MaximumScoreEnabled bool: Indicates if exceeding the maximum score is scanned.
MaximumScoreExcludeNoFix bool: Indicates that policy should ignore cases that do not have a known fix.
MonitoredMalwarePaths []string
Name string
OnlyNoneRootUsers bool: Indicates if raise a warning for images that should only be run as root.
OpenshiftHardeningEnabled bool
PackagesBlackListEnabled bool: Indicates if packages blacklist is relevant.
PackagesBlackLists []KubernetesAssurancePolicyPackagesBlackListArgs: List of blacklisted images.
PackagesWhiteListEnabled bool: Indicates if packages whitelist is relevant.
PackagesWhiteLists []KubernetesAssurancePolicyPackagesWhiteListArgs: List of whitelisted images.
PartialResultsImageFail bool
Permission string
PolicySettings KubernetesAssurancePolicyPolicySettingsArgs
ReadOnly bool
Registries []string: List of registries.
Registry string
RequiredLabels []KubernetesAssurancePolicyRequiredLabelArgs
RequiredLabelsEnabled bool
ScanMalwareInArchives bool
ScanNfsMounts bool
ScanProcessMemory bool
ScanSensitiveData bool: Indicates if scan should include sensitive data in the image.
ScanWindowsRegistry bool
ScapEnabled bool: Indicates if scanning should include scap.
ScapFiles []string: List of SCAP user scripts for checks.
Scopes []KubernetesAssurancePolicyScopeArgs
TrustedBaseImages []KubernetesAssurancePolicyTrustedBaseImageArgs: List of trusted images.
TrustedBaseImagesEnabled bool: Indicates if list of trusted base images is relevant.
VulnerabilityExploitability bool
VulnerabilityScoreRanges []int
WhitelistedLicenses []string: List of whitelisted licenses.
WhitelistedLicensesEnabled bool: Indicates if license blacklist is relevant.

applicationScopes List<String>
aggregatedVulnerability Map<String,String>: Aggregated vulnerability information.
allowedImages List<String>: List of explicitly allowed images.
assuranceType String: What type of assurance policy is described.
auditOnFailure Boolean: Indicates if auditing for failures.
author String: Name of user account that created the policy.
autoScanConfigured Boolean
autoScanEnabled Boolean
autoScanTimes List<KubernetesAssurancePolicyAutoScanTime>
blacklistPermissions List<String>: List of function's forbidden permissions.
blacklistPermissionsEnabled Boolean: Indicates if blacklist permissions is relevant.
blacklistedLicenses List<String>: List of blacklisted licenses.
blacklistedLicensesEnabled Boolean: Indicates if license blacklist is relevant.
blockFailed Boolean: Indicates if failed images are blocked.
controlExcludeNoFix Boolean
customChecks List<KubernetesAssurancePolicyCustomCheck>: List of Custom user scripts for checks.
customChecksEnabled Boolean: Indicates if scanning should include custom checks.
customSeverity String
customSeverityEnabled Boolean
cvesBlackListEnabled Boolean: Indicates if CVEs blacklist is relevant.
cvesBlackLists List<String>: List of CVEs blacklisted items.
cvesWhiteListEnabled Boolean: Indicates if CVEs whitelist is relevant.
cvesWhiteLists List<String>: List of cves whitelisted licenses
cvssSeverity String: Identifier of the cvss severity.
cvssSeverityEnabled Boolean: Indicates if the cvss severity is scanned.
cvssSeverityExcludeNoFix Boolean: Indicates that policy should ignore cvss cases that do not have a known fix.
description String
disallowExploitTypes List<String>
disallowMalware Boolean: Indicates if malware should block the image.
dockerCisEnabled Boolean: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
domain String: Name of the container image.
domainName String
dtaEnabled Boolean
dtaSeverity String
enabled Boolean: Is the control enabled?
enforce Boolean
enforceAfterDays Integer
enforceExcessivePermissions Boolean
exceptionalMonitoredMalwarePaths List<String>
excludeApplicationScopes List<String>
failCicd Boolean: Indicates if cicd failures will fail the image.
forbiddenLabels List<KubernetesAssurancePolicyForbiddenLabel>
forbiddenLabelsEnabled Boolean
forceMicroenforcer Boolean
functionIntegrityEnabled Boolean
ignoreBaseImageVln Boolean
ignoreRecentlyPublishedVln Boolean
ignoreRecentlyPublishedVlnPeriod Integer
ignoreRiskResourcesEnabled Boolean: Indicates if risk resources are ignored.
ignoredRiskResources List<String>: List of ignored risk resources.
ignoredSensitiveResources List<String>
images List<String>: List of images.
kubeCisEnabled Boolean: Performs a Kubernetes CIS benchmark check for the host.
kubernetesControls List<KubernetesAssurancePolicyKubernetesControl>: List of Kubernetes controls.
kubernetesControlsAvdIds List<String>
kubernetesControlsNames List<String>: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
labels List<String>: List of labels.
lastupdate String
linuxCisEnabled Boolean
malwareAction String
maximumScore Double: Value of allowed maximum score.
maximumScoreEnabled Boolean: Indicates if exceeding the maximum score is scanned.
maximumScoreExcludeNoFix Boolean: Indicates that policy should ignore cases that do not have a known fix.
monitoredMalwarePaths List<String>
name String
onlyNoneRootUsers Boolean: Indicates if raise a warning for images that should only be run as root.
openshiftHardeningEnabled Boolean
packagesBlackListEnabled Boolean: Indicates if packages blacklist is relevant.
packagesBlackLists List<KubernetesAssurancePolicyPackagesBlackList>: List of blacklisted images.
packagesWhiteListEnabled Boolean: Indicates if packages whitelist is relevant.
packagesWhiteLists List<KubernetesAssurancePolicyPackagesWhiteList>: List of whitelisted images.
partialResultsImageFail Boolean
permission String
policySettings KubernetesAssurancePolicyPolicySettings
readOnly Boolean
registries List<String>: List of registries.
registry String
requiredLabels List<KubernetesAssurancePolicyRequiredLabel>
requiredLabelsEnabled Boolean
scanMalwareInArchives Boolean
scanNfsMounts Boolean
scanProcessMemory Boolean
scanSensitiveData Boolean: Indicates if scan should include sensitive data in the image.
scanWindowsRegistry Boolean
scapEnabled Boolean: Indicates if scanning should include scap.
scapFiles List<String>: List of SCAP user scripts for checks.
scopes List<KubernetesAssurancePolicyScope>
trustedBaseImages List<KubernetesAssurancePolicyTrustedBaseImage>: List of trusted images.
trustedBaseImagesEnabled Boolean: Indicates if list of trusted base images is relevant.
vulnerabilityExploitability Boolean
vulnerabilityScoreRanges List<Integer>
whitelistedLicenses List<String>: List of whitelisted licenses.
whitelistedLicensesEnabled Boolean: Indicates if license blacklist is relevant.

applicationScopes string[]
aggregatedVulnerability {[key: string]: string}: Aggregated vulnerability information.
allowedImages string[]: List of explicitly allowed images.
assuranceType string: What type of assurance policy is described.
auditOnFailure boolean: Indicates if auditing for failures.
author string: Name of user account that created the policy.
autoScanConfigured boolean
autoScanEnabled boolean
autoScanTimes KubernetesAssurancePolicyAutoScanTime[]
blacklistPermissions string[]: List of function's forbidden permissions.
blacklistPermissionsEnabled boolean: Indicates if blacklist permissions is relevant.
blacklistedLicenses string[]: List of blacklisted licenses.
blacklistedLicensesEnabled boolean: Indicates if license blacklist is relevant.
blockFailed boolean: Indicates if failed images are blocked.
controlExcludeNoFix boolean
customChecks KubernetesAssurancePolicyCustomCheck[]: List of Custom user scripts for checks.
customChecksEnabled boolean: Indicates if scanning should include custom checks.
customSeverity string
customSeverityEnabled boolean
cvesBlackListEnabled boolean: Indicates if CVEs blacklist is relevant.
cvesBlackLists string[]: List of CVEs blacklisted items.
cvesWhiteListEnabled boolean: Indicates if CVEs whitelist is relevant.
cvesWhiteLists string[]: List of cves whitelisted licenses
cvssSeverity string: Identifier of the cvss severity.
cvssSeverityEnabled boolean: Indicates if the cvss severity is scanned.
cvssSeverityExcludeNoFix boolean: Indicates that policy should ignore cvss cases that do not have a known fix.
description string
disallowExploitTypes string[]
disallowMalware boolean: Indicates if malware should block the image.
dockerCisEnabled boolean: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
domain string: Name of the container image.
domainName string
dtaEnabled boolean
dtaSeverity string
enabled boolean: Is the control enabled?
enforce boolean
enforceAfterDays number
enforceExcessivePermissions boolean
exceptionalMonitoredMalwarePaths string[]
excludeApplicationScopes string[]
failCicd boolean: Indicates if cicd failures will fail the image.
forbiddenLabels KubernetesAssurancePolicyForbiddenLabel[]
forbiddenLabelsEnabled boolean
forceMicroenforcer boolean
functionIntegrityEnabled boolean
ignoreBaseImageVln boolean
ignoreRecentlyPublishedVln boolean
ignoreRecentlyPublishedVlnPeriod number
ignoreRiskResourcesEnabled boolean: Indicates if risk resources are ignored.
ignoredRiskResources string[]: List of ignored risk resources.
ignoredSensitiveResources string[]
images string[]: List of images.
kubeCisEnabled boolean: Performs a Kubernetes CIS benchmark check for the host.
kubernetesControls KubernetesAssurancePolicyKubernetesControl[]: List of Kubernetes controls.
kubernetesControlsAvdIds string[]
kubernetesControlsNames string[]: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
labels string[]: List of labels.
lastupdate string
linuxCisEnabled boolean
malwareAction string
maximumScore number: Value of allowed maximum score.
maximumScoreEnabled boolean: Indicates if exceeding the maximum score is scanned.
maximumScoreExcludeNoFix boolean: Indicates that policy should ignore cases that do not have a known fix.
monitoredMalwarePaths string[]
name string
onlyNoneRootUsers boolean: Indicates if raise a warning for images that should only be run as root.
openshiftHardeningEnabled boolean
packagesBlackListEnabled boolean: Indicates if packages blacklist is relevant.
packagesBlackLists KubernetesAssurancePolicyPackagesBlackList[]: List of blacklisted images.
packagesWhiteListEnabled boolean: Indicates if packages whitelist is relevant.
packagesWhiteLists KubernetesAssurancePolicyPackagesWhiteList[]: List of whitelisted images.
partialResultsImageFail boolean
permission string
policySettings KubernetesAssurancePolicyPolicySettings
readOnly boolean
registries string[]: List of registries.
registry string
requiredLabels KubernetesAssurancePolicyRequiredLabel[]
requiredLabelsEnabled boolean
scanMalwareInArchives boolean
scanNfsMounts boolean
scanProcessMemory boolean
scanSensitiveData boolean: Indicates if scan should include sensitive data in the image.
scanWindowsRegistry boolean
scapEnabled boolean: Indicates if scanning should include scap.
scapFiles string[]: List of SCAP user scripts for checks.
scopes KubernetesAssurancePolicyScope[]
trustedBaseImages KubernetesAssurancePolicyTrustedBaseImage[]: List of trusted images.
trustedBaseImagesEnabled boolean: Indicates if list of trusted base images is relevant.
vulnerabilityExploitability boolean
vulnerabilityScoreRanges number[]
whitelistedLicenses string[]: List of whitelisted licenses.
whitelistedLicensesEnabled boolean: Indicates if license blacklist is relevant.

application_scopes Sequence[str]
aggregated_vulnerability Mapping[str, str]: Aggregated vulnerability information.
allowed_images Sequence[str]: List of explicitly allowed images.
assurance_type str: What type of assurance policy is described.
audit_on_failure bool: Indicates if auditing for failures.
author str: Name of user account that created the policy.
auto_scan_configured bool
auto_scan_enabled bool
auto_scan_times Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]
blacklist_permissions Sequence[str]: List of function's forbidden permissions.
blacklist_permissions_enabled bool: Indicates if blacklist permissions is relevant.
blacklisted_licenses Sequence[str]: List of blacklisted licenses.
blacklisted_licenses_enabled bool: Indicates if license blacklist is relevant.
block_failed bool: Indicates if failed images are blocked.
control_exclude_no_fix bool
custom_checks Sequence[KubernetesAssurancePolicyCustomCheckArgs]: List of Custom user scripts for checks.
custom_checks_enabled bool: Indicates if scanning should include custom checks.
custom_severity str
custom_severity_enabled bool
cves_black_list_enabled bool: Indicates if CVEs blacklist is relevant.
cves_black_lists Sequence[str]: List of CVEs blacklisted items.
cves_white_list_enabled bool: Indicates if CVEs whitelist is relevant.
cves_white_lists Sequence[str]: List of cves whitelisted licenses
cvss_severity str: Identifier of the cvss severity.
cvss_severity_enabled bool: Indicates if the cvss severity is scanned.
cvss_severity_exclude_no_fix bool: Indicates that policy should ignore cvss cases that do not have a known fix.
description str
disallow_exploit_types Sequence[str]
disallow_malware bool: Indicates if malware should block the image.
docker_cis_enabled bool: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
domain str: Name of the container image.
domain_name str
dta_enabled bool
dta_severity str
enabled bool: Is the control enabled?
enforce bool
enforce_after_days int
enforce_excessive_permissions bool
exceptional_monitored_malware_paths Sequence[str]
exclude_application_scopes Sequence[str]
fail_cicd bool: Indicates if cicd failures will fail the image.
forbidden_labels Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]
forbidden_labels_enabled bool
force_microenforcer bool
function_integrity_enabled bool
ignore_base_image_vln bool
ignore_recently_published_vln bool
ignore_recently_published_vln_period int
ignore_risk_resources_enabled bool: Indicates if risk resources are ignored.
ignored_risk_resources Sequence[str]: List of ignored risk resources.
ignored_sensitive_resources Sequence[str]
images Sequence[str]: List of images.
kube_cis_enabled bool: Performs a Kubernetes CIS benchmark check for the host.
kubernetes_controls Sequence[KubernetesAssurancePolicyKubernetesControlArgs]: List of Kubernetes controls.
kubernetes_controls_avd_ids Sequence[str]
kubernetes_controls_names Sequence[str]: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
labels Sequence[str]: List of labels.
lastupdate str
linux_cis_enabled bool
malware_action str
maximum_score float: Value of allowed maximum score.
maximum_score_enabled bool: Indicates if exceeding the maximum score is scanned.
maximum_score_exclude_no_fix bool: Indicates that policy should ignore cases that do not have a known fix.
monitored_malware_paths Sequence[str]
name str
only_none_root_users bool: Indicates if raise a warning for images that should only be run as root.
openshift_hardening_enabled bool
packages_black_list_enabled bool: Indicates if packages blacklist is relevant.
packages_black_lists Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]: List of blacklisted images.
packages_white_list_enabled bool: Indicates if packages whitelist is relevant.
packages_white_lists Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]: List of whitelisted images.
partial_results_image_fail bool
permission str
policy_settings KubernetesAssurancePolicyPolicySettingsArgs
read_only bool
registries Sequence[str]: List of registries.
registry str
required_labels Sequence[KubernetesAssurancePolicyRequiredLabelArgs]
required_labels_enabled bool
scan_malware_in_archives bool
scan_nfs_mounts bool
scan_process_memory bool
scan_sensitive_data bool: Indicates if scan should include sensitive data in the image.
scan_windows_registry bool
scap_enabled bool: Indicates if scanning should include scap.
scap_files Sequence[str]: List of SCAP user scripts for checks.
scopes Sequence[KubernetesAssurancePolicyScopeArgs]
trusted_base_images Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]: List of trusted images.
trusted_base_images_enabled bool: Indicates if list of trusted base images is relevant.
vulnerability_exploitability bool
vulnerability_score_ranges Sequence[int]
whitelisted_licenses Sequence[str]: List of whitelisted licenses.
whitelisted_licenses_enabled bool: Indicates if license blacklist is relevant.

applicationScopes List<String>
aggregatedVulnerability Map<String>: Aggregated vulnerability information.
allowedImages List<String>: List of explicitly allowed images.
assuranceType String: What type of assurance policy is described.
auditOnFailure Boolean: Indicates if auditing for failures.
author String: Name of user account that created the policy.
autoScanConfigured Boolean
autoScanEnabled Boolean
autoScanTimes List<Property Map>
blacklistPermissions List<String>: List of function's forbidden permissions.
blacklistPermissionsEnabled Boolean: Indicates if blacklist permissions is relevant.
blacklistedLicenses List<String>: List of blacklisted licenses.
blacklistedLicensesEnabled Boolean: Indicates if license blacklist is relevant.
blockFailed Boolean: Indicates if failed images are blocked.
controlExcludeNoFix Boolean
customChecks List<Property Map>: List of Custom user scripts for checks.
customChecksEnabled Boolean: Indicates if scanning should include custom checks.
customSeverity String
customSeverityEnabled Boolean
cvesBlackListEnabled Boolean: Indicates if CVEs blacklist is relevant.
cvesBlackLists List<String>: List of CVEs blacklisted items.
cvesWhiteListEnabled Boolean: Indicates if CVEs whitelist is relevant.
cvesWhiteLists List<String>: List of cves whitelisted licenses
cvssSeverity String: Identifier of the cvss severity.
cvssSeverityEnabled Boolean: Indicates if the cvss severity is scanned.
cvssSeverityExcludeNoFix Boolean: Indicates that policy should ignore cvss cases that do not have a known fix.
description String
disallowExploitTypes List<String>
disallowMalware Boolean: Indicates if malware should block the image.
dockerCisEnabled Boolean: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
domain String: Name of the container image.
domainName String
dtaEnabled Boolean
dtaSeverity String
enabled Boolean: Is the control enabled?
enforce Boolean
enforceAfterDays Number
enforceExcessivePermissions Boolean
exceptionalMonitoredMalwarePaths List<String>
excludeApplicationScopes List<String>
failCicd Boolean: Indicates if cicd failures will fail the image.
forbiddenLabels List<Property Map>
forbiddenLabelsEnabled Boolean
forceMicroenforcer Boolean
functionIntegrityEnabled Boolean
ignoreBaseImageVln Boolean
ignoreRecentlyPublishedVln Boolean
ignoreRecentlyPublishedVlnPeriod Number
ignoreRiskResourcesEnabled Boolean: Indicates if risk resources are ignored.
ignoredRiskResources List<String>: List of ignored risk resources.
ignoredSensitiveResources List<String>
images List<String>: List of images.
kubeCisEnabled Boolean: Performs a Kubernetes CIS benchmark check for the host.
kubernetesControls List<Property Map>: List of Kubernetes controls.
kubernetesControlsAvdIds List<String>
kubernetesControlsNames List<String>: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
labels List<String>: List of labels.
lastupdate String
linuxCisEnabled Boolean
malwareAction String
maximumScore Number: Value of allowed maximum score.
maximumScoreEnabled Boolean: Indicates if exceeding the maximum score is scanned.
maximumScoreExcludeNoFix Boolean: Indicates that policy should ignore cases that do not have a known fix.
monitoredMalwarePaths List<String>
name String
onlyNoneRootUsers Boolean: Indicates if raise a warning for images that should only be run as root.
openshiftHardeningEnabled Boolean
packagesBlackListEnabled Boolean: Indicates if packages blacklist is relevant.
packagesBlackLists List<Property Map>: List of blacklisted images.
packagesWhiteListEnabled Boolean: Indicates if packages whitelist is relevant.
packagesWhiteLists List<Property Map>: List of whitelisted images.
partialResultsImageFail Boolean
permission String
policySettings Property Map
readOnly Boolean
registries List<String>: List of registries.
registry String
requiredLabels List<Property Map>
requiredLabelsEnabled Boolean
scanMalwareInArchives Boolean
scanNfsMounts Boolean
scanProcessMemory Boolean
scanSensitiveData Boolean: Indicates if scan should include sensitive data in the image.
scanWindowsRegistry Boolean
scapEnabled Boolean: Indicates if scanning should include scap.
scapFiles List<String>: List of SCAP user scripts for checks.
scopes List<Property Map>
trustedBaseImages List<Property Map>: List of trusted images.
trustedBaseImagesEnabled Boolean: Indicates if list of trusted base images is relevant.
vulnerabilityExploitability Boolean
vulnerabilityScoreRanges List<Number>
whitelistedLicenses List<String>: List of whitelisted licenses.
whitelistedLicensesEnabled Boolean: Indicates if license blacklist is relevant.

Outputs

All input properties are implicitly available as output properties. Additionally, the KubernetesAssurancePolicy resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

id String: The provider-assigned unique ID for this managed resource.

Look up Existing KubernetesAssurancePolicy Resource

Get an existing KubernetesAssurancePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: KubernetesAssurancePolicyState, opts?: CustomResourceOptions): KubernetesAssurancePolicy

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        aggregated_vulnerability: Optional[Mapping[str, str]] = None,
        allowed_images: Optional[Sequence[str]] = None,
        application_scopes: Optional[Sequence[str]] = None,
        assurance_type: Optional[str] = None,
        audit_on_failure: Optional[bool] = None,
        author: Optional[str] = None,
        auto_scan_configured: Optional[bool] = None,
        auto_scan_enabled: Optional[bool] = None,
        auto_scan_times: Optional[Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]] = None,
        blacklist_permissions: Optional[Sequence[str]] = None,
        blacklist_permissions_enabled: Optional[bool] = None,
        blacklisted_licenses: Optional[Sequence[str]] = None,
        blacklisted_licenses_enabled: Optional[bool] = None,
        block_failed: Optional[bool] = None,
        control_exclude_no_fix: Optional[bool] = None,
        custom_checks: Optional[Sequence[KubernetesAssurancePolicyCustomCheckArgs]] = None,
        custom_checks_enabled: Optional[bool] = None,
        custom_severity: Optional[str] = None,
        custom_severity_enabled: Optional[bool] = None,
        cves_black_list_enabled: Optional[bool] = None,
        cves_black_lists: Optional[Sequence[str]] = None,
        cves_white_list_enabled: Optional[bool] = None,
        cves_white_lists: Optional[Sequence[str]] = None,
        cvss_severity: Optional[str] = None,
        cvss_severity_enabled: Optional[bool] = None,
        cvss_severity_exclude_no_fix: Optional[bool] = None,
        description: Optional[str] = None,
        disallow_exploit_types: Optional[Sequence[str]] = None,
        disallow_malware: Optional[bool] = None,
        docker_cis_enabled: Optional[bool] = None,
        domain: Optional[str] = None,
        domain_name: Optional[str] = None,
        dta_enabled: Optional[bool] = None,
        dta_severity: Optional[str] = None,
        enabled: Optional[bool] = None,
        enforce: Optional[bool] = None,
        enforce_after_days: Optional[int] = None,
        enforce_excessive_permissions: Optional[bool] = None,
        exceptional_monitored_malware_paths: Optional[Sequence[str]] = None,
        exclude_application_scopes: Optional[Sequence[str]] = None,
        fail_cicd: Optional[bool] = None,
        forbidden_labels: Optional[Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]] = None,
        forbidden_labels_enabled: Optional[bool] = None,
        force_microenforcer: Optional[bool] = None,
        function_integrity_enabled: Optional[bool] = None,
        ignore_base_image_vln: Optional[bool] = None,
        ignore_recently_published_vln: Optional[bool] = None,
        ignore_recently_published_vln_period: Optional[int] = None,
        ignore_risk_resources_enabled: Optional[bool] = None,
        ignored_risk_resources: Optional[Sequence[str]] = None,
        ignored_sensitive_resources: Optional[Sequence[str]] = None,
        images: Optional[Sequence[str]] = None,
        kube_cis_enabled: Optional[bool] = None,
        kubernetes_controls: Optional[Sequence[KubernetesAssurancePolicyKubernetesControlArgs]] = None,
        kubernetes_controls_avd_ids: Optional[Sequence[str]] = None,
        kubernetes_controls_names: Optional[Sequence[str]] = None,
        labels: Optional[Sequence[str]] = None,
        lastupdate: Optional[str] = None,
        linux_cis_enabled: Optional[bool] = None,
        malware_action: Optional[str] = None,
        maximum_score: Optional[float] = None,
        maximum_score_enabled: Optional[bool] = None,
        maximum_score_exclude_no_fix: Optional[bool] = None,
        monitored_malware_paths: Optional[Sequence[str]] = None,
        name: Optional[str] = None,
        only_none_root_users: Optional[bool] = None,
        openshift_hardening_enabled: Optional[bool] = None,
        packages_black_list_enabled: Optional[bool] = None,
        packages_black_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]] = None,
        packages_white_list_enabled: Optional[bool] = None,
        packages_white_lists: Optional[Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]] = None,
        partial_results_image_fail: Optional[bool] = None,
        permission: Optional[str] = None,
        policy_settings: Optional[KubernetesAssurancePolicyPolicySettingsArgs] = None,
        read_only: Optional[bool] = None,
        registries: Optional[Sequence[str]] = None,
        registry: Optional[str] = None,
        required_labels: Optional[Sequence[KubernetesAssurancePolicyRequiredLabelArgs]] = None,
        required_labels_enabled: Optional[bool] = None,
        scan_malware_in_archives: Optional[bool] = None,
        scan_nfs_mounts: Optional[bool] = None,
        scan_process_memory: Optional[bool] = None,
        scan_sensitive_data: Optional[bool] = None,
        scan_windows_registry: Optional[bool] = None,
        scap_enabled: Optional[bool] = None,
        scap_files: Optional[Sequence[str]] = None,
        scopes: Optional[Sequence[KubernetesAssurancePolicyScopeArgs]] = None,
        trusted_base_images: Optional[Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]] = None,
        trusted_base_images_enabled: Optional[bool] = None,
        vulnerability_exploitability: Optional[bool] = None,
        vulnerability_score_ranges: Optional[Sequence[int]] = None,
        whitelisted_licenses: Optional[Sequence[str]] = None,
        whitelisted_licenses_enabled: Optional[bool] = None) -> KubernetesAssurancePolicy

func GetKubernetesAssurancePolicy(ctx *Context, name string, id IDInput, state *KubernetesAssurancePolicyState, opts ...ResourceOption) (*KubernetesAssurancePolicy, error)

public static KubernetesAssurancePolicy Get(string name, Input<string> id, KubernetesAssurancePolicyState? state, CustomResourceOptions? opts = null)

public static KubernetesAssurancePolicy get(String name, Output<String> id, KubernetesAssurancePolicyState state, CustomResourceOptions options)

Resource lookup is not supported in YAML

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AggregatedVulnerability Dictionary<string, string>: Aggregated vulnerability information.
AllowedImages List<string>: List of explicitly allowed images.
ApplicationScopes List<string>
AssuranceType string: What type of assurance policy is described.
AuditOnFailure bool: Indicates if auditing for failures.
Author string: Name of user account that created the policy.
AutoScanConfigured bool
AutoScanEnabled bool
AutoScanTimes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyAutoScanTime>
BlacklistPermissions List<string>: List of function's forbidden permissions.
BlacklistPermissionsEnabled bool: Indicates if blacklist permissions is relevant.
BlacklistedLicenses List<string>: List of blacklisted licenses.
BlacklistedLicensesEnabled bool: Indicates if license blacklist is relevant.
BlockFailed bool: Indicates if failed images are blocked.
ControlExcludeNoFix bool
CustomChecks List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyCustomCheck>: List of Custom user scripts for checks.
CustomChecksEnabled bool: Indicates if scanning should include custom checks.
CustomSeverity string
CustomSeverityEnabled bool
CvesBlackListEnabled bool: Indicates if CVEs blacklist is relevant.
CvesBlackLists List<string>: List of CVEs blacklisted items.
CvesWhiteListEnabled bool: Indicates if CVEs whitelist is relevant.
CvesWhiteLists List<string>: List of cves whitelisted licenses
CvssSeverity string: Identifier of the cvss severity.
CvssSeverityEnabled bool: Indicates if the cvss severity is scanned.
CvssSeverityExcludeNoFix bool: Indicates that policy should ignore cvss cases that do not have a known fix.
Description string
DisallowExploitTypes List<string>
DisallowMalware bool: Indicates if malware should block the image.
DockerCisEnabled bool: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
Domain string: Name of the container image.
DomainName string
DtaEnabled bool
DtaSeverity string
Enabled bool: Is the control enabled?
Enforce bool
EnforceAfterDays int
EnforceExcessivePermissions bool
ExceptionalMonitoredMalwarePaths List<string>
ExcludeApplicationScopes List<string>
FailCicd bool: Indicates if cicd failures will fail the image.
ForbiddenLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyForbiddenLabel>
ForbiddenLabelsEnabled bool
ForceMicroenforcer bool
FunctionIntegrityEnabled bool
IgnoreBaseImageVln bool
IgnoreRecentlyPublishedVln bool
IgnoreRecentlyPublishedVlnPeriod int
IgnoreRiskResourcesEnabled bool: Indicates if risk resources are ignored.
IgnoredRiskResources List<string>: List of ignored risk resources.
IgnoredSensitiveResources List<string>
Images List<string>: List of images.
KubeCisEnabled bool: Performs a Kubernetes CIS benchmark check for the host.
KubernetesControls List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyKubernetesControl>: List of Kubernetes controls.
KubernetesControlsAvdIds List<string>
KubernetesControlsNames List<string>: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
Labels List<string>: List of labels.
Lastupdate string
LinuxCisEnabled bool
MalwareAction string
MaximumScore double: Value of allowed maximum score.
MaximumScoreEnabled bool: Indicates if exceeding the maximum score is scanned.
MaximumScoreExcludeNoFix bool: Indicates that policy should ignore cases that do not have a known fix.
MonitoredMalwarePaths List<string>
Name string
OnlyNoneRootUsers bool: Indicates if raise a warning for images that should only be run as root.
OpenshiftHardeningEnabled bool
PackagesBlackListEnabled bool: Indicates if packages blacklist is relevant.
PackagesBlackLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesBlackList>: List of blacklisted images.
PackagesWhiteListEnabled bool: Indicates if packages whitelist is relevant.
PackagesWhiteLists List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPackagesWhiteList>: List of whitelisted images.
PartialResultsImageFail bool
Permission string
PolicySettings Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyPolicySettings
ReadOnly bool
Registries List<string>: List of registries.
Registry string
RequiredLabels List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyRequiredLabel>
RequiredLabelsEnabled bool
ScanMalwareInArchives bool
ScanNfsMounts bool
ScanProcessMemory bool
ScanSensitiveData bool: Indicates if scan should include sensitive data in the image.
ScanWindowsRegistry bool
ScapEnabled bool: Indicates if scanning should include scap.
ScapFiles List<string>: List of SCAP user scripts for checks.
Scopes List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyScope>
TrustedBaseImages List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyTrustedBaseImage>: List of trusted images.
TrustedBaseImagesEnabled bool: Indicates if list of trusted base images is relevant.
VulnerabilityExploitability bool
VulnerabilityScoreRanges List<int>
WhitelistedLicenses List<string>: List of whitelisted licenses.
WhitelistedLicensesEnabled bool: Indicates if license blacklist is relevant.

AggregatedVulnerability map[string]string: Aggregated vulnerability information.
AllowedImages []string: List of explicitly allowed images.
ApplicationScopes []string
AssuranceType string: What type of assurance policy is described.
AuditOnFailure bool: Indicates if auditing for failures.
Author string: Name of user account that created the policy.
AutoScanConfigured bool
AutoScanEnabled bool
AutoScanTimes []KubernetesAssurancePolicyAutoScanTimeArgs
BlacklistPermissions []string: List of function's forbidden permissions.
BlacklistPermissionsEnabled bool: Indicates if blacklist permissions is relevant.
BlacklistedLicenses []string: List of blacklisted licenses.
BlacklistedLicensesEnabled bool: Indicates if license blacklist is relevant.
BlockFailed bool: Indicates if failed images are blocked.
ControlExcludeNoFix bool
CustomChecks []KubernetesAssurancePolicyCustomCheckArgs: List of Custom user scripts for checks.
CustomChecksEnabled bool: Indicates if scanning should include custom checks.
CustomSeverity string
CustomSeverityEnabled bool
CvesBlackListEnabled bool: Indicates if CVEs blacklist is relevant.
CvesBlackLists []string: List of CVEs blacklisted items.
CvesWhiteListEnabled bool: Indicates if CVEs whitelist is relevant.
CvesWhiteLists []string: List of cves whitelisted licenses
CvssSeverity string: Identifier of the cvss severity.
CvssSeverityEnabled bool: Indicates if the cvss severity is scanned.
CvssSeverityExcludeNoFix bool: Indicates that policy should ignore cvss cases that do not have a known fix.
Description string
DisallowExploitTypes []string
DisallowMalware bool: Indicates if malware should block the image.
DockerCisEnabled bool: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
Domain string: Name of the container image.
DomainName string
DtaEnabled bool
DtaSeverity string
Enabled bool: Is the control enabled?
Enforce bool
EnforceAfterDays int
EnforceExcessivePermissions bool
ExceptionalMonitoredMalwarePaths []string
ExcludeApplicationScopes []string
FailCicd bool: Indicates if cicd failures will fail the image.
ForbiddenLabels []KubernetesAssurancePolicyForbiddenLabelArgs
ForbiddenLabelsEnabled bool
ForceMicroenforcer bool
FunctionIntegrityEnabled bool
IgnoreBaseImageVln bool
IgnoreRecentlyPublishedVln bool
IgnoreRecentlyPublishedVlnPeriod int
IgnoreRiskResourcesEnabled bool: Indicates if risk resources are ignored.
IgnoredRiskResources []string: List of ignored risk resources.
IgnoredSensitiveResources []string
Images []string: List of images.
KubeCisEnabled bool: Performs a Kubernetes CIS benchmark check for the host.
KubernetesControls []KubernetesAssurancePolicyKubernetesControlArgs: List of Kubernetes controls.
KubernetesControlsAvdIds []string
KubernetesControlsNames []string: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
Labels []string: List of labels.
Lastupdate string
LinuxCisEnabled bool
MalwareAction string
MaximumScore float64: Value of allowed maximum score.
MaximumScoreEnabled bool: Indicates if exceeding the maximum score is scanned.
MaximumScoreExcludeNoFix bool: Indicates that policy should ignore cases that do not have a known fix.
MonitoredMalwarePaths []string
Name string
OnlyNoneRootUsers bool: Indicates if raise a warning for images that should only be run as root.
OpenshiftHardeningEnabled bool
PackagesBlackListEnabled bool: Indicates if packages blacklist is relevant.
PackagesBlackLists []KubernetesAssurancePolicyPackagesBlackListArgs: List of blacklisted images.
PackagesWhiteListEnabled bool: Indicates if packages whitelist is relevant.
PackagesWhiteLists []KubernetesAssurancePolicyPackagesWhiteListArgs: List of whitelisted images.
PartialResultsImageFail bool
Permission string
PolicySettings KubernetesAssurancePolicyPolicySettingsArgs
ReadOnly bool
Registries []string: List of registries.
Registry string
RequiredLabels []KubernetesAssurancePolicyRequiredLabelArgs
RequiredLabelsEnabled bool
ScanMalwareInArchives bool
ScanNfsMounts bool
ScanProcessMemory bool
ScanSensitiveData bool: Indicates if scan should include sensitive data in the image.
ScanWindowsRegistry bool
ScapEnabled bool: Indicates if scanning should include scap.
ScapFiles []string: List of SCAP user scripts for checks.
Scopes []KubernetesAssurancePolicyScopeArgs
TrustedBaseImages []KubernetesAssurancePolicyTrustedBaseImageArgs: List of trusted images.
TrustedBaseImagesEnabled bool: Indicates if list of trusted base images is relevant.
VulnerabilityExploitability bool
VulnerabilityScoreRanges []int
WhitelistedLicenses []string: List of whitelisted licenses.
WhitelistedLicensesEnabled bool: Indicates if license blacklist is relevant.

aggregatedVulnerability Map<String,String>: Aggregated vulnerability information.
allowedImages List<String>: List of explicitly allowed images.
applicationScopes List<String>
assuranceType String: What type of assurance policy is described.
auditOnFailure Boolean: Indicates if auditing for failures.
author String: Name of user account that created the policy.
autoScanConfigured Boolean
autoScanEnabled Boolean
autoScanTimes List<KubernetesAssurancePolicyAutoScanTime>
blacklistPermissions List<String>: List of function's forbidden permissions.
blacklistPermissionsEnabled Boolean: Indicates if blacklist permissions is relevant.
blacklistedLicenses List<String>: List of blacklisted licenses.
blacklistedLicensesEnabled Boolean: Indicates if license blacklist is relevant.
blockFailed Boolean: Indicates if failed images are blocked.
controlExcludeNoFix Boolean
customChecks List<KubernetesAssurancePolicyCustomCheck>: List of Custom user scripts for checks.
customChecksEnabled Boolean: Indicates if scanning should include custom checks.
customSeverity String
customSeverityEnabled Boolean
cvesBlackListEnabled Boolean: Indicates if CVEs blacklist is relevant.
cvesBlackLists List<String>: List of CVEs blacklisted items.
cvesWhiteListEnabled Boolean: Indicates if CVEs whitelist is relevant.
cvesWhiteLists List<String>: List of cves whitelisted licenses
cvssSeverity String: Identifier of the cvss severity.
cvssSeverityEnabled Boolean: Indicates if the cvss severity is scanned.
cvssSeverityExcludeNoFix Boolean: Indicates that policy should ignore cvss cases that do not have a known fix.
description String
disallowExploitTypes List<String>
disallowMalware Boolean: Indicates if malware should block the image.
dockerCisEnabled Boolean: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
domain String: Name of the container image.
domainName String
dtaEnabled Boolean
dtaSeverity String
enabled Boolean: Is the control enabled?
enforce Boolean
enforceAfterDays Integer
enforceExcessivePermissions Boolean
exceptionalMonitoredMalwarePaths List<String>
excludeApplicationScopes List<String>
failCicd Boolean: Indicates if cicd failures will fail the image.
forbiddenLabels List<KubernetesAssurancePolicyForbiddenLabel>
forbiddenLabelsEnabled Boolean
forceMicroenforcer Boolean
functionIntegrityEnabled Boolean
ignoreBaseImageVln Boolean
ignoreRecentlyPublishedVln Boolean
ignoreRecentlyPublishedVlnPeriod Integer
ignoreRiskResourcesEnabled Boolean: Indicates if risk resources are ignored.
ignoredRiskResources List<String>: List of ignored risk resources.
ignoredSensitiveResources List<String>
images List<String>: List of images.
kubeCisEnabled Boolean: Performs a Kubernetes CIS benchmark check for the host.
kubernetesControls List<KubernetesAssurancePolicyKubernetesControl>: List of Kubernetes controls.
kubernetesControlsAvdIds List<String>
kubernetesControlsNames List<String>: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
labels List<String>: List of labels.
lastupdate String
linuxCisEnabled Boolean
malwareAction String
maximumScore Double: Value of allowed maximum score.
maximumScoreEnabled Boolean: Indicates if exceeding the maximum score is scanned.
maximumScoreExcludeNoFix Boolean: Indicates that policy should ignore cases that do not have a known fix.
monitoredMalwarePaths List<String>
name String
onlyNoneRootUsers Boolean: Indicates if raise a warning for images that should only be run as root.
openshiftHardeningEnabled Boolean
packagesBlackListEnabled Boolean: Indicates if packages blacklist is relevant.
packagesBlackLists List<KubernetesAssurancePolicyPackagesBlackList>: List of blacklisted images.
packagesWhiteListEnabled Boolean: Indicates if packages whitelist is relevant.
packagesWhiteLists List<KubernetesAssurancePolicyPackagesWhiteList>: List of whitelisted images.
partialResultsImageFail Boolean
permission String
policySettings KubernetesAssurancePolicyPolicySettings
readOnly Boolean
registries List<String>: List of registries.
registry String
requiredLabels List<KubernetesAssurancePolicyRequiredLabel>
requiredLabelsEnabled Boolean
scanMalwareInArchives Boolean
scanNfsMounts Boolean
scanProcessMemory Boolean
scanSensitiveData Boolean: Indicates if scan should include sensitive data in the image.
scanWindowsRegistry Boolean
scapEnabled Boolean: Indicates if scanning should include scap.
scapFiles List<String>: List of SCAP user scripts for checks.
scopes List<KubernetesAssurancePolicyScope>
trustedBaseImages List<KubernetesAssurancePolicyTrustedBaseImage>: List of trusted images.
trustedBaseImagesEnabled Boolean: Indicates if list of trusted base images is relevant.
vulnerabilityExploitability Boolean
vulnerabilityScoreRanges List<Integer>
whitelistedLicenses List<String>: List of whitelisted licenses.
whitelistedLicensesEnabled Boolean: Indicates if license blacklist is relevant.

aggregatedVulnerability {[key: string]: string}: Aggregated vulnerability information.
allowedImages string[]: List of explicitly allowed images.
applicationScopes string[]
assuranceType string: What type of assurance policy is described.
auditOnFailure boolean: Indicates if auditing for failures.
author string: Name of user account that created the policy.
autoScanConfigured boolean
autoScanEnabled boolean
autoScanTimes KubernetesAssurancePolicyAutoScanTime[]
blacklistPermissions string[]: List of function's forbidden permissions.
blacklistPermissionsEnabled boolean: Indicates if blacklist permissions is relevant.
blacklistedLicenses string[]: List of blacklisted licenses.
blacklistedLicensesEnabled boolean: Indicates if license blacklist is relevant.
blockFailed boolean: Indicates if failed images are blocked.
controlExcludeNoFix boolean
customChecks KubernetesAssurancePolicyCustomCheck[]: List of Custom user scripts for checks.
customChecksEnabled boolean: Indicates if scanning should include custom checks.
customSeverity string
customSeverityEnabled boolean
cvesBlackListEnabled boolean: Indicates if CVEs blacklist is relevant.
cvesBlackLists string[]: List of CVEs blacklisted items.
cvesWhiteListEnabled boolean: Indicates if CVEs whitelist is relevant.
cvesWhiteLists string[]: List of cves whitelisted licenses
cvssSeverity string: Identifier of the cvss severity.
cvssSeverityEnabled boolean: Indicates if the cvss severity is scanned.
cvssSeverityExcludeNoFix boolean: Indicates that policy should ignore cvss cases that do not have a known fix.
description string
disallowExploitTypes string[]
disallowMalware boolean: Indicates if malware should block the image.
dockerCisEnabled boolean: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
domain string: Name of the container image.
domainName string
dtaEnabled boolean
dtaSeverity string
enabled boolean: Is the control enabled?
enforce boolean
enforceAfterDays number
enforceExcessivePermissions boolean
exceptionalMonitoredMalwarePaths string[]
excludeApplicationScopes string[]
failCicd boolean: Indicates if cicd failures will fail the image.
forbiddenLabels KubernetesAssurancePolicyForbiddenLabel[]
forbiddenLabelsEnabled boolean
forceMicroenforcer boolean
functionIntegrityEnabled boolean
ignoreBaseImageVln boolean
ignoreRecentlyPublishedVln boolean
ignoreRecentlyPublishedVlnPeriod number
ignoreRiskResourcesEnabled boolean: Indicates if risk resources are ignored.
ignoredRiskResources string[]: List of ignored risk resources.
ignoredSensitiveResources string[]
images string[]: List of images.
kubeCisEnabled boolean: Performs a Kubernetes CIS benchmark check for the host.
kubernetesControls KubernetesAssurancePolicyKubernetesControl[]: List of Kubernetes controls.
kubernetesControlsAvdIds string[]
kubernetesControlsNames string[]: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
labels string[]: List of labels.
lastupdate string
linuxCisEnabled boolean
malwareAction string
maximumScore number: Value of allowed maximum score.
maximumScoreEnabled boolean: Indicates if exceeding the maximum score is scanned.
maximumScoreExcludeNoFix boolean: Indicates that policy should ignore cases that do not have a known fix.
monitoredMalwarePaths string[]
name string
onlyNoneRootUsers boolean: Indicates if raise a warning for images that should only be run as root.
openshiftHardeningEnabled boolean
packagesBlackListEnabled boolean: Indicates if packages blacklist is relevant.
packagesBlackLists KubernetesAssurancePolicyPackagesBlackList[]: List of blacklisted images.
packagesWhiteListEnabled boolean: Indicates if packages whitelist is relevant.
packagesWhiteLists KubernetesAssurancePolicyPackagesWhiteList[]: List of whitelisted images.
partialResultsImageFail boolean
permission string
policySettings KubernetesAssurancePolicyPolicySettings
readOnly boolean
registries string[]: List of registries.
registry string
requiredLabels KubernetesAssurancePolicyRequiredLabel[]
requiredLabelsEnabled boolean
scanMalwareInArchives boolean
scanNfsMounts boolean
scanProcessMemory boolean
scanSensitiveData boolean: Indicates if scan should include sensitive data in the image.
scanWindowsRegistry boolean
scapEnabled boolean: Indicates if scanning should include scap.
scapFiles string[]: List of SCAP user scripts for checks.
scopes KubernetesAssurancePolicyScope[]
trustedBaseImages KubernetesAssurancePolicyTrustedBaseImage[]: List of trusted images.
trustedBaseImagesEnabled boolean: Indicates if list of trusted base images is relevant.
vulnerabilityExploitability boolean
vulnerabilityScoreRanges number[]
whitelistedLicenses string[]: List of whitelisted licenses.
whitelistedLicensesEnabled boolean: Indicates if license blacklist is relevant.

aggregated_vulnerability Mapping[str, str]: Aggregated vulnerability information.
allowed_images Sequence[str]: List of explicitly allowed images.
application_scopes Sequence[str]
assurance_type str: What type of assurance policy is described.
audit_on_failure bool: Indicates if auditing for failures.
author str: Name of user account that created the policy.
auto_scan_configured bool
auto_scan_enabled bool
auto_scan_times Sequence[KubernetesAssurancePolicyAutoScanTimeArgs]
blacklist_permissions Sequence[str]: List of function's forbidden permissions.
blacklist_permissions_enabled bool: Indicates if blacklist permissions is relevant.
blacklisted_licenses Sequence[str]: List of blacklisted licenses.
blacklisted_licenses_enabled bool: Indicates if license blacklist is relevant.
block_failed bool: Indicates if failed images are blocked.
control_exclude_no_fix bool
custom_checks Sequence[KubernetesAssurancePolicyCustomCheckArgs]: List of Custom user scripts for checks.
custom_checks_enabled bool: Indicates if scanning should include custom checks.
custom_severity str
custom_severity_enabled bool
cves_black_list_enabled bool: Indicates if CVEs blacklist is relevant.
cves_black_lists Sequence[str]: List of CVEs blacklisted items.
cves_white_list_enabled bool: Indicates if CVEs whitelist is relevant.
cves_white_lists Sequence[str]: List of cves whitelisted licenses
cvss_severity str: Identifier of the cvss severity.
cvss_severity_enabled bool: Indicates if the cvss severity is scanned.
cvss_severity_exclude_no_fix bool: Indicates that policy should ignore cvss cases that do not have a known fix.
description str
disallow_exploit_types Sequence[str]
disallow_malware bool: Indicates if malware should block the image.
docker_cis_enabled bool: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
domain str: Name of the container image.
domain_name str
dta_enabled bool
dta_severity str
enabled bool: Is the control enabled?
enforce bool
enforce_after_days int
enforce_excessive_permissions bool
exceptional_monitored_malware_paths Sequence[str]
exclude_application_scopes Sequence[str]
fail_cicd bool: Indicates if cicd failures will fail the image.
forbidden_labels Sequence[KubernetesAssurancePolicyForbiddenLabelArgs]
forbidden_labels_enabled bool
force_microenforcer bool
function_integrity_enabled bool
ignore_base_image_vln bool
ignore_recently_published_vln bool
ignore_recently_published_vln_period int
ignore_risk_resources_enabled bool: Indicates if risk resources are ignored.
ignored_risk_resources Sequence[str]: List of ignored risk resources.
ignored_sensitive_resources Sequence[str]
images Sequence[str]: List of images.
kube_cis_enabled bool: Performs a Kubernetes CIS benchmark check for the host.
kubernetes_controls Sequence[KubernetesAssurancePolicyKubernetesControlArgs]: List of Kubernetes controls.
kubernetes_controls_avd_ids Sequence[str]
kubernetes_controls_names Sequence[str]: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
labels Sequence[str]: List of labels.
lastupdate str
linux_cis_enabled bool
malware_action str
maximum_score float: Value of allowed maximum score.
maximum_score_enabled bool: Indicates if exceeding the maximum score is scanned.
maximum_score_exclude_no_fix bool: Indicates that policy should ignore cases that do not have a known fix.
monitored_malware_paths Sequence[str]
name str
only_none_root_users bool: Indicates if raise a warning for images that should only be run as root.
openshift_hardening_enabled bool
packages_black_list_enabled bool: Indicates if packages blacklist is relevant.
packages_black_lists Sequence[KubernetesAssurancePolicyPackagesBlackListArgs]: List of blacklisted images.
packages_white_list_enabled bool: Indicates if packages whitelist is relevant.
packages_white_lists Sequence[KubernetesAssurancePolicyPackagesWhiteListArgs]: List of whitelisted images.
partial_results_image_fail bool
permission str
policy_settings KubernetesAssurancePolicyPolicySettingsArgs
read_only bool
registries Sequence[str]: List of registries.
registry str
required_labels Sequence[KubernetesAssurancePolicyRequiredLabelArgs]
required_labels_enabled bool
scan_malware_in_archives bool
scan_nfs_mounts bool
scan_process_memory bool
scan_sensitive_data bool: Indicates if scan should include sensitive data in the image.
scan_windows_registry bool
scap_enabled bool: Indicates if scanning should include scap.
scap_files Sequence[str]: List of SCAP user scripts for checks.
scopes Sequence[KubernetesAssurancePolicyScopeArgs]
trusted_base_images Sequence[KubernetesAssurancePolicyTrustedBaseImageArgs]: List of trusted images.
trusted_base_images_enabled bool: Indicates if list of trusted base images is relevant.
vulnerability_exploitability bool
vulnerability_score_ranges Sequence[int]
whitelisted_licenses Sequence[str]: List of whitelisted licenses.
whitelisted_licenses_enabled bool: Indicates if license blacklist is relevant.

aggregatedVulnerability Map<String>: Aggregated vulnerability information.
allowedImages List<String>: List of explicitly allowed images.
applicationScopes List<String>
assuranceType String: What type of assurance policy is described.
auditOnFailure Boolean: Indicates if auditing for failures.
author String: Name of user account that created the policy.
autoScanConfigured Boolean
autoScanEnabled Boolean
autoScanTimes List<Property Map>
blacklistPermissions List<String>: List of function's forbidden permissions.
blacklistPermissionsEnabled Boolean: Indicates if blacklist permissions is relevant.
blacklistedLicenses List<String>: List of blacklisted licenses.
blacklistedLicensesEnabled Boolean: Indicates if license blacklist is relevant.
blockFailed Boolean: Indicates if failed images are blocked.
controlExcludeNoFix Boolean
customChecks List<Property Map>: List of Custom user scripts for checks.
customChecksEnabled Boolean: Indicates if scanning should include custom checks.
customSeverity String
customSeverityEnabled Boolean
cvesBlackListEnabled Boolean: Indicates if CVEs blacklist is relevant.
cvesBlackLists List<String>: List of CVEs blacklisted items.
cvesWhiteListEnabled Boolean: Indicates if CVEs whitelist is relevant.
cvesWhiteLists List<String>: List of cves whitelisted licenses
cvssSeverity String: Identifier of the cvss severity.
cvssSeverityEnabled Boolean: Indicates if the cvss severity is scanned.
cvssSeverityExcludeNoFix Boolean: Indicates that policy should ignore cvss cases that do not have a known fix.
description String
disallowExploitTypes List<String>
disallowMalware Boolean: Indicates if malware should block the image.
dockerCisEnabled Boolean: Checks the host according to the Docker CIS benchmark, if Docker is found on the host.
domain String: Name of the container image.
domainName String
dtaEnabled Boolean
dtaSeverity String
enabled Boolean: Is the control enabled?
enforce Boolean
enforceAfterDays Number
enforceExcessivePermissions Boolean
exceptionalMonitoredMalwarePaths List<String>
excludeApplicationScopes List<String>
failCicd Boolean: Indicates if cicd failures will fail the image.
forbiddenLabels List<Property Map>
forbiddenLabelsEnabled Boolean
forceMicroenforcer Boolean
functionIntegrityEnabled Boolean
ignoreBaseImageVln Boolean
ignoreRecentlyPublishedVln Boolean
ignoreRecentlyPublishedVlnPeriod Number
ignoreRiskResourcesEnabled Boolean: Indicates if risk resources are ignored.
ignoredRiskResources List<String>: List of ignored risk resources.
ignoredSensitiveResources List<String>
images List<String>: List of images.
kubeCisEnabled Boolean: Performs a Kubernetes CIS benchmark check for the host.
kubernetesControls List<Property Map>: List of Kubernetes controls.
kubernetesControlsAvdIds List<String>
kubernetesControlsNames List<String>: List of kubernetes control names and available kubernetes controls are: 'Access to host IPC namespace', 'Access to host PID', 'Access to host network', 'Access to host ports', 'All container images must start with a GCR domain', 'All container images must start with an ECR domain', 'All container images must start with the *.azurecr.io domain', 'CPU not limited', 'CPU requests not specified', 'Can elevate its own privileges', 'ConfigMap with secrets', 'ConfigMap with sensitive content', 'Container images from public registries used', 'Default capabilitiessome containers do not drop all', 'Default capabilitiessome containers do not drop any', 'Delete pod logs', 'Exec into Pods', 'Image tag :latest used', 'Manage EKS IAM Auth ConfigMap', 'Manage Kubernetes RBAC resources', 'Manage Kubernetes networking', 'Manage Kubernetes workloads and pods', 'Manage all resources', 'Manage all resources at the namespace', 'Manage configmaps', 'Manage namespace secrets', 'Manage secrets', 'Manage webhookconfigurations', 'Manages /etc/hosts', 'Memory not limited', 'Memory requests not specified', 'Non-core volume types used.', 'Non-default /proc masks set', 'Privileged', 'Root file system is not read-only', 'Runs as root user', 'Runs with GID <= 10000', 'Runs with UID <= 10000', 'Runs with a root primary or supplementary GID', 'Runtime/Default AppArmor profile not set', 'Runtime/Default Seccomp profile not set', 'SELinux custom options set', 'SYS_ADMIN capability added', 'Seccomp policies disabled', 'Service with External IP', 'Specific capabilities added', 'Unsafe sysctl options set', 'User with admin access', 'Workloads in the default namespace', 'hostPath volume mounted with docker.sock', 'hostPath volumes mounted'
labels List<String>: List of labels.
lastupdate String
linuxCisEnabled Boolean
malwareAction String
maximumScore Number: Value of allowed maximum score.
maximumScoreEnabled Boolean: Indicates if exceeding the maximum score is scanned.
maximumScoreExcludeNoFix Boolean: Indicates that policy should ignore cases that do not have a known fix.
monitoredMalwarePaths List<String>
name String
onlyNoneRootUsers Boolean: Indicates if raise a warning for images that should only be run as root.
openshiftHardeningEnabled Boolean
packagesBlackListEnabled Boolean: Indicates if packages blacklist is relevant.
packagesBlackLists List<Property Map>: List of blacklisted images.
packagesWhiteListEnabled Boolean: Indicates if packages whitelist is relevant.
packagesWhiteLists List<Property Map>: List of whitelisted images.
partialResultsImageFail Boolean
permission String
policySettings Property Map
readOnly Boolean
registries List<String>: List of registries.
registry String
requiredLabels List<Property Map>
requiredLabelsEnabled Boolean
scanMalwareInArchives Boolean
scanNfsMounts Boolean
scanProcessMemory Boolean
scanSensitiveData Boolean: Indicates if scan should include sensitive data in the image.
scanWindowsRegistry Boolean
scapEnabled Boolean: Indicates if scanning should include scap.
scapFiles List<String>: List of SCAP user scripts for checks.
scopes List<Property Map>
trustedBaseImages List<Property Map>: List of trusted images.
trustedBaseImagesEnabled Boolean: Indicates if list of trusted base images is relevant.
vulnerabilityExploitability Boolean
vulnerabilityScoreRanges List<Number>
whitelistedLicenses List<String>: List of whitelisted licenses.
whitelistedLicensesEnabled Boolean: Indicates if license blacklist is relevant.

Supporting Types

KubernetesAssurancePolicyAutoScanTime, KubernetesAssurancePolicyAutoScanTimeArgs

Iteration int
IterationType string
Time string
WeekDays List<string>

Iteration int
IterationType string
Time string
WeekDays []string

iteration Integer
iterationType String
time String
weekDays List<String>

iteration number
iterationType string
time string
weekDays string[]

iteration int
iteration_type str
time str
week_days Sequence[str]

iteration Number
iterationType String
time String
weekDays List<String>

KubernetesAssurancePolicyCustomCheck, KubernetesAssurancePolicyCustomCheckArgs

Author string: Name of user account that created the policy.
Description string
Engine string
LastModified int
Name string
Path string
ReadOnly bool
ScriptId string
Severity string
Snippet string

Author string: Name of user account that created the policy.
Description string
Engine string
LastModified int
Name string
Path string
ReadOnly bool
ScriptId string
Severity string
Snippet string

author String: Name of user account that created the policy.
description String
engine String
lastModified Integer
name String
path String
readOnly Boolean
scriptId String
severity String
snippet String

author string: Name of user account that created the policy.
description string
engine string
lastModified number
name string
path string
readOnly boolean
scriptId string
severity string
snippet string

author str: Name of user account that created the policy.
description str
engine str
last_modified int
name str
path str
read_only bool
script_id str
severity str
snippet str

author String: Name of user account that created the policy.
description String
engine String
lastModified Number
name String
path String
readOnly Boolean
scriptId String
severity String
snippet String

KubernetesAssurancePolicyForbiddenLabel, KubernetesAssurancePolicyForbiddenLabelArgs

Key string
Value string

Key string
Value string

key String
value String

key string
value string

key str
value str

key String
value String

KubernetesAssurancePolicyKubernetesControl, KubernetesAssurancePolicyKubernetesControlArgs

AvdId string: AVD ID.
Description string: Description of the control.
Enabled bool: Is the control enabled?
Kind string: Kind of the control.
Name string: Name of the control.
Ootb bool: Out-of-the-box status of the control.
ScriptId int: Script ID.
Severity string: Severity of the control.

AvdId string: AVD ID.
Description string: Description of the control.
Enabled bool: Is the control enabled?
Kind string: Kind of the control.
Name string: Name of the control.
Ootb bool: Out-of-the-box status of the control.
ScriptId int: Script ID.
Severity string: Severity of the control.

avdId String: AVD ID.
description String: Description of the control.
enabled Boolean: Is the control enabled?
kind String: Kind of the control.
name String: Name of the control.
ootb Boolean: Out-of-the-box status of the control.
scriptId Integer: Script ID.
severity String: Severity of the control.

avdId string: AVD ID.
description string: Description of the control.
enabled boolean: Is the control enabled?
kind string: Kind of the control.
name string: Name of the control.
ootb boolean: Out-of-the-box status of the control.
scriptId number: Script ID.
severity string: Severity of the control.

avd_id str: AVD ID.
description str: Description of the control.
enabled bool: Is the control enabled?
kind str: Kind of the control.
name str: Name of the control.
ootb bool: Out-of-the-box status of the control.
script_id int: Script ID.
severity str: Severity of the control.

avdId String: AVD ID.
description String: Description of the control.
enabled Boolean: Is the control enabled?
kind String: Kind of the control.
name String: Name of the control.
ootb Boolean: Out-of-the-box status of the control.
scriptId Number: Script ID.
severity String: Severity of the control.

KubernetesAssurancePolicyPackagesBlackList, KubernetesAssurancePolicyPackagesBlackListArgs

Arch string
Display string
Epoch string
Format string
License string
Name string
Release string
Version string
VersionRange string

Arch string
Display string
Epoch string
Format string
License string
Name string
Release string
Version string
VersionRange string

arch String
display String
epoch String
format String
license String
name String
release String
version String
versionRange String

arch string
display string
epoch string
format string
license string
name string
release string
version string
versionRange string

arch str
display str
epoch str
format str
license str
name str
release str
version str
version_range str

arch String
display String
epoch String
format String
license String
name String
release String
version String
versionRange String

KubernetesAssurancePolicyPackagesWhiteList, KubernetesAssurancePolicyPackagesWhiteListArgs

Arch string
Display string
Epoch string
Format string
License string
Name string
Release string
Version string
VersionRange string

Arch string
Display string
Epoch string
Format string
License string
Name string
Release string
Version string
VersionRange string

arch String
display String
epoch String
format String
license String
name String
release String
version String
versionRange String

arch string
display string
epoch string
format string
license string
name string
release string
version string
versionRange string

arch str
display str
epoch str
format str
license str
name str
release str
version str
version_range str

arch String
display String
epoch String
format String
license String
name String
release String
version String
versionRange String

KubernetesAssurancePolicyPolicySettings, KubernetesAssurancePolicyPolicySettingsArgs

Enforce bool
IsAuditChecked bool
Warn bool
WarningMessage string

Enforce bool
IsAuditChecked bool
Warn bool
WarningMessage string

enforce Boolean
isAuditChecked Boolean
warn Boolean
warningMessage String

enforce boolean
isAuditChecked boolean
warn boolean
warningMessage string

enforce bool
is_audit_checked bool
warn bool
warning_message str

enforce Boolean
isAuditChecked Boolean
warn Boolean
warningMessage String

KubernetesAssurancePolicyRequiredLabel, KubernetesAssurancePolicyRequiredLabelArgs

Key string
Value string

Key string
Value string

key String
value String

key string
value string

key str
value str

key String
value String

KubernetesAssurancePolicyScope, KubernetesAssurancePolicyScopeArgs

Expression string
Variables List<Pulumiverse.Aquasec.Inputs.KubernetesAssurancePolicyScopeVariable>

Expression string
Variables []KubernetesAssurancePolicyScopeVariable

expression String
variables List<KubernetesAssurancePolicyScopeVariable>

expression string
variables KubernetesAssurancePolicyScopeVariable[]

expression str
variables Sequence[KubernetesAssurancePolicyScopeVariable]

expression String
variables List<Property Map>

KubernetesAssurancePolicyScopeVariable, KubernetesAssurancePolicyScopeVariableArgs

Attribute string
Name string
Value string

Attribute string
Name string
Value string

attribute String
name String
value String

attribute string
name string
value string

attribute str
name str
value str

attribute String
name String
value String

KubernetesAssurancePolicyTrustedBaseImage, KubernetesAssurancePolicyTrustedBaseImageArgs

Imagename string
Registry string

Imagename string
Registry string

imagename String
registry String

imagename string
registry string

imagename str
registry str

imagename String
registry String

Package Details

Repository: aquasec pulumiverse/pulumi-aquasec
License: Apache-2.0
Notes: This Pulumi package is based on the aquasec Terraform Provider.

Aquasec v0.8.27 published on Monday, Jan 29, 2024 by Pulumiverse

pulumiverse/pulumi-aquasec

aquasec.KubernetesAssurancePolicy

On this page

On this page

Create KubernetesAssurancePolicy Resource

Constructor syntax

Parameters

Constructor example

KubernetesAssurancePolicy Resource Properties

Inputs

Outputs

Look up Existing KubernetesAssurancePolicy Resource

Supporting Types

KubernetesAssurancePolicyAutoScanTime, KubernetesAssurancePolicyAutoScanTimeArgs

KubernetesAssurancePolicyCustomCheck, KubernetesAssurancePolicyCustomCheckArgs

KubernetesAssurancePolicyForbiddenLabel, KubernetesAssurancePolicyForbiddenLabelArgs

KubernetesAssurancePolicyKubernetesControl, KubernetesAssurancePolicyKubernetesControlArgs

KubernetesAssurancePolicyPackagesBlackList, KubernetesAssurancePolicyPackagesBlackListArgs

KubernetesAssurancePolicyPackagesWhiteList, KubernetesAssurancePolicyPackagesWhiteListArgs

KubernetesAssurancePolicyPolicySettings, KubernetesAssurancePolicyPolicySettingsArgs

KubernetesAssurancePolicyRequiredLabel, KubernetesAssurancePolicyRequiredLabelArgs

KubernetesAssurancePolicyScope, KubernetesAssurancePolicyScopeArgs

KubernetesAssurancePolicyScopeVariable, KubernetesAssurancePolicyScopeVariableArgs

KubernetesAssurancePolicyTrustedBaseImage, KubernetesAssurancePolicyTrustedBaseImageArgs

Package Details

On this page

On this page