Application Scopes
Introduction
You can use the Application Scopes UI screen to define and manage application scopes. To access this screen, navigate to Administration > Application Scopes.
Resources
In the context of RBAC, resources are grouped into categories: Artifacts (of applications), Workloads (containers), and Infrastructure (elements). Each category is subdivided into specific types of resources. Each resource type can be specified by the use of attributes.
Aqua Enterprise defines these resources, grouped by category.
The brand name VMware Tanzu has replaced Pivotal. The latter term may still be used in application scope definitions, e.g., PAS (Pivotal Application Service) instead of TAS (Tanzu Application Service).
Artifacts
An artifact is an application. It can be an image (for a container, not a CF application); a serverless function; or a Tanzu Application Service (TAS) droplet.
Resource type | Attribute | Usage |
---|---|---|
Function | Name | Function name |
Function | Serverless App | Name of a serverless application defined in Aqua |
Function | Tag | Serverless function tag. Note: A tag name and value must both be specified. |
Image | Registry | Name of a registry as defined in Aqua |
Image | Repository | Image repository name. Example: In registry.aquasec.com/server:2022.4, the repository name is server. |
TAS (PAS) droplet | Blobstore | Name of the Cloud Controller blobstore in which the TAS droplet resides |
Workloads
A workload is a running container. It can run in a Kubernetes cluster, on a VM (no orchestrator), or under Tanzu Application Service (TAS).
Resource type | Attribute | Usage |
---|---|---|
Kubernetes | Cluster Name | Name of a Kubernetes cluster on which a container is running |
Kubernetes | Namespace | Kubernetes namespace in which a container is running |
No Orchestrator | Container Name | Name of a container running on a VM |
No Orchestrator | Enforcer Group | Name of an Aqua Enforcer group associated with the VM on which the container is running |
No Orchestrator | Host Name | Host name of the VM on which the container is running |
TAS (PAS) | Organization | Name of a Tanzu organization (org) associated with the container |
TAS (PAS) | Space | Name of a Cloud Foundry space associated with the container |
Infrastructure
An infrastructure resource is an element of a computing environment on which a workload is orchestrated and run. It can be a host (VM) or a Kubernetes cluster.
Resource type | Attribute | Usage |
---|---|---|
Host | Enforcer Group | Name of an Aqua Enforcer group associated with the host (VM) |
Kubernetes | Cluster Name | Name of a Kubernetes cluster in which the host (VM) is running |
Application scope
An application scope consists of one or more terms of the form [category, resource type, attribute, value]. The value is a free-text, case-insensitive character string that identifies specific resources. The value can include an asterisk (*) as a wildcard representing zero or more characters.
Special rules concern the use of more than one term.
Single term
The simplest form of application scope consists of just one term. For example, the following would include all container images from the nginx repository in Aqua:
Category | Resource type | Attribute | Value |
---|---|---|---|
Artifacts | Image | Repository | nginx |
AND logic: More than one term specifying the same [category, resource type]
The terms are logically joined with AND (intersection). For example, the following two terms, ANDed together, specify all containers named payroll* that are running on VMs whose host names are Prod*.
Recall: Attribute values are not case-sensitive! Therefore, payroll* would match containers named Payroll, payroll56, and PAYROLL-now.
Category | Resource type | Attribute | Value |
---|---|---|---|
Workloads | No Orchestrator | Container Name | payroll* |
Workloads | No Orchestrator | Host Name | Prod* |
When ANDed terms give different values for the same attribute, the result is generally an empty set. For example, specifying both [Artifacts, Image, Repository, nginx] and [Artifacts, Image, Repository, alpine] yields no images, because no image is in both repositories.
OR logic: More than one term specifying different resource types
This is the common usage: the sets of resources are simply joined together (union). For example, the following terms would result in an application scope consisting of all of the following:
- All container images from the elasticsearch repo
- All serverless functions named payroll*, whose owner tag is set to BernieM
- All containers running on the Kubernetes cluster cluster02
Category | Resource type | Attribute | Value(s) |
---|---|---|---|
Artifacts | Function | Name | payroll* |
Artifacts | Function | Tag | owner, BernieM |
Artifacts | Image | Repository | elasticsearch |
Workloads | Kubernetes | Cluster Name | cluster02 |
This application scope would appear as such in the UI:
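The matching rules from the Single term, AND logic and OR logic sections above, worked through in code. This is an added example, not Aqua's own implementation: terms are tuples [category, resource type, attribute, value], resources are plain dicts with constructed sample values, and function tags are stored as a dict under the "Tag" key.

```python
import re

def value_matches(pattern, actual):
    """Case-insensitive match; '*' stands for zero or more characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, actual, re.IGNORECASE) is not None

def term_matches(term, resource):
    category, rtype, attribute, value = term
    if (category, rtype) != (resource["category"], resource["type"]):
        return False
    if attribute == "Tag":
        # A function tag term carries both a tag name and a tag value.
        name_pat, value_pat = (p.strip() for p in value.split(",", 1))
        return any(value_matches(name_pat, n) and value_matches(value_pat, v)
                   for n, v in resource.get("Tag", {}).items())
    return value_matches(value, resource.get(attribute, ""))

def in_scope(scope, resource):
    """AND within one [category, resource type] group, OR across groups."""
    groups = {}
    for term in scope:
        groups.setdefault(term[:2], []).append(term)
    return any(all(term_matches(t, resource) for t in terms)
               for terms in groups.values())

RESOURCES = [  # constructed sample inventory (hypothetical names)
    {"category": "Artifacts", "type": "Image", "Repository": "elasticsearch",
     "name": "elasticsearch:8"},
    {"category": "Artifacts", "type": "Image", "Repository": "nginx",
     "name": "nginx:1.25"},
    {"category": "Artifacts", "type": "Function", "Name": "payroll-monthly",
     "Tag": {"owner": "BernieM"}, "name": "payroll-monthly"},
    {"category": "Artifacts", "type": "Function", "Name": "payroll-weekly",
     "Tag": {"owner": "alice"}, "name": "payroll-weekly"},
    {"category": "Workloads", "type": "Kubernetes", "Cluster Name": "cluster02",
     "name": "api-pod"},
    {"category": "Workloads", "type": "No Orchestrator",
     "Container Name": "PAYROLL-now", "Host Name": "prod-07", "name": "PAYROLL-now"},
]

OR_SCOPE = [("Artifacts", "Function", "Name", "payroll*"),
            ("Artifacts", "Function", "Tag", "owner, BernieM"),
            ("Artifacts", "Image", "Repository", "elasticsearch"),
            ("Workloads", "Kubernetes", "Cluster Name", "cluster02")]
AND_SCOPE = [("Workloads", "No Orchestrator", "Container Name", "payroll*"),
             ("Workloads", "No Orchestrator", "Host Name", "Prod*")]
EMPTY_SCOPE = [("Artifacts", "Image", "Repository", "nginx"),
               ("Artifacts", "Image", "Repository", "alpine")]

def select(scope, resources=RESOURCES):
    """Names of the sample resources that fall inside the given scope."""
    return sorted(r["name"] for r in resources if in_scope(scope, r))
```

Note that PAYROLL-now is matched by AND_SCOPE only because values are case-insensitive, and that EMPTY_SCOPE selects nothing, as the AND logic section explains.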
The Global application scope
An application scope named Global is predefined in Aqua. It includes all system resources (artifacts, workloads, and infrastructure). You cannot edit or delete it.
Operations
Add an application scope
- In the Aqua UI: Navigate to Account Management > User Management > Application Scopes.
- Click Add Scope.
- Enter the name of the application scope and (optionally) its description.
- (Optional) Enter the email address of the application scope's owner.
- Using the drop-down menus, select a resource type and attribute. Then enter its value (both values in the case of a function tag). As you enter text, the UI provides a dynamically filtered set of entries that match your text string; you can select any of them from the drop-down list. Remember: Values are case-insensitive, and you can use the asterisk wildcard character. Click Add to add each term.
- Repeat the previous step as necessary until the application scope is fully defined.
- Click Save to save the application scope.
You can remove any part of the scope specification by clicking the X on its box.
This screenshot corresponds to the example given in OR logic: More than one term specifying different resource types above:
Modify an application scope
You can change the description and/or the resource components of an application scope.
- In the Aqua UI: Navigate to Account Management > User Management > Application Scopes.
- Click the name of the application scope you want to modify.
- Follow the instructions for Add an application scope above.
Delete application scope(s)
- In the Aqua UI: Navigate to Account Management > User Management > Application Scopes.
- Click the name of the application scope(s) you want to delete (other than Global).
- Click the trashcan icon.