Introduction

This article describes how to create Kubernetes Assurance Policies on Cloud Service Providers (CSP) and in Workload Protection using Terraform and the aquasec provider. The procedure has two parts: collecting the environment-specific Script ID of each control from the Aqua Console, and writing the Terraform resource that references those IDs.



Applicability

This knowledge base (KB) article applies to both On-Premises and SaaS Workload Protection environments. 



Steps/Procedure

1. Obtain Script IDs for Controls

Before writing the Terraform script, collect the Script ID of each control you want in the policy. The Terraform resource references every control by its numeric script_id, and the value is read from the API request the Aqua Console sends when the policy is saved.

1.1 Access the Aqua Console

  • Navigate to your SaaS or On-Prem Workload Protection environment.

1.2 Locate Assurance Policies

  • Go to the Assurance Policies section.
  • Open the default Kubernetes Assurance Policy.

1.3 Inspect API Calls

  • Open the browser's developer tools (right-click the page and select "Inspect", or press F12).
  • Switch to the Network tab.

1.4 Clear Existing API Calls

  • Clear the request list so that only the requests triggered by the next save are shown.

1.5 Save the Assurance Policy

  • In the UI, click SAVE on the Kubernetes Assurance Policy without changing any setting, so the Console simply re-sends the current configuration.
  • After saving, a request for the default policy (listed as kubernetes_assurance_policy_default, ending in default) appears in the Network tab.

1.6 Review API Call Payload

  • Click the kubernetes_assurance_policy_default request.
  • Open the Payload (Request Payload) section.
  • Scroll down to the kubernetes_controls: [...] entry.

1.7 Extract Script IDs

  • Expand the kubernetes_controls section.
  • For each control, note the control name together with its script_id; these are the values the Terraform script needs. Repeat this in every environment you target, because the IDs are not portable between environments.


2. Create Terraform Script

With the Script IDs gathered, proceed to create your Terraform script to implement the Assurance Policies.

2.1 Write the Terraform Script

  • Define one kubernetes_controls block per control, using the name and Script ID collected in step 1, inside an aquasec_kubernetes_assurance_policy resource.
  • Check that each control is referenced by the Script ID from the target environment and that the file is valid HCL (terraform validate). The resource schema is documented in the provider registry [1] and a complete reference example is in the provider repository [2].
terraform {
  required_providers {
    aquasec = {
      version = "0.8.30"  # Pin the provider version; check the registry for the current release
      source  = "aquasecurity/aquasec"
    }
  }
}

provider "aquasec" {
  # Do not commit real credentials to source control. Leave these attributes out
  # and export AQUA_USER, AQUA_URL and AQUA_PASSWORD instead; the provider reads
  # them from the environment.
  username = "<AQUA_USER>"        # Alternatively sourced from $AQUA_USER
  aqua_url = "https://<AQUA_URL>" # Alternatively sourced from $AQUA_URL
  password = "<PASSWORD>"         # Alternatively sourced from $AQUA_PASSWORD
}

resource "aquasec_kubernetes_assurance_policy" "kubernetes_assurance_policy" {
  name               = "kubernetes_assurance_policy_name1"
  assurance_type     = "kubernetes"
  description        = "kubernetes_assurance_policy_name1"
  application_scopes = ["Global"]
  audit_on_failure   = true
  block_failed       = true

  # The script_id values below are the ones collected in step 1 for one
  # environment; replace them with the IDs from the environment you apply to.
  kubernetes_controls {
    avd_id      = "AVD-KSV-0008"
    description = "Sharing the host’s IPC namespace allows container processes to communicate with processes on the host."
    enabled     = true
    kind        = "workload"
    name        = "Access to host IPC namespace"
    ootb        = true
    script_id   = 88
    severity    = "high"
  }

  kubernetes_controls {
    avd_id      = "AVD-KSV-0009"
    description = "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter."
    enabled     = true
    kind        = "workload"
    name        = "Access to host network"
    ootb        = true
    script_id   = 90
    severity    = "high"
  }

  kubernetes_controls {
    avd_id      = "AVD-KSV-0010"
    description = "Sharing the host’s PID namespace allows visibility on host processes, potentially leaking information such as environment variables and configuration."
    enabled     = false
    kind        = "workload"
    name        = "Access to host PID"
    ootb        = true
    script_id   = 89
    severity    = "high"
  }

  kubernetes_controls {
    avd_id      = "AVD-KSV-0024"
    description = "According to pod security standard 'Host Ports', hostPorts should be disallowed, or at minimum restricted to a known list."
    enabled     = false
    kind        = "workload"
    name        = "Access to host ports"
    ootb        = true
    script_id   = 129
    severity    = "high"
  }
}


2.2 Apply the Terraform Script

  • Run terraform init to install the provider, then terraform plan to review the resources that will be created or changed.
  • Run terraform apply to create the Kubernetes Assurance Policy, and check the output for the confirmation that the resource was created.
  • Verify the new policy under Assurance Policies in the Aqua Console.


NOTE: Script IDs vary between platforms and environments. The Script ID of a control in one environment (e.g., SaaS) will not necessarily match the ID of the same control in another (e.g., On-Prem), so collect the IDs again (step 1) for every environment before applying the script there.
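The following script is an added helper for this article, not code from Aqua or the aquasec provider. It automates steps 1.6 to 1.7 and 2.1: it reads the request payload captured in the browser (pasted into a file, or a whole HAR export saved from the Network tab), lists the name-to-script_id table, renders the kubernetes_controls blocks for the resource above, and compares a script written against one environment with the IDs captured from another, which is the check the NOTE above calls for. The sample payload and HAR are constructed; the payload field names are assumed to match the resource attributes, and the request URL in the HAR sample is invented (only the substring kubernetes_assurance_policy is relied on).

```python
"""Added helper: turn the kubernetes_controls payload captured in the browser
into Terraform kubernetes_controls blocks and check script IDs across
environments. Not part of Aqua or the aquasec provider."""
import json
import sys

# Constructed sample payload. Field names are assumed to match the resource
# attributes; the script IDs are the article's and will differ per environment.
SAMPLE_PAYLOAD = json.dumps({
    "name": "default",
    "assurance_type": "kubernetes",
    "kubernetes_controls": [
        {"script_id": 88, "name": "Access to host IPC namespace", "avd_id": "AVD-KSV-0008",
         "kind": "workload", "severity": "high", "enabled": True, "ootb": True,
         "description": "Sharing the host's IPC namespace allows container processes to communicate with processes on the host."},
        {"script_id": 90, "name": "Access to host network", "avd_id": "AVD-KSV-0009",
         "kind": "workload", "severity": "high", "enabled": True, "ootb": True,
         "description": "Sharing the host's network namespace permits processes in the pod to reach the host's loopback adapter."},
    ],
})

# Constructed sample HAR (DevTools > Network > "Save all as HAR with content").
# The URL path is invented; only the substring "kubernetes_assurance_policy" matters.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://aqua.example/api/v2/version"}},
    {"request": {"method": "PUT", "url": "https://aqua.example/api/v2/kubernetes_assurance_policy_default",
                 "postData": {"mimeType": "application/json", "text": SAMPLE_PAYLOAD}}},
]}})

def payload_from_har(har_text, needle="kubernetes_assurance_policy"):
    """Body of the first request whose URL contains `needle` and that carries
    a body (the policy save sends the whole policy as JSON)."""
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry.get("request", {})
        body = req.get("postData", {}).get("text")
        if needle in req.get("url", "") and body:
            return body
    raise ValueError(f"no request with a body matching {needle!r}")

def load_payload(text):
    # Accept either the raw request payload or a whole HAR export.
    doc = json.loads(text)
    return payload_from_har(text) if isinstance(doc, dict) and "log" in doc else text

def extract_controls(payload_text):
    """kubernetes_controls list, checked for the fields the resource needs."""
    controls = json.loads(payload_text).get("kubernetes_controls")
    if not isinstance(controls, list) or not controls:
        raise ValueError("payload has no kubernetes_controls list")
    required = ("script_id", "name", "avd_id", "kind", "severity", "description")
    for c in controls:
        missing = [k for k in required if k not in c]
        if missing:
            raise ValueError(f"control {c.get('name')!r} is missing {missing}")
    return controls

def script_ids(controls):
    """Control name -> script_id: the table step 1.7 asks you to note."""
    return {c["name"]: int(c["script_id"]) for c in controls}

def _hcl_str(s):
    # JSON string escaping is valid HCL; also neutralise "${" so a description
    # containing it is not parsed as a template interpolation.
    return json.dumps(s).replace("${", "$${")

def render_controls(controls, enable=None):
    """Render kubernetes_controls blocks. `enable` is an optional set of control
    names to turn on; when given, every other control is emitted disabled."""
    blocks = []
    for c in controls:
        on = c.get("enabled", False) if enable is None else c["name"] in enable
        blocks.append("\n".join([
            "  kubernetes_controls {",
            f"    avd_id      = {_hcl_str(c['avd_id'])}",
            f"    description = {_hcl_str(c['description'])}",
            f"    enabled     = {'true' if on else 'false'}",
            f"    kind        = {_hcl_str(c['kind'])}",
            f"    name        = {_hcl_str(c['name'])}",
            f"    ootb        = {'true' if c.get('ootb', True) else 'false'}",
            f"    script_id   = {int(c['script_id'])}",
            f"    severity    = {_hcl_str(c['severity'])}",
            "  }",
        ]))
    return "\n\n".join(blocks) + "\n"

def mismatched_ids(expected, actual):
    """Names whose script_id in an existing .tf file (expected) differs from, or
    is absent in, the map captured from the target environment (actual)."""
    return sorted(n for n, sid in expected.items() if actual.get(n) != sid)

if __name__ == "__main__":
    # Usage: python3 aqua_controls.py [payload.json | capture.har] > controls.tf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAYLOAD
    sys.stdout.write(render_controls(extract_controls(load_payload(text))))
```

Run it with the payload pasted from the Payload tab (or the HAR export) to get the blocks for step 2.1; before applying a script in a second environment, capture that environment's payload and pass the two name-to-ID maps to mismatched_ids, and fix every name it returns before running terraform apply.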



Conclusion

Following the steps in this article lets you create and manage Kubernetes Assurance Policies with Terraform. Always confirm that the Script IDs in the script were collected from the environment you are applying to; applying IDs from another environment can enable the wrong controls and disrupt your Workload Protection environment.


Additional Resources

[1] https://registry.terraform.io/providers/aquasecurity/aquasec/latest/docs

[2] https://github.com/aquasecurity/terraform-provider-aquasec/blob/main/examples/resources/aquasec_kubernetes_assurance_policy/resource.tf
