Terraform | Create a Kubernetes Assurance Policy
Introduction
This article outlines the process for creating Kubernetes Assurance policies on Cloud Service Providers (CSP) and Workload Protection using a Terraform script.
Applicability
This knowledge base (KB) article applies to both On-Premises and SaaS Workload Protection environments.
Steps/Procedure
1. Obtain Script IDs for Controls
Before creating the Terraform script, you must collect the Script ID for each control from the Aqua Console.
1.1 Access the Aqua Console
- Navigate to your SaaS or On-Prem Workload Protection environment.
1.2 Locate Assurance Policies
- Go to the Assurance Policies section.
- Open the default Kubernetes Assurance Policy.
1.3 Inspect API Calls
- Open the browser's Inspect page (usually accessed by right-clicking and selecting "Inspect" or pressing F12).
- Switch to the Network tab.
1.4 Clear Existing API Calls
- Clear any existing API calls to ensure clarity in monitoring new requests.
1.5 Save the Assurance Policy
- In the UI, click the SAVE button to save the Kubernetes Assurance Policy.
- After saving, an API call named default will appear in the Network tab.
1.6 Review API Call Payload
- Click on the kubernetes_assurance_policy_default API call.
- Navigate to the Payload section.
- Scroll down to find the kubernetes_controls: [...] entry.
1.7 Extract Script IDs
- Expand the kubernetes_controls section.
- Note the Script IDs associated with each control name, as these will be required for your Terraform script.
2. Create Terraform Script
With the Script IDs gathered, proceed to create your Terraform script to implement the Assurance Policies.
2.1 Write the Terraform Script
- Structure your script using the collected Script IDs to define the required controls for your Kubernetes Assurance policies.
- Ensure that each control is properly referenced and that the syntax follows Terraform conventions.
terraform {
  required_providers {
    aquasec = {
      version = "0.8.30" # Version may change in future releases
      source  = "aquasecurity/aquasec"
    }
  }
}

provider "aquasec" {
  username = "<AQUA_USER>"        # Alternatively sourced from $AQUA_USER
  aqua_url = "https://<AQUA_URL>" # Alternatively sourced from $AQUA_URL
  password = "<PASSWORD>"         # Alternatively sourced from $AQUA_PASSWORD
}

resource "aquasec_kubernetes_assurance_policy" "kubernetes_assurance_policy" {
  name               = "kubernetes_assurance_policy_name1"
  assurance_type     = "kubernetes"
  description        = "kubernetes_assurance_policy_name1"
  application_scopes = ["Global"]
  audit_on_failure   = true
  block_failed       = true

  kubernetes_controls {
    avd_id      = "AVD-KSV-0008"
    description = "Sharing the host’s IPC namespace allows container processes to communicate with processes on the host."
    enabled     = true
    kind        = "workload"
    name        = "Access to host IPC namespace"
    ootb        = true
    script_id   = 88
    severity    = "high"
  }

  kubernetes_controls {
    avd_id      = "AVD-KSV-0009"
    description = "Sharing the host’s network namespace permits processes in the pod to communicate with processes bound to the host’s loopback adapter."
    enabled     = true
    kind        = "workload"
    name        = "Access to host network"
    ootb        = true
    script_id   = 90
    severity    = "high"
  }

  kubernetes_controls {
    avd_id      = "AVD-KSV-0010"
    description = "Sharing the host’s PID namespace allows visibility on host processes, potentially leaking information such as environment variables and configuration."
    enabled     = false
    kind        = "workload"
    name        = "Access to host PID"
    ootb        = true
    script_id   = 89
    severity    = "high"
  }

  kubernetes_controls {
    avd_id      = "AVD-KSV-0024"
    description = "According to pod security standard 'Host Ports', hostPorts should be disallowed, or at minimum restricted to a known list."
    enabled     = false
    kind        = "workload"
    name        = "Access to host ports"
    ootb        = true
    script_id   = 129
    severity    = "high"
  }
}
2.2 Apply the Terraform Script
- Execute terraform apply to apply the changes to your Kubernetes Assurance Policies.
- Monitor the output for confirmation of successful application.
NOTE: The Script ID may vary across platforms and environments. The Script ID you see in one environment (e.g., SaaS) will not necessarily be the same in another environment (On-Prem), so collect the IDs from the environment you are targeting.
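Hand-copying Script IDs out of the Network tab is error-prone, and because the IDs differ per environment the copying has to be repeated for each one. The helper below is an added example, not part of this article or of the aquasec provider: it takes the kubernetes_controls array captured from the payload (steps 1.6 and 1.7), validates that every entry carries a control name and an integer script_id, and renders the kubernetes_controls blocks used in step 2.1. The payload keys are assumed to match the provider attribute names shown in the script above (avd_id, description, enabled, kind, name, ootb, script_id, severity); the sample payload is constructed for illustration and the generated blocks must be checked against your own capture. String values are escaped for HCL, including turning "${" into "$${" so a description can never be read as an interpolation.

```python
"""Render aquasec_kubernetes_assurance_policy control blocks from a captured payload.

Hypothetical helper, not provider code. Assumes the captured JSON uses the same
keys as the provider's kubernetes_controls attributes.
"""
import json
from typing import Iterable, Optional

# Constructed sample modelled on the kubernetes_controls entry inspected in the
# Network tab. Values are illustrative; capture your own payload per environment,
# because script IDs differ between SaaS and On-Prem deployments.
SAMPLE_PAYLOAD = json.dumps({
    "name": "default",
    "assurance_type": "kubernetes",
    "kubernetes_controls": [
        {"avd_id": "AVD-KSV-0008", "name": "Access to host IPC namespace",
         "description": "Sharing the host's IPC namespace allows container processes "
                        "to communicate with processes on the host.",
         "enabled": True, "kind": "workload", "ootb": True,
         "script_id": 88, "severity": "high"},
        {"avd_id": "AVD-KSV-0009", "name": "Access to host network",
         "description": "Sharing the host's network namespace permits processes in "
                        "the pod to communicate with processes bound to the host's "
                        "loopback adapter.",
         "enabled": True, "kind": "workload", "ootb": True,
         "script_id": 90, "severity": "high"},
        {"avd_id": "AVD-KSV-0010", "name": "Access to host PID",
         "description": "Sharing the host's PID namespace allows visibility on host "
                        "processes, potentially leaking information such as "
                        "environment variables and configuration.",
         "enabled": False, "kind": "workload", "ootb": True,
         "script_id": 89, "severity": "high"},
    ],
})

# Attributes copied into each kubernetes_controls block, in the order the article uses.
CONTROL_ATTRS = ("avd_id", "description", "enabled", "kind", "name", "ootb",
                 "script_id", "severity")


def extract_script_ids(payload_json: str) -> dict:
    """Return {control name: script_id}, rejecting entries without an integer script_id."""
    data = json.loads(payload_json)
    controls = data.get("kubernetes_controls")
    if not isinstance(controls, list):
        raise ValueError("payload has no kubernetes_controls list")
    ids = {}
    for ctl in controls:
        name, script_id = ctl.get("name"), ctl.get("script_id")
        # bool is a subclass of int in Python, so exclude it explicitly
        if (not isinstance(name, str) or not isinstance(script_id, int)
                or isinstance(script_id, bool)):
            raise ValueError(f"malformed control entry: {ctl!r}")
        if name in ids:
            raise ValueError(f"duplicate control name: {name}")
        ids[name] = script_id
    return ids


def hcl_literal(value) -> str:
    """Render a value as an HCL literal; strings are quoted, escaped and '${' neutralised."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    text = str(value).replace("\\", "\\\\").replace('"', '\\"').replace("${", "$${")
    return f'"{text}"'


def render_controls(payload_json: str, enable: Optional[Iterable[str]] = None) -> str:
    """Emit one kubernetes_controls block per control in the captured payload.

    If `enable` is given, exactly those control names are enabled and all others are
    emitted with enabled = false; otherwise the payload's own flags are kept.
    """
    extract_script_ids(payload_json)  # validate every entry before rendering anything
    controls = json.loads(payload_json)["kubernetes_controls"]
    wanted = set(enable) if enable is not None else None
    if wanted is not None:
        unknown = wanted - {c["name"] for c in controls}
        if unknown:
            raise ValueError(f"controls not present in payload: {sorted(unknown)}")
    blocks = []
    for ctl in controls:
        attrs = dict(ctl)
        if wanted is not None:
            attrs["enabled"] = ctl["name"] in wanted
        lines = ["  kubernetes_controls {"]
        for key in CONTROL_ATTRS:
            if key in attrs:
                lines.append(f"    {key} = {hcl_literal(attrs[key])}")
        lines.append("  }")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)


if __name__ == "__main__":
    # Enable only the two host-namespace controls; everything else is rendered disabled.
    print(render_controls(SAMPLE_PAYLOAD,
                          enable={"Access to host IPC namespace", "Access to host network"}))
```

Paste the output inside the resource block in the script above; the provider and resource header (name, application_scopes, audit_on_failure, block_failed) are deliberately left for you to write, since those do not come from the captured payload. Run the generator once per environment against that environment's own capture rather than reusing the IDs across SaaS and On-Prem.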
Conclusion
Following the steps outlined in this article will allow you to effectively create and manage Kubernetes Assurance policies using Terraform scripts. Always ensure you are using the correct Script IDs before applying changes to avoid disruptions in your Workload Protection environment.
Additional Resources
[1] https://registry.terraform.io/providers/aquasecurity/aquasec/latest/docs