Container Management API
Overview
Kubernetes hardening policies combine predefined and user-defined policy rules that describe the target configuration of Kubernetes resources. Kubernetes hardening policies assure the security of the workloads configuration.
Use Cases
- Alert, block or enforce workload and image properties to adhere to defined security and compliance standards throughout the application lifecycle.
Requirements
- Container Security Product
- All API calls require an API key with appropriate permissions, see Authentication for details
Key Features
- Configure rules
- Use Scopes to group Kubernetes resources for targeted security protection and analysis. For example, you can group resources by cluster and namespace and then create policies for that scope.
- Templated Policies
Resources
Authentication
Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; All APIs and Services authenticate via API Keys. To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP Headers.
Environment
Available on majority of environments; Use the Carbon Black Cloud Console URL, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policies/{policyId}
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policies
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/scopes/{scopeId}
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/scopes
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policies_scopes/{scopeId}
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policies_scopes
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/rules
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/rules/{custom_rule_id}
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/templates
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/templates/add_rules
- {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/templates/{template_id}
Access Level
Before you create your API Key, you need to create a "Custom" Access Level including each category:
- Workloads Management > Manage Kubernetes Security > kubernetes.security, allow permission to
READ, CREATE, UPDATE, DELETE
API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.
API Calls
The Container Management APIs enable manipulation of Policies, Scopes, Rules, Templates and the relationships between them.
Policy
The calls in this section manage the policy object - creation, updates and delete.
Get Policy
Returns the policy object for a provided policy id.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
READ |
Majority of environments |
Request
GET {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policies/{policy_id}Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The policy object specified by policy_id |
application/json | See example response below |
| 403 | Forbidden application/json | application/json | |
| 404 | Policy id was not found | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/policies/12a345cde-0a9b-464a-804e-0cbb3201c68fX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"policy_id": "12a345cde-0a9b-464a-804e-0cbb3201c68f",
"name": "kube-system",
"scope_metadata": {
"scope_id": "123456a7-a607-4377-8ca3-d1020ad8fb85",
"scope_name": "sample-scope"
},
"creator": "demouser@demoorg.com",
"created_on": 1631168658409,
"created_on_iso": "2021-09-09T06:24:18.409Z",
"modified_by": "demouser@demoorg.com",
"modified_on": 1655988483580,
"modified_on_iso": "2022-06-23T12:48:03.58Z",
"rules": [
{
"id": "demo-rule",
"action": "alert",
"is_enabled": true
}
],
"exceptions": {
"rule2": [
{
"cluster": "my-cluster",
"namespace": "my-namespace",
"kind": "*",
"name": "sample",
"username": "*",
"labels": [
{
"key": "qq",
"value": "zz"
}
]
}
]
},
"include_init_containers": false,
"include_ephemeral_containers": true,
"status": "enabled"
}Get All Policies
Returns the list of policies configured in the system.
Policies are used to define the misconfigurations and rules we want to enforce on resources in the selected scope.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
READ |
Majority of environments |
Request
GET {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policiesResponse Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The list of configured policies | application/json | See example response below |
| 403 | Forbidden application/json | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/policiesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"items": [
{
"policy_id": "a12bc3d4-d1bb-4859-ad3d-da21efb2ca2f",
"name": "Demo Policy",
"scope_metadata": {
"scope_id": "12a34b5c-519f-4580-8d95-78738075dc63",
"scope_name": "demo-scope"
},
"exceptions_count": 1,
"creator": "demouser@demoorg.com",
"created_on": 1655190366737,
"created_on_iso": "2022-06-14T07:06:06.737Z",
"modified_by": "demouser@demoorg.com",
"modified_on": 1666703636607,
"modified_on_iso": "2022-10-25T13:13:56.607Z",
"status": "enabled"
}Create or Update Policy
Enables the user to create a new policy or make updates to an existing policy.
Policies are used to in order to define the misconfigurations and rules we want to enforce on resources in the selected scope.
Note: The Create Policy and Update Policy endpoints are the same endpoint. The request differs by inclusion of policy_id for an update operation.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
CREATE, UPDATE |
Majority of environments |
Request
PUT {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policiesRequest Body - application/json
{
"name": "<string>",
"scope_id": "<uuid>",
"status": "<string>",
"rules": [
{
"id": "<string>",
"action": "<string>",
"is_enabled": <boolean>,
"preset_id": "<string>",
"preset_name": "<string>"
}
],
"exceptions": {
"ruleId1": [
{
"name": "<string>",
"username": "<string>",
"labels": [
{
"key": "<string>",
"value": "<string>"
}
],
"cluster": "<string>",
"namespace": "<string>",
"kind": "<string>"
}
]
},
"include_init_containers": <boolean>,
"include_ephemeral_containers": <boolean>,
"policy_id": "<uuid>"
}
Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| id | Unique identifier of the policy | string | N/A Generated at creation |
| name REQUIRED | Unique policy name | string | NA |
| scope_id REQUIRED | The scope id that the policy should apply on. If missing a new policy will be created. | string | N/A |
| status REQUIRED | The state the policy is in | string | enabled, disabled, draft |
| rules | List of rules that are included in the policy | [Rule] | |
| exceptions | Workloads to be exculded from coverage by the policy | [Exception] | N/A |
| include_init_containers | True if the policy is enforcing the rules on init containers | boolean | N/A |
| include_ephemeral_containers | True if the policy enforcing the rules on ephemeral containers | boolean | N/A |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The policy was created or updated successfully | application/json | See example response below |
| 400 | Scope Id is a mandatory field and was not provided. | application/json | |
| 400 | Scope Id does not exist. | application/json | |
| 400 | Status is a mandatory field and was not provided. | application/json | |
| 400 | Bad request, the message identifies the problem. | application/json | Example error messages:
|
| 403 | Forbidden application/json | application/json | |
| 409 | Duplicate error
The name property must be unique
The scope_id property must be unique |
application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Request Body
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
PUT https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/policiesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"name": "Demo-Policy",
"include_init_containers": false,
"include_ephemeral_containers": true,
"scope_id": "ee58a110-62f4-482b-9fb4-09f6ef8b1994",
"rules": [
{
"id": "deny-ephemeral-containers",
"action": "alert",
"is_enabled": true
}
],
"exceptions": {
"rule2": [
{
"cluster": "my-cluster",
"namespace": "my-namespace",
"kind": "*",
"name": "sample",
"username": "*",
"labels": [
{
"key": "label_key",
"value": "label_value"
}
]
}
]
},
"status": "enabled"
}{
"policy_id": "0e58ef37-15e5-482b-a4a1-68a84e179845"
}Delete Policy
Deletes the policy object specified by the policy id.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
DELETE |
Majority of environments |
Request
DELETE {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policies/{policy_id}Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Policy was deleted | No body | |
| 400 | Policy id was not found | application/json | |
| 403 | Forbidden application/json | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
DELETE https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/policies/{policy_id}X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"No response bodyScopes
Scopes are a way to group Kubernetes resources for targeted security protection and analysis. For example, you can group resources by cluster and namespace and then create policies for that scope.
Use the endpoints in this section to manage scopes.
Get Scope
Returns the scope object for a specified scope id.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
READ |
Majority of environments |
Request
GET {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/scopes/{scope_id}Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The scope object | application/json | See example response below |
| 403 | Forbidden application/json | application/json | |
| 404 | Scope id was not found | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/scopes/840a2f32-ea30-4ff8-8748-c01aa51ad40dX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"scope_id": "12a3bc4d-ee56-7f8g-a11b-2345cd67e89e",
"name": "Updated Demo Scope 01",
"creator": "",
"created_on": 1683174576876,
"created_on_iso": "2023-05-04T04:29:36.876Z",
"modified_by": "",
"modified_on": 1683174635458,
"modified_on_iso": "2023-05-04T04:29:36.876Z",
"lifecycle_phase": "build",
"is_protected": false,
"clusters_groups": [],
"clusters": [
"demo:cluster"
],
"namespaces": [
"*"
],
"grouping_type": "destination",
"workloads_count": 0
}Get All Scopes
Returns the list of scopes configured in the system. Scopes are used to define a set of resources we want to track.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
READ |
Majority of environments |
Request
GET {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/scopesResponse Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The scopes were successfully retrieved | application/json | See example response below |
| 403 | Forbidden application/json | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/scopesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"items": [
{
"scope_id": "12a3bc4d-ee56-7f8g-a11b-2345cd67e89e",
"name": "Updated Demo Scope 01",
"creator": "",
"created_on": 1683174576876,
"created_on_iso": "2023-05-04T04:29:36.876Z",
"modified_by": "",
"modified_on": 1683174635458,
"modified_on_iso": "2023-05-04T04:29:36.876Z",
"lifecycle_phase": "build",
"is_protected": false,
"clusters_groups": [],
"clusters": [
"demo:cluster"
],
"namespaces": [
"*"
],
"grouping_type": "destination",
"workloads_count": 0
}
]
}Get Scope With Policy
Returns the scope for a specified scope id, with the policy that is applied on it.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
READ |
Majority of environments |
Request
GET {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policies_scopes/{scope_id}Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The scope with its policy. If policy_metadata is null then no policy is attached to the scope. |
application/json | See example response below |
| 403 | Forbidden application/json | application/json | |
| 404 | Scope id was not found in path | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/policies_scopes/12a3bc4d-ee56-7f8g-a11b-2345cd67e89eX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"scope_id": "92aa9f26-dc59-4864-8c58-9be1230de9d5",
"name": "demo scope",
"policy_metadata": {
"policy_id": "5839f6b3-1760-4288-bf75-dbad8f81fbc2",
"policy_name": "demo policy name"
},
"workload_count": 0,
"lifecycle_phase": "deployed"
}Get All Scopes With Policies
Get the list of scopes configured in the system and the policy that is applied on each.
Can be used to determine what scope can be used when creating a new policy.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
READ |
Majority of environments |
Request
GET {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/policies_scopesResponse Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The list of scopes with their policies.
if policy_metadata is null then the scope does not have a policy attached. |
application/json | See example response below |
| 403 | Forbidden application/json | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/policies_scopesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"items": [
{
"scope_id": "any-scope-id",
"name": "Any",
"policy_metadata": {
"policy_id": "123a4b56-520f-411a-a146-3be26dfbbdbd",
"policy_name": "default"
},
"workload_count": 117,
"lifecycle_phase": "deployed"
},
{
"scope_id": "123456a7-a607-4377-8ca3-d1020ad8fb85",
"name": "demo-scope",
"policy_metadata": {
"policy_id": "a123bc56-ce51-4569-94a1-defa909e1615",
"policy_name": "demo-policy"
},
"workload_count": 33,
"lifecycle_phase": "any"
}
]
}Create Scope
Create a new scope or make changes to an existing scope.
Scopes are used to in order to define a list of resources we want to track.
Note: The Create Scope and Update Scope endpoints are the same endpoint. The request differs by inclusion of scope_id for an update operation.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
CREATE, UPDATE |
Majority of environments |
Request
POST {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/scopesRequest Body - application/json - Update Scope
Do not include scope_id for a create operation.
{
"name": "<string>",
"creator": "<email>",
"created_on": <integer>,
"modified_by": "<string>",
"modified_on": <integer>,
"is_protected": <boolean>,
"lifecycle_phase": "<string>",
"clusters_groups": [
"<string>"
],
"clusters": [
"<string>"
],
"namespaces": [
"<string>"
]
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| name REQUIRED | Unique user assigned identifier of the scope | String | N/A |
| clusters REQUIRED | The clusters of the resources you want to track.
One of the properties [ clusters_groups] or [clusters] has to have at least 1 value. |
Array | * means all clusters |
| clusters_groups REQUIRED | The cluster groups of the resources you want to track
One of the properties [ clusters_groups] or [clusters] has to have at least 1 value. |
Array | * means all cluster groups |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Scope was updated or created successfully | application/json | See example response below |
| 400 | Bad request, the message identifies the problem. | application/json | Example error messages:
|
| 403 | Forbidden application/json | application/json | |
| 409 | Duplicate error
The name property must be unique and the combination of the fileds [clusters_groups, clusters, namespaces] must be unique |
application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Request Body
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
POST https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/scopesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"name": "Updated Demo Scope 01",
"lifecycle_phase": "build",
"clusters": [
"demo:cluster"
],
"clusters_groups": [],
"namespaces": [
"*"
]
}{
"id": "12a3bc4d-ee56-7f8g-a11b-2345cd67e89e",
"scope_id": "12a3bc4d-ee56-7f8g-a11b-2345cd67e89e"
}Update Scope
Make changes to an existing scope.
Scopes are used to in order to define a list of resources we want to track.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
UPDATE |
Majority of environments |
Request
POST {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/scopesRequest Body - application/json - Update Scope
{
"scope_id": "<uuid>",
"name": "<string>",
"creator": "<email>",
"created_on": <integer>,
"modified_by": "<string>",
"modified_on": <integer>,
"is_protected": <boolean>,
"lifecycle_phase": "<string>",
"clusters_groups": [
"<string>"
],
"clusters": [
"<string>"
],
"namespaces": [
"<string>"
]
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| name REQUIRED | Unique identifier of the scope. If not included, the request is a create operation instead of update. | String | N/A |
| namespaces REQUIRED | The clusters of the resources you want to track.
One of the properties [ clusters_groups] or [clusters] has to have at least 1 value. |
Array | * means all namespaces |
| clusters REQUIRED | The clusters of the resources you want to track.
One of the properties [ clusters_groups] or [clusters] has to have at least 1 value. |
Array | * means all clusters |
| clusters_groups REQUIRED | The cluster groups of the resources you want to track
One of the properties [ clusters_groups] or [clusters] has to have at least 1 value. |
Array | * means all clusters groups |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Scope was updated or created successfully | application/json | See example response below |
| 400 | Bad Request such as the scope that was provided wasn’t valid. Message provides detail on the error. | application/json | |
| 403 | Forbidden application/json | application/json | |
| 409 | Duplicate error
The name property must be unique and the combination of the fileds [clusters_groups, clusters, namespaces] must be unique |
application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Request Body
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
POST https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/scopesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"scope_id": "12a3bc4d-ee56-7f8g-a11b-2345cd67e89e",
"name": "Updated Demo Scope 01",
"lifecycle_phase": "build",
"clusters": [
"demo:cluster"
],
"clusters_groups": [],
"namespaces": [
"*"
]
}{
"id": "12a3bc4d-ee56-7f8g-a11b-2345cd67e89e",
"scope_id": "12a3bc4d-ee56-7f8g-a11b-2345cd67e89e"
}Delete Scope
Deletes the scope object specified by the scope id.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
DELETE |
Majority of environments |
Request
DELETE {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/scopes/{scope_id}Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Scope was deleted | application/json | See example response below |
| 400 | Scope can’t be deleted | application/json | Example error messages: |
| 403 | Forbidden application/json | application/json | |
| 404 | Scope id was not found | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
DELETE https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/scopes/12a3bc4d-ee56-7f8g-a11b-2345cd67e89eX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"No Response BodyRules
Get All Rules
Returns the list of misconfiguration types that can be added to a policy.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
READ |
Majority of environments |
Request
GET {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/rulesResponse Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The list of rules available to use in policies. | application/json | See example response below |
| 403 | Forbidden application/json | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/rulesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"rules": {
"app-armor": {
"rule_id": "app-armor",
"name": "AppArmor",
"description": "AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program.",
"risk": "medium",
"category": "Workload Security",
"supported_actions": [
"enforce",
"alert",
"block"
],
"preset_support": {
"is_required": true,
"security_settings": [
{
"path": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/*]",
"supported_actions": [
"REMOVE",
"ENFORCE"
]
}
],
"default_settings": null
},
"presets": [
{
"id": "b8c2b952-960d-4ca7-b0a6-d81f1e0bc574",
"name": "remove",
"rule_id": "app-armor",
"policies": [],
"security_settings": [
{
"path": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/*]",
"action": "REMOVE",
"value": ""
}
]
},
{
"id": "e85f797b-c384-46c9-a7d4-07a87fcc40bd",
"name": "localhost",
"rule_id": "app-armor",
"policies": [],
"security_settings": [
{
"path": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/*]",
"action": "ENFORCE",
"value": "localhost/test"
}
]
},
{
"id": "ea4de48f-dc31-4dba-bf9d-9eb77adc4b97",
"name": "runtime-default",
"rule_id": "app-armor",
"policies": [],
"security_settings": [
{
"path": "metadata.annotations[container.apparmor.security.beta.kubernetes.io/*]",
"action": "ENFORCE",
"value": "runtime/default"
}
]
}
],
"policies": [],
"templates": [],
"custom_rule_metadata": null
},
"cluster-role-binding": {
"rule_id": "cluster-role-binding",
"name": "Cluster role binding",
"description": "Binds a user or service account to a role in a cluster and all its namespaces.",
"risk": "medium",
"category": "RBAC",
"supported_actions": [
"alert",
"block"
],
"preset_support": null,
"presets": null,
"policies": [
{
"policy_id": "6cfad063-9491-455f-a12e-6f09876afc00",
"policy_name": "demo-policy"
}
],
"templates": [
{
"template_id": "cis-benchmark-1-6-0",
"template_name": "CiS benchmark 1.6.0"
}
],
"custom_rule_metadata": null
},
"company-banned-list": {
"rule_id": "company-banned-list",
"name": "Company banned list",
"description": "Prevents deployment of images with company banned files.",
"risk": "high",
"category": "Container Images",
"supported_actions": [
"alert",
"block"
],
"preset_support": null,
"presets": null,
"policies": [
{
"policy_id": "24269c35-05bd-461c-9131-05ab6b07ec47",
"policy_name": "big-demo-policy"
},
{
"policy_id": "59cf71a6-c4a2-414e-9c3d-2906c282916d",
"policy_name": "little-demo-policy"
}
],
"templates": [],
"custom_rule_metadata": null
}
}
}Delete Custom Rule
Deletes the custom rule specified by the rule id.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
DELETE |
Majority of environments |
Request
DELETE {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/rules/{custom_rule_id}Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Custom rule was deleted | application/json | See example response below |
| 403 | Forbidden application/json | application/json | |
| 404 | Custom Rule was not found | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
DELETE https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/rules/09c851ee-46f8-4d18-847f-c0df4446472cX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"No Response BodyTemplates
Get All Templates
Returns the list of templates that can be used when creating policies.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
READ |
Majority of environments |
Request
GET {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/templatesResponse Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The list of templates | application/json | See example response below |
| 403 | Forbidden application/json | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
GET https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/templatesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"{
"items": [
{
"template_id": "cis-benchmark-1-6-0",
"name": "CiS benchmark 1.6.0",
"rules": [
{
"id": "privileged",
"action": "alert"
},
{
"id": "privilege-escalation",
"action": "alert"
}
],
"custom_template_metadata": {
"creator": "demouser@demoorg.com",
"created_on": 1644579658878,
"created_on_iso": "2022-02-11T11:40:58.878Z"
}
}
]
}Create or Update a Template
Creates or updates a new template.
Note: The Create Template and Update Template endpoints are the same endpoint. The request differs by inclusion of template_id for an update operation.
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
CREATE, UPDATE |
Majority of environments |
Request
POST {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/templatesIf template_id is null or missing a new template will be created. Otherwise the specified template will be updated.
Request Body - application/json
{
"template_id": "<string>",
"name": "<string>",
"rules": {
"id": "<string>",
"action": "<string>"
}
}
Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| template_id | The unique identifier of the template to be updated | String | e.g. “75f2315e-d6d9-4254-9f19-03001ff6fb02” |
| name | Descriptive name of the template | String | e.g. “Demo Template” |
| rules | List of rules to include in the template | Object | |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | The template was created or updated | application/json | |
| 400 | The provided template was invalid | application/json | |
| 403 | Forbidden application/json | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Request Body
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
POST https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/templatesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"name": "Demo Template One",
"rules": [
{
"id": "demo_rule_one",
"action": "alert"
}
]
}{
"template_id": "75f2315e-d6d9-4254-9f19-03001ff6fb02"
}Add Rules to Templates
Add the list of provided rules to the list of templates
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
CREATE |
Majority of environments |
Request
POST {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/templates/add_rulesRequest Body - application/json
{
"template_ids": [
"<string>"
],
"rules": [
{
"id": "<string>",
"action": "<string>"
}
]
}
Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
| template_ids | List of the id’s of templates to be updated | [ string ] | e.g. [ “75f2315e-d6d9-4254-9f19-03001ff6fb02” ] |
| rules | List of rules to include in the template | Object | |
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | The rules were added to the templates | N/A | No response body |
| 400 | The provided body was invalid | application/json | |
| 403 | Forbidden application/json | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Request Body
Response Body - 204
To download or review the Carbon Black Cloud Postman collection, click here.
POST https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/templates/add_rulesX-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"
Content-Type: "application/json"{
"template_ids": [
"ac6a5ef2-6b7f-4d4e-bc5d-4934f8d28a59"
],
"rules": [
{
"id": "be54f44a-6a18-4365-ada9-aa30c0460ffa",
"action": "alert"
}
]
}No response bodyDelete Custom Template
Deletes the specified custom template
API Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | kubernetes.security |
DELETE |
Majority of environments |
Request
DELETE {cbc-hostname}/containers/v1/orgs/{org_key}/guardrails/management/templates/{template_id}
Response Codes
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Custom Template was deleted | N/A | No response body |
| 400 | Template id was not found | application/json | |
| 403 | Forbidden application/json | application/json | |
| 400 | Template id was not found | application/json | |
| 500 | Internal Server Error | application/json | |
Examples
Request
Request Headers
Response Body
To download or review the Carbon Black Cloud Postman collection, click here.
DELETE https://defense.conferdeploy.net/containers/v1/orgs/ABCD1234/guardrails/management/templates/ac6a5ef2-6b7f-4d4e-bc5d-4934f8d28a59X-AUTH-TOKEN: "ABCDEFGHIJKLMNO123456789/ABCD123456"No response bodyFields
Exception
Use an Exception to exclude workloads from the coverage of a Kubernetes policy due to known and accepted behavior.
- For most rules, the exceptions are based on a workload name.
- For Role-Based Access Control (RBAC) rules, the exceptions are based on resource name and username.
- For rules that allow the Enforce action, the exceptions are based on workload name or workload label.
| Field | Definition | Data Type | Values |
|---|---|---|---|
name |
Name of the exception | string | N/A |
username |
Match the name of the user modifiying the workload | N/A | |
labels |
Match the labels on the workload | Array | N/A |
cluster |
The cluster scope of the exception will be applied to | string | * means all clusters |
namespace |
The namespace scope of the exception will be applied to | string | * means all namespaces |
kind |
The resource kind scope that the exception will be applied to | string | * means all resource kinds |
Rule
| Field | Definition | Data Type | Values |
|---|---|---|---|
rule_id |
The rule id | string | N/A |
name |
The rule name | string | N/A |
description |
The rule description | string | N/A |
risk |
The perceived risk when violating this rule. Will be null for custom rules. | string | low, medium, high |
Last modified on July 28, 2023