Container Resources

Container Resources are available in InsightCloudSec as the second section (tab) under the Resource landing page. They include resources related to storage and container functionality including clusters, containers, and container instances.

These resources are displayed alphabetically using the InsightCloudSec normalized terminology, such as clusters and services. Hovering over an individual resource shows the CSP-specific terminology with the associated logo, so users can confirm what they are viewing. For example, hovering over Container Instances displays Amazon's Container Instance and Azure's Container Instance.

For a comprehensive reference of this normalized terminology check out our Resource Terminology.

Resources - Container Landing Page

A Note About Resource Attributes

A large number of Resource Attributes are offered for the resources outlined here. Because we are continuously expanding our supported resources, the attributes and details included here cannot be guaranteed to include every resource or every attribute.

If you need information about the attributes of a particular resource we are happy to help get those details for you - reach out to us through the Customer Support Portal with any questions!

App Run Service

App Run Services are managed services that simplify deploying containerized web applications and APIs quickly at scale with little to no experience, e.g., AWS App Runner, GCP Cloud Run.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region where the resource resides |
| service_id | The unique ID for the App Run Service |
| name | The name for the App Run Service |
| arn | The ARN associated with the App Run Service |
| status | The current state of the App Run Service |
| url | The URL generated by the App Run Service that can be used to access it |
| repository | The repository source for the App Run Service |
| repository_type | The type of repository source used for the App Run Service |
| environment_variables | The environment variables available to the App Run Service |
| cores | The number of CPU cores available to the App Run Service |
| memory | The amount of memory (in gigabytes) available to the App Run Service |
| auto_deployment | Whether auto deployment is enabled |
| role_resource_id | The identifier for the role associated with the App Run Service |
| key_resource_id | The resource ID of the encryption key associated with the App Run Service |
| create_time | The timestamp when the App Runner service was created |
| last_update_time | The timestamp when the App Runner service was last updated |
| delete_time | The timestamp when the App Runner service was deleted |
| public | Denotes whether the App Runner service is publicly available |
| ingress | Configuration for the ingress associated with the App Runner Service |
| contains_secret | Indicates if the App Runner Service contains a Secret within environment variables |

Artifact Registry

Artifact Registries store artifacts and build dependencies in one central location.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | Name of the artifact registry |
| description | Optional description for the artifact registry |
| create_time | The time the artifact registry was created |
| update_time | The time the artifact registry was last updated |
| publicly_accessible | Denotes whether the artifact registry is publicly accessible |
| image_count | The count of images in the artifact registry |
| key_resource_id | Resource ID for the encryption key associated with the artifact registry |
| registry_type | The artifact type of the registry |

Clusters

Clusters are a logical grouping of Containers. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the cluster |
| region_name | The region where the cluster resides |
| network_resource_id | The network provider ID of the cluster |
| endpoint | The endpoint address for the cluster |
| status | The status of the cluster (running, active, etc.) |
| version | The version of the cluster |
| image_type | The image type the cluster is based on |
| cluster_cert | The text of the cluster certificate |
| client_cert | The text of the client certificate |
| client_key | The text of the client key |
| service_account | Denotes if the (default) service account is used |
| instance_groups | The number of instance groups in the cluster |
| role_arn | The role ARN for the cluster |
| arn | The Amazon Resource Name for the cluster |
| res_type | The type of cluster (GKE, EKS, ECS, etc.) |
| created_at | The date and time the cluster was created |
| registered_container_instances | The number of registered container instances for the cluster |
| running_deployment | The deployment running in the cluster |
| pending_deployment | The deployment pending in the cluster |
| active_services | The number of active services in the cluster |
| master_auth_network_enabled | Denotes if the master auth network is enabled on the cluster (true/false) |
| endpoint_public_access | Denotes if the cluster allows access from the public endpoint (true/false) |
| endpoint_private_access | Denotes if the cluster allows access from the private endpoint (true/false) |
| node_repair_enabled | Denotes if the cluster has node repair enabled (true/false) |
| node_upgrade_enabled | Denotes if the cluster has node upgrade enabled (true/false) |
| network_policy_enabled | Denotes if the cluster has a network policy enabled (true/false) |
| alias_ip_ranges_enabled | Denotes if the cluster uses alias IP ranges (true/false) |
| created_client_cert_enabled | Denotes if the cluster allows client certificates to be created |
| pod_security_enabled | Denotes if the cluster has pod security enabled (true/false) |
| dashboard_disabled | Denotes if the cluster has the dashboard disabled (true/false) |
| legacy_auth_disabled | Denotes if the cluster has legacy auth disabled (true/false) |
| basic_auth_disabled | Denotes if the cluster has basic auth disabled (true/false) |
| monitoring | Denotes if the cluster has monitoring enabled (true/false) |
| logging | Denotes if the cluster is logging (true/false) |
| logging_types | The enabled logging types for the cluster |
| private_cluster | Denotes if the cluster is private (true/false) |
| security_groups | The Security Groups associated with the cluster |
| public_access_cidrs | The IP networks that can connect to the cluster |
| platform_version | The version of the platform associated with the cluster |
| identity_provider | The identity provider for the cluster |
| fargate | Denotes whether the cluster is Fargate enabled |
| key_resource_id | The resource ID of the key used to encrypt the cluster |
| autopilot | Denotes whether the cluster has autopilot enabled |
| profile | The profile associated with the cluster |
| addons | The addons associated with the cluster |
| capabilities | The capabilities associated with the cluster |
| shielded_nodes | Denotes whether the cluster has shielded nodes enabled |
| secure_boot | Denotes whether the cluster has secure boot enabled |
| integrity_monitoring | Denotes whether the cluster has integrity monitoring enabled |

Container Image

Container Images are Docker images stored in registries. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region where the image resides |
| name | The name of the container image |
| digest | The digest of the container image |
| hash_algorithm | The type of hash algorithm the image uses (example: sha256) |
| image_tags | The tags on the image |
| raw_image_tags | The raw tags on the image |
| size | The size of the image in bytes |
| registry_id | The account ID associated with the registry |
| registry_name | The name of the registry |
| push_time | The timestamp this image was pushed to the registry |
| last_scanned | The timestamp when this image was last scanned |
| finding_count | The scan finding counts of the image |
| critical | The critical vulnerability findings for the image |
| high | The high vulnerability findings for the image |
| medium | The medium vulnerability findings for the image |
| low | The low vulnerability findings for the image |
| container_count | The number of containers running the image |

Container Instances

Container Instances are the instances the containers run on. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the container instance |
| region_name | The region where the container instance resides |
| instance_resource_id | The resource ID of the instance |
| network_resource_id | The resource ID of the network the container instance is associated with |
| provider_id | The provider ID of this instance |
| pod_cidr | The pod CIDR of the node assigned by the cloud provider |
| internal_ip_address | The internal IP address of the container instance |
| external_ip_address | The external IP address of the container instance |
| hostname_address | The DNS hostname of the container instance |
| architecture | The architecture reported by the node |
| boot_id | The Boot ID reported by the node |
| container_runtime_version | The container runtime version reported by the node through the runtime remote API (e.g. docker://1.5.0) |
| operating_system | The operating system reported by the node |
| os_image | The OS image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 [wheezy]) |
| kubelet_version | The Kubelet version reported by the node |
| cluster_name | The name of the cluster the instance is a part of |
| generate_name | An optional prefix, used by the instance to generate a unique name only if the Name field has not been provided |
| resource_version | The opaque value that represents the internal version of this object and can be used by Kubernetes |
| create_time | The timestamp this instance was created |
| api_server | The API server for the cluster/instance, which serves REST operations |
| controller_manager | The controller managing control loops for the instance |
| scheduler | The manager that decides when and where to run pods on the instance |
| pod_count | The count of Pods for the instance |
| cpu_allocation | Denotes how much CPU is allocated for the instance |
| memory_allocation | Denotes how much memory is allocated for the instance |
| pod_allocation | Denotes how many Pods are allocated for this instance |
| is_master | Boolean value denoting if this instance is the master |
| ready | Boolean value denoting if the instance is ready |
| unschedulable | Controls whether new pods can be scheduled on the node; by default, the node is schedulable |
| allocatable | The allocatable space for pods within capacity |
| capacity | The capacity of the instance (kube reserved, system reserved, eviction threshold and allocatable space for pods) |
| conditions | The JSON value of the conditions for the instance |
| node_info | The JSON value with the set of ids/uuids that uniquely identify the node |
| annotations | The JSON value of annotations (metadata) about the node (class, scheme, etc.) |
| owner_references | The JSON value of owner references for the instance (api version, controller setting, kind, name, etc.) |

Container Node Group

Container Node Groups are auto scaling groups containing compute instances that are managed by the parent cluster.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region that the node group resides in |
| name | The name of the container node group |
| arn | The ARN of the container node group |
| create_time | The time the container node group was created |
| cluster_resource_id | The resource ID of the parent cluster |
| status | The status of the container node group |
| version | The Kubernetes version of the node group |
| release_version | The release version of the node group |
| spot | Indicates if the node group leverages spot pricing |
| instance_types | The instance types used by the node group |
| image_type | The image type used by the node group |
| role_resource_id | The resource ID of the associated role |
| role_name | The name of the associated role |
| launch_template_name | The name of the launch template used by the node group |
| launch_template_resource_id | The resource ID for the launch template |
| desired_count | The desired node count of the group |
| min_count | The minimum node count of the group |
| max_count | The maximum node count of the group |
| relationships | The relationships associated with the node group |

Container Registry

Container Registries make it easier for developers to develop and manage Docker containers. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region that the registry resides in |
| create_time | The time the registry was created |
| name | The name of the registry |
| registry_id | The account ID associated with the registry |
| status | The status of the registry |
| namespace_id | The Amazon Resource Name of the registry (AWS only) |
| policy | The JSON policy associated with the registry |
| trusted_accounts | The trusted accounts for the registry |
| publicly_accessible | Denotes if the registry is publicly accessible |
| image_count | The number of images in the registry |
| registry_type | The type of registry |
| scan_on_push | Denotes if scan on push is enabled or disabled (if not enabled, InsightCloudSec will not be able to see results for image vulnerability scanning) |
| lifecycle_policy | The lifecycle policy for the registry |
| encryption_type | The type of encryption used for the registry |
| key_resource_id | Resource identifier of the encryption key associated with the registry |
| tag_mutability | Denotes whether the container registry's resource tags are mutable |
| scan_type | The type of scan used for the registry |

Container Service

A container service is a scalable and fast container management service that makes it simple to manage all the containers within a cluster.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| region_name | The region where the resource resides |
| name | The name for the Container Service |
| arn | The Amazon Resource Name associated with the Container Service |
| create_time | Timestamp for when the Container Service was created |
| cluster_resource_id | The identifier for the cluster associated with the Container Service |
| task_resource_id | The identifier for the task associated with the Container Service |
| container_registries | List of container registries associated with the Container Service |
| desired_count | The desired number of tasks to run |
| running_count | The number of tasks currently running |
| pending_count | The number of tasks pending |
| platform_version | The version of the platform in use |
| role_resource_id | The identifier for the role associated with the Container Service |
| role_name | The name of the role that allows the Container Service to make calls to a load balancer |
| assign_public_ip | Denotes whether a public IP has been assigned to the Container Service |
| scheduling_strategy | The type of scheduling strategy used for the service |
| created_by | The Amazon Resource Name associated with the role that created the Container Service |
| enable_ecs_tags | Denotes whether the Container Service has enabled tags |
| propagate_tags | Denotes whether to propagate tags from the task definition or Container Service to the tasks within the Container Service |
| enable_execute_command | Denotes whether the Container Service has the execute command enabled |

Containers

Containers are small, lightweight execution environments that share the operating system kernel. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the container |
| pod_name | The name of the pod |
| namespace | The location namespace for the container |
| region_name | The region where the container resides |
| image | The image name the container is running from |
| image_pull_policy | Denotes if the image pull policy is enabled |
| restart_policy | Denotes if a restart policy is set on the container |
| working_dir | The root directory of the container |
| termination_message_policy | The file indicating how the termination message should be populated |
| termination_message_path | The path at which the file to which the container's termination message will be written is mounted into the container's filesystem |
| restart_count | The restart count of the container |
| running_time | The time the container has been running |
| privileged | Denotes if the container is privileged |
| stdin | Denotes if the container allocated a buffer for stdin at runtime |
| stdin_once | Denotes if the container runtime should close the stdin channel after it has been opened by a single attach |
| tty | Denotes if the container has allocated a TTY for itself |
| args | The arguments to the entrypoint |
| command | The entrypoint array (not executed within a shell) |
| env | The list of environment variables to set in the container |
| security_context | The security options the container should be run with |
| volume_mounts | The JSON of volume mounts on the container |
| state | The state of the container (running, created, restarting, etc.) |
| repository | The repository the container is pulling the image from |
| version | The version of the image the container is pulling |
| raw_image_tag | The raw tag of the image the container is currently using |
| status | The status of the container |
| pod_resource_id | The resource ID of the pod |
| task_definition_resource_id | The resource ID of the parent task definition |
| log_driver | The logging driver |
| log_group_name | The name of the logging group to feed logs into |
| log_group_resource_id | The resource ID for the target log group |
| runtime_id | The ID for the container runtime |
| container_id | The ID for the container |
| arn | The ARN associated with the container |
| digest | Unique immutable ID for the container image |
| contains_secret | Indicates if the container contains a Secret within the environment variables or run arguments |

Deployment/Tasks

Deployment/Tasks provides declarative updates for Pods and ReplicaSets. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the deployment |
| namespace | The namespace, which defines the space within which each name must be unique |
| region_name | The region where the deployment resides |
| arn | The Amazon Resource Name of the deployment |
| desired_status | The desired status of the deployment |
| launch_type | The deployment launch type (AWS only) |
| connectivity | The connectivity of the deployment |
| platform_version | The deployment platform version |
| last_status | The last status of the deployment (progressing, complete) |
| cluster_name | The name of the cluster for the deployment |
| strategy_type | The strategy type for the deployment (rolling update, recreate) |
| paused | Denotes if the deployment is paused (true/false) |
| create_time | The create time of the deployment |
| available_replicas | The total number of available pods (ready for at least minReadySeconds) targeted by this deployment |
| unavailable_replicas | The total number of unavailable pods targeted by this deployment |
| replicas | The total number of non-terminated pods targeted by this deployment |
| ready_replicas | The total number of ready pods targeted by this deployment |
| updated_replicas | The total number of non-terminated pods targeted by the deployment |
| observed_generation | The generation observed by the deployment controller |
| collision_count | The number of hash collisions for the deployment |
| annotations | The JSON value of annotations (metadata) for the deployment |
| conditions | The JSON value of the latest available observations of the deployment's current state |
| owner_references | The JSON value of owner references for the deployment (api version, controller setting, kind, name, etc.) |
| rolling_update | The JSON value of rolling update config parameters |

Ingress

Ingress is an API object that manages external access to the services in a cluster. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the Ingress |
| ingress_uid | The value that is unique in time and space for the Ingress |
| namespace | The object name and auth scope of the Ingress |
| cluster_name | The name of the cluster which the Ingress belongs to |
| generation | The sequence number representing a specific generation of the desired state |
| resource_version | The resource version of the Ingress |
| create_time | The creation time of the Ingress |
| annotations | The JSON value of annotations (metadata) for the Ingress |
| rules | The JSON value of Ingress rules |

Namespaces

A Namespace is a virtual cluster backed by a physical cluster; typically, there are several distinct namespaces on a single physical cluster. An example of a Namespace is a Kubernetes Namespace.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the namespace |
| status | The status of the namespace |
| create_time | The timestamp for when the namespace was created |
| annotations | Custom metadata for the namespace |

Pod Security Policies

Pod Security Policies are a cluster-level resource that controls security-sensitive aspects of the pod specification. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the Pod Security Policy |
| privileged | Denotes if a pod can request to be run as privileged |
| allow_privilege_escalation | Denotes if a pod can request to allow privilege escalation |
| host_ipc | Denotes if the policy allows the use of HostIPC in the pod spec |
| host_network | Denotes if the policy allows the use of HostNetwork in the pod spec |
| host_pid | Denotes if the policy allows the use of HostPID in the pod spec |
| read_only_root_filesystem | Denotes if containers run with a read-only root file system |
| run_as_user | The JSON value of the strategy that will dictate the allowable RunAsUser values that may be set |
| se_linux | The JSON value of the strategy that will dictate the allowable labels that may be set |
| fs_group | The JSON value of the strategy that will dictate what fs group is used by the SecurityContext |
| supplemental_groups | The JSON value of the strategy that will dictate what supplemental groups are used by the SecurityContext |
| create_time | The creation time of the Pod Security Policy |
| annotations | The JSON value of annotations (metadata) for the Pod Security Policy |
| allowed_capabilities | The JSON list of capabilities that can be requested to add to the container |
| required_drop_capabilities | The JSON list of the capabilities that will be dropped from the container |

Pods

Pods refer to a running process on your cluster. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the pod |
| namespace | The pod name and auth scope |
| namespace_id | The fully qualified ID of the resource, including the resource name and resource type |
| region_name | The region the Pod resides in |
| version | The version the Pod uses |
| hostname | The hostname of the Pod (docker image name) |
| container_instance_resource_id | The cluster master node |
| host_ip | The IP address of the host to which the pod is assigned |
| pod_ip | The IP address allocated to the pod; routable at least within the cluster |
| status | The current status of the pod |
| execution_role_arn | The role ARN for Pod execution |
| network_mode | The network modes for the Pod |
| restart_policy | The restart policy for all containers within the pod (always, onfailure, never) |
| service_account_name | The name of the ServiceAccount to use to run the pod |
| priority_class_name | If specified, indicates the pod's priority (system-node-critical, system-cluster-critical) |
| generate_name | An optional prefix, used by the server to generate a unique name only if the Name field has not been provided |
| resource_version | The internal version of this Pod |
| dns_policy | The DNS policy for the pod (clusterfirst, clusterfirstwithhostnet, default or none) |
| create_time | The create time for the pod |
| generation | The number representing a specific generation of the desired state |
| priority | The priority value |
| host_ipc | Denotes if the pod uses the host's IPC namespace (true/false) |
| host_network | Denotes if host networking is requested for this pod |
| host_pid | Denotes if the pod uses the host's PID namespace (true/false) |
| owner_references | The JSON value of owner references for the Pod (api version, controller setting, kind, name, etc.) |
| security_context | The JSON value of the security context attached to the pod |
| launch_type | The JSON value of the launch type of the pod |
| node_selector | The JSON list of node selector requirements by node's fields |
| container_count | The number of containers within the pod |
| container_statuses | The status of containers within the pod |

Service Fabric Cluster

A Service Fabric Cluster is a cluster that orchestrates highly available and durable microservices at scale.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the cluster |
| region_name | The name of the region in which the cluster resides |
| cluster_id | The ID of the cluster |
| cluster_state | The state of the cluster |
| cluster_code_version | The current code version of the cluster |
| upgrade_mode | The set mode for upgrading the version of the cluster |
| vm_image | The operating system image running on the cluster |
| node_count | The current number of nodes attached to the cluster |
| node_type_name | The name of the primary node attached to the cluster |
| node_instance_count | The number of nodes attached to the primary node |
| client_port | The TCP cluster management endpoint port of the primary node |
| http_port | The HTTP cluster management endpoint port of the primary node |
| reverse_proxy_port | The reverse proxy endpoint port of the primary node |
| namespace_id | The unique composite ID of the provider ID for the resource |

Services

Services are a grouping of pods that are running on the cluster. This class inherits from TopLevelResource and has direct access to the resource's database object.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the service |
| namespace | The service's name and auth scope; the namespace defines the space within which each name must be unique |
| cluster_name | The name of the cluster which the service belongs to |
| external_i_ps | The list of IP addresses for which nodes in the cluster will also accept traffic for this service |
| external_name | The external reference that kubedns or equivalent will return as a CNAME record for this service |
| load_balancer_ip | The IP with which the LoadBalancer will be created; only applies to Service Type: LoadBalancer |
| resource_version | The version for the service |
| service_type | Denotes how the Service is exposed (externalname, clusterip, nodeport, loadbalancer) |
| generation | The sequence number representing a specific generation of the desired state |
| create_time | The creation time of the service |
| annotations | The JSON value of annotations (metadata) for the Service |
| selector | The JSON value of the selector with label keys and values that route service traffic to pods |
| load_balancer_source_ranges | If specified and supported by the platform, traffic through the cloud-provider load balancer will be restricted to the specified client IPs (JSON) |
| service_ports | The JSON list of the ports of the service |

Task Definitions

Task Definitions are required to run Docker containers within container management services in the cloud. An example of a Task Definition is an AWS Elastic Container Service (ECS) Task Definition.

| Attribute | Description |
| --- | --- |
| resource_id | The primary resource identifier that takes the form of a prefix followed by numbers and letters |
| organization_service_id | The ID of the parent organization service (cloud) |
| name | The name of the Task Definition |
| region_name | The region the Task Definition resides in |
| version | The version of the Task Definition |
| arn | The Amazon Resource Name |
| status | The status of the Task Definition |
| container_count | The number of containers within the Task Definition |
| network_mode | The Docker networking mode to use for containers within the Task Definition |
| launch_type | The type of infrastructure on which the Task Definition is loaded |
| execution_role_arn | The Amazon Resource Name of the task execution role |
| cpu | The number of CPU units used by the Task Definition |
| memory | The amount of memory used by the Task Definition |
| family | The name of the family that the Task Definition is registered to |
| created_at | The date the Task Definition was created |
| volumes | Volumes associated with the Task Definition |
| container_definitions | Definitions for containers within the Task Definition |
| contains_secret | Denotes if the Task Definition contains a secret in its environment variables |