Container Resources

Container Resources are available in InsightCloudSec as the second section (tab) under the Resource landing page. They include resources related to storage and container functionality including clusters, containers, and container instances.

These resources are displayed alphabetically using the InsightCloudSec normalized terminology, such as clusters and services. Hovering over an individual resource provides the CSP-specific terminology with the associated logo to help users confirm the information they're viewing. For example, hovering over Container Instances displays Amazon's Container Instance, and Azure's Node Instance.

For a comprehensive reference of this normalized terminology check out our Resource Terminology.

Resources - Container Landing Page (screenshot)

A Note About Resource Attributes

A large number of Resource Attributes are offered for the resources outlined here. Because supported resources are continuously being expanded, the attributes and details listed here cannot be guaranteed to cover every resource or every attribute.

If you need information about the attributes of a particular resource we are happy to help get those details for you - reach out to [email protected] with any questions!

App Run Service

App Run Services are managed services for deploying containerized web applications and APIs quickly and at scale, with little or no infrastructure experience required, e.g., AWS App Runner, GCP Cloud Run.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
region_name | The region where the resource resides
service_id | The unique ID for the App Run Service
name | The name for the App Run Service
arn | The ARN associated with the App Run Service
status | The current state of the App Run Service
url | The URL generated by the App Run Service that can be used to access it
repository | The repository source for the App Run Service
repository_type | The type of repository source used for the App Run Service
environment_variables | The environment variables available to the App Run Service (these may carry secrets, so treat the attribute as sensitive)
cores | The number of CPU cores available to the App Run Service
memory_gb | The amount of memory (in gigabytes) available to the App Run Service
auto_deployment | Whether auto deployment is enabled
role_resource_id | The identifier for the role associated with the App Run Service
key_resource_id | The resource ID of the encryption key associated with the App Run Service
create_time | The timestamp when the App Run Service was created
last_update_time | The timestamp when the App Run Service was last updated
delete_time | The timestamp when the App Run Service was deleted

Clusters

Clusters are a logical grouping of Containers. This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the cluster
region_name | The region where the cluster resides
network_resource_id | The resource ID of the network the cluster is attached to
endpoint | The endpoint address for the cluster
status | The status of the cluster (running, active, etc.)
version | The version of the cluster
image_type | The image type the cluster nodes are based on
cluster_cert | The text of the cluster (CA) certificate
client_cert | The text of the client certificate
client_key | The text of the client key (this is credential material; treat the attribute as a secret)
service_account | Denotes whether the cluster uses the default service account
instance_groups | The number of instance groups in the cluster
role_arn | The role ARN for the cluster
arn | The Amazon Resource Name for the cluster
res_type | The type of cluster (GKE, EKS, ECS, etc.)
created_at | The date and time the cluster was created
registered_container_instances | The number of registered container instances for the cluster
running_deployment | The number of deployments/tasks currently running in the cluster
pending_deployment | The number of deployments/tasks pending execution in the cluster
active_services | The number of active services in the cluster
master_auth_network_enabled | Denotes if master authorized networks are enabled on the cluster (true/false)
endpoint_public_access | Denotes if the cluster allows access from the public endpoint (true/false)
endpoint_private_access | Denotes if the cluster allows access from the private endpoint (true/false)
node_repair_enabled | Denotes if the cluster has node auto-repair enabled (true/false)
node_upgrade_enabled | Denotes if the cluster has node auto-upgrade enabled (true/false)
network_policy_enabled | Denotes if the cluster has a network policy enabled (true/false)
alias_ip_ranges_enabled | Denotes if the cluster uses alias IP ranges (true/false)
created_client_cert_enabled | Denotes if the cluster issues client certificates (true/false)
pod_security_enabled | Denotes if the cluster has pod security enabled (true/false)
dashboard_disabled | Denotes if the cluster has the dashboard disabled (true/false)
legacy_auth_disabled | Denotes if the cluster has legacy auth disabled (true/false)
basic_auth_disabled | Denotes if the cluster has basic auth disabled (true/false)
monitoring | Denotes if the cluster has monitoring enabled (true/false)
logging | Denotes if the cluster has logging enabled (true/false)
private_cluster | Denotes if the cluster is private (true/false)
security_groups | The Security Groups associated with the cluster
tags | The tags on the cluster
public_access_cidrs | The IP networks that can connect to the cluster's public endpoint
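The exposure attributes in this table (endpoint_public_access, public_access_cidrs, the *_disabled and *_enabled flags, and the client certificate fields) are the ones a reviewer typically reads first. The following is an added example, not InsightCloudSec code: it evaluates a cluster record shaped like the table above and returns findings. The record layout, the sample values, and the choice of which flags to report are this example's own assumptions; note that a missing attribute (None) is treated as "not collected for this provider", not as a weak setting.

```python
"""
Added example (not InsightCloudSec code): flag control-plane exposure and
hardening gaps from the Clusters attributes above. The record shapes and
values are constructed; the reported flags are this example's own choice.
"""
import ipaddress

# Boolean attributes whose explicit False value is a finding.
HARDENING_FLAGS = {
    "basic_auth_disabled": "basic authentication is still enabled",
    "legacy_auth_disabled": "legacy (ABAC) authorization is still enabled",
    "dashboard_disabled": "the Kubernetes dashboard is still enabled",
    "network_policy_enabled": "no network policy enforcement",
    "logging": "control-plane logging is disabled",
    "monitoring": "monitoring is disabled",
}


def is_world_open(cidr: str) -> bool:
    """True when a CIDR admits every address (0.0.0.0/0 or ::/0)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def evaluate_cluster(cluster: dict) -> list:
    """Return a list of finding strings for one normalized cluster record."""
    findings = []

    if cluster.get("endpoint_public_access"):
        cidrs = cluster.get("public_access_cidrs") or []
        # No CIDR list on a public endpoint means the provider default applies,
        # which for EKS is 0.0.0.0/0.
        if not cidrs or any(is_world_open(c) for c in cidrs):
            findings.append("API endpoint reachable from the public internet")

    # Many flags are provider-specific (e.g. GKE only). None means the attribute
    # was not collected, which is not the same as a weak setting, so only an
    # explicit False is reported.
    for attr, problem in HARDENING_FLAGS.items():
        if cluster.get(attr) is False:
            findings.append(f"{attr}: {problem}")

    if cluster.get("created_client_cert_enabled") is True:
        findings.append("client certificate issuance is enabled")
    if cluster.get("client_key"):
        findings.append("client_key material is stored on the record; handle it as a credential")

    return findings


# Constructed sample records (not real clusters).
EKS_CLUSTER = {
    "name": "payments-prod", "res_type": "EKS",
    "endpoint_public_access": True, "endpoint_private_access": True,
    "public_access_cidrs": ["0.0.0.0/0"],
    "logging": False,
}
GKE_CLUSTER = {
    "name": "analytics-dev", "res_type": "GKE",
    "endpoint_public_access": True,
    "public_access_cidrs": ["203.0.113.0/24"],
    "master_auth_network_enabled": True,
    "basic_auth_disabled": True, "legacy_auth_disabled": False,
    "dashboard_disabled": True, "network_policy_enabled": True,
    "logging": True, "monitoring": True,
    "created_client_cert_enabled": False, "client_key": "",
}

if __name__ == "__main__":
    for record in (EKS_CLUSTER, GKE_CLUSTER):
        print(record["name"], evaluate_cluster(record))
```

The distinction between False and None matters in practice: basic_auth_disabled and legacy_auth_disabled are GKE concepts, so reporting them as failures on an EKS record would produce noise rather than findings.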

Container Image

Container Images are Docker images stored in registries.
This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
region_name | The region where the image resides
digest | The digest of the container image
hash_algorithm | The hash algorithm used for the image digest (for example, sha256)
image_tags | The tags on the image
size | The size of the image in bytes
registry_id | The account ID associated with the registry
registry_name | The name of the registry
push_time | The timestamp when this image was pushed to the registry
last_scanned | The timestamp when this image was last scanned
finding_count | The scan finding counts for the image
finding_summary | The scan finding summary for the image

Container Instances

Container Instances are the instances (nodes) that containers run on. This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the container instance
region_name | The region where the container instance resides
instance_resource_id | The resource ID of the underlying instance
network_resource_id | The resource ID of the network the container instance is associated with
provider_id | The provider ID of this instance
pod_cidr | The pod CIDR of the node, as assigned by the cloud provider
internal_ip_address | The internal IP address of the container instance
external_ip_address | The external IP address of the container instance
hostname_address | The DNS hostname of the container instance
architecture | The architecture reported by the node
boot_id | The boot ID reported by the node
container_runtime_version | The container runtime version reported by the node through the runtime remote API (e.g. docker://1.5.0)
operating_system | The operating system reported by the node
os_image | The OS image reported by the node from /etc/os-release (e.g. Debian GNU/Linux 7 [wheezy])
kubelet_version | The kubelet version reported by the node
cluster_name | The name of the cluster the instance is a part of
generate_name | An optional prefix used by the server to generate a unique name ONLY IF the Name field has not been provided
resource_version | The opaque value representing the internal version of this object, as used by Kubernetes
create_time | The timestamp when this instance was created
api_server | The API server for the cluster/instance, which serves REST operations
controller_manager | The controller manager running control loops for the instance
scheduler | The scheduler that decides when and where to run pods on the instance
pod_count | The number of pods on the instance
cpu_allocation | How much CPU is allocated for the instance
memory_allocation | How much memory is allocated for the instance
pod_allocation | How many pods are allocated for this instance
is_master | Boolean value denoting if this instance is a master (control-plane) node
ready | Boolean value denoting if the instance is ready
unschedulable | Controls whether new pods can be scheduled on the node; by default, a node is schedulable
allocatable | The resources available to pods, within capacity
capacity | The capacity of the instance (kube reserved, system reserved, eviction threshold and allocatable space for pods)
conditions | The JSON value of the conditions for the instance
node_info | The JSON value with the set of IDs/UUIDs that uniquely identify the node
annotations | The JSON value of annotations (metadata) about the node (class, scheme, etc.)
owner_references | The JSON value of owner references for the instance (API version, controller setting, kind, name, etc.)

Container Registry

Container Registries store container images and make it easier for developers to manage and distribute them.
This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
region_name | The region that this registry resides in
create_time | The time the registry was created
name | The name of the registry
registry_id | The account ID associated with the registry
status | The status of the registry
namespace_id | The Amazon Resource Name of the registry (AWS only)
policy | The JSON policy associated with the registry
trusted_accounts | The accounts that are granted access to this registry by its policy
publicly_accessible | Denotes if the registry is publicly accessible
image_count | The number of images in the registry
registry_type | The type of registry
scan_on_push | Denotes if scan on push is enabled or disabled (if it is not enabled, InsightCloudSec will not be able to see image vulnerability scan results)
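The policy attribute is the raw document; trusted_accounts and publicly_accessible are what a reviewer actually wants from it. The following is an added example, not InsightCloudSec code, showing how those two values can be derived from an ECR-style repository policy. The policy document is constructed, and the derivation rules (only Allow statements grant access, a wildcard principal under a Condition is reported separately rather than as public) are this example's own assumptions.

```python
"""
Added example (not InsightCloudSec code): derive `trusted_accounts` and
`publicly_accessible` from a registry `policy` document. The policy is a
constructed ECR-style repository policy and the derivation rules are this
example's own assumptions about how such attributes can be computed.
"""
import json
import re

# Bare 12-digit account IDs and IAM ARNs (root, user or role) both identify an account.
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::|$)")


def _principals(statement: dict) -> list:
    """Flatten the Principal element ("*", {"AWS": "..."} or {"AWS": [...]}) to strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    values = []
    for v in principal.values():  # keys such as "AWS" or "Service"
        values.extend(v if isinstance(v, list) else [v])
    return values


def analyze_registry_policy(policy_json: str, registry_id: str) -> dict:
    """Summarize who a repository policy lets in; registry_id is the owning account."""
    policy = json.loads(policy_json) if policy_json else {}
    trusted, public, conditional = set(), False, 0
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they never grant it
        for p in _principals(stmt):
            if p == "*":
                if "Condition" in stmt:
                    conditional += 1  # scoped by a condition (e.g. aws:SourceVpc); review by hand
                else:
                    public = True
                continue
            m = ACCOUNT_RE.match(p)
            if m and m.group(1) != registry_id:  # the owning account is the owner, not a trusted peer
                trusted.add(m.group(1))
    return {
        "publicly_accessible": public,
        "trusted_accounts": sorted(trusted),
        "conditional_wildcard_statements": conditional,
    }


# Constructed sample policy (not a real registry).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CrossAccountPull", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                               "arn:aws:iam::444455556666:role/ci-runner"]},
         "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]},
        {"Sid": "AnyonePull", "Effect": "Allow", "Principal": "*",
         "Action": "ecr:BatchGetImage"},
        {"Sid": "BlockDelete", "Effect": "Deny", "Principal": "*",
         "Action": "ecr:BatchDeleteImage"},
    ],
})

if __name__ == "__main__":
    print(analyze_registry_policy(SAMPLE_POLICY, registry_id="123456789012"))
```

The Deny statement in the sample is deliberately ignored for the trust computation: a Deny on one action does not make a repository any less public for the actions that remain allowed.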

Containers

Containers are small, lightweight execution environments that share the operating system kernel. This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the container
pod_name | The name of the pod
namespace | The namespace the container belongs to
region_name | The region where the container resides
image | The image name the container is running from
image_pull_policy | The image pull policy for the container (Always, IfNotPresent or Never)
restart_policy | Denotes if a restart policy is set on the container
working_dir | The working directory of the container
termination_message_policy | The policy indicating how the termination message should be populated (File or FallbackToLogsOnError)
termination_message_path | The path at which the file to which the container's termination message will be written is mounted into the container's filesystem
restart_count | The restart count of the container
running_time | The time the container has been running
privileged | Denotes if the container is privileged
stdin | Denotes if the container runtime allocated a buffer for stdin
stdin_once | Denotes if the container runtime should close the stdin channel after it has been opened by a single attach
tty | Denotes if the container has allocated a TTY for itself
args | The arguments to the entrypoint
command | The entrypoint array; not executed within a shell
env | The list of environment variables set in the container
security_context | The security options the container should be run with
volume_mounts | The JSON of volume mounts on the container
state | The state of the container (running, created, restarting, etc.)
repository | The repository the container pulls its image from
version | The image tag (version) the container pulls
status | The status of the container
pod_resource_id | The resource ID of the pod
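The image, repository and version attributes above, together with digest and hash_algorithm on the Container Image resource, are all pieces of a single image reference string. The following is an added example, not InsightCloudSec code, that splits a reference into those pieces according to the Docker/OCI reference grammar. The sample references are constructed, and the extra "pinned" field is this example's own addition: only a digest identifies immutable content, whereas a tag can be re-pointed at a different image at any time.

```python
"""
Added example (not InsightCloudSec code): split a container `image`
reference into registry, repository, tag (`version`) and digest
(`digest`/`hash_algorithm` on the Container Image resource).
The inputs are constructed; parsing follows the Docker/OCI reference grammar.
"""


def parse_image_reference(image: str) -> dict:
    """Split an image reference into registry, repository, tag and digest."""
    ref, digest = image, None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # A tag is whatever follows the last ':' only when that ':' sits after the
    # last '/'; otherwise the ':' belongs to a registry port (host:5000/repo).
    tag = None
    last_slash, last_colon = ref.rfind("/"), ref.rfind(":")
    if last_colon > last_slash:
        ref, tag = ref[:last_colon], ref[last_colon + 1:]
    # The first path component is a registry host only if it looks like one.
    first, _, rest = ref.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, rest
    else:
        registry, repository = "docker.io", ref
        if "/" not in repository:
            repository = "library/" + repository  # official images live under library/
    if tag is None and digest is None:
        tag = "latest"  # the implicit default when neither a tag nor a digest is given
    algorithm, _, digest_hex = digest.partition(":") if digest else (None, None, None)
    return {
        "registry": registry,
        "repository": repository,
        "version": tag,
        "hash_algorithm": algorithm,
        "digest": digest_hex,
        # Only a digest pins content; a tag can be re-pointed at a different image.
        "pinned": digest is not None,
    }


# Constructed sample references (not taken from a real environment).
SAMPLE_IMAGES = [
    "nginx",
    "localhost:5000/tools/debug:edge",
    "123456789012.dkr.ecr.us-east-1.amazonaws.com/payments/api:2.3.1@sha256:" + "a" * 64,
]

if __name__ == "__main__":
    for image in SAMPLE_IMAGES:
        print(image, "->", parse_image_reference(image))
```

A practical use is to group containers by repository and then flag any whose version is a mutable tag such as latest or whose pinned flag is false, since those are the deployments a registry compromise or a tag re-push can silently change.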

Deployment/Tasks

Deployment/Tasks provides declarative updates for Pods and ReplicaSets. This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the deployment
namespace | The namespace within which the deployment name must be unique
region_name | The region where the deployment resides
arn | The Amazon Resource Name of the deployment
desired_status | The desired status of the deployment
launch_type | The deployment launch type (AWS only)
connectivity | The connectivity of the deployment
platform_version | The deployment platform version
last_status | The last status of the deployment (progressing, complete)
cluster_name | The name of the cluster for the deployment
strategy_type | The strategy type for the deployment (rolling update, recreate)
paused | Denotes if the deployment is paused (true/false)
create_time | The creation time of the deployment
available_replicas | The total number of available pods (ready for at least minReadySeconds) targeted by this deployment
unavailable_replicas | The total number of unavailable pods targeted by this deployment
replicas | The total number of non-terminated pods targeted by this deployment
ready_replicas | The total number of ready pods targeted by this deployment
updated_replicas | The total number of non-terminated pods targeted by this deployment that have the desired template spec
observed_generation | The generation observed by the deployment controller
collision_count | The number of hash collisions for the deployment
annotations | The JSON value of annotations (metadata) for the deployment
conditions | The JSON value of the latest available observations of the deployment's current state
owner_references | The JSON value of owner references for the deployment (API version, controller setting, kind, name, etc.)
rolling_update | The JSON value of the rolling update config parameters

Ingress

Ingress is an API object that manages external access to the services in a cluster. This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the Ingress
ingress_uid | The UID of the Ingress, a value unique in time and space
namespace | The namespace (name and auth scope) of the Ingress
cluster_name | The name of the cluster which the Ingress belongs to
generation | The sequence number representing a specific generation of the desired state
resource_version | The resource version of the Ingress
create_time | The creation time of the Ingress
annotations | The JSON value of annotations (metadata) for the Ingress
rules | The JSON value of the Ingress rules

Namespaces

A Namespace is a virtual cluster backed by a physical cluster; typically, there are several distinct namespaces on a single physical cluster. An example of a Namespace is a Kubernetes Namespace.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the namespace
status | The status of the namespace
create_time | The timestamp for when the namespace was created
annotations | Custom metadata for the namespace

Pod Security Policies

Pod Security Policies are a cluster-level resource that controls security sensitive aspects of the pod specification. This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the Pod Security Policy
privileged | Denotes if a pod can request to be run as privileged
allow_privilege_escalation | Denotes if a pod can request to allow privilege escalation
host_ipc | Denotes if the policy allows the use of HostIPC in the pod spec
host_network | Denotes if the policy allows the use of HostNetwork in the pod spec
host_pid | Denotes if the policy allows the use of HostPID in the pod spec
read_only_root_filesystem | Denotes if containers must run with a read-only root file system
run_as_user | The JSON value of the strategy that dictates the allowable RunAsUser values that may be set
se_linux | The JSON value of the strategy that dictates the allowable SELinux labels that may be set
fs_group | The JSON value of the strategy that dictates what fs group is used by the SecurityContext
supplemental_groups | The JSON value of the strategy that dictates what supplemental groups are used by the SecurityContext
create_time | The creation time of the Pod Security Policy
annotations | The JSON value of annotations (metadata) for the Pod Security Policy
allowed_capabilities | The JSON list of capabilities that may be requested to be added to the container
required_drop_capabilities | The JSON list of capabilities that will be dropped from the container

Pods

Pods are the smallest deployable units on a cluster: one or more containers that are scheduled and run together. This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the pod
namespace | The namespace (name and auth scope) of the pod
region_name | The region the pod resides in
version | The version the pod uses
hostname | The hostname of the pod
container_instance_resource_id | The resource ID of the container instance (node) the pod is scheduled on
host_ip | The IP address of the host to which the pod is assigned
pod_ip | The IP address allocated to the pod; routable at least within the cluster
status | The current status of the pod
execution_role_arn | The role ARN for pod execution
network_mode | The network mode for the pod
restart_policy | The restart policy for all containers within the pod (always, onfailure, never)
service_account_name | The name of the ServiceAccount used to run the pod
priority_class_name | If specified, indicates the pod's priority class (system-node-critical, system-cluster-critical)
generate_name | An optional prefix used by the server to generate a unique name ONLY IF the Name field has not been provided
resource_version | The internal version of this pod
dns_policy | The DNS policy for the pod (clusterfirst, clusterfirstwithhostnet, default or none)
create_time | The creation time of the pod
generation | The number representing a specific generation of the desired state
priority | The priority value
host_ipc | Denotes if the pod uses the host's IPC namespace (true/false)
host_network | Denotes if host networking is requested for this pod (true/false)
host_pid | Denotes if the pod uses the host's PID namespace (true/false)
owner_references | The JSON value of owner references for the pod (API version, controller setting, kind, name, etc.)
security_context | The JSON value of the security context attached to the pod
launch_type | The JSON value of the launch type of the pod
node_selector | The JSON list of node selector requirements on the node's fields
container_count | The number of containers within the pod
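The Pod Security Policies table describes what a policy permits, and the Pods and Containers tables describe what a workload actually requests (host_pid, host_network, host_ipc, privileged, security_context). The following is an added example, not InsightCloudSec code, that puts the two together: given a policy record, a pod record and the pod's container records, it lists every way the workload exceeds the policy. It is a simplified reading of PSP semantics (for instance it reports missing required drops instead of mutating the spec the way the admission controller did), and all three records are constructed.

```python
"""
Added example (not InsightCloudSec code): decide whether a Pod and its
Containers would be admitted by a Pod Security Policy, using only the
attributes listed in the Pod Security Policies, Pods and Containers tables.
The admission rules are a simplified reading of PSP semantics and the
records are constructed.
"""


def psp_admits(psp: dict, pod: dict, containers: list) -> list:
    """Return the list of violations; an empty list means the pod is admitted."""
    violations = []

    for host_attr in ("host_pid", "host_network", "host_ipc"):
        if pod.get(host_attr) and not psp.get(host_attr):
            violations.append(f"pod requests {host_attr} but policy forbids it")

    pod_ctx = pod.get("security_context") or {}
    run_as = psp.get("run_as_user") or {}
    allowed = set(psp.get("allowed_capabilities") or [])
    required_drop = set(psp.get("required_drop_capabilities") or [])

    for c in containers:
        ctx = c.get("security_context") or {}
        name = c.get("name", "?")

        if c.get("privileged") and not psp.get("privileged"):
            violations.append(f"{name}: privileged container not allowed")

        # allowPrivilegeEscalation defaults to true unless the container sets it.
        if ctx.get("allowPrivilegeEscalation", True) and not psp.get("allow_privilege_escalation", True):
            violations.append(f"{name}: privilege escalation not allowed")

        if psp.get("read_only_root_filesystem") and not ctx.get("readOnlyRootFilesystem"):
            violations.append(f"{name}: root filesystem must be read-only")

        caps = ctx.get("capabilities") or {}
        added = set(caps.get("add") or [])
        dropped = set(caps.get("drop") or [])
        if "*" not in allowed:
            for cap in sorted(added - allowed):
                violations.append(f"{name}: capability {cap} not in allowed_capabilities")
        for cap in sorted(required_drop - dropped):
            violations.append(f"{name}: must drop capability {cap}")

        # Container-level settings override pod-level ones.
        if run_as.get("rule") == "MustRunAsNonRoot":
            uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
            non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
            if uid == 0 or (uid is None and not non_root):
                violations.append(f"{name}: MustRunAsNonRoot but container may run as root")

    return violations


# Constructed sample records (not taken from a real cluster).
RESTRICTED_PSP = {
    "name": "restricted", "privileged": False, "allow_privilege_escalation": False,
    "host_pid": False, "host_network": False, "host_ipc": False,
    "read_only_root_filesystem": True,
    "run_as_user": {"rule": "MustRunAsNonRoot"},
    "allowed_capabilities": [], "required_drop_capabilities": ["ALL"],
}
WEB_POD = {"name": "web-7d9f", "namespace": "shop", "host_network": True,
           "security_context": {"runAsNonRoot": True}}
WEB_CONTAINERS = [
    {"name": "nginx", "privileged": False,
     "security_context": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                          "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}},
    {"name": "debug", "privileged": True, "security_context": {}},
]

if __name__ == "__main__":
    for v in psp_admits(RESTRICTED_PSP, WEB_POD, WEB_CONTAINERS):
        print(v)
```

The same function is useful after PSP removal: run the workload records against a policy record that encodes the restricted profile you intend to enforce with Pod Security Admission or an admission webhook, and the output is the migration backlog.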

Services

Services are a grouping of pods that are running on the cluster. This class inherits from TopLevelResource and has direct access to the resource's database object.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the service
namespace | The namespace (name and auth scope) of the service; a namespace defines the space within which each name must be unique
cluster_name | The name of the cluster which the service belongs to
external_i_ps | The list of external IP addresses (externalIPs) for which nodes in the cluster will also accept traffic for this service
external_name | The external reference that kube-dns or equivalent will return as a CNAME record for this service
load_balancer_ip | The IP the LoadBalancer will be created with; only applies to Service Type: LoadBalancer
resource_version | The version for the service
service_type | Denotes how the Service is exposed (externalname, clusterip, nodeport, loadbalancer)
generation | The sequence number representing a specific generation of the desired state
create_time | The creation time of the service
annotations | The JSON value of annotations (metadata) for the Service
selector | The JSON value of the selector, with the label keys and values that route service traffic to pods
load_balancer_source_ranges | Restricts traffic through the cloud-provider load balancer to the specified client IP ranges (JSON), if specified and supported by the platform
service_ports | The JSON list of the ports of the service
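Whether a Service is reachable from outside the cluster follows from service_type, load_balancer_source_ranges and external_i_ps together, not from any one of them. The following is an added example, not InsightCloudSec code, that classifies constructed service records on that basis. The attribute names match the table above; the classification rules are this example's own assumptions, and the NodePort case carries a caveat in the code because node reachability depends on the container instances' external addresses and security groups rather than on the Service itself.

```python
"""
Added example (not InsightCloudSec code): classify how a Service exposes
its pods outside the cluster from the Services attributes above.
The records are constructed and the rules are this example's own.
"""
import ipaddress


def service_exposure(svc: dict) -> dict:
    """Return the exposed ports and the reasons the service counts as internet-exposed."""
    stype = (svc.get("service_type") or "clusterip").lower()
    ranges = svc.get("load_balancer_source_ranges") or []
    external_ips = svc.get("external_i_ps") or []
    ports = [p.get("port") for p in svc.get("service_ports") or []]
    reasons = []

    if stype == "loadbalancer":
        if not ranges:
            # An absent list is not a deny; the provider default is 0.0.0.0/0.
            reasons.append("LoadBalancer with no load_balancer_source_ranges (provider default is 0.0.0.0/0)")
        else:
            open_ranges = [r for r in ranges
                           if ipaddress.ip_network(r, strict=False).prefixlen == 0]
            if open_ranges:
                reasons.append("LoadBalancer source ranges include " + ", ".join(open_ranges))
    elif stype == "nodeport":
        # Caveat: actually reachable only where nodes have an external_ip_address
        # and their security groups admit the port; check the Container Instances.
        reasons.append("NodePort exposes the service on every node's address")

    if external_ips:
        # externalIPs bypass the cloud load balancer entirely.
        reasons.append("externalIPs set: " + ", ".join(external_ips))

    return {
        "name": svc.get("name"),
        "namespace": svc.get("namespace"),
        "ports": ports,
        "internet_exposed": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample records (not taken from a real cluster).
SAMPLE_SERVICES = [
    {"name": "storefront", "namespace": "shop", "service_type": "LoadBalancer",
     "load_balancer_source_ranges": [],
     "service_ports": [{"port": 443, "targetPort": 8443}]},
    {"name": "admin-api", "namespace": "shop", "service_type": "LoadBalancer",
     "load_balancer_source_ranges": ["10.0.0.0/8"],
     "service_ports": [{"port": 8080, "targetPort": 8080}]},
    {"name": "metrics", "namespace": "ops", "service_type": "ClusterIP",
     "external_i_ps": ["198.51.100.10"],
     "service_ports": [{"port": 9100, "targetPort": 9100}]},
    {"name": "legacy", "namespace": "ops", "service_type": "NodePort",
     "service_ports": [{"port": 80, "nodePort": 30080}]},
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        print(service_exposure(svc))
```

Pairing this output with the Ingress rules attribute and the Container Instances' external_ip_address values gives the full externally reachable surface of a cluster from the normalized records alone.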

Task Definitions

Task Definitions are required to run Docker containers within container management services in the cloud. An example of a Task Definition is an AWS Elastic Container Service (ECS) Task Definition.

Attribute | Description
--- | ---
resource_id | The primary resource identifier, a prefix followed by numbers and letters
organization_service_id | The ID of the parent organization service (cloud)
name | The name of the Task Definition
region_name | The region the Task Definition resides in
version | The version of the Task Definition
arn | The Amazon Resource Name of the Task Definition
status | The status of the Task Definition
container_count | The number of containers within the Task Definition
network_mode | The Docker networking mode to use for containers within the Task Definition
launch_type | The type of infrastructure on which the Task Definition is launched
execution_role_arn | The Amazon Resource Name of the task execution role
cpu | The number of CPU units used by the Task Definition
memory | The amount of memory used by the Task Definition
family | The name of the family that the Task Definition is registered to
created_at | The date the Task Definition was created
