Policy resources

policy/access

AccessReport

Represents any access made by the user.

Example

{ "action": "Accept", "enforcerID": "xxx-xxx-xxx", "enforcerNamespace": "/my/namespace", "processingUnitID": "xxx-xxx-xxx-xxx", "processingUnitName": "pu1", "processingUnitNamespace": "/my/ns", "type": "SSHLogin" }

Relations

Create an access report.

Attributes

Type: string
Identifier of the object.
Action applied to the access.
Type: string
Hash of the claims used to communicate.
Type: string
Identifier of the enforcer.
Type: string
Namespace of the enforcer.
Type: string
ID of the processing unit of the report.
Type: string
Name of the processing unit of the report.
Type: string
Namespace of the processing unit of the report.
Type: string
This field is only set if action is set to Reject. It specifies the reason for the rejection.
Type: time
Date of the report.

UserAccessPolicy

The enforcer policy that controls user access.

Example

{ "disabled": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of user access policies.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new enforcer policy.
Deletes the policy with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Retrieves the policy with the given ID.
Updates the policy with the given ID.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Type: []string
Indicates the list of users who can use sudo commands.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: time
If set the policy will be automatically deleted after the given time.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Contains the tag expression matching the enforcers the subject is allowed to connect to.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Contains the tag expression the tags need to match for the policy to apply.
Type: time
Last update date of the object.

policy/audit

AuditProfile

A set of audit rules that determine the types of events that must be captured in the kernel.

Example

{ "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of audit profiles.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new audit profile.
Deletes the profile with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Retrieves the object with the given ID.
Updates the profile with the given ID.
Returns the list of audit profiles that are referred to by this mapping.
Returns a list of the audit profiles that must be applied to this enforcer.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
List of audit rules associated with this profile.
Type: time
Last update date of the object.

AuditProfileMappingPolicy

Use an audit profile mapping to define the set of enforcers that must implement a specific audit profile.

Example

{ "disabled": false, "fallback": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of audit profile mapping policies.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new audit profile mapping policy.
Deletes the mapping with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Retrieves the mapping with the given ID.
Updates the mapping with the given ID.
Returns the list of audit profiles that are referred to by this mapping.
Returns the list of enforcers that are affected by this mapping.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is a fallback policy. It is only applied if no other policy has resolved. If the policy is also propagated, it becomes the fallback for child namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
The tag or tag expression that identifies the audit profile to be mapped.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
The tag or tag expression that identifies the enforcer(s) to implement the audit profile.
Type: time
Last update date of the object.

AuditReport

Post a new audit report.

Example

{ "AUID": "xxx-xxx", "CWD": "/etc", "EXE": "/bin/ls", "a0": "xxx-xxx", "a1": "xxx-xxx", "a2": "xxx-xxx", "a3": "xxx-xxx", "arch": "x86_64", "auditProfileID": "xxx-xxx-xxx-xxx", "auditProfileNamespace": "/my/ns", "command": "ls", "enforcerID": "xxx-xxx-xxx-xxx", "enforcerNamespace": "/my/ns", "processingUnitID": "xxx-xxx-xxx-xxx", "processingUnitNamespace": "/my/ns", "recordType": "Syscall", "success": false, "syscall": "execve", "timestamp": "2018-06-14T23:10:46.420397985Z" }

Relations

Create an audit statistics report.

Attributes

Type: string
The login ID of the user who started the audited process.
Type: string
Command working directory.
Type: integer
Effective group ID of the user who started the audited process.
Type: integer
Effective user ID of the user who started the audited process.
Type: string
Path to the executable.
Type: integer
File system group ID of the user who started the audited process.
Type: integer
File system user ID of the user who started the audited process.
Type: string
Full path of the file that was passed to the system call.
Type: integer
Group ID of the user who started the analyzed process.
Type: string
Identifier of the object.
Type: integer
File or directory permissions.
Type: integer
Process ID of the executable.
Type: integer
Process ID of the parent executable.
Type: integer
Set group ID of the user who started the audited process.
Type: integer
Set user ID of the user who started the audited process.
Type: integer
User ID.
Type: string
First argument of the executed system call.
Type: string
Second argument of the executed system call.
Type: string
Third argument of the executed system call.
Type: string
Fourth argument of the executed system call.
Type: string
Architecture of the system of the monitored process.
Type: []string
Arguments passed to the command.
Type: string
ID of the audit profile that triggered the report.
Type: string
Namespace of the audit profile that triggered the report.
Type: string
Command issued.
Type: string
ID of the enforcer reporting.
Type: string
Namespace of the enforcer reporting.
Type: integer
Exit code of the executed system call.
Type: string
ID of the processing unit originating the report.
Type: string
Namespace of the processing unit originating the report.
Type: string
Type of audit record.
Type: integer
Needs documentation.
Type: boolean
Tells if the operation has been a success or a failure.
Type: string
System call executed.
Type: time
Date of the report.
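The AuditReport record above is what an enforcer posts for each captured kernel event. The following is an added example, not code from the Microsegmentation API or the product: it decodes JSON-encoded reports, rejects records that lack the fields the page's example carries, and runs two constructed detection rules over them (a refused system call, and an execve of a binary outside an allowlisted directory). The sample records, the rule names and the `TRUSTED_EXE_PREFIXES` allowlist are constructed for illustration.

```python
"""Parse and triage AuditReport records.

Added example; not code from the Microsegmentation API or the product. The
record shape follows the AuditReport example on this page. The sample records,
the rule names and the executable allowlist are constructed for illustration.
"""
import json

# Fields every report is expected to carry (taken from the page's example).
REQUIRED = ("enforcerID", "enforcerNamespace", "processingUnitID",
            "processingUnitNamespace", "recordType", "success", "timestamp")

# Constructed allowlist of executable locations; a real deployment would take
# this from its own image baseline.
TRUSTED_EXE_PREFIXES = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")


def parse_report(raw: str) -> dict:
    """Decode one JSON-encoded AuditReport and check its required fields.

    Raises ValueError (json.JSONDecodeError is a subclass) on bad input so a
    malformed record can never be silently counted as benign.
    """
    rec = json.loads(raw)
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError(f"report missing fields: {missing}")
    if not isinstance(rec["success"], bool):
        raise ValueError("success must be a boolean")
    return rec


def rules_for(rec: dict) -> list:
    """Return the names of the constructed detection rules a record trips."""
    hits = []
    # A refused system call: the kernel denied something the process tried.
    if rec["recordType"] == "Syscall" and rec["success"] is False:
        hits.append("failed-syscall")
    # An execve of a binary outside the allowlisted directories.
    exe = rec.get("EXE", "")
    if rec.get("syscall") == "execve" and not exe.startswith(TRUSTED_EXE_PREFIXES):
        hits.append("exec-outside-allowlist")
    return hits


def triage(lines) -> dict:
    """Run every record through the rules; count the unparsable ones."""
    findings, errors = [], 0
    for raw in lines:
        try:
            rec = parse_report(raw)
        except ValueError:
            errors += 1
            continue
        for rule in rules_for(rec):
            findings.append((rule, rec["processingUnitID"], rec.get("EXE")))
    return {"findings": findings, "errors": errors}


def _record(**overrides) -> str:
    """Build a constructed report around the page's example values."""
    base = {"AUID": "1000", "CWD": "/etc", "EXE": "/bin/ls", "arch": "x86_64",
            "auditProfileID": "prof-1", "auditProfileNamespace": "/my/ns",
            "command": "ls", "enforcerID": "enf-1", "enforcerNamespace": "/my/ns",
            "processingUnitID": "pu-1", "processingUnitNamespace": "/my/ns",
            "recordType": "Syscall", "success": True, "syscall": "execve",
            "timestamp": "2018-06-14T23:10:46.420397985Z"}
    base.update(overrides)
    return json.dumps(base)


# Constructed sample feed: one refused execve, one execve from /tmp, one
# benign cat, and one malformed record.
SAMPLE_REPORTS = [
    _record(success=False),
    _record(processingUnitID="pu-2", EXE="/tmp/build.sh", command="build.sh"),
    _record(processingUnitID="pu-3", EXE="/usr/bin/cat", command="cat"),
    '{"recordType": "Syscall", "success": "no"}',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORTS)["findings"]:
        print(*finding)
```

Malformed records are counted rather than dropped silently, so a feed that suddenly stops parsing shows up as a rising error count instead of as a quiet absence of findings.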

policy/authorization

APIAuthorizationPolicy

An API authorization defines the operations a user can perform in a namespace: GET, POST, PUT, DELETE, PATCH, and/or HEAD. It is also possible to restrict the user to a subset of the APIs in the namespace by setting authorizedIdentities. An API authorization always propagates down to all the children of the current namespace.

Example

{ "authorizedIdentities": [ "@auth:role=namespace.administrator" ], "authorizedNamespace": "/namespace", "disabled": false, "fallback": false, "name": "the name", "propagationHidden": false, "protected": false }

Relations

Retrieves the list of API authorizations.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new API authorization.
Deletes the authorization with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Retrieves the authorization with the given ID.
Updates the authorization with the given ID.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: []string
A list of roles assigned to the user.
Type: string
Defines the namespace the user is authorized to access.
Type: []string
If set, the API authorization will only be valid if the request comes from one of the declared subnets.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: time
If set, the policy will be automatically deleted after the given time.
Type: boolean
Indicates that this is a fallback policy. It is only applied if no other policy has resolved. If the policy is also propagated, it becomes the fallback for child namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
If set to true while the policy is propagating, it will not be visible to child namespaces but is still used for policy resolution.
Type: boolean
Defines if the object is protected.
A tag or tag expression that identifies the authorized user(s).
Type: time
Last update date of the object.
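The attribute descriptions above define how API authorizations resolve: they always propagate down, disabled ones are ignored, a fallback applies only when nothing else resolved, and propagationHidden hides a policy from child namespaces without removing it from resolution. The following is an added model of those rules, not code from the Microsegmentation Console. Two details are this model's assumptions rather than statements on the page: a subject tag expression is a list of AND-groups combined with OR, and authorizedNamespace grants access to that namespace and its children. All policy names, claims and the `@auth:role=example.viewer` role are constructed.

```python
"""Model of API authorization resolution.

Added example, not code from the Microsegmentation Console. It implements what
the attribute descriptions on this page state; the OR-of-AND reading of the
subject expression and the descendant scope of authorizedNamespace are
assumptions of this model.
"""
from dataclasses import dataclass


@dataclass
class APIAuthorizationPolicy:
    name: str
    namespace: str                 # namespace the policy was created in
    authorizedNamespace: str
    authorizedIdentities: list
    subject: list                  # e.g. [["team=platform"], ["team=ops", "env=prod"]]
    disabled: bool = False
    fallback: bool = False
    propagationHidden: bool = False


def under(parent: str, ns: str) -> bool:
    """True when ns is parent itself or one of its descendants."""
    return ns == parent or ns.startswith(parent.rstrip("/") + "/")


def subject_matches(subject: list, claims: set) -> bool:
    """Assumed semantics: any inner group whose tags are all present matches."""
    return any(all(tag in claims for tag in group) for group in subject)


def resolve(policies, request_ns: str, claims: set) -> set:
    """Return the identities the caller may operate on in request_ns."""
    applicable = [
        p for p in policies
        if not p.disabled
        and under(p.namespace, request_ns)            # always propagates down
        and under(p.authorizedNamespace, request_ns)  # model assumption
        and subject_matches(p.subject, claims)
    ]
    # Fallback policies are consulted only when no primary policy resolved.
    primary = [p for p in applicable if not p.fallback]
    chosen = primary or [p for p in applicable if p.fallback]
    return {ident for p in chosen for ident in p.authorizedIdentities}


def visible_names(policies, ns: str) -> list:
    """Policies a user browsing ns would see: local ones, plus propagated
    ones that are not propagationHidden. Resolution ignores this flag."""
    return [p.name for p in policies
            if p.namespace == ns or (under(p.namespace, ns) and not p.propagationHidden)]


# Constructed sample set living in the /acme namespace tree.
POLICIES = [
    APIAuthorizationPolicy("platform-admins", "/acme", "/acme",
                           ["@auth:role=namespace.administrator"], [["team=platform"]]),
    APIAuthorizationPolicy("ops-enforcer-hidden", "/acme", "/acme",
                           ["@auth:role=enforcer"], [["team=ops"]], propagationHidden=True),
    APIAuthorizationPolicy("anyone-viewer", "/acme", "/acme",
                           ["@auth:role=example.viewer"], [["org=acme"]], fallback=True),
    APIAuthorizationPolicy("retired", "/acme", "/acme",
                           ["@auth:role=kubesquall"], [["team=platform"]], disabled=True),
    APIAuthorizationPolicy("prod-local", "/acme/prod", "/acme/prod",
                           ["@auth:role=enforcer"], [["team=prod"]]),
]

if __name__ == "__main__":
    print(resolve(POLICIES, "/acme/prod", {"team=platform", "org=acme"}))
    print(visible_names(POLICIES, "/acme/prod"))
```

The point worth checking in a real tenant is the last clause of `resolve`: a platform member carrying the `org=acme` claim gets only the administrator role, because the viewer fallback is never added on top of a primary match; a caller with only `org=acme` falls through to it.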

APICheck

Allows you to verify whether a client identified by its token is allowed to perform some operations on some APIs.

Example

{ "namespace": "/namespace", "operation": "Create", "targetIdentities": [ "processingunit", "enforcer" ] }

Relations

Verifies the authorizations on various identities for a given token.

Attributes

Contains the results of the check.
Type: string
The namespace to use to check the API authorization.
Type: []string
Contains the list of identities you want to check the authorization of.

AppCredential

Create an app credential.

Example

{ "CSR": "-----BEGIN CERTIFICATE REQUEST----- MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG 9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c 1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn 29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2 97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w= -----END CERTIFICATE REQUEST-----", "disabled": false, "name": "the name", "protected": false, "roles": [ "@auth:role=enforcer", "@auth:role=kubesquall" ] }

Relations

Retrieves the list of app credentials.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Creates a new app credential.
Deletes the app credential with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Retrieves the app credential with the given ID.
Updates the app credential with the given ID.

Attributes

Type: string
Contains a PEM-encoded certificate signing request (CSR). It can only be set during a renew.
If you send anything else, the signing request will be rejected.
Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: []string
If set, the app credential will only be valid if the request comes from one of the declared subnets.
Type: string
The string representation of the certificate used by the app credential.
Type: time
Creation date of the object.
The app credential data.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: string
The email address that will receive a copy of the app credential.
Type: string
If set, this will limit the maximum validity of the token issued from this app credential. This information will be embedded into the delivered certificate and cannot be changed once set. In order to change it, you need to renew the certificate.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: []string
Contains the ID of the parent app credential if this is a derived app credential.
Type: boolean
Defines if the object is protected.
Type: []string
List of roles to give the app credential.
Type: time
Last update date of the object.

Credential

Represents an app credential.

Attributes

Type: string
The URL of the Microsegmentation Console API.
Type: string
The ID of the app credential.
Type: string
The base64-encoded certificate.
Type: string
The base64-encoded certificate authority.
Type: string
The base64-encoded certificate key.
Type: string
The name of the app credential.
Type: string
The namespace of the app credential.

Role

Returns the available roles that can be used with API authorizations.

Relations

Retrieves the list of existing roles.

Attributes

Authorizations of the role.
Type: string
Description of the role.
Type: string
Key of the role.
Type: string
Name of the role.
Type: boolean
Set to true to make the role private and hidden from the UI.

policy/dns

DNSLookupReport

A DNS lookup report is used to report a DNS lookup that is happening on behalf of a processing unit. If the DNS server is on the standard UDP port 53, the enforcer can proxy the DNS traffic and make a report. The report indicates whether or not the lookup was successful.

Example

{ "action": "Accept", "enforcerNamespace": "/my/namespace", "processingUnitID": "xxx-xxx-xxx", "processingUnitNamespace": "/my/namespace", "resolvedName": "www.google.com", "sourceIP": "10.0.0.1", "value": 1 }

Relations

Create a DNS Lookup report.

Attributes

Type: string
Identifier of the object.
Action of the DNS request.
Type: string
ID of the enforcer.
Type: string
Namespace of the enforcer.
Type: string
Namespace tag attached to an entity.
Type: string
ID of the PU.
Type: string
Namespace of the PU. This is deprecated. Use namespace instead.
Type: string
This field is only set when the lookup fails. It specifies the reason for the failure.
Type: []string
CNAME aliases.
Type: []string
Resolved IP addresses.
Type: string
Name used for DNS resolution.
Type: string
Type of the source.
Type: time
Time and date of the log.
Type: integer
Number of times the client saw this activity.

policy/enforcerconfig

EnforcerProfile

Allows you to create reusable configuration profiles for your enforcers. Enforcer profiles contain various startup information, some of which can be updated live. Enforcer profiles are assigned to enforcers using an enforcer profile mapping.

Example

{ "kubernetesMetadataExtractor": "PodAtomic", "kubernetesSupportEnabled": false, "metadataExtractor": "Docker", "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of enforcer profiles.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new enforcer profile.
Deletes the enforcer profile with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Retrieves the enforcer profile with the given ID.
Updates the enforcer profile with the given ID.
Returns the list of enforcer profiles that an enforcer profile mapping matches.
Returns the enforcer profile that must be used by an enforcer.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: []string
Ignore traffic with a source or destination matching the specified interfaces.
Type: []string
Ignore any networks specified here and do not even report any flows. This can be useful for excluding localhost loopback traffic, ignoring traffic to the Kubernetes API, and using Microsegmentation for SSH only.
A tag expression that identifies processing units to ignore. This can be useful to exclude kube-system pods, AWS EC2 agent pods, and third-party agents.
This field is kept for backward compatibility for enforcers <= 3.5.
Default value:
"PodAtomic"
Type: boolean
This field is kept for backward compatibility for enforcers <= 3.5.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
This field is kept for backward compatibility for enforcers <= 3.5.
Default value:
"Docker"
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: []string
If empty, the enforcer auto-discovers the TCP networks. Auto-discovery works best in Kubernetes and OpenShift deployments. You may need to manually specify the TCP networks if middle boxes exist that do not comply with TCP Fast Open RFC 7413.
Type: []string
If empty, the enforcer enforces all UDP networks. This works best when all UDP networks have enforcers. If some UDP networks do not have enforcers, you may need to manually specify the UDP networks that should be enforced.
Type: []string
List of trusted certificate authorities. If empty, the main chain of trust will be used.
Type: time
Last update date of the object.

EnforcerProfileMappingPolicy

Allows you to map an enforcer profile to one or more enforcers. The mapping can also be propagated down to the child namespace.

Example

{ "disabled": false, "fallback": false, "name": "the name", "object": [ [ "a=a", "b=b" ], [ "c=c" ] ], "propagate": false, "protected": false, "subject": [ [ "a=a", "b=b" ], [ "c=c" ] ] }

Relations

Retrieves the list of enforcer profile mappings.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new enforcer profile mapping.
Deletes the mapping with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Retrieves the mapping with the given ID.
Updates the mapping with the given ID.
Returns the list of enforcer profiles that an enforcer profile mapping matches.
Returns the list of enforcers affected by an enforcer profile mapping.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is a fallback policy. It is only applied if no other policy has resolved. If the policy is also propagated, it becomes the fallback for child namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
The tag or tag expression that identifies the enforcer profile to be mapped.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
The tag or tag expression that identifies the enforcers that should implement the mapped profile.
Type: time
Last update date of the object.

TrustedCA

Represents a trusted certificate authority (CA).

Relations

Retrieves the trusted CAs of a namespace.
Returns the list of certificate authorities that should be trusted by this enforcer.
Returns the list of trusted CAs for this namespace.

Attributes

Type: string
The private certificate of the corresponding type associated with this namespace.
Type: string
The controller that this certificate or CA was issued from.
Type: string
The namespace that this certificate or CA was defined at.
Type: string
The ID of namespace that this certificate or CA was defined at.
Type: string
SerialNumber is the serial number of the certificate.
Type of the certificate.

TrustedNamespace

This object allows you to declare trust between namespaces that are cryptographically isolated. The namespaces can be local or served by different Microsegmentation Console controllers.

Example

{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4 NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau 7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8 jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA== -----END CERTIFICATE-----", "name": "the name", "protected": false }

Relations

Retrieves the list of trusted namespaces.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new trusted namespace.
Delete the trusted namespace with the given ID.
Retrieve the trusted namespace with the given ID.
Update the trusted namespace with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Contains the PEM block of the certificate authority trusted namespace.
Type: time
Creation date of the object.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the object to all of its children.
Default value:
true
Type: boolean
Defines if the object is protected.
Type: string
The controller declared in the certificate authority.
Type: string
The namespace declared in the certificate authority.
Type: string
The serial number of the CA.
Type: time
Last update date of the object.

policy/files

FileAccessPolicy

A file access policy allows processing units to access various folders and files. It uses the tags of a file path to determine which file or folder path access is granted to. You can allow the processing unit any combination of read, write, or execute.
When a processing unit is a Docker container, the policy polices the volumes; mount and execute have no effect.
File paths are not supported yet for standard Linux processes.

Example

{ "allowsExecute": false, "allowsRead": false, "allowsWrite": false, "disabled": false, "encryptionEnabled": false, "fallback": false, "logsEnabled": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of file access policies.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new file access policy.
Deletes the policy with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Retrieves the policy with the given ID.
Updates the policy with the given ID.
Returns the list of file paths that match the policy.
Returns the list of processing units that match the policy.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Type: boolean
Allows files to be executed.
Type: boolean
Allows files to be read.
Type: boolean
Allows files to be written.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Set to true to enable automatic encryption.
Type: time
If set the policy will be automatically deleted after the given time.
Type: boolean
Indicates that this is a fallback policy. It is only applied if no other policy has resolved. If the policy is also propagated, it becomes the fallback for child namespaces.
Type: boolean
A value of true enables logging.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
The object of the policy.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
The subject of the policy.
Type: time
Last update date of the object.

FileAccessReport

Post a new file access report.

Example

{ "action": "Accepted", "host": "localhost", "mode": "rxw", "path": "/etc/passwd", "processingUnitID": "xxx-xxx-xxx-xxx", "processingUnitNamespace": "/my/ns", "timestamp": "2018-06-14T23:10:46.420397985Z" }

Relations

Create a file access statistics report.

Attributes

Type: string
Identifier of the object.
Type: string
Host storing the file.
Default value:
"localhost"
Type: string
Mode of file access.
Default value:
"rxw"
Type: string
Path of the file.
Default value:
"/etc/passwd"
Type: string
ID of the processing unit.
Type: string
Namespace of the processing unit.
Type: time
Date of the report.

FilePath

A file path represents an arbitrary path to a file or a folder. File paths can be used in file access policies to allow processing units to access them, using various modes (read, write, execute). You will need to use the file path's tags to set policies. Good examples are volume=web or file=/etc/passwd.

Example

{ "filepath": "/etc/passwd", "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of file paths.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
Create a new file path.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Multiple q parameters are combined with OR.
Retrieves the object with the given ID.
Updates the object with the given ID.
Returns the list of file paths that match the policy.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: string
FilePath refers to the file mount path.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: string
Server is the server name/ID/IP associated with the file path.
Type: time
Last update date of the object.

policy/hooks

HookPolicy

Allows you to define hooks on the write operations in squall. Hooks are sent to an external Rufus server that does the processing and may return a modified version of the object before it is saved.

Example

{ "certificateAuthority": "-----BEGIN CERTIFICATE----- MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4 NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau 7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8 jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA== -----END CERTIFICATE-----", "clientCertificate": "-----BEGIN CERTIFICATE----- MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2 NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6 peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8 -----END CERTIFICATE-----", "clientCertificateKey": "-----BEGIN EC PRIVATE KEY----- MHcCAQEEIGOXJI/123456789oamOu4tQAIKFdbyvkIJg9GME0mHzoAoGCCqGSM49 AwEHoUQDQgAE6bM8mP123456789AfmBWtnucfByQXk568lDcKNIQx6yNn+7txbwg F9eXFkofGX3UgRtsHe123456789xQ1naSw== -----END EC PRIVATE KEY-----", "continueOnError": false, "disabled": false, "endpoint": "https://hooks.hookserver.com/remoteprocessors", "endpointType": "URL", "fallback": false, "mode": "Pre", "name": "the name", "propagate": false, "propagationHidden": false, "protected": false, "selectors": [ [ "automation:name=myautomation" ] ], "subject": [ [ "$identity=processingunit" ] ] }

Relations

Retrieves the list of hooks.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new hook.
Deletes the hook with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the hook with the given ID.
Updates the hook with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: string
Contains the PEM block of the certificate authority used by the remote endpoint.
Type: string
Contains the client certificate that will be used to connect to the remote endpoint. If provided, the private key associated with this certificate must also be configured.
Type: string
Contains the key associated with the clientCertificate. It must be provided only when clientCertificate has been configured.
Type: boolean
If set to true and mode is Pre, the request will be honored even if calling the hook fails.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: string
Contains the full address of the remote processor endpoint.
Defines the type of endpoint for the hook.
Default value:
"URL"
Type: time
If set the hook will be automatically deleted after the given time.
Type: boolean
Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Defines the type of hook.
Default value:
"Pre"
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
If set to true while the policy is propagating, it won’t be visible to child namespaces, but it is still used for policy resolution.
Type: boolean
Defines if the object is protected.
A tag or tag expression that identifies the automation that must be run in case no endpoint is provided.
Contains the tag expression that an object must match in order to trigger the hook.
Type: []string
Selects the operation(s) on which the hook triggers. An empty list means all operations. You can set any combination of create, update or delete; any other value triggers a validation error.
Type: time
Last update date of the object.
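The three PEM attributes above (certificateAuthority, clientCertificate, clientCertificateKey) are only useful if a consumer checks them before dialing the endpoint: a certificate without its key, a key without its certificate, a mismatched pair or an unparsable CA should all be rejected at policy-validation time rather than discovered as a TLS failure at the first write. The following is an added example, not code from the page or from the Aporeto/gaia project; the `HookTLS` type, the `TLSConfig` method and the throwaway self-signed certificate generated by `selfSignedPEM` are assumptions of this example (the page's own certificates are not reused, since its sample key is a placeholder).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// HookTLS holds the three PEM attributes of a HookPolicy that concern transport security.
// (Hypothetical type for this example; field names follow the attribute names on the page.)
type HookTLS struct {
	CertificateAuthority string
	ClientCertificate    string
	ClientCertificateKey string
}

// TLSConfig mirrors the constraints stated in the attribute descriptions: a client
// certificate requires its private key, a key without a certificate is an error,
// and both the CA and the client pair must parse. The returned config trusts only
// the policy's CA, not the host's system roots, so the hook server is pinned to it.
func (h HookTLS) TLSConfig() (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}

	if h.CertificateAuthority != "" {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM([]byte(h.CertificateAuthority)) {
			return nil, errors.New("certificateAuthority: no valid PEM certificate found")
		}
		cfg.RootCAs = pool
	}

	switch {
	case h.ClientCertificate == "" && h.ClientCertificateKey == "":
		// mTLS not requested: server-side authentication only.
	case h.ClientCertificate == "":
		return nil, errors.New("clientCertificateKey set but clientCertificate is empty")
	case h.ClientCertificateKey == "":
		return nil, errors.New("clientCertificate set but clientCertificateKey is empty")
	default:
		// X509KeyPair fails if the key does not belong to the certificate's public key.
		pair, err := tls.X509KeyPair([]byte(h.ClientCertificate), []byte(h.ClientCertificateKey))
		if err != nil {
			return nil, fmt.Errorf("clientCertificate/clientCertificateKey: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// selfSignedPEM generates a throwaway ECDSA self-signed certificate and key (constructed
// test material, not the page's certificates) so the example runs offline.
func selfSignedPEM(cn string) (certPEM, keyPEM string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}))
	return certPEM, keyPEM, nil
}

func main() {
	cert, key, err := selfSignedPEM("hook-client")
	if err != nil {
		panic(err)
	}
	good := HookTLS{CertificateAuthority: cert, ClientCertificate: cert, ClientCertificateKey: key}
	if _, err := good.TLSConfig(); err != nil {
		panic(err)
	}
	bad := HookTLS{ClientCertificate: cert} // key missing: must be rejected
	_, err = bad.TLSConfig()
	fmt.Println("complete policy: ok; certificate without key:", err)
}
```

The resulting `tls.Config` is what an `http.Transport` dialing the `endpoint` would use; pinning `RootCAs` to the policy's CA means a hook server presenting a certificate from any other issuer, including a publicly trusted one, is refused.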

RemoteProcessor

Hook to integrate a Microsegmentation service.

Example

{ "claims": [ "@auth:realm=certificate", "@auth:commonname=john" ], "input": "{ \"name\": \"hello\", \"description\": \"hello\" }", "mode": "Pre", "namespace": "/my/namespace", "operation": "create", "targetIdentity": "processingunit" }

Relations

This should be here.

Attributes

Type: []string
Represents the claims of the currently managed object.
Represents data received from the service.
Defines the hook’s type.
Type: string
Represents the current namespace.
Defines the operation that is currently handled by the service.
Returns OutputData filled with the processor information.
Type: string
Gives the ID of the request coming from the main server.
Type: string
Represents the identity name of the managed object.

policy/hosts

HostService

Represents services that a host must expose and protect.

Example

{ "hostModeEnabled": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of host services.
Creates a new host service.
Deletes the host service with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the host service with the given ID.
Updates the host service with the given ID.
Returns a list of the host services policies that apply to this enforcer.
Parameters:
  • appliedServices (boolean): Valid when retrieved for a given enforcer and returns the applied services.
  • setServices (boolean): Instructs Microsegmentation Console to cache the services that were resolved.
Returns the list of host services that are referenced by this mapping.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Forces the corresponding enforcers to enable host protection. When true, all incoming and outgoing flows will be monitored. Flows will be allowed if and only if a network policy has been created to allow the flow. The option applies to all enforcers to which the host service is mapped.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: []string
Lists all protocols and ports on which a service is running. A service entry can be defined by a protocol and port (tcp/80), or by a protocol and port range (udp/80:100). If no protocol is provided, it is assumed to be TCP. Only the tcp and udp protocols are allowed.
Type: time
Last update date of the object.

HostServiceMappingPolicy

Host service mapping allows you to map host services to the enforcers that should implement them. You must map host services to one or more enforcers for the host services to have any effect.

Example

{ "disabled": false, "fallback": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of host service mappings.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new host service mapping.
Deletes the mapping with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the mapping with the given ID.
Updates the mapping with the given ID.
Returns the list of enforcers that are affected by this mapping.
Returns the list of host services that are referenced by this mapping.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
A tag or tag expression identifying the host service(s) to be mapped.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
A tag or tag expression identifying the enforcer(s) that should implement the specified host service(s).
Type: time
Last update date of the object.

policy/networking

CachedFlowReport

Post a new cached flow report.

Example

{ "action": "Accept", "destinationController": "api.east.acme.com", "destinationID": "xxx-xxx-xxx", "destinationNamespace": "/my/namespace", "destinationPlatform": "api.east.acme.com", "destinationType": "ProcessingUnit", "encrypted": false, "enforcerID": "5c6cce207ddf1fc159a104bf", "isLocalDestinationID": false, "isLocalSourceID": false, "namespace": "/my/namespace", "observed": false, "observedAction": "NotApplicable", "observedEncrypted": false, "observedPolicyID": "xxx-xxx-xxx", "observedPolicyNamespace": "/my/namespace", "policyID": "xxx-xxx-xxx", "policyNamespace": "/my/namespace", "protocol": 6, "serviceType": "NotApplicable", "sourceController": "api.west.acme.com", "sourceID": "xxx-xxx-xxx", "sourceNamespace": "/my/namespace", "sourcePlatform": "api.west.acme.com", "sourceType": "ProcessingUnit", "value": 1 }

Relations

Create a cached flow statistics report.

Attributes

Type: string
Identifier of the object.
Action applied to the flow.
Type: string
Identifier of the destination controller.
Type: string
ID of the destination.
Type: string
Destination IP address.
Type: string
Namespace of the destination. This is deprecated. Use remoteNamespace. This property does nothing.
Type: string
Identifier of the destination platform.
Type: integer
Port of the destination.
Type: string
This field is only set if action is set to Reject. It specifies the reason for the rejection.
Type: boolean
If true, the flow was encrypted.
Type: string
ID of the enforcer where the report was collected.
Type: boolean
Indicates if the destination endpoint is an enforcer-local processing unit.
Type: boolean
Indicates if the source endpoint is an enforcer-local processing unit.
Type: string
This is here for backward compatibility.
Type: boolean
If true, design mode is on.
Action observed on the flow.
Default value:
"NotApplicable"
Type: string
Specifies the reason for a rejection. Only set if observedAction is set to Reject.
Type: boolean
Value of the encryption of the network policy that observed the flow.
Type: string
ID of the network policy that observed the flow.
Type: string
Namespace of the network policy that observed the flow.
Type: string
ID of the network policy that accepted the flow.
Type: string
Namespace of the network policy that accepted the flow.
Type: integer
Protocol number.
Type: string
Namespace of the object at the other end of the flow.
Type: string
Contains the eventual name assigned to the particular rule in the NetworkRuleSetPolicy that acted on the flow.
Type: string
Hash of the claims used to communicate.
Type: string
ID of the service.
Type: string
Namespace of Service accessed.
Type of the service.
Default value:
"NotApplicable"
Type: string
Service URL accessed.
Type: string
Identifier of the source controller.
Type: string
ID of the source.
Type: string
Type of the source.
Type: string
Namespace of the source. This is deprecated. Use remoteNamespace. This property does nothing.
Type: string
Identifier of the source platform.
Type: time
Time and date of the log.
Type: integer
Number of flows in the log.

Claims

Represents the claims in the token used to access a service.

Example

{ "content": { "exp": 1553899021, "iat": 1553888221, "iss": "https://accounts.acme.com", "sub": "alice@acme.com" }, "hash": "1134423925458173049" }

Relations

Retrieves the list of claims.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new claims record.
Retrieves the object with the given ID.

Attributes

Type: string
Identifier of the object.
Contains the raw JSON web token (JWT) claims.
Type: string
XXH64 hash of the claims content. It will be used as the ID. To compute a correct hash, you must first flatten the content into a string array of key=value entries, sort it, then apply the XXH64 function.
Type: string
Namespace tag attached to an entity.
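The hash attribute above is a canonicalisation followed by XXH64: flatten the claims to key=value strings, sort, hash. Sorting is the step that matters for security, since it makes the identifier independent of the key order in which a token serialised its claims, so the same set of claims always maps to the same record. The following is an added example, not code from the page or from the Aporeto/gaia project. It assumes a newline as the separator when the sorted array is fed to XXH64 (the page does not state the join format, so the numeric result is not expected to match the page's sample hash), and it includes a pure-Go XXH64 so that it runs offline without a third-party module; the function names `CanonicalClaims`, `ClaimsHash` and `XXH64` are this example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
	"sort"
	"strings"
)

// CanonicalClaims flattens the JWT claims into sorted "key=value" strings, the step the
// attribute description prescribes before hashing. Sorting makes the result independent
// of the JSON key order, so two tokens carrying the same claims hash identically.
func CanonicalClaims(content map[string]interface{}) []string {
	out := make([]string, 0, len(content))
	for k, v := range content {
		out = append(out, fmt.Sprintf("%s=%v", k, v))
	}
	sort.Strings(out)
	return out
}

// ClaimsHash joins the canonical entries and returns the XXH64 digest as a decimal string,
// the numeric form the hash attribute uses. The newline separator is an assumption of
// this example; the page does not say how the sorted array is passed to XXH64.
func ClaimsHash(content map[string]interface{}) string {
	joined := strings.Join(CanonicalClaims(content), "\n")
	return fmt.Sprintf("%d", XXH64([]byte(joined), 0))
}

// XXH64 primes from the reference specification.
const (
	p1 uint64 = 11400714785074694791
	p2 uint64 = 14029467366897019727
	p3 uint64 = 1609587929392839161
	p4 uint64 = 9650029242287828579
	p5 uint64 = 2870177450012600261
)

func round(acc, in uint64) uint64 { return bits.RotateLeft64(acc+in*p2, 31) * p1 }
func mergeRound(h, v uint64) uint64 { return (h^round(0, v))*p1 + p4 }

// XXH64 is a straightforward pure-Go implementation of the 64-bit xxHash (non-cryptographic;
// it is an identifier, not an integrity check).
func XXH64(b []byte, seed uint64) uint64 {
	n := uint64(len(b))
	var h uint64
	if len(b) >= 32 {
		// Four independent lanes consume 32-byte stripes, then are merged.
		v1, v2, v3, v4 := seed+p1+p2, seed+p2, seed, seed-p1
		for len(b) >= 32 {
			v1 = round(v1, binary.LittleEndian.Uint64(b[0:8]))
			v2 = round(v2, binary.LittleEndian.Uint64(b[8:16]))
			v3 = round(v3, binary.LittleEndian.Uint64(b[16:24]))
			v4 = round(v4, binary.LittleEndian.Uint64(b[24:32]))
			b = b[32:]
		}
		h = bits.RotateLeft64(v1, 1) + bits.RotateLeft64(v2, 7) + bits.RotateLeft64(v3, 12) + bits.RotateLeft64(v4, 18)
		h = mergeRound(h, v1)
		h = mergeRound(h, v2)
		h = mergeRound(h, v3)
		h = mergeRound(h, v4)
	} else {
		h = seed + p5
	}
	h += n
	// Tail: 8-byte words, then one 4-byte word, then single bytes.
	for len(b) >= 8 {
		h ^= round(0, binary.LittleEndian.Uint64(b[:8]))
		h = bits.RotateLeft64(h, 27)*p1 + p4
		b = b[8:]
	}
	if len(b) >= 4 {
		h ^= uint64(binary.LittleEndian.Uint32(b[:4])) * p1
		h = bits.RotateLeft64(h, 23)*p2 + p3
		b = b[4:]
	}
	for _, c := range b {
		h ^= uint64(c) * p5
		h = bits.RotateLeft64(h, 11) * p1
	}
	// Final avalanche.
	h ^= h >> 33
	h *= p2
	h ^= h >> 29
	h *= p3
	h ^= h >> 32
	return h
}

func main() {
	// Claims taken from the page's example record.
	claims := map[string]interface{}{
		"exp": 1553899021, "iat": 1553888221,
		"iss": "https://accounts.acme.com", "sub": "alice@acme.com",
	}
	fmt.Println(CanonicalClaims(claims))
	fmt.Println("hash:", ClaimsHash(claims))
}
```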

ConnectionExceptionReport

Post a new flow log.

Example

{ "destinationController": "api.west.acme.com", "destinationProcessingUnitID": "xxx-xxx-xxx", "enforcerID": "xxx-xxx-xxx", "enforcerNamespace": "/my/namespace", "namespace": "/my/namespace", "processingUnitID": "xxx-xxx-xxx", "processingUnitNamespace": "/my/namespace", "protocol": 6, "serviceType": "L3", "state": [ "Unknown" ], "value": 1 }

Relations

Create a connection exception report.

Attributes

Type: string
Identifier of the object.
Type: string
Identifier of the destination controller. This should be set in SynAckTransmitted state.
Type: string
Destination IP address.
Type: integer
Port of the destination.
Type: string
ID of the destination processing unit. This should be set in SynAckTransmitted state.
Type: string
ID of the enforcer.
Type: string
Namespace of the enforcer.
Type: string
Namespace of the processing unit that encountered this exception.
Type: string
ID of the processing unit that encountered this exception.
Type: string
Namespace of the processing unit that encountered this exception.
Type: integer
Protocol number.
Type: string
It specifies the reason for the exception.
Type of the service.
Default value:
"L3"
Type: string
Source IP address.
Represents the state in which this report was generated.
Type: time
Time and date of the report.
Type: integer
Number of packets hit.

ExternalNetwork

An external network represents an arbitrary network or IP address that is not managed by Microsegmentation. External networks can be used in network policies to allow traffic from or to the declared network or IP, using the provided protocol and port (or range of ports). If you want to describe the internet (i.e., anywhere), use 0.0.0.0/0 as the address and 1-65000 for the ports. You must assign the external network one or more tags; these allow you to reference the external network from your network policies.

Example

{ "name": "the name", "propagate": false, "protected": false, "servicePorts": [ "tcp/80", "udp/80:100" ], "type": "Subnet" }

Relations

Retrieves the list of external networks.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new external network.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the object with the given ID.
Updates the object with the given ID.
Returns the list of external networks affected by an infrastructure policy.
Returns the list of external networks affected by a network policy.
Returns the list of external networks affected by a network rule set policy.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: []string
List of CIDRs or domain names.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: []string
List of protocol/ports (tcp/80) or (udp/80:100).
The type of external network (default Subnet).
Default value:
"Subnet"
Type: time
Last update date of the object.
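HostService and ExternalNetwork share the servicePorts format (tcp/80, udp/80:100, protocol defaulting to TCP, only tcp and udp allowed). A policy consumer should parse and validate these strings strictly, because a silently mis-parsed entry either opens more ports than intended or blocks a legitimate flow. The following parser is an added example, not code from the page or from the Aporeto/gaia project; the `ServicePort` type, `ParseServicePort` and `Matches` are this example's own names, and the port bounds check (1-65535) is this example's choice, as the page states no bounds.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ServicePort is one parsed servicePorts entry: a protocol and an inclusive port range.
type ServicePort struct {
	Protocol string
	From, To int
}

// ParseServicePort accepts "proto/port" or "proto/from:to"; a missing protocol means tcp,
// and only tcp and udp are permitted. Anything malformed, out of range or inverted is an
// error rather than a guess, so a bad policy fails at validation time instead of at enforcement.
func ParseServicePort(entry string) (ServicePort, error) {
	entry = strings.TrimSpace(strings.ToLower(entry))
	if entry == "" {
		return ServicePort{}, errors.New("empty service port entry")
	}
	proto, ports := "tcp", entry
	if i := strings.IndexByte(entry, '/'); i >= 0 {
		proto, ports = entry[:i], entry[i+1:]
	}
	if proto != "tcp" && proto != "udp" {
		return ServicePort{}, fmt.Errorf("%q: protocol must be tcp or udp", entry)
	}
	parts := strings.SplitN(ports, ":", 2)
	from, err := parsePort(parts[0])
	if err != nil {
		return ServicePort{}, fmt.Errorf("%q: %w", entry, err)
	}
	to := from
	if len(parts) == 2 {
		if to, err = parsePort(parts[1]); err != nil {
			return ServicePort{}, fmt.Errorf("%q: %w", entry, err)
		}
		if to < from {
			return ServicePort{}, fmt.Errorf("%q: range end %d is below start %d", entry, to, from)
		}
	}
	return ServicePort{Protocol: proto, From: from, To: to}, nil
}

// parsePort enforces the 1-65535 bound (an assumption of this example).
func parsePort(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil || n < 1 || n > 65535 {
		return 0, fmt.Errorf("invalid port %q (want 1-65535)", s)
	}
	return n, nil
}

// Matches reports whether a flow with the given protocol and destination port falls inside
// the entry, which is the check a policy engine performs to decide whether a flow is covered.
func (p ServicePort) Matches(proto string, port int) bool {
	return strings.EqualFold(proto, p.Protocol) && port >= p.From && port <= p.To
}

func main() {
	// Constructed inputs: the page's two sample entries plus some that must be rejected.
	for _, e := range []string{"tcp/80", "udp/80:100", "443", "icmp/0", "tcp/90:80", "tcp/70000"} {
		sp, err := ParseServicePort(e)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("accept: %s %d-%d (tcp/443 covered: %v)\n", sp.Protocol, sp.From, sp.To, sp.Matches("tcp", 443))
	}
}
```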

FlowReport

Post a new flow log.

Example

{ "action": "Accept", "destinationController": "api.east.acme.com", "destinationID": "xxx-xxx-xxx", "destinationNamespace": "/my/namespace", "destinationPlatform": "api.east.acme.com", "destinationType": "ProcessingUnit", "encrypted": false, "enforcerID": "5c6cce207ddf1fc159a104bf", "namespace": "/my/namespace", "observed": false, "observedAction": "NotApplicable", "observedEncrypted": false, "observedPolicyID": "xxx-xxx-xxx", "observedPolicyNamespace": "/my/namespace", "policyID": "xxx-xxx-xxx", "policyNamespace": "/my/namespace", "protocol": 6, "serviceType": "NotApplicable", "sourceController": "api.west.acme.com", "sourceID": "xxx-xxx-xxx", "sourceNamespace": "/my/namespace", "sourcePlatform": "api.west.acme.com", "sourceType": "ProcessingUnit", "value": 1 }

Relations

Create a flow statistics report.

Attributes

Type: string
Identifier of the object.
Action applied to the flow.
Type: string
Identifier of the destination controller.
Type: string
ID of the destination.
Type: string
Destination IP address.
Type: string
Namespace of the destination. This is deprecated. Use remoteNamespace. This property does nothing.
Type: string
Identifier of the destination platform.
Type: integer
Port of the destination.
Type: string
This field is only set if action is set to Reject. It specifies the reason for the rejection.
Type: boolean
If true, the flow was encrypted.
Type: string
ID of the enforcer where the report was collected.
Type: string
This is here for backward compatibility.
Type: boolean
If true, design mode is on.
Action observed on the flow.
Default value:
"NotApplicable"
Type: string
Specifies the reason for a rejection. Only set if observedAction is set to Reject.
Type: boolean
Value of the encryption of the network policy that observed the flow.
Type: string
ID of the network policy that observed the flow.
Type: string
Namespace of the network policy that observed the flow.
Type: string
ID of the network policy that accepted the flow.
Type: string
Namespace of the network policy that accepted the flow.
Type: integer
Protocol number.
Type: string
Namespace of the object at the other end of the flow.
Type: string
Contains the eventual name assigned to the particular rule in the NetworkRuleSetPolicy that acted on the flow.
Type: string
Hash of the claims used to communicate.
Type: string
ID of the service.
Type: string
Namespace of Service accessed.
Type of the service.
Default value:
"NotApplicable"
Type: string
Service URL accessed.
Type: string
Identifier of the source controller.
Type: string
ID of the source.
Type: string
Type of the source.
Type: string
Namespace of the source. This is deprecated. Use remoteNamespace. This property does nothing.
Type: string
Identifier of the source platform.
Type: time
Time and date of the log.
Type: integer
Number of flows in the log.

InfrastructurePolicy

Infrastructure policies represent the network access rules of the underlying infrastructure. They can assist you in analyzing how AWS security groups, firewalls, and other access control list (ACL) mechanisms may affect Microsegmentation network policies. Microsegmentation’s AWS integration app automatically populates AWS security groups.

Example

{ "action": "Allow", "applyPolicyMode": "OutgoingTraffic", "disabled": false, "name": "the name", "protected": false }

Relations

Retrieves the list of infrastructure policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Creates a new infrastructure policy.
Deletes the infrastructure policy with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the infrastructure policy with the given ID.
Updates the infrastructure policy with the given ID.
Returns the list of external networks affected by an infrastructure policy.
Returns the list of processing units affected by an infrastructure policy.
Returns the list of services affected by an infrastructure policy.

Attributes

Type: string
Identifier of the object.
Defines the action to apply to a flow.
Default value:
"Allow"
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Determines if the policy applies to the outgoing traffic of the subject or the incoming traffic of the subject. OutgoingTraffic (default) or IncomingTraffic.
Default value:
"OutgoingTraffic"
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: time
If set the policy will be automatically deleted after the given time.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Object of the policy.
Type: boolean
Defines if the object is protected.
Subject of the policy.
Type: time
Last update date of the object.

NetworkAccessPolicy

Allows you to define network policies to allow or prevent processing units identified by their tags to talk to other processing units or external networks (also identified by their tags).

Example

{ "action": "Allow", "applyPolicyMode": "Bidirectional", "disabled": false, "encryptionEnabled": false, "fallback": false, "logsEnabled": false, "name": "the name", "negateObject": false, "negateSubject": false, "observationEnabled": false, "observedTrafficAction": "Continue", "propagate": false, "protected": false }

Relations

Retrieves the list of network policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new network policy. This is deprecated in favor of NetworkRuleSetPolicy.
Deletes the policy with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the policy with the given ID.
Updates the policy with the given ID.
Returns the list of external networks affected by a network policy.
Returns the list of processing units affected by a network policy.
Returns the list of services affected by a network policy.

Attributes

Type: string
Identifier of the object.
Defines the action to apply to a flow.
  • Allow: allows the defined traffic.
  • Reject: rejects the defined traffic; useful in conjunction with an allow all policy.
  • Continue: neither allows nor rejects the traffic; useful for applying another property to the traffic.
Default value:
"Allow"
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Sets three different types of policies:
  • IncomingTraffic: applies the policy to all processing units that match the object and allows them to accept connections from processing units or external networks that match the subject.
  • OutgoingTraffic: applies the policy to all processing units that match the subject and allows them to initiate connections with processing units or external networks that match the object.
  • Bidirectional (default): applies the policy to all processing units that match the object and allows them to accept connections from processing units that match the subject. Also applies the policy to all processing units that match the subject and allows them to initiate connections with processing units that match the object.
Default value:
"Bidirectional"
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Defines if the flow has to be encrypted. This property is deprecated and has no effect.
Type: time
If set the policy will be automatically deleted after the given time.
Type: boolean
Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.
Type: boolean
If true, the relevant flows are logged and available from Microsegmentation Console. Under some advanced scenarios you may wish to set this to false, such as to save space or improve performance.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: boolean
Setting this to true will invert the object to find what is not matching.
Type: boolean
Setting this to true will invert the subject to find what is not matching.
Type: []string
Contains the list of normalized tags of the entities.
A tag or tag expression identifying the object of the policy.
Type: boolean
If set to true, the flow will be in observation mode.
If observationEnabled is set to true, this defines the final action taken on the packets: Apply or Continue (default).
Default value:
"Continue"
Type: []string
Represents the ports and protocols this policy applies to.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
A tag or tag expression identifying the subject of the policy.
Type: time
Last update date of the object.
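The applyPolicyMode, negateSubject and negateObject attributes decide not only which flows a policy covers but on which end the policy is installed: with OutgoingTraffic only the enforcer protecting the subject sees the rule, with IncomingTraffic only the one protecting the object, and with Bidirectional (the default) both. A small resolver makes that visible. The following is an added example, not code from the page or from the Aporeto/gaia project. It assumes the list-of-lists tag expression form shown in the page's examples means "every tag in an inner list must be present, any inner list may match" (AND inside, OR across), and it models the enforcement end with a `Side` value; `TagExpression`, `Policy`, `Applies`, `AtSource` and `AtDestination` are this example's own names.

```go
package main

import "fmt"

// TagExpression uses the list-of-lists form seen on the page ([[ "a", "b" ], [ "c" ]]).
// Assumed reading: all tags of an inner list must be present (AND); any inner list
// suffices (OR). An expression with no clauses matches nothing.
type TagExpression [][]string

// Matches reports whether the given tag set satisfies the expression.
func (e TagExpression) Matches(tags []string) bool {
	set := make(map[string]bool, len(tags))
	for _, t := range tags {
		set[t] = true
	}
	for _, clause := range e {
		all := len(clause) > 0
		for _, want := range clause {
			if !set[want] {
				all = false
				break
			}
		}
		if all {
			return true
		}
	}
	return false
}

// Side identifies which processing unit's enforcer is evaluating the flow.
type Side int

const (
	AtSource      Side = iota // the enforcer protecting the unit that initiates the connection
	AtDestination             // the enforcer protecting the unit that accepts it
)

// Policy carries the NetworkAccessPolicy fields that decide match and direction.
type Policy struct {
	Subject, Object             TagExpression
	ApplyPolicyMode             string // IncomingTraffic, OutgoingTraffic or Bidirectional (default)
	NegateSubject, NegateObject bool
}

// Applies reports whether the policy is in force on the given side for a connection
// initiated by a unit tagged srcTags towards a unit tagged dstTags. In every mode the
// subject is the initiator and the object the acceptor; the mode only selects which
// end(s) install the rule. Negation inverts the corresponding match, as the page describes.
func (p Policy) Applies(side Side, srcTags, dstTags []string) bool {
	subjectOK := p.Subject.Matches(srcTags) != p.NegateSubject
	objectOK := p.Object.Matches(dstTags) != p.NegateObject
	if !subjectOK || !objectOK {
		return false
	}
	switch p.ApplyPolicyMode {
	case "OutgoingTraffic":
		return side == AtSource
	case "IncomingTraffic":
		return side == AtDestination
	case "Bidirectional", "":
		return true
	}
	return false // unknown mode: fail closed
}

func main() {
	// Constructed policy and tag sets, not taken from a real deployment.
	p := Policy{
		Subject:         TagExpression{{"app=web"}},
		Object:          TagExpression{{"app=db"}},
		ApplyPolicyMode: "OutgoingTraffic",
	}
	web, db := []string{"app=web", "env=prod"}, []string{"app=db", "env=prod"}
	fmt.Println("web->db, enforced at source:     ", p.Applies(AtSource, web, db))
	fmt.Println("web->db, enforced at destination:", p.Applies(AtDestination, web, db))
	fmt.Println("db->web, enforced at source:     ", p.Applies(AtSource, db, web))
}
```

With OutgoingTraffic the destination enforcer reports `false`: the db unit has no rule from this policy and relies on whatever else resolves there, which is the practical reason Bidirectional is the default when both ends are enforced.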

NetworkRuleSetPolicy

Allows you to define network rule sets to allow or prevent processing units identified by their tags to talk to other processing units or external networks (also identified by their tags).

Example

{ "disabled": false, "fallback": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of network rule set policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new network rule set policy.
Deletes the policy with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the policy with the given ID.
Updates the policy with the given ID.
Returns the list of external networks affected by a network rule set policy.
Returns the list of processing units affected by a network rule set policy.
Returns the list of services affected by a network rule set policy.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.
The set of rules to apply to incoming traffic (traffic coming to the Processing Unit matching the subject).
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
The set of rules to apply to outgoing traffic (traffic coming from the Processing Unit matching the subject).
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
A tag expression used to match the processing units to which this policy applies.
Type: time
Last update date of the object.

policy/processingunits

IsolationProfile

Defines system call rules, system call actions, and other capabilities on a processing unit.

Example

{ "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of isolation profiles.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new isolation profile.
Deletes the profile with the given ID.
Retrieves the profile with the given ID.
Updates the profile with the given ID.
Returns the list of isolation profiles associated with the mapping.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: _cap_map
The capabilities that should be added to or removed from the processing unit.
Type: time
Creation date of the object.
The default action applied to all system calls of this profile. Default is Allow.
Type: string
Description of the object.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
A list of system call rules that identify actions for particular system calls.
The processor architectures that the profile supports. Defaults to all.
Type: time
Last update date of the object.

ProcessingUnitPolicy

Processing unit policies allow you to define special behavior for processing units. For example you can associate an isolation profile with a set of processing units or select a specific datapath.

Example

{ "action": "Default", "datapathType": "Default", "disabled": false, "fallback": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of processing unit policies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new processing unit policy.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the object with the given ID.
Updates the object with the given ID.
Returns the list of isolation profiles associated with the mapping.
Returns the list of processing units referenced by the mapping.

Attributes

Type: string
Identifier of the object.
Determines the action to take while enforcing the isolation profile. Note: choose Default if the processing unit is not supposed to make a decision on isolation profiles at all.
Default value:
"Default"
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
The datapath type that processing units selected by subject should implement:
  • Default: This policy is not making a decision for the datapath.
  • Aporeto: The enforcer is managing and handling the datapath.
  • EnvoyAuthorizer: The enforcer is serving Envoy-compatible gRPC APIs for every processing unit that for example can be used by an Envoy proxy to use the Microsegmentation PKI and implement Microsegmentation network policies. NOTE: The enforcer is not going to own the datapath in this example. It is merely providing an authorizer API.
Default value:
"Default"
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is a fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.
The isolation profiles to be mapped. Only applies to Enforce and LogCompliance actions.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Contains the tag expression the tags need to match for the policy to apply.
Type: time
Last update date of the object.

ProcessingUnitService

Represents a service attached to a processing unit.

Attributes

Type: string
Contains the list of allowed ports and ranges.
Type: integer
Protocol used by the service.
Type: []string
List of single ports or port ranges (xx:yy).

policy/quota

QuotaCheck

Allows you to verify the quota for a given identity in a given namespace with the given tags.

Example

{ "targetIdentity": "processingunit", "targetNamespace": "/my/namespace" }

Relations

Verifies if the quota is exceeded for a particular object.
Parameters:
  • remaining (boolean): Makes the system count how many objects are left available in the quota.

Attributes

Type: integer
Contains the maximum number of matching entities that can be created.
Type: integer
If the parameter remaining=true is passed, this value will be populated with the number of remaining objects in the quota.
Default value:
-1
Type: string
The identity name of the object you want to check the quota on.
Type: string
The namespace in which you want to check the quota.

QuotaPolicy

Allows you to set quotas on the number of objects that can be created in a namespace.

Example

{ "disabled": false, "fallback": false, "identities": [ "processingunit", "enforcer" ], "name": "the name", "propagate": false, "propagationHidden": false, "protected": false, "targetNamespace": "/my/namespace" }

Relations

Retrieves the list of quotas.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new quota.
Deletes the quota with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the quota with the given ID.
Updates the quota with the given ID.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: time
If set the quota will be automatically deleted after the given time.
Type: boolean
Indicates that this is a fallback policy. It is only applied if no other policy has been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.
Type: []string
Contains the list of identity names where the quota will be applied.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
If set to true while the policy is propagating, it won't be visible to child namespaces but is still used for policy resolution.
Type: boolean
Defines if the object is protected.
Type: integer
Specifies the maximum number of objects matching the policy subject that can be created.
Type: string
Contains the base namespace from where the count will be done.
Type: time
Last update date of the object.
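To make the resolution rules above concrete (namespace placement, propagate, fallback, and counting from targetNamespace), here is an added example that is not part of the reference or of Microsegmentation's own code. It assumes that policies and objects are plain dicts keyed by the attribute names shown in the JSON example, and it adds one rule the page does not state: when several policies apply, the most restrictive quota wins.

```python
from typing import Dict, List, Tuple

def covers(base: str, ns: str) -> bool:
    """True if namespace ns is base itself or lies below it ("/a" covers "/a/b")."""
    return ns == base or ns.startswith(base.rstrip("/") + "/")

def resolve_quota_policies(policies: List[Dict], namespace: str, identity: str) -> List[Dict]:
    """Policies that apply in `namespace` for `identity`.

    A policy applies if it is not disabled, lists the identity, and either lives
    in `namespace` or in an ancestor namespace with propagate=true. Fallback
    policies count only when no non-fallback policy resolved.
    """
    matched = []
    for p in policies:
        if p.get("disabled", False) or identity not in p.get("identities", []):
            continue
        pns = p["namespace"]
        if pns == namespace or (p.get("propagate", False) and covers(pns, namespace)):
            matched.append(p)
    regular = [p for p in matched if not p.get("fallback", False)]
    return regular or [p for p in matched if p.get("fallback", False)]

def check_quota(policies: List[Dict], objects: List[Dict],
                namespace: str, identity: str) -> Tuple[int, int]:
    """Mirror of QuotaCheck with remaining=true: returns (quota, remaining).

    Objects are counted from the policy's targetNamespace downward. Assumption
    not on the page: with several applicable policies, the smallest quota wins.
    (-1, -1) means no quota applies.
    """
    applicable = resolve_quota_policies(policies, namespace, identity)
    if not applicable:
        return -1, -1
    p = min(applicable, key=lambda q: q["quota"])
    used = sum(1 for o in objects
               if o["identity"] == identity and covers(p["targetNamespace"], o["namespace"]))
    return p["quota"], max(p["quota"] - used, 0)

# Constructed sample: a propagated fallback quota at /acme and a stricter
# non-fallback quota inside /acme/prod.
POLICIES = [
    {"namespace": "/acme", "identities": ["processingunit"], "quota": 100,
     "propagate": True, "fallback": True, "targetNamespace": "/acme"},
    {"namespace": "/acme/prod", "identities": ["processingunit"], "quota": 3,
     "propagate": False, "fallback": False, "targetNamespace": "/acme/prod"},
]
OBJECTS = [{"identity": "processingunit", "namespace": ns}
           for ns in ("/acme/prod", "/acme/prod", "/acme/dev")]
```

In /acme/prod the non-fallback policy wins (quota 3, two objects used), while /acme/dev sees only the propagated fallback, whose count covers the whole /acme subtree.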

policy/services

ClaimMapping

Allows you to map a claim in a token to an HTTP header. This can be useful when offloading authentication and authorization to Microsegmentation. Some applications may expect to receive information in the HTTP header.

Example

{ "claimName": "email", "targetHTTPHeader": "X-Username" }

Attributes

Type: string
The name of the claim to map to the HTTP header.
Type: string
The HTTP header that will be the destination of the mapped claim.

Endpoint

Represents an HTTP endpoint.

Example

{ "public": false }

Attributes

Type: string
URI of the exposed API.
The scopes authorized to access the API.
Type: []string
Methods exposed to access the API.
Type: boolean
If true, the API is public.

HTTPResourceSpec

Describes an HTTP resource exposed by one or more services.

Example

{ "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of HTTP resource specifications.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
  • archived (boolean): Also retrieve the objects that have been archived.
Creates a new HTTP resource specification.
Deletes the HTTP resource with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the HTTP resource with the given ID.
Updates the HTTP resource with the given ID.
Retrieves the HTTP Resource exposed by this service.

Attributes

Type: string
Identifier of the object.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
A list of API endpoints that are exposed for the service.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: time
Last update date of the object.

Service

Defines a generic service object at layer 4 or layer 7 that encapsulates the description of a microservice. A service exposes APIs and can be implemented through third-party entities (such as a cloud provider) or through processing units.

Example

{ "OIDCProviderURL": "https://accounts.google.com", "OIDCScopes": [ "email", "profile" ], "TLSType": "Aporeto", "authorizationType": "None", "disabled": false, "exposedAPIs": [ [ "package=p1" ] ], "exposedPort": 443, "exposedServiceIsTLS": false, "external": false, "name": "the name", "port": 443, "propagate": false, "protected": false, "publicApplicationPort": 443, "selectors": [ [ "$identity=processingunit" ] ], "type": "HTTP" }

Relations

Retrieves the list of services.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new service.
Deletes the service with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the service with the given ID.
Updates the service with the given ID.
Returns the list of services affected by an infrastructure policy.
Returns the list of services affected by a network policy.
Returns the list of services affected by a network rule set policy.
Retrieves the services used by a processing unit.
Returns the list of external services that are targets of service dependency.
Retrieves the HTTP Resource exposed by this service.
Retrieves the processing units that implement this service.

Attributes

Type: string
Identifier of the object.
Type: []string
The list of IP addresses where the service can be accessed. This is an optional attribute and is only required if no host names are provided. The system will automatically resolve IP addresses from host names otherwise.
Type: string
PEM-encoded certificate that will be used to validate the user’s JSON web token (JWT) in HTTP requests. This is an optional field, needed only if the authorizationType is set to JWT.
Type: string
PEM-encoded certificate authority to use to verify client certificates. This only applies if authorizationType is set to MTLS. If it is not set, Microsegmentation Console’s public signing certificate authority will be used.
Type: string
This is an advanced setting. Optional OIDC callback URL. If you don’t set it, the enforcer will autodiscover it. It will be https://<hosts[0]|IPs[0]>/aporeto/oidc/callback.
Type: string
OIDC Client ID. Only has effect if the authorizationType is set to OIDC.
Type: string
OIDC Client Secret. Only has effect if the authorizationType is set to OIDC.
Type: string
OIDC discovery endpoint. Only has effect if the authorizationType is set to OIDC.
Type: []string
Configures the scopes you want to request from the OIDC provider. Only has effect if authorizationType is set to OIDC.
Type: string
PEM-encoded certificate to expose to the clients for TLS. Only has effect and required if TLSType is set to External.
Type: string
PEM-encoded certificate key associated with TLSCertificate. Only has effect and required if TLSType is set to External.
Set how to provide a server certificate to the service.
  • Aporeto: Generate a certificate signed by the Microsegmentation Console public CA.
  • LetsEncrypt: Issue a certificate from Let’s Encrypt.
  • External: Let you define your own certificate and key to use.
  • None: TLS is disabled (not recommended).
Default value:
"Aporeto"
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Defines the user authorization type that should be used.
Default value:
"None"
Defines a list of mappings between claims and HTTP headers. When these mappings are defined, the enforcer will copy the values of the claims to the corresponding HTTP headers.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Resolves the API endpoints that the service is exposing. Only valid during policy rendering.
Contains a tag expression that will determine which APIs a service is exposing. The APIs can be defined as the RESTAPISpec or similar specifications for other layer 7 protocols.
Type: integer
The port that the service can be accessed on. Note that this is different from the port attribute, which describes the port the service is actually listening on. For example, if a load balancer is used, exposedPort is the port the load balancer listens on for the service, whereas the port the implementation listens on can be different.
Type: boolean
Indicates that the exposed service is TLS. This means that the enforcer has to initiate a TLS session in order to forward traffic to the service.
Default value:
false
Type: boolean
Indicates if this is an external service.
Default value:
false
Type: []string
The host names that the service can be accessed on.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.
Type: []string
Contains the list of normalized tags of the entities.
Type: integer
The port that the implementation of the service is listening on. It can be different from exposedPort. This is needed for port mapping use cases where there are private and public ports.
Type: boolean
Propagates the policy to all of its children.
Type: boolean
Defines if the object is protected.
Type: integer
A new virtual port that the service can be accessed on using HTTPS. Since the enforcer transparently inserts TLS in the application path, you might want to declare a new port where the enforcer listens for TLS. However, the application does not need to be modified and the enforcer will map the traffic to the correct application port. This is useful when an application is being accessed from a public network.
Type: string
If this is set, the user will be redirected to that URL in case of any authorization failure, allowing you to provide a nice message to the user. The query parameter ?failure_message=<message> will be added to that URL explaining the possible reason for the failure.
A tag or tag expression that identifies the processing unit that implements this particular service.
Type: string
PEM-encoded certificate authorities to trust when additional hops are needed. It must be set if the service must reach a service marked as external or must go through an additional TLS termination point like a layer 7 load balancer.
Type of service.
Default value:
"HTTP"
Type: time
Last update date of the object.
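The TLSType, authorizationType, host/IP and OIDC callback rules above, together with the ClaimMapping copy described earlier in policy/services, as an added example that is not the reference's or Microsegmentation's own code. Attribute names TLSType, authorizationType and OIDCProviderURL come from the page's JSON example and TLSCertificate/TLSCertificateKey from its text; hosts, IPs, OIDCClientID, OIDCClientSecret, JWTSigningCertificate and claimMappings are assumed names for attributes the page describes only in prose.

```python
from typing import Dict, List

# Assumed attribute names (described on the page only in prose): hosts, IPs,
# OIDCClientID, OIDCClientSecret, JWTSigningCertificate, claimMappings.

def lint_service(svc: Dict) -> List[str]:
    """Return the consistency problems the reference's attribute rules imply."""
    findings = []
    tls = svc.get("TLSType", "Aporeto")            # page default
    authz = svc.get("authorizationType", "None")   # page default
    if tls == "None":
        findings.append("TLSType None: TLS is disabled (not recommended)")
    if tls == "External" and not (svc.get("TLSCertificate") and svc.get("TLSCertificateKey")):
        findings.append("TLSType External requires TLSCertificate and TLSCertificateKey")
    if authz == "JWT" and not svc.get("JWTSigningCertificate"):
        findings.append("authorizationType JWT needs the PEM certificate that validates the JWT")
    if authz == "OIDC":
        for key in ("OIDCProviderURL", "OIDCClientID", "OIDCClientSecret"):
            if not svc.get(key):
                findings.append(f"authorizationType OIDC needs {key}")
    if not (svc.get("hosts") or svc.get("IPs")):
        findings.append("IPs are required when no host names are provided")
    return findings

def default_oidc_callback(svc: Dict) -> str:
    """The callback URL the enforcer autodiscovers when none is set:
    https://<hosts[0]|IPs[0]>/aporeto/oidc/callback."""
    first = (svc.get("hosts") or svc.get("IPs") or [""])[0]
    return f"https://{first}/aporeto/oidc/callback"

def map_claims_to_headers(mappings: List[Dict], claims: Dict) -> Dict[str, str]:
    """Copy each mapped claim into its targetHTTPHeader; unmapped claims are dropped."""
    return {m["targetHTTPHeader"]: str(claims[m["claimName"]])
            for m in mappings if m["claimName"] in claims}

# Constructed sample: an OIDC-protected HTTP service that is missing its client secret.
SERVICE = {
    "name": "payments", "type": "HTTP", "hosts": ["pay.example.internal"],
    "TLSType": "Aporeto", "authorizationType": "OIDC",
    "OIDCProviderURL": "https://accounts.google.com",
    "OIDCClientID": "client-id-placeholder",
    "claimMappings": [{"claimName": "email", "targetHTTPHeader": "X-Username"}],
}
```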

ServiceDependency

Allows you to define a service dependency where a set of processing units as defined by their tags require access to specific services.

Example

{ "disabled": false, "fallback": false, "name": "the name", "propagate": false, "protected": false }

Relations

Retrieves the list of service dependencies.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
  • propagated (boolean): Also retrieve the objects that propagate down.
Creates a new service dependency.
Deletes the object with the given ID.
Parameters:
  • q (string): Filtering query. Consequent q parameters will form an or.
Retrieves the object with the given ID.
Updates the object with the given ID.
Returns the list of processing units that depend on a service.
Returns the list of external services that are targets of service dependency.

Attributes

Type: string
Identifier of the object.
Type: string
Defines for how long the policy will be active according to the activeSchedule.
Type: string
Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
Stores additional information about an entity.
Type: []string
List of tags attached to an entity.
Type: time
Creation date of the object.
Type: string
Description of the object.
Type: boolean
Defines if the property is disabled.
Type: boolean
Indicates that this is a fallback policy. It is only applied if no other policy has been resolved. If the policy is also propagated, it becomes a fallback for child namespaces.
Type: []string
Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
Type: string
Name of the entity.
Type: string
Namespace tag attached to an entity.