Create a Centralized Policy
Creates a new policy.
Input Parameters
| Parameter | Mandatory/Optional | Data Type | Description |
|---|---|---|---|
| k8sFilters | Mandatory | array | Array of cluster and namespace scopes. Not required when creating an Organization level policy (send `"k8sFilters": null`); each entry carries a `cluster` object, a `namespace` object, or both. |
| cluster | Mandatory | object | Applicable for Cluster level policy. Provides cluster details; set to `null` when the entry scopes a namespace only. |
| clusterUid | Mandatory | string | Applicable for Cluster level policy. Specify the UID of the cluster. For example: a455f902-9c93-450e-901c-b0b18fa5ec94 |
| clusterName | Mandatory | string | Applicable for Cluster level policy. Specify the name of the cluster. |
| namespace | Mandatory | object | Applicable for Namespace level policy. Provides details of the namespace; set to `null` when the entry scopes a whole cluster. |
| namespaceUuid | Mandatory | string | Specify the UUID of the namespace. |
| namespaceValue | Mandatory | string | Specify the value (name) of the namespace. For example: acmecorp_qa |
| clusterUid | Mandatory | string | Applicable for Namespace level policy. Specify the UID of the cluster that contains the namespace. |
| policyName | Mandatory | string | Enter a policy name of up to 150 characters. |
| description | Mandatory | string | Enter a description for the policy of up to 250 characters. |
| policyType | Mandatory | string | Specify the policy type. Valid values: CICD or K8S_ADMISSION_CONTROLLER (upper case, as in the samples below). |
| policyMode | Mandatory | string | Specify the policy mode: ACTIVE to enforce the policy or INACTIVE to keep the policy deactivated. |
| assetType | Mandatory | string | Specify the asset type. Currently, only "CICD" is supported. |
| isDefault | Mandatory | boolean | Specify whether to make it a default policy. The valid values are: true or false (sent as a JSON boolean, not a string). |
| centralizedPolicyRules | Mandatory (at least one enabled rule) | array | Rules evaluated as part of the policy. Each rule has a name, a type, an action, isEnabled, stopProcessing, an ordering field and a metaData object whose keys depend on the rule type. For example, an IMAGESCAN_VULN_SEVERITYCOUNT rule with operator GREATER_THAN, threshold 1 and severityLevel 1 reads: if the count of vulnerabilities with severity level 1 is greater than 1, deny/fail the CICD build. |
| name | Mandatory | string | Name of the rule within the centralizedPolicyRules array. New rule sub-types: Block Unauthorized Author, Block Older Vulnerability. |
| type | Mandatory | string | Rule type; part of the centralizedPolicyRules array. Returned only if the particular rule is set and enabled for the policy. New values: IMAGESCAN_VULN_RESTRICTED_AUTHORS, IMAGESCAN_VULN_RESTRICTED_OLDER_VULNERABILITY |
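The following Python is an added example, not Qualys code and not taken from this page. It rebuilds the cluster-level body from the sample below with small helpers, checks it against the limits and enumerations in the parameter table before anything is sent, and POSTs it with the same headers the curl samples use. The INACTIVE spelling of policyMode, the ALLOW/FAIL action set and the injectable opener used for the offline demonstration are assumptions; the base URL and token are placeholders.

```python
"""Build, validate and submit a centralizedPolicy body (added example, not Qualys code)."""
import io
import json
import urllib.request
from typing import Callable

MAX_POLICY_NAME = 150           # "up to 150 characters"
MAX_DESCRIPTION = 250           # "up to 250 characters"
POLICY_TYPES = {"CICD", "K8S_ADMISSION_CONTROLLER"}
POLICY_MODES = {"ACTIVE", "INACTIVE"}   # samples send ACTIVE; INACTIVE spelling is assumed
RULE_ACTIONS = {"ALLOW", "FAIL"}        # the two actions used in the samples on this page


def cluster_filter(cluster_uid: str, cluster_name: str) -> dict:
    """k8sFilters entry for a cluster-level policy (same shape as the cluster sample)."""
    return {"cluster": {"clusterUid": cluster_uid, "clusterName": cluster_name},
            "namespace": None}


def severity_count_rule(name: str, severity_level: int, threshold: int,
                        action: str = "FAIL", operator: str = "GREATER_THAN",
                        sort_order: int = 0) -> dict:
    """IMAGESCAN_VULN_SEVERITYCOUNT rule: <action> when count(severity) <operator> threshold."""
    return {"name": name, "type": "IMAGESCAN_VULN_SEVERITYCOUNT", "action": action,
            "isEnabled": True, "stopProcessing": True, "sortOrder": sort_order,
            "metaData": {"operator": operator, "threshold": threshold,
                         "severityLevel": severity_level}}


def validate_policy(policy: dict) -> list:
    """Return constraint violations; an empty list means the body passes the documented
    checks. The API still validates server-side; this only catches mistakes early."""
    errors = []
    name = policy.get("policyName") or ""
    if not 0 < len(name) <= MAX_POLICY_NAME:
        errors.append(f"policyName must be 1..{MAX_POLICY_NAME} characters")
    if len(policy.get("description") or "") > MAX_DESCRIPTION:
        errors.append(f"description must be at most {MAX_DESCRIPTION} characters")
    if policy.get("policyType") not in POLICY_TYPES:
        errors.append("policyType must be CICD or K8S_ADMISSION_CONTROLLER")
    if policy.get("policyMode") not in POLICY_MODES:
        errors.append("policyMode must be ACTIVE or INACTIVE")
    if not isinstance(policy.get("isDefault"), bool):
        errors.append("isDefault must be a JSON boolean")
    rules = policy.get("centralizedPolicyRules") or []
    if not any(r.get("isEnabled") for r in rules):
        errors.append("at least one enabled rule is required")
    for r in rules:
        if not (r.get("name") and r.get("type")) or r.get("action") not in RULE_ACTIONS:
            errors.append(f"rule {r.get('name')!r}: name, type and a known action are required")
    # k8sFilters is null for an organization-level policy; otherwise every entry must
    # carry a complete cluster object and/or a complete namespace object.
    for entry in policy.get("k8sFilters") or []:
        cluster, namespace = entry.get("cluster"), entry.get("namespace")
        if cluster and not (cluster.get("clusterUid") and cluster.get("clusterName")):
            errors.append("cluster filter needs clusterUid and clusterName")
        if namespace and not all(namespace.get(k) for k in
                                 ("namespaceUuid", "namespaceValue", "clusterUid")):
            errors.append("namespace filter needs namespaceUuid, namespaceValue and clusterUid")
        if not cluster and not namespace:
            errors.append("k8sFilters entry needs a cluster or a namespace")
    return errors


def create_centralized_policy(base_url: str, token: str, policy: dict,
                              opener: Callable = urllib.request.urlopen) -> str:
    """POST the body to /csapi/v1.3/centralizedPolicy and return the new policy uuid.
    `opener` is injectable so the call can be exercised without network access."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/csapi/v1.3/centralizedPolicy",
        data=json.dumps(policy).encode("utf-8"),
        headers={"accept": "application/json", "Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    with opener(req) as resp:   # urllib raises HTTPError for non-2xx; let it propagate
        return json.load(resp)["uuid"]


def cluster_policy_example() -> dict:
    """The cluster-level body from the sample on this page, rebuilt with the helpers."""
    return {"policyName": "k8sACP", "description": "Create a policy through API",
            "policyType": "K8S_ADMISSION_CONTROLLER",
            "centralizedPolicyRules": [severity_count_rule("rule23", 2, 1, action="ALLOW")],
            "policyMode": "ACTIVE", "isDefault": False, "tagIds": [],
            "k8sFilters": [cluster_filter("a455f902-9c93-450e-901c-b0b18fa5ec94",
                                          "kubernetes-admin@kubernetes")]}


def offline_demo() -> str:
    """Submit the example against a constructed canned response (no network)."""
    canned = b'{"uuid": "d967073a-28d8-414d-b96d-3d19eaa20935"}'  # constructed from the sample
    return create_centralized_policy("https://<qualys_base_url>", "<token>",
                                     cluster_policy_example(),
                                     opener=lambda req: io.BytesIO(canned))
```

For a real call, drop the `opener` argument so `urllib.request.urlopen` is used; a 4xx from the API (for example an over-long policyName that slipped past the local check) surfaces as `urllib.error.HTTPError` rather than a silent empty uuid.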
Sample: Create a Cluster Level Policy
API Request
curl -X "POST" \
"<qualys_base_url>/csapi/v1.3/centralizedPolicy" \
-H "accept: application/json" \
-H "Authorization: Bearer <Token>" \
-H "Content-Type: application/json" \
Request Body for creating cluster level policy
-d '{
"policyName": "k8sACP",
"description": "Create a policy through API",
"policyType": "K8S_ADMISSION_CONTROLLER",
"centralizedPolicyRules":
[
{
"name": "rule23",
"type": "IMAGESCAN_VULN_SEVERITYCOUNT",
"action": "ALLOW",
"isEnabled": true,
"stopProcessing": true,
"sortOrder": 0,
"metaData":
{
"operator": "GREATER_THAN",
"threshold": 1,
"severityLevel": 2
}
}
],
"policyMode": "ACTIVE",
"isDefault": false,
"tagIds": [],
"k8sFilters":
[
{
"cluster": {
"clusterUid": "a455f902-9c93-450e-901c-b0b18fa5ec94",
"clusterName": "kubernetes-admin@kubernetes"
},
"namespace":null
}
]
}'
Response
{
"uuid": "d967073a-28d8-414d-b96d-3d19eaa20935"
}
Sample: Create a Centralized Image Assessment (CICD) Policy
API Request
curl -X 'POST' \
'<qualys_base_url>/csapi/v1.3/centralizedPolicy' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <token>' \
-H 'Content-Type: application/json' \
Request Body for creating Centralized Image Assessment (CICD) Policy
-d '{
"policyName": "Restricted author and old vul rule test",
"description": "Test",
"centralizedPolicyRules": [
{
"name": "Block Unauthorized Author",
"type": "IMAGESCAN_VULN_RESTRICTED_AUTHORS",
"isEnabled": true,
"stopProcessing": false,
"order": 0,
"kind": "IMAGE_SECURITY",
"metaData": {
"values": [
"John Doe"
]
},
"action": "FAIL"
},
{
"name": "Block Older Vulnerability",
"type": "IMAGESCAN_VULN_RESTRICTED_OLDER_VULNERABILITY",
"isEnabled": true,
"stopProcessing": false,
"order": 0,
"kind": "IMAGE_SECURITY",
"metaData": {
"value": 60
},
"action": "FAIL"
}
],
"exclusionPolicyRules": [],
"policyMode": "ACTIVE",
"policyType": "CICD",
"isDefault": false,
"tagIds": [
"7e538fcd-aae2-4d6e-a2cf-953a799b80b3"
],
"k8sFilters": []
}'
Response
{
"uuid": "d296f6a2-dd15-4700-b2b1-be29a06cbee2"
}