
cloud_security_kac_policy

This resource manages an Admission Control policy, which provides instructions to the Falcon Kubernetes Admission Controller (KAC) about what actions to take on objects at runtime.

The following API scopes are required:

  • Falcon Container Policies: READ
  • Falcon Container Policies: WRITE

Example Usage

```terraform
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

resource "crowdstrike_cloud_security_kac_policy" "example" {
  name        = "example-kac-policy"
  description = "An example KAC policy created with Terraform"
  enabled     = true
  host_groups = [
    "a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
    "f47ac10b58cc4372a5670e4cn521b862",
  ]

  # Rule groups are evaluated in list order: first entry has the highest precedence.
  rule_groups = [
    {
      name          = "example-rule-group"
      description   = "An example rule group"
      deny_on_error = false
      image_assessment = {
        enabled             = true
        unassessed_handling = "Alert"
      }
      labels = [
        {
          key      = "pd*"
          value    = "abc*"
          operator = "neq"
        }
      ]
      namespaces = ["abc*"]
      default_rules = {
        privileged_container          = "Alert"
        sensitive_data_in_environment = "Disabled"
      }
      custom_rules = [
        {
          id     = "123e4567-e89b-12d3-a456-426614174000"
          action = "Alert"
        }
      ]
    }
  ]

  # The default rule group always has the lowest precedence.
  default_rule_group = {
    deny_on_error = false
    image_assessment = {
      enabled             = false
      unassessed_handling = "Allow Without Alert"
    }
    default_rules = {
      container_run_as_root = "Prevent"
    }
    custom_rules = [
      {
        id     = "123e4567-e89b-12d3-a456-426614174000"
        action = "Disabled"
      }
    ]
  }
}

output "cloud_security_kac_policy" {
  value = crowdstrike_cloud_security_kac_policy.example
}
```
Schema

  • name (String) Name of the Kubernetes Admission Control policy.
  • default_rule_group (Attributes) The default rule group always has the lowest precedence. Only deny_on_error, image_assessment, and default_rules are configurable for the default rule group. (see below for nested schema)
  • description (String) Description of the Kubernetes Admission Control policy.
  • enabled (Boolean) Whether the policy is enabled.
  • host_groups (Set of String) Host Group ids to attach to the KAC policy.
  • rule_groups (Attributes List) A list of KAC policy rule groups in order of highest to lowest priority. Reordering the list changes rule group precedence. When reordering the list to update precedence, the rule group names must match those recorded in state; otherwise the provider treats the entry as a new rule group or as an in-place update of an existing one. (see below for nested schema)
  • id (String) Identifier for the Cloud Security KAC Policy.
  • last_updated (String) Timestamp of the last Terraform update of the resource.

Nested Schema for default_rule_group

Optional:

  • custom_rules (Attributes Set) Defines custom rules for the KAC policy. All custom rules attached to the policy must be included in every rule_groups block that defines custom_rules. Any rule_groups block that omits custom_rules will have all custom rules set to "Disabled" by default. (see below for nested schema) Action must be one of:
      • "Disabled": Do nothing
      • "Alert": Send an alert
      • "Prevent": Prevent the object from running
  • default_rules (Attributes) Set the action Falcon KAC should take when assessing default rules. All default rules are set to "Alert" by default. (see below for nested schema) Action must be one of:
      • "Disabled": Do nothing
      • "Alert": Send an alert
      • "Prevent": Prevent the object from running
  • deny_on_error (Boolean) Defines how KAC will handle an unrecognized error or timeout when processing an admission request. If set to "false", the pod or workload will be allowed to run.
  • image_assessment (Attributes) When enabled, KAC applies image assessment policies to pods or workloads that are being created or updated on the Kubernetes cluster. (see below for nested schema)

Read-Only:

  • description (String) Description of the default KAC policy rule group.
  • id (String) Identifier for the default KAC policy rule group.
  • labels (Attributes Set) The default rule group applies to all labels, and is not configurable. (see below for nested schema)
  • name (String) Name of the default KAC policy rule group.
  • namespaces (Set of String) The default rule group namespace is "*", which applies to all namespaces, and is not configurable.

Nested Schema for default_rule_group.custom_rules

Required:

  • action (String) Determines what action Falcon KAC takes when assessing the custom rule.
  • id (String) Identifier for the KAC custom rule.

Nested Schema for default_rule_group.default_rules

Optional:

  • container_in_host_ipc_namespace (String) Workload is exposed through a shared host IPC namespace. Sharing host IPC allows the container to communicate with host processes through IPC mechanisms and to access shared memory, which can potentially leak information or DoS the host process.
  • container_in_host_pid_namespace (String) Workload is exposed through a shared host PID namespace. Sharing host PID gives visibility of processes on the host, potentially leaking host and container processes, environment variables, configurations, etc.
  • container_run_as_root (String) The container is configured to run as root. Containers running as root allow applications to modify the container filesystem, memory and system packages at runtime. Additionally, root users can create raw sockets and bind to ports under 1024. These workloads should be avoided as they increase the attack surface.
  • container_using_unsafe_sysctls (String) Sysctl allows users to modify kernel settings at run time. Some sysctl configurations can exhaust resources for other containers.
  • container_with_many_capabilities (String) The container has more than the expected number of capabilities. Limiting the admission of containers with capabilities ensures that only a small number of containers have extended capabilities outside the default range. This helps ensure that if a container is compromised, it does not provide a productive path for an attacker to move laterally to other containers in the pod.
  • container_with_network_capabilities (String) CAP_NET_RAW is a powerful Linux capability. Processes with this capability can forge any kind of packet or bind to any address. This allows a container to open raw sockets and inject malicious packets into the Kubernetes container network.
  • container_with_sysadmin_capability (String) One of the containers has the CAP_SYS_ADMIN capability. CAP_SYS_ADMIN is equivalent to the root user and can help an attacker escape the container.
  • container_with_unsafe_proc_mount (String) The container has access to the host's /proc filesystem. By default, the container runtime masks certain parts of the /proc filesystem from within a container in order to prevent potential security issues. There are only two valid options for this setting: Default, which maintains the standard container runtime behavior, or Unmasked, which removes all masking for the /proc filesystem.
  • container_without_resource_limits (String) The container needs enough resources allocated on the host to run. Without any resource constraints on the container, a large application can drain all host resources, causing a Denial of Service (DoS).
  • container_without_run_as_non_root (String) The container is allowed to run as root. Containers running as root allow applications to modify the container filesystem, memory and system packages at runtime. Additionally, root users can create raw sockets and bind to ports under 1024. These workloads should be avoided as they increase the attack surface.
  • entrypoint_contains_chroot_command (String) Adversaries may attempt to gain root access to the host by running chroot on the /mnt directory in the pod command. The pod command configures how the container will run when initiated.
  • entrypoint_contains_network_scanning_command (String) A network scanning tool is present in the pod command. The pod command configures how the container will run when initiated. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
  • host_network_attached_to_container (String) Workload is exposed through a shared host network. Sharing the host network allows the container to sniff traffic on the host, access localhost services on the node and potentially bypass network policy to attack the host network.
  • host_port_attached_to_container (String) This container setting binds the container's listening port to the IP address of the host. This exposes the pod to adjacent networks and/or to the Internet. Binding a pod to a hostPort also limits the number of places the pod can be scheduled, because each [hostIP, hostPort, protocol] combination must be unique.
  • malformed_sysctl_value (String) Sysctl allows users to modify kernel settings at run time. A sysctl value was detected that attempts to set multiple kernel settings. This is an indication of a malicious attempt to tamper with worker nodes in the Kubernetes cluster. It is related to the vulnerability CVE-2022-0811, which allows an attacker to pass malicious kernel settings via a sysctl value and gain root access.
  • privilege_escalation_allowed (String) AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. It can be a security risk as it may help a child process gain more privileges.
  • privileged_container (String) Privileged workload running in Kubernetes. A privileged workload allows access to host resources and kernel capabilities, which increases the attack surface significantly.
  • runtime_socket_in_container (String) The container runtime socket, such as /var/run/docker.sock, is the UNIX socket that the container runtime listens on. This is the primary entry point for the container runtime API. Providing access to the runtime's socket is equivalent to giving unrestricted root access to your host and leads to container escape and privilege escalation to the host.
  • sensitive_data_in_environment (String) Environment variables expose sensitive data: secrets were found in environment variables.
  • sensitive_data_in_secret_key_ref (String) Environment variables expose sensitive data: secrets were found in a SecretKeyRef of the spec.
  • sensitive_host_directories (String) Containers can mount sensitive folders from the host, giving them potentially dangerous access to critical host configurations and binaries. Sharing sensitive folders and files, such as / (root), /var/run/, docker.sock, etc., can allow a container to reconfigure the Kubernetes cluster, run new container images, etc.
  • service_account_token_automounted (String) The service account secret token is mounted within the pod. Kubernetes mounts the service account token within a pod by default. If an application within the pod is compromised, an attacker can further compromise the cluster with the service account token.
  • service_attached_to_load_balancer (String) The service is accessible from the local network or the Internet. A load balancer is exposing the workload, making it accessible from the local network or the Internet.
  • service_attached_to_node_port (String) Workload is exposed through a node port. A node port can expose the workload on the host network, making it accessible from the local network or the Internet.
  • workload_in_default_namespace (String) Workload running in the default namespace. Each workload or microservice should run in a dedicated namespace with namespace-specific security policies. The default namespace can be used by an attacker to bypass these specific security policies.
  • workload_with_unconfined_seccomp_profile (String) Workload should not have the Unconfined seccomp profile attached. A seccomp policy specifies which system calls are allowed for the container. It is a sandboxing technique to limit system calls. An unconfined profile removes any system call limitations, which allows an attacker to use any dangerous system call to break out of the container.
  • workload_without_recommended_seccomp_profile (String) Workload should have a seccomp profile attached. A seccomp policy specifies which system calls can be called by an application. It is a sandboxing technique that reduces the chance that a kernel vulnerability will be successfully exploited.
  • workload_without_security_context (String) Workload should have an appropriate security context present.
  • workload_without_selinux_or_apparmor (String) Workload should have a SELinux or AppArmor profile attached. SELinux (RedHat-based distributions) and AppArmor (Debian-based distributions) provide Mandatory Access Control (MAC): a kernel-level security module that restricts access to a resource based on a policy rather than a user role. A process initiated by the root user inside a container cannot access host resources even if they are available, which limits an attacker escaping a container.

Nested Schema for default_rule_group.image_assessment

Required:

  • enabled (Boolean) Enable Image Assessment in KAC.
  • unassessed_handling (String) The action KAC should take when an image is unassessed (i.e. unknown). Must be one of: ["Alert", "Prevent", "Allow Without Alert"].

Nested Schema for default_rule_group.labels

Read-Only:

  • key (String) The default rule group label key is "*".
  • operator (String) The default rule group label operator is "eq" (equals).
  • value (String) The default rule group label value is "*".

Nested Schema for rule_groups

Required:

  • name (String) Name of the KAC policy rule group.

Optional:

  • custom_rules (Attributes Set) Defines custom rules for the KAC policy. All custom rules attached to the policy must be included in every rule_groups block that defines custom_rules. Any rule_groups block that omits custom_rules will have all custom rules set to "Disabled" by default. (see below for nested schema) Action must be one of:
      • "Disabled": Do nothing
      • "Alert": Send an alert
      • "Prevent": Prevent the object from running
  • default_rules (Attributes) Set the action Falcon KAC should take when assessing default rules. All default rules are set to "Alert" by default. (see below for nested schema) Action must be one of:
      • "Disabled": Do nothing
      • "Alert": Send an alert
      • "Prevent": Prevent the object from running
  • deny_on_error (Boolean) Defines how KAC will handle an unrecognized error or timeout when processing an admission request. If set to "false", the pod or workload will be allowed to run.
  • description (String) Description of the KAC policy rule group.
  • image_assessment (Attributes) When enabled, KAC applies image assessment policies to pods or workloads that are being created or updated on the Kubernetes cluster. (see below for nested schema)
  • labels (Attributes Set) Pod or Service label selectors. (see below for nested schema)
  • namespaces (Set of String) Namespace selectors. A namespace must only include lowercase alphanumeric characters, dashes, and asterisks (for wildcards).

Read-Only:

  • id (String) Identifier for the KAC policy rule group.
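The custom_rules constraint in the rule_groups schema (every rule_groups block that defines custom_rules must list every custom rule attached to the policy, and the list order of rule_groups is their precedence) is easy to violate when groups are edited by hand. The following configuration is an added example, not part of the provider's documentation: it derives each group's custom_rules from one shared list of rule ids, so a rule a group does not override is explicitly "Disabled" instead of being dropped. The rule ids, host group id and group names are constructed placeholders.

```terraform
locals {
  # Every custom rule attached to the policy, listed exactly once (constructed placeholder ids).
  custom_rule_ids = [
    "11111111-1111-4111-8111-111111111111",
    "22222222-2222-4222-8222-222222222222",
  ]

  # Per-group intent. List order is precedence: the first group wins for a matching workload.
  # A rule id missing from a group's "actions" becomes "Disabled" for that group below,
  # so each generated group still carries the complete rule set as the schema requires.
  rule_group_specs = [
    {
      name          = "prod-strict"
      namespaces    = ["prod-*"]
      deny_on_error = true # fail closed: an admission error blocks the workload
      actions = {
        "11111111-1111-4111-8111-111111111111" = "Prevent"
        "22222222-2222-4222-8222-222222222222" = "Alert"
      }
    },
    {
      name          = "dev-observe"
      namespaces    = ["dev-*"]
      deny_on_error = false # fail open while the rules are still being tuned
      actions = {
        "11111111-1111-4111-8111-111111111111" = "Alert"
      }
    },
  ]
}

resource "crowdstrike_cloud_security_kac_policy" "derived" {
  name        = "derived-kac-policy"
  description = "Rule groups generated from one shared custom rule set"
  enabled     = true
  host_groups = ["00000000000000000000000000000000"] # constructed placeholder id

  rule_groups = [
    for spec in local.rule_group_specs : {
      name          = spec.name
      namespaces    = spec.namespaces
      deny_on_error = spec.deny_on_error
      image_assessment = {
        enabled             = true
        unassessed_handling = "Alert"
      }
      default_rules = {
        privileged_container = "Prevent"
      }
      # Expand the shared id list so this group names every custom rule,
      # defaulting to "Disabled" for any rule the group does not override.
      custom_rules = [
        for id in local.custom_rule_ids : {
          id     = id
          action = lookup(spec.actions, id, "Disabled")
        }
      ]
    }
  ]

  # Lowest precedence; only reached when no rule group above matches.
  default_rule_group = {
    deny_on_error = false
    image_assessment = {
      enabled             = false
      unassessed_handling = "Allow Without Alert"
    }
    default_rules = {
      container_run_as_root = "Alert"
    }
    custom_rules = [
      for id in local.custom_rule_ids : { id = id, action = "Disabled" }
    ]
  }
}
```

Adding a rule id to local.custom_rule_ids is then the only change needed to keep every group's custom_rules complete; moving an entry within local.rule_group_specs reorders precedence while its name stays matched to state.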

Nested Schema for rule_groups.custom_rules

Required:

  • action (String) Determines what action Falcon KAC takes when assessing the custom rule.
  • id (String) Identifier for the KAC custom rule.

Nested Schema for rule_groups.default_rules

Optional:

  • container_in_host_ipc_namespace (String) Workload is exposed through a shared host IPC namespace. Sharing host IPC allows the container to communicate with host processes through IPC mechanisms and to access shared memory, which can potentially leak information or DoS the host process.
  • container_in_host_pid_namespace (String) Workload is exposed through a shared host PID namespace. Sharing host PID gives visibility of processes on the host, potentially leaking host and container processes, environment variables, configurations, etc.
  • container_run_as_root (String) The container is configured to run as root. Containers running as root allow applications to modify the container filesystem, memory and system packages at runtime. Additionally, root users can create raw sockets and bind to ports under 1024. These workloads should be avoided as they increase the attack surface.
  • container_using_unsafe_sysctls (String) Sysctl allows users to modify kernel settings at run time. Some sysctl configurations can exhaust resources for other containers.
  • container_with_many_capabilities (String) The container has more than the expected number of capabilities. Limiting the admission of containers with capabilities ensures that only a small number of containers have extended capabilities outside the default range. This helps ensure that if a container is compromised, it does not provide a productive path for an attacker to move laterally to other containers in the pod.
  • container_with_network_capabilities (String) CAP_NET_RAW is a powerful Linux capability. Processes with this capability can forge any kind of packet or bind to any address. This allows a container to open raw sockets and inject malicious packets into the Kubernetes container network.
  • container_with_sysadmin_capability (String) One of the containers has the CAP_SYS_ADMIN capability. CAP_SYS_ADMIN is equivalent to the root user and can help an attacker escape the container.
  • container_with_unsafe_proc_mount (String) The container has access to the host's /proc filesystem. By default, the container runtime masks certain parts of the /proc filesystem from within a container in order to prevent potential security issues. There are only two valid options for this setting: Default, which maintains the standard container runtime behavior, or Unmasked, which removes all masking for the /proc filesystem.
  • container_without_resource_limits (String) The container needs enough resources allocated on the host to run. Without any resource constraints on the container, a large application can drain all host resources, causing a Denial of Service (DoS).
  • container_without_run_as_non_root (String) The container is allowed to run as root. Containers running as root allow applications to modify the container filesystem, memory and system packages at runtime. Additionally, root users can create raw sockets and bind to ports under 1024. These workloads should be avoided as they increase the attack surface.
  • entrypoint_contains_chroot_command (String) Adversaries may attempt to gain root access to the host by running chroot on the /mnt directory in the pod command. The pod command configures how the container will run when initiated.
  • entrypoint_contains_network_scanning_command (String) A network scanning tool is present in the pod command. The pod command configures how the container will run when initiated. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.
  • host_network_attached_to_container (String) Workload is exposed through a shared host network. Sharing the host network allows the container to sniff traffic on the host, access localhost services on the node and potentially bypass network policy to attack the host network.
  • host_port_attached_to_container (String) This container setting binds the container's listening port to the IP address of the host. This exposes the pod to adjacent networks and/or to the Internet. Binding a pod to a hostPort also limits the number of places the pod can be scheduled, because each [hostIP, hostPort, protocol] combination must be unique.
  • malformed_sysctl_value (String) Sysctl allows users to modify kernel settings at run time. A sysctl value was detected that attempts to set multiple kernel settings. This is an indication of a malicious attempt to tamper with worker nodes in the Kubernetes cluster. It is related to the vulnerability CVE-2022-0811, which allows an attacker to pass malicious kernel settings via a sysctl value and gain root access.
  • privilege_escalation_allowed (String) AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. It can be a security risk as it may help a child process gain more privileges.
  • privileged_container (String) Privileged workload running in Kubernetes. A privileged workload allows access to host resources and kernel capabilities, which increases the attack surface significantly.
  • runtime_socket_in_container (String) The container runtime socket, such as /var/run/docker.sock, is the UNIX socket that the container runtime listens on. This is the primary entry point for the container runtime API. Providing access to the runtime's socket is equivalent to giving unrestricted root access to your host and leads to container escape and privilege escalation to the host.
  • sensitive_data_in_environment (String) Environment variables expose sensitive data: secrets were found in environment variables.
  • sensitive_data_in_secret_key_ref (String) Environment variables expose sensitive data: secrets were found in a SecretKeyRef of the spec.
  • sensitive_host_directories (String) Containers can mount sensitive folders from the host, giving them potentially dangerous access to critical host configurations and binaries. Sharing sensitive folders and files, such as / (root), /var/run/, docker.sock, etc., can allow a container to reconfigure the Kubernetes cluster, run new container images, etc.
  • service_account_token_automounted (String) The service account secret token is mounted within the pod. Kubernetes mounts the service account token within a pod by default. If an application within the pod is compromised, an attacker can further compromise the cluster with the service account token.
  • service_attached_to_load_balancer (String) The service is accessible from the local network or the Internet. A load balancer is exposing the workload, making it accessible from the local network or the Internet.
  • service_attached_to_node_port (String) Workload is exposed through a node port. A node port can expose the workload on the host network, making it accessible from the local network or the Internet.
  • workload_in_default_namespace (String) Workload running in the default namespace. Each workload or microservice should run in a dedicated namespace with namespace-specific security policies. The default namespace can be used by an attacker to bypass these specific security policies.
  • workload_with_unconfined_seccomp_profile (String) Workload should not have the Unconfined seccomp profile attached. A seccomp policy specifies which system calls are allowed for the container. It is a sandboxing technique to limit system calls. An unconfined profile removes any system call limitations, which allows an attacker to use any dangerous system call to break out of the container.
  • workload_without_recommended_seccomp_profile (String) Workload should have a seccomp profile attached. A seccomp policy specifies which system calls can be called by an application. It is a sandboxing technique that reduces the chance that a kernel vulnerability will be successfully exploited.
  • workload_without_security_context (String) Workload should have an appropriate security context present.
  • workload_without_selinux_or_apparmor (String) Workload should have a SELinux or AppArmor profile attached. SELinux (RedHat-based distributions) and AppArmor (Debian-based distributions) provide Mandatory Access Control (MAC): a kernel-level security module that restricts access to a resource based on a policy rather than a user role. A process initiated by the root user inside a container cannot access host resources even if they are available, which limits an attacker escaping a container.

Nested Schema for rule_groups.image_assessment

Required:

  • enabled (Boolean) Enable Image Assessment in KAC.
  • unassessed_handling (String) The action Falcon KAC should take when an image is unassessed (i.e. unknown). Must be one of: ["Alert", "Prevent", "Allow Without Alert"].

Nested Schema for rule_groups.labels

Required:

  • key (String) Label key. The key must only include alphanumeric characters and .-_*/, and cannot be longer than 253 characters.
  • operator (String) Label operator. Must be one of "eq" (equals) or "neq" (not equals).
  • value (String) Label value. The value must only include alphanumeric characters and .-_*, and cannot be longer than 63 characters.
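The namespace and label constraints above (lowercase alphanumerics, dashes and asterisks for namespaces; the .-_*/ character set and 253-character limit for label keys; .-_* and 63 characters for label values; "eq" or "neq" as operator) are otherwise only enforced when the provider talks to the API. The following input variables are an added example, not part of the provider's documentation, that encode the same rules as plan-time validation so a bad selector fails before any API call; the variable names and default selectors are constructed.

```terraform
variable "kac_namespaces" {
  description = "Namespace selectors for one rule group (feeds rule_groups[*].namespaces)."
  type        = set(string)
  default     = ["payments-*", "billing"] # constructed sample selectors

  validation {
    # Schema: lowercase alphanumerics, dashes and '*' wildcards only.
    condition     = alltrue([for ns in var.kac_namespaces : can(regex("^[a-z0-9*-]+$", ns))])
    error_message = "Each namespace selector may contain only lowercase alphanumerics, dashes and '*'."
  }
}

variable "kac_labels" {
  description = "Pod or Service label selectors for one rule group (feeds rule_groups[*].labels)."
  type = set(object({
    key      = string
    operator = string
    value    = string
  }))
  default = [ # constructed sample selectors
    { key = "app.kubernetes.io/name", operator = "eq", value = "checkout" },
    { key = "tier", operator = "neq", value = "debug-*" },
  ]

  validation {
    # Schema: key limited to alphanumerics plus .-_*/ and at most 253 characters.
    condition = alltrue([
      for l in var.kac_labels :
      can(regex("^[A-Za-z0-9._*/-]+$", l.key)) && length(l.key) <= 253
    ])
    error_message = "Label keys may contain only alphanumerics and .-_*/ and must be at most 253 characters."
  }

  validation {
    # Schema: value limited to alphanumerics plus .-_* and at most 63 characters.
    condition = alltrue([
      for l in var.kac_labels :
      can(regex("^[A-Za-z0-9._*-]+$", l.value)) && length(l.value) <= 63
    ])
    error_message = "Label values may contain only alphanumerics and .-_* and must be at most 63 characters."
  }

  validation {
    # Schema: operator is "eq" (equals) or "neq" (not equals).
    condition     = alltrue([for l in var.kac_labels : contains(["eq", "neq"], l.operator)])
    error_message = "Label operator must be 'eq' or 'neq'."
  }
}
```

Assigning var.kac_namespaces and var.kac_labels to a rule group's namespaces and labels attributes then makes `terraform validate` and `terraform plan` reject a selector the KAC API would refuse, with a message that names the violated rule.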

Import is supported using the following syntax:

```shell
# Cloud Security KAC Policy can be imported by specifying the id.
terraform import crowdstrike_cloud_security_kac_policy.example 7fb858a949034a0cbca175f660f1e769
```