# Policies ## GetOrganizationPolicies `client.Organizations.Policies.Get(ctx, body) (*OrganizationPolicyGetResponse, error)` **post** `/gitpod.v1.OrganizationService/GetOrganizationPolicies` Gets organization policy settings by organization ID. Use this method to: - Retrieve current policy settings for an organization - View resource limits and restrictions - Check allowed editors and other configurations ### Examples - Get organization policies: Retrieves policy settings for a specific organization. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" ``` ### Parameters - `body OrganizationPolicyGetParams` - `OrganizationID param.Field[string]` organization_id is the ID of the organization to retrieve policies for ### Returns - `type OrganizationPolicyGetResponse struct{…}` - `Policies OrganizationPolicies` - `AgentPolicy AgentPolicy` agent_policy contains agent-specific policy settings - `CommandDenyList []string` command_deny_list contains a list of commands that agents are not allowed to execute - `McpDisabled bool` mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents - `ScmToolsDisabled bool` scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents - `ConversationSharingPolicy ConversationSharingPolicy` conversation_sharing_policy controls whether agent conversations can be shared - `const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"` - `const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"` - `const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"` - `MaxSubagentsPerEnvironment int64` max_subagents_per_environment limits the number of non-terminal sub-agents a parent can have running simultaneously in the same environment. Valid range: 0-10. Zero means use the default (5). - `ScmToolsAllowedGroupID string` scm_tools_allowed_group_id restricts SCM tools access to members of this group. Empty means no restriction (all users can use SCM tools if not disabled). - `AllowedEditorIDs []string` allowed_editor_ids is the list of editor IDs that are allowed to be used in the organization - `AllowLocalRunners bool` allow_local_runners controls whether local runners are allowed to be used in the organization - `DefaultEditorID string` default_editor_id is the default editor ID to be used when a user doesn't specify one - `DefaultEnvironmentImage string` default_environment_image is the default container image when none is defined in repo - `MaximumEnvironmentsPerUser string` maximum_environments_per_user limits total environments (running or stopped) per user - `MaximumRunningEnvironmentsPerUser string` maximum_running_environments_per_user limits simultaneously running environments per user - `MembersCreateProjects bool` members_create_projects controls whether members can create projects - `MembersRequireProjects bool` members_require_projects controls whether environments can only be created from projects by non-admin users - `OrganizationID string` organization_id is the ID of the organization - `PortSharingDisabled bool` port_sharing_disabled controls whether user-initiated port sharing is disabled in the organization. System ports (VS Code Browser, agents) are always exempt from this policy. - `RequireCustomDomainAccess bool` require_custom_domain_access controls whether users must access via custom domain when one is configured. When true, access via app.gitpod.io is blocked. - `RestrictAccountCreationToScim bool` restrict_account_creation_to_scim controls whether account creation is restricted to SCIM-provisioned users only. When true and SCIM is configured for the organization, only users provisioned via SCIM can create accounts. - `DeleteArchivedEnvironmentsAfter string` delete_archived_environments_after controls how long archived environments are kept before automatic deletion. 0 means no automatic deletion. Maximum duration is 4 weeks (2419200 seconds). - `EditorVersionRestrictions map[string, OrganizationPoliciesEditorVersionRestriction]` editor_version_restrictions restricts which editor versions can be used. Maps editor ID to version policy, editor_version_restrictions not set means no restrictions. If empty or not set for an editor, we will use the latest version of the editor - `AllowedVersions []string` allowed_versions lists the versions that are allowed If empty, we will use the latest version of the editor Examples for JetBrains: `["2025.2", "2025.1", "2024.3"]` - `MaximumEnvironmentLifetime string` maximum_environment_lifetime controls for how long environments are allowed to be reused. 0 means no maximum lifetime. Maximum duration is 180 days (15552000 seconds). - `MaximumEnvironmentTimeout string` maximum_environment_timeout controls the maximum timeout allowed for environments in seconds. 0 means no limit (never). Minimum duration is 30 minutes (1800 seconds). value must be 0s (no limit) or at least 1800s (30 minutes): ``` this == duration('0s') || this >= duration('1800s') ``` - `SecurityAgentPolicy SecurityAgentPolicy` security_agent_policy contains security agent configuration for the organization. When configured, security agents are automatically deployed to all environments. - `Crowdstrike CrowdStrikeConfig` crowdstrike contains CrowdStrike Falcon configuration - `AdditionalOptions map[string, string]` additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix. - `CidSecretID string` cid_secret_id references an organization secret containing the Customer ID (CID). - `Enabled bool` enabled controls whether CrowdStrike Falcon is deployed to environments - `Image string` image is the CrowdStrike Falcon sensor container image reference - `Tags string` tags are optional tags to apply to the Falcon sensor (comma-separated) - `VetoExecPolicy VetoExecPolicy` veto_exec_policy contains the veto exec policy for environments. - `Action KernelControlsAction` action specifies what action kernel-level controls take on policy violations - `const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"` - `const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"` - `const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"` - `Enabled bool` enabled controls whether executable blocking is active - `Executables []string` executables is the list of executable paths or names to block ### Example ```go package main import ( "context" "fmt" "github.com/gitpod-io/gitpod-sdk-go" "github.com/gitpod-io/gitpod-sdk-go/option" ) func main() { client := gitpod.NewClient( option.WithBearerToken("My Bearer Token"), ) policy, err := client.Organizations.Policies.Get(context.TODO(), gitpod.OrganizationPolicyGetParams{ OrganizationID: gitpod.F("b0e12f6c-4c67-429d-a4a6-d9838b5da047"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", policy.Policies) } ``` #### Response ```json { "policies": { "agentPolicy": { "commandDenyList": [ "string" ], "mcpDisabled": true, "scmToolsDisabled": true, "conversationSharingPolicy": "CONVERSATION_SHARING_POLICY_UNSPECIFIED", "maxSubagentsPerEnvironment": 10, "scmToolsAllowedGroupId": "scmToolsAllowedGroupId" }, "allowedEditorIds": [ "string" ], "allowLocalRunners": true, "defaultEditorId": "defaultEditorId", "defaultEnvironmentImage": "defaultEnvironmentImage", "maximumEnvironmentsPerUser": "maximumEnvironmentsPerUser", "maximumRunningEnvironmentsPerUser": "maximumRunningEnvironmentsPerUser", "membersCreateProjects": true, "membersRequireProjects": true, "organizationId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "portSharingDisabled": true, "requireCustomDomainAccess": true, "restrictAccountCreationToScim": true, "deleteArchivedEnvironmentsAfter": "+9125115.360s", "editorVersionRestrictions": { "foo": { "allowedVersions": [ "string" ] } }, "maximumEnvironmentLifetime": "+9125115.360s", "maximumEnvironmentLifetimeStrict": true, "maximumEnvironmentTimeout": "+9125115.360s", "securityAgentPolicy": { "crowdstrike": { "additionalOptions": { "foo": "string" }, "cidSecretId": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "enabled": true, "image": "image", "tags": "tags" }, "customAgents": [ { "id": "id", "description": "description", "enabled": true, "envMappings": [ { "name": "name", "secretName": "secretName" } ], "name": "name", "startCommand": "startCommand" } ] }, "vetoExecPolicy": { "action": "KERNEL_CONTROLS_ACTION_UNSPECIFIED", "enabled": true, "executables": [ "string" ], "safelist": [ "string" ] } } } ``` ## UpdateOrganizationPolicies `client.Organizations.Policies.Update(ctx, body) (*OrganizationPolicyUpdateResponse, error)` **post** `/gitpod.v1.OrganizationService/UpdateOrganizationPolicies` Updates organization policy settings. Use this method to: - Configure editor restrictions - Set environment resource limits - Define project creation permissions - Customize default configurations ### Examples - Update editor policies: Restricts available editors and sets a default. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" allowedEditorIds: - "vscode" - "jetbrains" defaultEditorId: "vscode" ``` - Set environment limits: Configures limits for environment usage. ```yaml organizationId: "b0e12f6c-4c67-429d-a4a6-d9838b5da047" maximumEnvironmentTimeout: "3600s" maximumRunningEnvironmentsPerUser: "5" maximumEnvironmentsPerUser: "20" ``` ### Parameters - `body OrganizationPolicyUpdateParams` - `OrganizationID param.Field[string]` organization_id is the ID of the organization to update policies for - `AgentPolicy param.Field[OrganizationPolicyUpdateParamsAgentPolicy]` agent_policy contains agent-specific policy settings - `CommandDenyList []string` command_deny_list contains a list of commands that agents are not allowed to execute - `ConversationSharingPolicy ConversationSharingPolicy` conversation_sharing_policy controls whether agent conversations can be shared - `const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"` - `const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"` - `const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"` - `MaxSubagentsPerEnvironment int64` max_subagents_per_environment limits the number of non-terminal sub-agents a parent can have running simultaneously in the same environment. Valid range: 0-10. Zero means use the default (5). - `McpDisabled bool` mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents - `ScmToolsAllowedGroupID string` scm_tools_allowed_group_id restricts SCM tools access to members of this group. Empty means no restriction (all users can use SCM tools if not disabled). - `ScmToolsDisabled bool` scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents - `AllowedEditorIDs param.Field[[]string]` allowed_editor_ids is the list of editor IDs that are allowed to be used in the organization - `AllowLocalRunners param.Field[bool]` allow_local_runners controls whether local runners are allowed to be used in the organization - `DefaultEditorID param.Field[string]` default_editor_id is the default editor ID to be used when a user doesn't specify one - `DefaultEnvironmentImage param.Field[string]` default_environment_image is the default container image when none is defined in repo - `DeleteArchivedEnvironmentsAfter param.Field[string]` delete_archived_environments_after controls how long archived environments are kept before automatic deletion. 0 means no automatic deletion. Maximum duration is 4 weeks (2419200 seconds). - `EditorVersionRestrictions param.Field[map[string, OrganizationPolicyUpdateParamsEditorVersionRestrictions]]` editor_version_restrictions restricts which editor versions can be used. Maps editor ID to version policy with allowed major versions. - `AllowedVersions []string` allowed_versions lists the versions that are allowed If empty, we will use the latest version of the editor Examples for JetBrains: `["2025.2", "2025.1", "2024.3"]` - `MaximumEnvironmentLifetime param.Field[string]` maximum_environment_lifetime controls for how long environments are allowed to be reused. 0 means no maximum lifetime. Maximum duration is 180 days (15552000 seconds). - `MaximumEnvironmentsPerUser param.Field[string]` maximum_environments_per_user limits total environments (running or stopped) per user - `MaximumEnvironmentTimeout param.Field[string]` maximum_environment_timeout controls the maximum timeout allowed for environments in seconds. 0 means no limit (never). Minimum duration is 30 minutes (1800 seconds). value must be 0s (no limit) or at least 1800s (30 minutes): ``` this == duration('0s') || this >= duration('1800s') ``` - `MaximumRunningEnvironmentsPerUser param.Field[string]` maximum_running_environments_per_user limits simultaneously running environments per user - `MembersCreateProjects param.Field[bool]` members_create_projects controls whether members can create projects - `MembersRequireProjects param.Field[bool]` members_require_projects controls whether environments can only be created from projects by non-admin users - `PortSharingDisabled param.Field[bool]` port_sharing_disabled controls whether user-initiated port sharing is disabled in the organization. System ports (VS Code Browser, agents) are always exempt from this policy. - `RequireCustomDomainAccess param.Field[bool]` require_custom_domain_access controls whether users must access via custom domain when one is configured. When true, access via app.gitpod.io is blocked. - `RestrictAccountCreationToScim param.Field[bool]` restrict_account_creation_to_scim controls whether account creation is restricted to SCIM-provisioned users only. When true and SCIM is configured for the organization, only users provisioned via SCIM can create accounts. - `SecurityAgentPolicy param.Field[OrganizationPolicyUpdateParamsSecurityAgentPolicy]` security_agent_policy contains security agent configuration updates - `Crowdstrike OrganizationPolicyUpdateParamsSecurityAgentPolicyCrowdstrike` crowdstrike contains CrowdStrike Falcon configuration updates - `AdditionalOptions map[string, string]` additional_options contains additional FALCONCTL_OPT_* options as key-value pairs - `CidSecretID string` cid_secret_id references an organization secret containing the Customer ID (CID) - `Enabled bool` enabled controls whether CrowdStrike Falcon is deployed to environments - `Image string` image is the CrowdStrike Falcon sensor container image reference - `Tags string` tags are optional tags to apply to the Falcon sensor - `VetoExecPolicy param.Field[VetoExecPolicy]` veto_exec_policy contains the veto exec policy for environments. ### Returns - `type OrganizationPolicyUpdateResponse interface{…}` ### Example ```go package main import ( "context" "fmt" "github.com/gitpod-io/gitpod-sdk-go" "github.com/gitpod-io/gitpod-sdk-go/option" ) func main() { client := gitpod.NewClient( option.WithBearerToken("My Bearer Token"), ) policy, err := client.Organizations.Policies.Update(context.TODO(), gitpod.OrganizationPolicyUpdateParams{ OrganizationID: gitpod.F("b0e12f6c-4c67-429d-a4a6-d9838b5da047"), MaximumEnvironmentsPerUser: gitpod.F("20"), MaximumEnvironmentTimeout: gitpod.F("3600s"), MaximumRunningEnvironmentsPerUser: gitpod.F("5"), }) if err != nil { panic(err.Error()) } fmt.Printf("%+v\n", policy) } ``` #### Response ```json {} ``` ## Domain Types ### Agent Policy - `type AgentPolicy struct{…}` AgentPolicy contains agent-specific policy settings for an organization - `CommandDenyList []string` command_deny_list contains a list of commands that agents are not allowed to execute - `McpDisabled bool` mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents - `ScmToolsDisabled bool` scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents - `ConversationSharingPolicy ConversationSharingPolicy` conversation_sharing_policy controls whether agent conversations can be shared - `const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"` - `const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"` - `const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"` - `MaxSubagentsPerEnvironment int64` max_subagents_per_environment limits the number of non-terminal sub-agents a parent can have running simultaneously in the same environment. Valid range: 0-10. Zero means use the default (5). - `ScmToolsAllowedGroupID string` scm_tools_allowed_group_id restricts SCM tools access to members of this group. Empty means no restriction (all users can use SCM tools if not disabled). ### Conversation Sharing Policy - `type ConversationSharingPolicy string` ConversationSharingPolicy controls how agent conversations can be shared. - `const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"` - `const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"` - `const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"` ### Crowd Strike Config - `type CrowdStrikeConfig struct{…}` CrowdStrikeConfig configures CrowdStrike Falcon sensor deployment - `AdditionalOptions map[string, string]` additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix. - `CidSecretID string` cid_secret_id references an organization secret containing the Customer ID (CID). - `Enabled bool` enabled controls whether CrowdStrike Falcon is deployed to environments - `Image string` image is the CrowdStrike Falcon sensor container image reference - `Tags string` tags are optional tags to apply to the Falcon sensor (comma-separated) ### Custom Agent Env Mapping - `type CustomAgentEnvMapping struct{…}` CustomAgentEnvMapping maps a script placeholder to an organization secret. The backend resolves the secret name to a UUID at runtime. - `Name string` name is the environment variable name used as a placeholder in the start command. - `SecretName string` secret_name is the name of the organization secret whose value populates this placeholder. ### Custom Security Agent - `type CustomSecurityAgent struct{…}` CustomSecurityAgent defines a custom security agent configured by an organization admin. - `ID string` id is a unique identifier for this custom agent within the organization. Server-generated at save time if empty. - `Description string` description is a human-readable description of what this agent does - `Enabled bool` enabled controls whether this custom agent is deployed to environments - `EnvMappings []CustomAgentEnvMapping` env_mappings maps script placeholders to organization secret names, resolved to secret values at runtime. - `Name string` name is the environment variable name used as a placeholder in the start command. - `SecretName string` secret_name is the name of the organization secret whose value populates this placeholder. - `Name string` name is the display name for this custom agent - `StartCommand string` start_command is the shell script that starts the agent ### Kernel Controls Action - `type KernelControlsAction string` KernelControlsAction defines how a kernel-level policy violation is handled. - `const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"` - `const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"` - `const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"` ### Organization Policies - `type OrganizationPolicies struct{…}` - `AgentPolicy AgentPolicy` agent_policy contains agent-specific policy settings - `CommandDenyList []string` command_deny_list contains a list of commands that agents are not allowed to execute - `McpDisabled bool` mcp_disabled controls whether MCP (Model Context Protocol) is disabled for agents - `ScmToolsDisabled bool` scm_tools_disabled controls whether SCM (Source Control Management) tools are disabled for agents - `ConversationSharingPolicy ConversationSharingPolicy` conversation_sharing_policy controls whether agent conversations can be shared - `const ConversationSharingPolicyUnspecified ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_UNSPECIFIED"` - `const ConversationSharingPolicyDisabled ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_DISABLED"` - `const ConversationSharingPolicyOrganization ConversationSharingPolicy = "CONVERSATION_SHARING_POLICY_ORGANIZATION"` - `MaxSubagentsPerEnvironment int64` max_subagents_per_environment limits the number of non-terminal sub-agents a parent can have running simultaneously in the same environment. Valid range: 0-10. Zero means use the default (5). - `ScmToolsAllowedGroupID string` scm_tools_allowed_group_id restricts SCM tools access to members of this group. Empty means no restriction (all users can use SCM tools if not disabled). - `AllowedEditorIDs []string` allowed_editor_ids is the list of editor IDs that are allowed to be used in the organization - `AllowLocalRunners bool` allow_local_runners controls whether local runners are allowed to be used in the organization - `DefaultEditorID string` default_editor_id is the default editor ID to be used when a user doesn't specify one - `DefaultEnvironmentImage string` default_environment_image is the default container image when none is defined in repo - `MaximumEnvironmentsPerUser string` maximum_environments_per_user limits total environments (running or stopped) per user - `MaximumRunningEnvironmentsPerUser string` maximum_running_environments_per_user limits simultaneously running environments per user - `MembersCreateProjects bool` members_create_projects controls whether members can create projects - `MembersRequireProjects bool` members_require_projects controls whether environments can only be created from projects by non-admin users - `OrganizationID string` organization_id is the ID of the organization - `PortSharingDisabled bool` port_sharing_disabled controls whether user-initiated port sharing is disabled in the organization. System ports (VS Code Browser, agents) are always exempt from this policy. - `RequireCustomDomainAccess bool` require_custom_domain_access controls whether users must access via custom domain when one is configured. When true, access via app.gitpod.io is blocked. - `RestrictAccountCreationToScim bool` restrict_account_creation_to_scim controls whether account creation is restricted to SCIM-provisioned users only. When true and SCIM is configured for the organization, only users provisioned via SCIM can create accounts. - `DeleteArchivedEnvironmentsAfter string` delete_archived_environments_after controls how long archived environments are kept before automatic deletion. 0 means no automatic deletion. Maximum duration is 4 weeks (2419200 seconds). - `EditorVersionRestrictions map[string, OrganizationPoliciesEditorVersionRestriction]` editor_version_restrictions restricts which editor versions can be used. Maps editor ID to version policy, editor_version_restrictions not set means no restrictions. If empty or not set for an editor, we will use the latest version of the editor - `AllowedVersions []string` allowed_versions lists the versions that are allowed If empty, we will use the latest version of the editor Examples for JetBrains: `["2025.2", "2025.1", "2024.3"]` - `MaximumEnvironmentLifetime string` maximum_environment_lifetime controls for how long environments are allowed to be reused. 0 means no maximum lifetime. Maximum duration is 180 days (15552000 seconds). - `MaximumEnvironmentTimeout string` maximum_environment_timeout controls the maximum timeout allowed for environments in seconds. 0 means no limit (never). Minimum duration is 30 minutes (1800 seconds). value must be 0s (no limit) or at least 1800s (30 minutes): ``` this == duration('0s') || this >= duration('1800s') ``` - `SecurityAgentPolicy SecurityAgentPolicy` security_agent_policy contains security agent configuration for the organization. When configured, security agents are automatically deployed to all environments. - `Crowdstrike CrowdStrikeConfig` crowdstrike contains CrowdStrike Falcon configuration - `AdditionalOptions map[string, string]` additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix. - `CidSecretID string` cid_secret_id references an organization secret containing the Customer ID (CID). - `Enabled bool` enabled controls whether CrowdStrike Falcon is deployed to environments - `Image string` image is the CrowdStrike Falcon sensor container image reference - `Tags string` tags are optional tags to apply to the Falcon sensor (comma-separated) - `VetoExecPolicy VetoExecPolicy` veto_exec_policy contains the veto exec policy for environments. - `Action KernelControlsAction` action specifies what action kernel-level controls take on policy violations - `const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"` - `const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"` - `const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"` - `Enabled bool` enabled controls whether executable blocking is active - `Executables []string` executables is the list of executable paths or names to block ### Security Agent Policy - `type SecurityAgentPolicy struct{…}` SecurityAgentPolicy contains security agent configuration for an organization. When enabled, security agents are automatically deployed to all environments. - `Crowdstrike CrowdStrikeConfig` crowdstrike contains CrowdStrike Falcon configuration - `AdditionalOptions map[string, string]` additional_options contains additional FALCONCTL_OPT_* options as key-value pairs. Keys should NOT include the FALCONCTL_OPT_ prefix. - `CidSecretID string` cid_secret_id references an organization secret containing the Customer ID (CID). - `Enabled bool` enabled controls whether CrowdStrike Falcon is deployed to environments - `Image string` image is the CrowdStrike Falcon sensor container image reference - `Tags string` tags are optional tags to apply to the Falcon sensor (comma-separated) ### Veto Exec Policy - `type VetoExecPolicy struct{…}` VetoExecPolicy defines the policy for blocking or auditing executable execution in environments. - `Action KernelControlsAction` action specifies what action kernel-level controls take on policy violations - `const KernelControlsActionUnspecified KernelControlsAction = "KERNEL_CONTROLS_ACTION_UNSPECIFIED"` - `const KernelControlsActionBlock KernelControlsAction = "KERNEL_CONTROLS_ACTION_BLOCK"` - `const KernelControlsActionAudit KernelControlsAction = "KERNEL_CONTROLS_ACTION_AUDIT"` - `Enabled bool` enabled controls whether executable blocking is active - `Executables []string` executables is the list of executable paths or names to block