AdmissionRule

JSON representation

An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors , that all pod creations will be allowed, or that all pod creations will be denied.

Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.

JSON representation
{ "evaluationMode" : enum ( `EvaluationMode` ) , "requireAttestationsBy" : [ string ] , "enforcementMode" : enum ( `EnforcementMode` ) }

Fields

Fields
`evaluationMode`	`enum ( EvaluationMode )` Required. How this admission rule will be evaluated.
`requireAttestationsBy[]`	`string` Optional. The resource names of the attestors that must attest to a container image, in the format `projects//attestors/` . Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluationMode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
`enforcementMode`	`enum ( EnforcementMode )` Required. The action when a pod creation is denied by the admission rule.

evaluationMode

enum ( EvaluationMode )

Required. How this admission rule will be evaluated.

requireAttestationsBy[]

string

Optional. The resource names of the attestors that must attest to a container image, in the format projects/*/attestors/* . Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource.

Note: this field must be non-empty when the evaluationMode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcementMode

enum ( EnforcementMode )

Required. The action when a pod creation is denied by the admission rule.

AdmissionRule Stay organized with collections Save and categorize content based on your preferences.

AdmissionRule