Reference documentation and code samples for the Google Cloud Binary Authorization V1 Client class Policy.
A policy for container image binary authorization.
Generated from protobuf message google.cloud.binaryauthorization.v1.Policy
Namespace
Google \ Cloud \ BinaryAuthorization \ V1
Methods
__construct
Constructor.
data
array
Optional. Data for populating the Message object.
↳ name
string
Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.
↳ description
string
Optional. A descriptive comment.
↳ global_policy_evaluation_mode
int
Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
↳ admission_whitelist_patterns
array<Google\Cloud\BinaryAuthorization\V1\AdmissionWhitelistPattern>
Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
↳ cluster_admission_rules
array|Google\Protobuf\Internal\MapField
Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
↳ kubernetes_namespace_admission_rules
array|Google\Protobuf\Internal\MapField
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'
↳ kubernetes_service_account_admission_rules
array|Google\Protobuf\Internal\MapField
Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. 'test-ns:default'
↳ istio_service_identity_admission_rules
array|Google\Protobuf\Internal\MapField
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://
↳ default_admission_rule
Google\Cloud\BinaryAuthorization\V1\AdmissionRule
Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
↳ update_time
Output only. Time when the policy was last updated.
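The constructor fields above, shown as an added example that is not part of the generated reference: a deny-by-default policy with one per-cluster attestation rule, plus a small review helper over the same getters. It assumes the google/cloud-binary-authorization Composer package and PHP 8; the project, cluster, attestor and image names are placeholders, and `reviewPolicy` is a hypothetical helper, not a library function.

```php
<?php
// Added example, not library code. Resource names below are placeholders.
require 'vendor/autoload.php';

use Google\Cloud\BinaryAuthorization\V1\AdmissionRule;
use Google\Cloud\BinaryAuthorization\V1\AdmissionRule\EnforcementMode;
use Google\Cloud\BinaryAuthorization\V1\AdmissionRule\EvaluationMode;
use Google\Cloud\BinaryAuthorization\V1\AdmissionWhitelistPattern;
use Google\Cloud\BinaryAuthorization\V1\Policy;
use Google\Cloud\BinaryAuthorization\V1\Policy\GlobalPolicyEvaluationMode;

// Required default rule: block and audit-log anything without a more specific rule.
$denyAll = new AdmissionRule([
    'evaluation_mode'  => EvaluationMode::ALWAYS_DENY,
    'enforcement_mode' => EnforcementMode::ENFORCED_BLOCK_AND_AUDIT_LOG,
]);
// Per-cluster rule: admit only images attested by the named attestor.
$attested = new AdmissionRule([
    'evaluation_mode'         => EvaluationMode::REQUIRE_ATTESTATION,
    'require_attestations_by' => ['projects/example-project/attestors/example-attestor'],
    'enforcement_mode'        => EnforcementMode::ENFORCED_BLOCK_AND_AUDIT_LOG,
]);
$policy = new Policy([
    'global_policy_evaluation_mode' => GlobalPolicyEvaluationMode::ENABLE,
    'admission_whitelist_patterns'  => [new AdmissionWhitelistPattern(['name_pattern' => 'gcr.io/example-project/infra/*'])],
    'cluster_admission_rules'       => ['us-central1-a.prod-cluster' => $attested], // key: location.clusterId
    'default_admission_rule'        => $denyAll,
]);

// Hypothetical review helper: list settings in a Policy that weaken enforcement.
function reviewPolicy(Policy $p): array {
    $rules = ['default' => $p->getDefaultAdmissionRule()]; // null when the required rule is unset
    foreach ($p->getClusterAdmissionRules() as $spec => $rule) {
        $rules["cluster $spec"] = $rule;
    }
    $findings = [];
    foreach ($rules as $label => $rule) {
        if ($rule?->getEvaluationMode() === EvaluationMode::ALWAYS_ALLOW) {
            $findings[] = "$label: ALWAYS_ALLOW admits any image";
        }
        if ($rule?->getEnforcementMode() !== EnforcementMode::ENFORCED_BLOCK_AND_AUDIT_LOG) {
            $findings[] = "$label: not enforced (dry run, unspecified, or rule missing)";
        }
    }
    foreach ($p->getAdmissionWhitelistPatterns() as $pattern) {
        $findings[] = 'allowlist pattern exempt from policy: ' . $pattern->getNamePattern();
    }
    return $findings;
}
print_r(reviewPolicy($policy));
```

For the policy built here the helper reports only the allowlist pattern, since both rules are enforced and neither uses ALWAYS_ALLOW.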
getName
Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.
string
setName
Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.
var
string
$this
getDescription
Optional. A descriptive comment.
string
setDescription
Optional. A descriptive comment.
var
string
$this
getGlobalPolicyEvaluationMode
Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
int
setGlobalPolicyEvaluationMode
Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
var
int
$this
getAdmissionWhitelistPatterns
Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
setAdmissionWhitelistPatterns
Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
$this
getClusterAdmissionRules
Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
setClusterAdmissionRules
Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
$this
getKubernetesNamespaceAdmissionRules
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'
setKubernetesNamespaceAdmissionRules
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'
$this
getKubernetesServiceAccountAdmissionRules
Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. 'test-ns:default'
setKubernetesServiceAccountAdmissionRules
Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. 'test-ns:default'
$this
getIstioServiceIdentityAdmissionRules
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://
setIstioServiceIdentityAdmissionRules
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://
$this
getDefaultAdmissionRule
Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
hasDefaultAdmissionRule
clearDefaultAdmissionRule
setDefaultAdmissionRule
Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
$this
getUpdateTime
Output only. Time when the policy was last updated.
hasUpdateTime
clearUpdateTime
setUpdateTime
Output only. Time when the policy was last updated.
$this