Console
    Contact Us Start free

    Policy

    A policy for Binary Authorization.

    JSON representation 
     { 
 "name" 
 : 
 string 
 , 
 "description" 
 : 
 string 
 , 
 "globalPolicyEvaluationMode" 
 : 
 enum (  GlobalPolicyEvaluationMode 
 
) 
 , 
 "admissionWhitelistPatterns" 
 : 
 [ 
 { 
 object (  AdmissionWhitelistPattern 
 
) 
 } 
 ] 
 , 
 "clusterAdmissionRules" 
 : 
 { 
 string 
 : 
 { 
 object (  AdmissionRule 
 
) 
 } 
 , 
 ... 
 } 
 , 
 "kubernetesNamespaceAdmissionRules" 
 : 
 { 
 string 
 : 
 { 
 object (  AdmissionRule 
 
) 
 } 
 , 
 ... 
 } 
 , 
 "kubernetesServiceAccountAdmissionRules" 
 : 
 { 
 string 
 : 
 { 
 object (  AdmissionRule 
 
) 
 } 
 , 
 ... 
 } 
 , 
 "istioServiceIdentityAdmissionRules" 
 : 
 { 
 string 
 : 
 { 
 object (  AdmissionRule 
 
) 
 } 
 , 
 ... 
 } 
 , 
 "defaultAdmissionRule" 
 : 
 { 
 object (  AdmissionRule 
 
) 
 } 
 , 
 "updateTime" 
 : 
 string 
 , 
 "etag" 
 : 
 string 
 }
    Fields
    name

    string

    Output only. The resource name, in the format projects/*/policy . There is at most one policy per project.
    description

    string

    Optional. A descriptive comment.
    globalPolicyEvaluationMode

    enum ( GlobalPolicyEvaluationMode )

    Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
    admissionWhitelistPatterns[]

    object ( AdmissionWhitelistPattern )

    Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
    clusterAdmissionRules

    map (key: string, value: object ( AdmissionRule ))

    Optional. Per-cluster admission rules. Cluster spec format: location.clusterId . There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters .

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" } .
    kubernetesNamespaceAdmissionRules

    map (key: string, value: object ( AdmissionRule ))

    Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+ , e.g. some-namespace

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" } .
    istioServiceIdentityAdmissionRules

    map (key: string, value: object ( AdmissionRule ))

    Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount> e.g. spiffe://example.com/ns/test-ns/sa/default

    An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" } .
    defaultAdmissionRule

    object ( AdmissionRule )

    Required. Default admission rule for a cluster without a per-cluster, per- kubernetes-service-account, or per-istio-service-identity admission rule.
    updateTime

    string ( Timestamp format)

    Output only. Time when the policy was last updated.

    A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z" .
    etag

    string

    Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154 .
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: