REST Resource: projects.policy

Resource: Policy

A policy for container image binary authorization.

JSON representation
  {
    "name": string,
    "description": string,
    "globalPolicyEvaluationMode": enum (GlobalPolicyEvaluationMode),
    "admissionWhitelistPatterns": [
      {
        object (AdmissionWhitelistPattern)
      }
    ],
    "clusterAdmissionRules": {
      string: {
        object (AdmissionRule)
      },
      ...
    },
    "kubernetesNamespaceAdmissionRules": {
      string: {
        object (AdmissionRule)
      },
      ...
    },
    "kubernetesServiceAccountAdmissionRules": {
      string: {
        object (AdmissionRule)
      },
      ...
    },
    "istioServiceIdentityAdmissionRules": {
      string: {
        object (AdmissionRule)
      },
      ...
    },
    "defaultAdmissionRule": {
      object (AdmissionRule)
    },
    "updateTime": string,
    "etag": string
  }
Fields
name

string

Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.

description

string

Optional. A descriptive comment.

globalPolicyEvaluationMode

enum ( GlobalPolicyEvaluationMode )

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.

admissionWhitelistPatterns[]

object ( AdmissionWhitelistPattern )

Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies. Note that patterns match on the image name, not on a digest: any principal who can push to an allowlisted registry path can deploy an unattested image, so keep patterns as narrow as possible.

clusterAdmissionRules

map (key: string, value: object ( AdmissionRule ))

Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" } .

kubernetesNamespaceAdmissionRules

map (key: string, value: object ( AdmissionRule ))

Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. some-namespace

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" } .

kubernetesServiceAccountAdmissionRules

map (key: string, value: object ( AdmissionRule ))

Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. test-ns:default

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

istioServiceIdentityAdmissionRules

map (key: string, value: object ( AdmissionRule ))

Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

defaultAdmissionRule

object ( AdmissionRule )

Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-namespace, per-kubernetes-service-account, or per-istio-service-identity admission rule.

updateTime

string ( Timestamp format)

Output only. Time when the policy was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

etag

string

Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.

GlobalPolicyEvaluationMode

Enums
  GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED: Not specified; DISABLE is assumed.
  ENABLE: Enables system policy evaluation.
  DISABLE: Disables system policy evaluation.

AdmissionWhitelistPattern

An admission allowlist pattern exempts images from checks by admission rules.

JSON representation
  {
    "namePattern": string
  }
Fields
namePattern

string

An image name pattern to allowlist, in the form registry/path/to/image. This supports a trailing * wildcard, but this is allowed only in text after the registry/ part. This also supports a trailing ** wildcard which matches subdirectories of a given entry.

AdmissionRule

An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.

Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.

JSON representation
  {
    "evaluationMode": enum (EvaluationMode),
    "requireAttestationsBy": [
      string
    ],
    "enforcementMode": enum (EnforcementMode)
  }
Fields
evaluationMode

enum ( EvaluationMode )

Required. How this admission rule will be evaluated.

requireAttestationsBy[]

string

Optional. The resource names of the attestors that must attest to a container image, in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource.

Note: this field must be non-empty when the evaluationMode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcementMode

enum ( EnforcementMode )

Required. The action when a pod creation is denied by the admission rule.

EvaluationMode

Enums
  EVALUATION_MODE_UNSPECIFIED: Do not use.
  ALWAYS_ALLOW: This rule allows all pod creations.
  REQUIRE_ATTESTATION: This rule allows a pod creation if all the attestors listed in requireAttestationsBy have valid attestations for all of the images in the pod spec.
  ALWAYS_DENY: This rule denies all pod creations.

EnforcementMode

Defines the possible actions when a pod creation is denied by an admission rule.

Enums
  ENFORCEMENT_MODE_UNSPECIFIED: Do not use.
  ENFORCED_BLOCK_AND_AUDIT_LOG: Enforce the admission rule by blocking the pod creation.
  DRYRUN_AUDIT_LOG_ONLY: Dryrun mode: audit logging only. This will allow the pod creation as if the admission request had specified break-glass.
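The following is an added example, not part of this reference and not Google's code: a small offline Python linter and evaluator for a Policy document. It checks the constraints stated above (defaultAdmissionRule is required, requireAttestationsBy is non-empty exactly when evaluationMode is REQUIRE_ATTESTATION, attestor names are projects/*/attestors/*, rule-map keys follow the documented spec formats, and namePattern wildcards are trailing and only after the registry/ part) and then reproduces the decision an AdmissionRule yields for a pod-creation request under each EvaluationMode and EnforcementMode, with allowlisted images exempted. Everything the page does not state is an assumption of this example and is marked as such in the code: the service-account key form namespace:serviceaccount, the character sets of the map keys, the precedence among the four rule maps (first map with a matching key wins, in page order), the reading of a trailing * as a single path segment, the stripping of tags and digests before matching, the attestations dict that stands in for real attestation verification, the decision strings ALLOW, ALLOW_DRYRUN and DENY, and the project, cluster, namespace, image and attestor names in the constructed sample policy.

```python
import re
# Rule-map key formats. Cluster, namespace and Istio forms are from this page; the
# service-account form "namespace:serviceaccount" and the exact charsets are assumptions.
KEY_SPECS = {
    "clusterAdmissionRules": re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+$"),  # location.clusterId
    "kubernetesNamespaceAdmissionRules": re.compile(r"^[a-z.-]+$"),
    "kubernetesServiceAccountAdmissionRules": re.compile(r"^[a-z0-9.-]+:[a-z0-9.-]+$"),
    "istioServiceIdentityAdmissionRules": re.compile(r"^(spiffe://)?[^/]+/ns/[^/]+/sa/[^/]+$"),
}
ATTESTOR = re.compile(r"^projects/[^/]+/attestors/[^/]+$")
EVAL_MODES = {"ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"}  # *_UNSPECIFIED: do not use
ENFORCE_MODES = {"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"}
# Assumption: the first map holding a key for the request wins, in page order; default is fallback.
RULE_MAPS = [("clusterAdmissionRules", "cluster"), ("kubernetesNamespaceAdmissionRules", "namespace"),
             ("kubernetesServiceAccountAdmissionRules", "serviceAccount"), ("istioServiceIdentityAdmissionRules", "istioIdentity")]

def validate_rule(rule: dict, where: str) -> list[str]:
    """Check one AdmissionRule against the constraints documented above."""
    errs, mode, attestors = [], rule.get("evaluationMode"), rule.get("requireAttestationsBy", [])
    if mode not in EVAL_MODES:
        errs.append(f"{where}: evaluationMode must be one of {sorted(EVAL_MODES)}")
    if rule.get("enforcementMode") not in ENFORCE_MODES:
        errs.append(f"{where}: enforcementMode must be one of {sorted(ENFORCE_MODES)}")
    if (mode == "REQUIRE_ATTESTATION") != bool(attestors):
        errs.append(f"{where}: requireAttestationsBy must be non-empty iff REQUIRE_ATTESTATION")
    errs += [f"{where}: bad attestor name {a!r}" for a in attestors if not ATTESTOR.match(a)]
    return errs

def validate_policy(policy: dict) -> list[str]:
    """Lint a whole Policy document before importing it; returns the problems found."""
    if "defaultAdmissionRule" not in policy:
        return ["defaultAdmissionRule is required"]
    errs = validate_rule(policy["defaultAdmissionRule"], "defaultAdmissionRule")
    for field, spec in KEY_SPECS.items():
        for key, rule in policy.get(field, {}).items():
            if not spec.match(key):
                errs.append(f"{field}: key {key!r} does not match the documented spec")
            errs += validate_rule(rule, f"{field}[{key}]")
    for entry in policy.get("admissionWhitelistPatterns", []):
        p = entry.get("namePattern", "")
        registry, _, path = p.partition("/")
        # wildcards only after "registry/", only trailing, and only as * or **
        if not path or "*" in registry or not re.fullmatch(r"[^*]*(\*\*?)?", path):
            errs.append(f"admissionWhitelistPatterns: invalid namePattern {p!r}")
    return errs

def allowlisted(policy: dict, image: str) -> bool:
    """True if an admissionWhitelistPattern exempts the image from the admission rules."""
    # Compare the repository path only (assumption: a pattern naming no tag/digest covers them all).
    head, _, last = image.split("@", 1)[0].rpartition("/")
    name = f"{head}/{last.split(':', 1)[0]}" if head else last.split(":", 1)[0]
    for entry in policy.get("admissionWhitelistPatterns", []):
        p = entry["namePattern"]
        if p.endswith("**"):  # the path and any depth of subdirectories
            ok = name.startswith(p[:-2])
        elif p.endswith("*"):  # assumption: exactly one trailing path segment, no further "/"
            ok = name.startswith(p[:-1]) and "/" not in name[len(p) - 1:]
        else:
            ok = name == p
        if ok:
            return True
    return False

def evaluate(policy: dict, request: dict, attestations: dict[str, set[str]]) -> tuple[str, str, list[str]]:
    """Decide one pod-creation request; returns (decision, rule that applied, violations). The
    attestations dict maps an image reference to the attestors holding a valid attestation for
    it and is a constructed stand-in for the real signature verification."""
    source, rule = "defaultAdmissionRule", policy["defaultAdmissionRule"]
    for field, attr in RULE_MAPS:
        if request.get(attr) in policy.get(field, {}):
            source, rule = f"{field}[{request[attr]}]", policy[field][request[attr]]
            break
    violations = []
    for image in request["images"]:
        if allowlisted(policy, image):
            continue  # exempt images never block a pod
        if rule["evaluationMode"] == "ALWAYS_DENY":
            violations.append(f"{image}: denied by ALWAYS_DENY")
        elif rule["evaluationMode"] == "REQUIRE_ATTESTATION":
            missing = set(rule["requireAttestationsBy"]) - attestations.get(image, set())
            if missing:
                violations.append(f"{image}: missing attestations from {sorted(missing)}")
    if violations and rule["enforcementMode"] != "DRYRUN_AUDIT_LOG_ONLY":
        return "DENY", source, violations
    return ("ALLOW_DRYRUN" if violations else "ALLOW"), source, violations  # dry run: logged, admitted

# Constructed sample policy for a hypothetical project "example-project".
CI, SEC = "projects/example-project/attestors/built-by-ci", "projects/example-project/attestors/security-reviewed"
SAMPLE_POLICY = {
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/google-containers/*"},
                                   {"namePattern": "gcr.io/gke-release/**"}],
    "defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION", "requireAttestationsBy": [CI],
                             "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
    "clusterAdmissionRules": {"us-central1-a.dev-cluster": {  # sandbox cluster: no gate
        "evaluationMode": "ALWAYS_ALLOW", "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"}},
    "kubernetesNamespaceAdmissionRules": {"payments": {  # stricter attestor set, still in dry run
        "evaluationMode": "REQUIRE_ATTESTATION", "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
        "requireAttestationsBy": [CI, SEC]}},
}
```

validate_policy returns an empty list for a clean document and one message per violated constraint otherwise, which is the check to run before importing a policy. evaluate returns the rule that applied together with the violations, so a DRYRUN_AUDIT_LOG_ONLY rule can be inspected for what it would have blocked once switched to ENFORCED_BLOCK_AND_AUDIT_LOG; in this sample the payments namespace rule admits an image attested only by built-by-ci but records the missing security-reviewed attestation.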

Methods

getIamPolicy

Gets the access control policy for a resource.

setIamPolicy

Sets the access control policy on the specified resource.

testIamPermissions

Returns permissions that a caller has on the specified resource.