Policy

A policy for Binary Authorization.

JSON representation
{
  "name": string,
  "description": string,
  "globalPolicyEvaluationMode": enum (GlobalPolicyEvaluationMode),
  "admissionWhitelistPatterns": [
    {
      object (AdmissionWhitelistPattern)
    }
  ],
  "clusterAdmissionRules": {
    string: {
      object (AdmissionRule)
    },
    ...
  },
  "kubernetesNamespaceAdmissionRules": {
    string: {
      object (AdmissionRule)
    },
    ...
  },
  "kubernetesServiceAccountAdmissionRules": {
    string: {
      object (AdmissionRule)
    },
    ...
  },
  "istioServiceIdentityAdmissionRules": {
    string: {
      object (AdmissionRule)
    },
    ...
  },
  "defaultAdmissionRule": {
    object (AdmissionRule)
  },
  "updateTime": string,
  "etag": string
}
Fields
name

string

Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.

description

string

Optional. A descriptive comment.

globalPolicyEvaluationMode

enum (GlobalPolicyEvaluationMode)

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.

admissionWhitelistPatterns[]

object (AdmissionWhitelistPattern)

Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.

clusterAdmissionRules

map (key: string, value: object (AdmissionRule))

Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

kubernetesNamespaceAdmissionRules

map (key: string, value: object (AdmissionRule))

Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. some-namespace


kubernetesServiceAccountAdmissionRules

map (key: string, value: object (AdmissionRule))

Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. test-ns:default


istioServiceIdentityAdmissionRules

map (key: string, value: object (AdmissionRule))

Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default


defaultAdmissionRule

object (AdmissionRule)

Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.

updateTime

string (Timestamp format)

Output only. Time when the policy was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

etag

string

Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.
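The following is an added example, not part of the API reference or Google's own code: a pre-submission lint that checks a Policy document for the required defaultAdmissionRule and for map keys that match the spec formats given in the field descriptions above. The function name lint_policy, the regular expressions and the sample policy are assumptions made for illustration; the cluster pattern checks only the location.clusterId shape because the clusterId grammar is defined elsewhere.

```python
import re

# Key formats taken from the field descriptions above. The page defers the
# clusterId grammar to another reference, so the cluster pattern only checks
# the "location.clusterId" shape (the location charset is an assumption).
KEY_FORMATS = {
    "clusterAdmissionRules": re.compile(r"[a-z0-9-]+\.[^.\s]+"),
    "kubernetesNamespaceAdmissionRules": re.compile(r"[a-z.-]+"),
    "kubernetesServiceAccountAdmissionRules": re.compile(r"[^:\s]+:[^:\s]+"),
    "istioServiceIdentityAdmissionRules": re.compile(
        r"(spiffe://)?[^/\s]+/ns/[^/\s]+/sa/[^/\s]+"),
}


def lint_policy(policy):
    """Return a list of (field, key, problem) tuples for a Policy dict."""
    findings = []
    if not isinstance(policy.get("defaultAdmissionRule"), dict):
        findings.append(("defaultAdmissionRule", None, "required field missing"))
    for field, pattern in KEY_FORMATS.items():
        rules = policy.get(field, {})
        if not isinstance(rules, dict):
            findings.append((field, None, "must be a map"))
            continue
        for key, rule in rules.items():
            if not pattern.fullmatch(key):
                findings.append((field, key, "key does not match spec format"))
            if not isinstance(rule, dict):
                findings.append((field, key, "value must be an AdmissionRule object"))
    return findings


# Constructed sample policy. AdmissionRule bodies are left empty because this
# page does not define that object's fields.
SAMPLE = {
    "defaultAdmissionRule": {},
    "clusterAdmissionRules": {"us-central1-a.prod-cluster": {}, "prod-cluster": {}},
    "kubernetesNamespaceAdmissionRules": {"some-namespace": {}, "Team_A": {}},
    "kubernetesServiceAccountAdmissionRules": {"test-ns:default": {}, "default": {}},
    "istioServiceIdentityAdmissionRules": {
        "spiffe://example.com/ns/test-ns/sa/default": {},
        "example.com/ns/test-ns/sa/default": {},
        "spiffe://example.com/test-ns/default": {},
    },
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```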