AdmissionRule(mapping=None, *, ignore_unknown_fields=False, **kwargs)
An [admission rule][google.cloud.binaryauthorization.v1beta1.AdmissionRule] specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.
Images matching an [admission allowlist pattern][google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern] are exempted from admission rules and will never block a pod creation.
Attributes
Name | Type | Description
--- | --- | ---
evaluation_mode | google.cloud.binaryauthorization_v1beta1.types.AdmissionRule.EvaluationMode | Required. How this admission rule will be evaluated.
require_attestations_by | Sequence[str] | Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy, the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`; otherwise it must be empty.
enforcement_mode | google.cloud.binaryauthorization_v1beta1.types.AdmissionRule.EnforcementMode | Required. The action taken when a pod creation is denied by the admission rule.
Classes
EnforcementMode
EnforcementMode(value)
Defines the possible actions when a pod creation is denied by an admission rule.
EvaluationMode
EvaluationMode(value)
Defines how an admission rule is evaluated: whether every container image in a pod creation request must be attested to by the rule's attestors, or whether all pod creations are allowed or all are denied.
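The constraints from the attribute table and the two enums above, written out as a pre-flight check that a practitioner can run on a rule before submitting a policy change: the `projects/*/attestors/*` name format, the coupling between `REQUIRE_ATTESTATION` and `require_attestations_by`, and the question of whether a given combination of evaluation and enforcement mode can block a pod at all. This is an added example, not code from the google-cloud-binaryauthorization library. It defines local stand-ins for `AdmissionRule`, `EvaluationMode` and `EnforcementMode` so that it runs offline; the enum member names (`ALWAYS_ALLOW`, `REQUIRE_ATTESTATION`, `ALWAYS_DENY`, `ENFORCED_BLOCK_AND_AUDIT_LOG`, `DRYRUN_AUDIT_LOG_ONLY`) are assumed to match the Binary Authorization API and are not taken from this page, and the sample rules and attestor names are constructed.

```python
"""Pre-flight checks for Binary Authorization admission rules.

Added example, not code from the google-cloud-binaryauthorization library.
The classes below are local stand-ins that mirror the shape of the
AdmissionRule message so the checks run offline; the enum member names are
assumed to match the Binary Authorization API.
"""
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class EvaluationMode(Enum):
    EVALUATION_MODE_UNSPECIFIED = 0
    ALWAYS_ALLOW = 1          # every pod creation is allowed
    REQUIRE_ATTESTATION = 2   # every image must be attested by the listed attestors
    ALWAYS_DENY = 3           # every pod creation is denied


class EnforcementMode(Enum):
    ENFORCEMENT_MODE_UNSPECIFIED = 0
    ENFORCED_BLOCK_AND_AUDIT_LOG = 1  # denied pods are blocked and logged
    DRYRUN_AUDIT_LOG_ONLY = 2         # denied pods are only logged, never blocked


@dataclass
class AdmissionRule:
    evaluation_mode: EvaluationMode = EvaluationMode.EVALUATION_MODE_UNSPECIFIED
    enforcement_mode: EnforcementMode = EnforcementMode.ENFORCEMENT_MODE_UNSPECIFIED
    require_attestations_by: List[str] = field(default_factory=list)


# Attestor resource name format from the field description: projects/*/attestors/*
ATTESTOR_NAME = re.compile(r"^projects/[^/]+/attestors/[^/]+$")


def validate_rule(rule: AdmissionRule) -> List[str]:
    """Return the problems that would make the API reject this rule (empty if valid)."""
    problems = []
    if rule.evaluation_mode is EvaluationMode.EVALUATION_MODE_UNSPECIFIED:
        problems.append("evaluation_mode is required")
    if rule.enforcement_mode is EnforcementMode.ENFORCEMENT_MODE_UNSPECIFIED:
        problems.append("enforcement_mode is required")
    needs_attestors = rule.evaluation_mode is EvaluationMode.REQUIRE_ATTESTATION
    if needs_attestors and not rule.require_attestations_by:
        problems.append("REQUIRE_ATTESTATION needs at least one attestor")
    if not needs_attestors and rule.require_attestations_by:
        problems.append("require_attestations_by must be empty unless REQUIRE_ATTESTATION")
    for name in rule.require_attestations_by:
        if not ATTESTOR_NAME.match(name):
            problems.append(f"attestor name not in projects/*/attestors/* form: {name}")
    return problems


def blocks_pods(rule: AdmissionRule) -> bool:
    """True only if the rule can actually stop a pod creation.

    An ALWAYS_ALLOW rule, or any rule whose enforcement mode is dry-run,
    produces audit log entries at most; it never blocks anything.
    """
    if validate_rule(rule):
        return False
    if rule.enforcement_mode is not EnforcementMode.ENFORCED_BLOCK_AND_AUDIT_LOG:
        return False
    return rule.evaluation_mode in (EvaluationMode.REQUIRE_ATTESTATION,
                                    EvaluationMode.ALWAYS_DENY)


def audit_rules(rules: Dict[str, AdmissionRule]) -> Dict[str, dict]:
    """Map each named rule to its validation problems and an 'enforced' verdict."""
    return {
        name: {"problems": validate_rule(rule), "enforced": blocks_pods(rule)}
        for name, rule in rules.items()
    }


# Constructed sample rules (not taken from any real policy).
SAMPLE_RULES = {
    "prod": AdmissionRule(
        EvaluationMode.REQUIRE_ATTESTATION,
        EnforcementMode.ENFORCED_BLOCK_AND_AUDIT_LOG,
        ["projects/example-project/attestors/build-verified"],
    ),
    # Looks strict but only logs: dry-run enforcement.
    "staging": AdmissionRule(
        EvaluationMode.REQUIRE_ATTESTATION,
        EnforcementMode.DRYRUN_AUDIT_LOG_ONLY,
        ["projects/example-project/attestors/build-verified"],
    ),
    # Rejected by the API: REQUIRE_ATTESTATION with no attestors.
    "broken": AdmissionRule(
        EvaluationMode.REQUIRE_ATTESTATION,
        EnforcementMode.ENFORCED_BLOCK_AND_AUDIT_LOG,
    ),
    # Rejected by the API: attestors listed on a rule that never checks them,
    # and the name is not in projects/*/attestors/* form.
    "allow-all": AdmissionRule(
        EvaluationMode.ALWAYS_ALLOW,
        EnforcementMode.ENFORCED_BLOCK_AND_AUDIT_LOG,
        ["attestors/build-verified"],
    ),
}

if __name__ == "__main__":
    for name, verdict in audit_rules(SAMPLE_RULES).items():
        print(name, verdict)
```

The `blocks_pods` verdict is the one worth wiring into a policy review: a rule that passes validation can still be a no-op in practice when its enforcement mode is dry-run, and images matching an admission allowlist pattern bypass the rule entirely, so both need checking alongside the rule itself.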