Policy(mapping=None, *, ignore_unknown_fields=False, **kwargs)
A policy for container image binary authorization.
Attributes
| Name | Type | Description |
| --- | --- | --- |
| name | str | Output only. The resource name, in the format projects/*/policy. There is at most one policy per project. |
| description | str | Optional. A descriptive comment. |
| global_policy_evaluation_mode | google.cloud.binaryauthorization_v1.types.Policy.GlobalPolicyEvaluationMode | Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy. |
| admission_whitelist_patterns | Sequence[google.cloud.binaryauthorization_v1.types.AdmissionWhitelistPattern] | Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies. |
| cluster_admission_rules | Sequence[google.cloud.binaryauthorization_v1.types.Policy.ClusterAdmissionRulesEntry] | Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters. |
| kubernetes_namespace_admission_rules | Sequence[google.cloud.binaryauthorization_v1.types.Policy.KubernetesNamespaceAdmissionRulesEntry] | Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace' |
| kubernetes_service_account_admission_rules | Sequence[google.cloud.binaryauthorization_v1.types.Policy.KubernetesServiceAccountAdmissionRulesEntry] | Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. 'test-ns:default' |
| istio_service_identity_admission_rules | Sequence[google.cloud.binaryauthorization_v1.types.Policy.IstioServiceIdentityAdmissionRulesEntry] | Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe:// |
| default_admission_rule | google.cloud.binaryauthorization_v1.types.AdmissionRule | Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule. |
| update_time | google.protobuf.timestamp_pb2.Timestamp | Output only. Time when the policy was last updated. |
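An added example, not part of the library or of this reference page: a small linter that checks a policy against the field descriptions above. It assumes the policy is a plain dict keyed by this page's field names, with the per-scope rule fields as mappings from spec key to rule and enum values as name strings; `evaluation_mode` (on AdmissionRule) and `name_pattern` (on AdmissionWhitelistPattern) belong to the same API but are not documented on this page, and `audit_policy`, `KEY_FORMATS` and `SAMPLE_POLICY` are hypothetical names.

```python
import re

# Spec-key formats from the field descriptions above. The location and clusterId
# character sets are assumptions; the page defers clusterId syntax to the GKE reference.
KEY_FORMATS = {
    "cluster_admission_rules": re.compile(r"[a-z0-9-]+\.[^.\s]+"),
    "kubernetes_namespace_admission_rules": re.compile(r"[a-z.-]+"),
    "kubernetes_service_account_admission_rules": re.compile(r"[^:\s]+:[^:\s]+"),
    "istio_service_identity_admission_rules": re.compile(r"spiffe://\S+"),
}

def audit_policy(policy):
    """Return a sorted list of (field, key, finding) tuples for a policy dict."""
    findings = []

    def check_rule(field, key, rule):
        # ALWAYS_ALLOW admits every image the rule covers, with no attestation.
        if rule.get("evaluation_mode") == "ALWAYS_ALLOW":
            findings.append((field, key, "rule admits all images"))

    default = policy.get("default_admission_rule")
    if not default:
        findings.append(("default_admission_rule", "", "required field missing"))
    else:
        check_rule("default_admission_rule", "", default)
    for field, pattern in KEY_FORMATS.items():
        for key, rule in policy.get(field, {}).items():
            if not pattern.fullmatch(key):
                findings.append((field, key, "malformed spec key"))
            check_rule(field, key, rule)
    # A matching allowlist pattern is always permitted, so a wildcard widens the bypass.
    for entry in policy.get("admission_whitelist_patterns", []):
        name = entry.get("name_pattern", "")
        if name.endswith("*"):
            findings.append(("admission_whitelist_patterns", name, "wildcard exemption"))
    return sorted(findings)

# Constructed sample policy, not taken from any real project.
SAMPLE_POLICY = {
    "admission_whitelist_patterns": [{"name_pattern": "gcr.io/example-project/*"}],
    "cluster_admission_rules": {
        "us-central1-a.prod-cluster": {"evaluation_mode": "REQUIRE_ATTESTATION"},
        "prod-cluster": {"evaluation_mode": "ALWAYS_ALLOW"},  # key lacks the location part
    },
    "kubernetes_service_account_admission_rules": {"test-ns:default": {"evaluation_mode": "ALWAYS_DENY"}},
    "default_admission_rule": {"evaluation_mode": "ALWAYS_ALLOW"},
}
if __name__ == "__main__":
    print(*audit_policy(SAMPLE_POLICY), sep="\n")
```

Each finding names the field and spec key to review, so the output can feed a CI gate on policy changes before they are applied to a project.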
Classes
ClusterAdmissionRulesEntry
ClusterAdmissionRulesEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)
The abstract base class for a message.
| Name | Type | Description |
| --- | --- | --- |
| kwargs | dict | Keys and values corresponding to the fields of the message. |
| mapping | Union[dict, | A dictionary or message to be used to determine the values for this message. |
| ignore_unknown_fields | Optional(bool) | If True, do not raise errors for unknown fields. Only applied if |
GlobalPolicyEvaluationMode
GlobalPolicyEvaluationMode(value)
API documentation for binaryauthorization_v1.types.Policy.GlobalPolicyEvaluationMode class.
IstioServiceIdentityAdmissionRulesEntry
IstioServiceIdentityAdmissionRulesEntry(
mapping=None, *, ignore_unknown_fields=False, **kwargs
)
The abstract base class for a message.
| Name | Type | Description |
| --- | --- | --- |
| kwargs | dict | Keys and values corresponding to the fields of the message. |
| mapping | Union[dict, | A dictionary or message to be used to determine the values for this message. |
| ignore_unknown_fields | Optional(bool) | If True, do not raise errors for unknown fields. Only applied if |
KubernetesNamespaceAdmissionRulesEntry
KubernetesNamespaceAdmissionRulesEntry(
mapping=None, *, ignore_unknown_fields=False, **kwargs
)
The abstract base class for a message.
| Name | Type | Description |
| --- | --- | --- |
| kwargs | dict | Keys and values corresponding to the fields of the message. |
| mapping | Union[dict, | A dictionary or message to be used to determine the values for this message. |
| ignore_unknown_fields | Optional(bool) | If True, do not raise errors for unknown fields. Only applied if |
KubernetesServiceAccountAdmissionRulesEntry
KubernetesServiceAccountAdmissionRulesEntry(
mapping=None, *, ignore_unknown_fields=False, **kwargs
)
The abstract base class for a message.
| Name | Type | Description |
| --- | --- | --- |
| kwargs | dict | Keys and values corresponding to the fields of the message. |
| mapping | Union[dict, | A dictionary or message to be used to determine the values for this message. |
| ignore_unknown_fields | Optional(bool) | If True, do not raise errors for unknown fields. Only applied if |