An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.

JSON representation |
---|
{ "evaluationMode": enum ( |
Fields | |
---|---|
evaluationMode | Required. How this admission rule will be evaluated. |
requireAttestationsBy[] | Optional. The resource names of the attestors that must attest to a container image, in the format Note: this field must be non-empty when the evaluationMode field specifies REQUIRE_ATTESTATION, otherwise it must be empty. |
enforcementMode | Required. The action when a pod creation is denied by the admission rule. |
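
The field rules above can be checked before a policy is applied. The following linter is an added example, not part of the API reference: it enforces the required fields and the `requireAttestationsBy[]` constraint, and flags rules that are valid but weak. Enum names other than `REQUIRE_ATTESTATION` are assumed from the Binary Authorization API, and `lint_admission_rule`, the project and the attestor name are hypothetical.

```python
# Enum names other than REQUIRE_ATTESTATION are assumed from the
# Binary Authorization API; they are not listed on this page.
EVALUATION_MODES = {"ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"}
ENFORCEMENT_MODES = {"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"}


def lint_admission_rule(rule):
    """Return (errors, warnings) for one AdmissionRule dict."""
    errors, warnings = [], []
    mode = rule.get("evaluationMode")
    enforcement = rule.get("enforcementMode")
    attestors = rule.get("requireAttestationsBy") or []
    if mode not in EVALUATION_MODES:
        errors.append(f"evaluationMode is required, got {mode!r}")
    if enforcement not in ENFORCEMENT_MODES:
        errors.append(f"enforcementMode is required, got {enforcement!r}")
    # Cross-field constraint from the requireAttestationsBy[] note.
    if mode == "REQUIRE_ATTESTATION" and not attestors:
        errors.append("REQUIRE_ATTESTATION needs at least one attestor")
    if mode in ("ALWAYS_ALLOW", "ALWAYS_DENY") and attestors:
        errors.append(f"requireAttestationsBy must be empty for {mode}")
    # Valid but weak settings a reviewer would want surfaced.
    if mode == "ALWAYS_ALLOW":
        warnings.append("rule admits every image without attestation")
    if enforcement == "DRYRUN_AUDIT_LOG_ONLY" and mode != "ALWAYS_ALLOW":
        warnings.append("dry run: denials are logged, pods are still created")
    return errors, warnings


# Constructed sample rules; the attestor name is a placeholder.
ATTESTOR = "projects/example-project/attestors/example-attestor"
SAMPLE_RULES = {
    "attested": {"evaluationMode": "REQUIRE_ATTESTATION",
                 "requireAttestationsBy": [ATTESTOR],
                 "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
    "no_attestor": {"evaluationMode": "REQUIRE_ATTESTATION",
                    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
    "deny_with_attestor": {"evaluationMode": "ALWAYS_DENY",
                           "requireAttestationsBy": [ATTESTOR],
                           "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
    "open_dry_run": {"evaluationMode": "ALWAYS_ALLOW",
                     "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY"},
}

if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        print(name, lint_admission_rule(rule))
```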