Policy

A policy for container image binary authorization.

JSON representation
{
  "name": string,
  "description": string,
  "globalPolicyEvaluationMode": enum (GlobalPolicyEvaluationMode),
  "admissionWhitelistPatterns": [
    {
      object (AdmissionWhitelistPattern)
    }
  ],
  "clusterAdmissionRules": {
    string: {
      object(AdmissionRule)
    },
    ...
  },
  "defaultAdmissionRule": {
    object (AdmissionRule)
  },
  "updateTime": string
}
Fields
name

string

Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.

description

string

Optional. A descriptive comment.

globalPolicyEvaluationMode

enum (GlobalPolicyEvaluationMode)

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.

admissionWhitelistPatterns[]

object (AdmissionWhitelistPattern)

Optional. Admission policy whitelisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.

clusterAdmissionRules

map (key: string, value: object (AdmissionRule))

Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

defaultAdmissionRule

object (AdmissionRule)

Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.

updateTime

string (Timestamp format)

Output only. Time when the policy was last updated.

A timestamp in RFC3339 UTC "Zulu" format, accurate to nanoseconds. Example: "2014-10-02T15:01:23.045123456Z".

GlobalPolicyEvaluationMode

Enums
GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED Not specified: DISABLE is assumed.
ENABLE Enables global policy evaluation.
DISABLE Disables global policy evaluation.

AdmissionWhitelistPattern

An admission whitelist pattern exempts images from checks by admission rules.

JSON representation
{
  "namePattern": string
}
Fields
namePattern

string

An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

AdmissionRule

An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.

Images matching an admission whitelist pattern are exempted from admission rules and will never block a pod creation.

JSON representation
{
  "evaluationMode": enum (EvaluationMode),
  "requireAttestationsBy": [
    string
  ],
  "enforcementMode": enum (EnforcementMode)
}
Fields
evaluationMode

enum (EvaluationMode)

Required. How this admission rule will be evaluated.

requireAttestationsBy[]

string

Optional. The resource names of the attestors that must attest to a container image, in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource.

Note: this field must be non-empty when the evaluationMode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcementMode

enum (EnforcementMode)

Required. The action when a pod creation is denied by the admission rule.

EvaluationMode

Enums
EVALUATION_MODE_UNSPECIFIED Do not use.
ALWAYS_ALLOW This rule allows all pod creations.
REQUIRE_ATTESTATION This rule allows a pod creation if all the attestors listed in 'requireAttestationsBy' have valid attestations for all of the images in the pod spec.
ALWAYS_DENY This rule denies all pod creations.

EnforcementMode

Defines the possible actions when a pod creation is denied by an admission rule.

Enums
ENFORCEMENT_MODE_UNSPECIFIED Do not use.
ENFORCED_BLOCK_AND_AUDIT_LOG Enforce the admission rule by blocking the pod creation.
DRYRUN_AUDIT_LOG_ONLY Dryrun mode: Audit logging only. This will allow the pod creation as if the admission request had specified break-glass.
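As an added example that is not part of this reference, the following Python models how a policy in the JSON shape documented above is applied to one pod-creation request: whitelist exemption, per-cluster rule selection with the default rule as fallback, the requireAttestationsBy consistency constraint, and dry-run enforcement. The project, attestor name, cluster spec and image names are constructed placeholders.

```python
# Added example (not the API's own code): a minimal model of policy evaluation.
# All resource names below are constructed placeholders.
POLICY = {  # constructed policy in the documented JSON shape
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/google-containers/*"}],
    "clusterAdmissionRules": {  # key format: location.clusterId
        "us-central1-a.prod-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "requireAttestationsBy": ["projects/example-project/attestors/qa-attestor"],
            "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"}},
    "defaultAdmissionRule": {  # applies to clusters without a per-cluster rule
        "evaluationMode": "ALWAYS_DENY", "requireAttestationsBy": [],
        "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY"}}

def validate_pattern(pattern):
    """A trailing '*' is the only wildcard, and only in the part after 'registry/'."""
    registry, _, path = pattern.partition("/")
    if "*" in registry or ("*" in path and not (path.endswith("*") and path.count("*") == 1)):
        raise ValueError(f"invalid namePattern: {pattern}")
    return registry, path

def matches_whitelist(image, pattern):
    registry, path = validate_pattern(pattern)
    prefix = f"{registry}/{path}"  # exact match, or prefix match when path ends in '*'
    return image.startswith(prefix[:-1]) if path.endswith("*") else image == prefix

def validate_rule(rule):
    """requireAttestationsBy must be non-empty iff evaluationMode is REQUIRE_ATTESTATION."""
    requires = rule["evaluationMode"] == "REQUIRE_ATTESTATION"
    if requires != bool(rule.get("requireAttestationsBy")):
        raise ValueError("requireAttestationsBy inconsistent with evaluationMode")
    return rule

def evaluate(policy, cluster_spec, images, attestations):
    """attestations: {image: set of attestor names holding a valid attestation}.
    Returns ALLOW, DENY, or DRYRUN_ALLOW (denied by the rule, but only audit-logged)."""
    rule = validate_rule(policy["clusterAdmissionRules"].get(cluster_spec, policy["defaultAdmissionRule"]))
    patterns = [p["namePattern"] for p in policy.get("admissionWhitelistPatterns", [])]
    checked = [i for i in images if not any(matches_whitelist(i, p) for p in patterns)]
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW" or not checked:  # whitelisted images never block a pod
        return "ALLOW"
    if mode == "REQUIRE_ATTESTATION" and all(
            set(rule["requireAttestationsBy"]) <= attestations.get(i, set()) for i in checked):
        return "ALLOW"
    return "DENY" if rule["enforcementMode"] == "ENFORCED_BLOCK_AND_AUDIT_LOG" else "DRYRUN_ALLOW"
```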
