Method: projects.platforms.gke.policies.evaluate

HTTP request
Path parameters
Request body
- JSON representation
Response body
- JSON representation
Authorization scopes
Verdict
PodResult
- JSON representation
PodVerdict
ImageResult
- JSON representation
ImageVerdict
AllowlistResult
- JSON representation
CheckSetResult
- JSON representation
CheckResults
- JSON representation
CheckResult
- JSON representation
EvaluationResult
- JSON representation
CheckVerdict

Evaluates a Kubernetes object versus a GKE platform policy. Returns NOT_FOUND if the policy doesn't exist, INVALID_ARGUMENT if the policy or request is malformed and PERMISSION_DENIED if the client does not have sufficient permissions.

HTTP request

POST https://binaryauthorization.googleapis.com/v1/{name=projects/*/platforms/gke/policies/*}:evaluate

The URL uses gRPC Transcoding syntax.

Path parameters

Parameters

Parameters
`name`	`string` Required. The name of the `platform policy` to evaluate in the format `projects//platforms//policies/*`. Authorization requires the following IAM permission on the specified resource `name`: `binaryauthorization.platformPolicies.evaluatePolicy`

name

string

Required. The name of the platform policy to evaluate in the format projects/*/platforms/*/policies/*.

Authorization requires the following IAM permission on the specified resource name:

binaryauthorization.platformPolicies.evaluatePolicy

Request body

The request body contains data with the following structure:

JSON representation
{ "resource": { object } }

Fields

Fields
`resource`	`object (Struct format)` Required. JSON or YAML blob representing a Kubernetes resource.

resource

object (Struct format)

Required. JSON or YAML blob representing a Kubernetes resource.

Response body

Response message for PlatformPolicyEvaluationService.EvaluateGkePolicy.

If successful, the response body contains data with the following structure:

JSON representation
{ "verdict": enum (`Verdict`), "results": [ { object (`PodResult`) } ] }

Fields

Fields
`verdict`	`enum (Verdict)` The result of evaluating all Pods in the request.
`results[]`	`object (PodResult)` Evaluation result for each Pod contained in the request.

verdict

enum (Verdict)

The result of evaluating all Pods in the request.

results[]

object (PodResult)

Evaluation result for each Pod contained in the request.

Authorization scopes

Requires the following OAuth scope:

https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

Verdict

Whether the Pods passed, failed, or couldn't be evaluated.

Enums
`VERDICT_UNSPECIFIED`	Not specified. This should never be used.
`CONFORMANT`	All Pods in the request conform to the policy.
`NON_CONFORMANT`	At least one Pod does not conform to the policy.
`ERROR`	Encountered at least one error evaluating a Pod and all other Pods conform to the policy. Non-conformance has precedence over errors.

PodResult

Result of evaluating the whole GKE policy for one Pod.

JSON representation
{ "podName": string, "kubernetesNamespace": string, "kubernetesServiceAccount": string, "verdict": enum (`PodVerdict`), "imageResults": [ { object (`ImageResult`) } ] }

Fields
`podName`	`string` The name of the Pod.
`kubernetesNamespace`	`string` The Kubernetes namespace of the Pod.
`kubernetesServiceAccount`	`string` The Kubernetes service account of the Pod.
`verdict`	`enum (PodVerdict)` The result of evaluating this Pod.
`imageResults[]`	`object (ImageResult)` Per-image details.

PodVerdict

Whether the Pod passed, failed, or couldn't be evaluated.

Enums
`POD_VERDICT_UNSPECIFIED`	Not specified. This should never be used.
`CONFORMANT`	All images conform to the policy.
`NON_CONFORMANT`	At least one image does not conform to the policy.
`ERROR`	Encountered at least one error evaluating an image and all other images with non-error verdicts conform to the policy. Non-conformance has precedence over errors.

ImageResult

Result of evaluating one image.

JSON representation

JSON representation
{ "imageUri": string, "verdict": enum (`ImageVerdict`), "explanation": string, // Union field `result` can be only one of the following: "allowlistResult": { object (`AllowlistResult`) }, "checkSetResult": { object (`CheckSetResult`) } // End of list of possible types for union field `result`. }

{
  "imageUri": string,
  "verdict": enum (ImageVerdict),
  "explanation": string,

  // Union field result can be only one of the following:
  "allowlistResult": {
    object (AllowlistResult)
  },
  "checkSetResult": {
    object (CheckSetResult)
  }
  // End of list of possible types for union field result.
}

Fields
`imageUri`	`string` Image URI from the request.
`verdict`	`enum (ImageVerdict)` The result of evaluating this image.
`explanation`	`string` Explanation of this image result. Only populated if no check sets were evaluated.
Union field `result`. How the image was evaluated. `result` can be only one of the following:
`allowlistResult`	`object (AllowlistResult)` If the image was exempted by a top-level `allowPattern`, contains the allowlist pattern that the image name matched.
`checkSetResult`	`object (CheckSetResult)` If a check set was evaluated, contains the result of the check set. Empty if there were no check sets.

ImageVerdict

Whether the image passed, failed, or couldn't be evaluated.

Enums
`IMAGE_VERDICT_UNSPECIFIED`	Not specified. This should never be used.
`CONFORMANT`	Image conforms to the policy.
`NON_CONFORMANT`	Image does not conform to the policy.
`ERROR`	Error evaluating the image. Non-conformance has precedence over errors.

AllowlistResult

Result of evaluating an image name allowlist.

JSON representation
{ "matchedPattern": string }

Fields

Fields
`matchedPattern`	`string` The allowlist pattern that the image matched.

matchedPattern

string

The allowlist pattern that the image matched.

CheckSetResult

Result of evaluating one check set.

JSON representation

JSON representation
{ "index": string, "displayName": string, "scope": { object (`Scope`) }, "explanation": string, // Union field `result` can be only one of the following: "allowlistResult": { object (`AllowlistResult`) }, "checkResults": { object (`CheckResults`) } // End of list of possible types for union field `result`. }

{
  "index": string,
  "displayName": string,
  "scope": {
    object (Scope)
  },
  "explanation": string,

  // Union field result can be only one of the following:
  "allowlistResult": {
    object (AllowlistResult)
  },
  "checkResults": {
    object (CheckResults)
  }
  // End of list of possible types for union field result.
}

Fields
`index`	`string (int64 format)` The index of the check set.
`displayName`	`string` The name of the check set.
`scope`	`object (Scope)` The scope of the check set.
`explanation`	`string` Explanation of this check set result. Only populated if no checks were evaluated.
Union field `result`. How the check set was evaluated. `result` can be only one of the following:
`allowlistResult`	`object (AllowlistResult)` If the image was exempted by an `allowPattern` in the check set, contains the pattern that the image name matched.
`checkResults`	`object (CheckResults)` If checks were evaluated, contains the results of evaluating each check.

CheckResults

Result of evaluating one or more checks.

JSON representation
{ "results": [ { object (`CheckResult`) } ] }

Fields

Fields
`results[]`	`object (CheckResult)` Per-check details.

results[]

object (CheckResult)

Per-check details.

CheckResult

Result of evaluating one check.

JSON representation

JSON representation
{ "index": string, "displayName": string, "type": string, "explanation": string, // Union field `result` can be only one of the following: "allowlistResult": { object (`AllowlistResult`) }, "evaluationResult": { object (`EvaluationResult`) } // End of list of possible types for union field `result`. }

{
  "index": string,
  "displayName": string,
  "type": string,
  "explanation": string,

  // Union field result can be only one of the following:
  "allowlistResult": {
    object (AllowlistResult)
  },
  "evaluationResult": {
    object (EvaluationResult)
  }
  // End of list of possible types for union field result.
}

Fields
`index`	`string (int64 format)` The index of the check.
`displayName`	`string` The name of the check.
`type`	`string` The type of the check.
`explanation`	`string` Explanation of this check result.
Union field `result`. How the check was evaluated. `result` can be only one of the following:
`allowlistResult`	`object (AllowlistResult)` If the image was exempted by an `allowPattern` in the check, contains the pattern that the image name matched.
`evaluationResult`	`object (EvaluationResult)` If a check was evaluated, contains the result of the check.

EvaluationResult

Result of evaluating one check.

JSON representation
{ "verdict": enum (`CheckVerdict`) }

Fields

Fields
`verdict`	`enum (CheckVerdict)` The result of evaluating this check.

verdict

enum (CheckVerdict)

The result of evaluating this check.

CheckVerdict

Whether the check passed, failed, or couldn't be evaluated.

Enums
`CHECK_VERDICT_UNSPECIFIED`	Not specified. This should never be used.
`CONFORMANT`	The check was successfully evaluated and the image satisfied the check.
`NON_CONFORMANT`	The check was successfully evaluated and the image did not satisfy the check.
`ERROR`	The check was not successfully evaluated.