REST Resource: projects.policy

Resource: Policy

A policy for container image binary authorization.

JSON representation
{
  "name": string,
  "description": string,
  "globalPolicyEvaluationMode": enum (GlobalPolicyEvaluationMode),
  "admissionWhitelistPatterns": [
    {
      object (AdmissionWhitelistPattern)
    }
  ],
  "clusterAdmissionRules": {
    string: {
      object (AdmissionRule)
    },
    ...
  },
  "kubernetesNamespaceAdmissionRules": {
    string: {
      object (AdmissionRule)
    },
    ...
  },
  "kubernetesServiceAccountAdmissionRules": {
    string: {
      object (AdmissionRule)
    },
    ...
  },
  "istioServiceIdentityAdmissionRules": {
    string: {
      object (AdmissionRule)
    },
    ...
  },
  "defaultAdmissionRule": {
    object (AdmissionRule)
  },
  "updateTime": string,
  "etag": string
}
Fields
name

string

Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.

description

string

Optional. A descriptive comment.

globalPolicyEvaluationMode

enum (GlobalPolicyEvaluationMode)

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.

admissionWhitelistPatterns[]

object (AdmissionWhitelistPattern)

Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.

clusterAdmissionRules

map (key: string, value: object (AdmissionRule))

Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

kubernetesNamespaceAdmissionRules

map (key: string, value: object (AdmissionRule))

Optional. Per-Kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. some-namespace.

kubernetesServiceAccountAdmissionRules

map (key: string, value: object (AdmissionRule))

Optional. Per-Kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. test-ns:default.

istioServiceIdentityAdmissionRules

map (key: string, value: object (AdmissionRule))

Optional. Per-Istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default.

defaultAdmissionRule

object (AdmissionRule)

Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.

updateTime

string (Timestamp format)

Output only. Time when the policy was last updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

etag

string

Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.

GlobalPolicyEvaluationMode

Enums
GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED Not specified: DISABLE is assumed.
ENABLE Enables system policy evaluation.
DISABLE Disables system policy evaluation.

AdmissionWhitelistPattern

An admission allowlist pattern exempts images from checks by admission rules.

JSON representation
{
  "namePattern": string
}
Fields
namePattern

string

An image name pattern to allowlist, in the form registry/path/to/image. This supports a trailing * wildcard, but this is allowed only in text after the registry/ part. This also supports a trailing ** wildcard which matches subdirectories of a given entry.
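As an added example (not Google's code), the following Python validates namePattern entries against the rules just described and matches image references against them. It assumes that a trailing * stops at the next / while ** also crosses subdirectories, and that an image's :tag or @digest is ignored when matching; patterns that themselves contain a tag or digest are not handled.

```python
from __future__ import annotations
import re

# Added example, not Google's code. Implements the namePattern rules quoted above.
# Assumptions: "*" matches the rest of one path segment (stops at "/"), "**" also
# crosses into subdirectories, and an image's :tag or @digest is ignored when matching.


def name_pattern_error(pattern: str) -> str | None:
    """Return why the pattern breaks the documented rules, or None if it is acceptable."""
    if "/" not in pattern:
        return "pattern must have the form registry/path/to/image"
    registry, rest = pattern.split("/", 1)
    if "*" in registry:
        return "wildcards are only allowed in the text after registry/"
    body = rest.rstrip("*")
    if rest[len(body):] not in ("", "*", "**"):
        return "only a single trailing * or ** is supported"
    if "*" in body:
        return "the wildcard must be at the end of the pattern"
    return None


def pattern_to_regex(pattern: str) -> re.Pattern[str]:
    err = name_pattern_error(pattern)
    if err:
        raise ValueError(f"{pattern!r}: {err}")
    if pattern.endswith("**"):
        return re.compile(re.escape(pattern[:-2]) + r".*")    # any depth of subdirectories
    if pattern.endswith("*"):
        return re.compile(re.escape(pattern[:-1]) + r"[^/]*")  # stays inside one path segment
    return re.compile(re.escape(pattern))                      # exact repository path


def repository_of(image: str) -> str:
    """Strip a trailing @digest or :tag; a ':' before the last '/' is a registry port, not a tag."""
    image = image.split("@", 1)[0]
    colon = image.rfind(":")
    return image[:colon] if colon > image.rfind("/") else image


def is_allowlisted(image: str, patterns: list[str]) -> bool:
    """True if the image matches any admissionWhitelistPatterns entry, so admission rules are skipped."""
    repo = repository_of(image)
    return any(pattern_to_regex(p).fullmatch(repo) for p in patterns)
```

Running the validator over a policy's admissionWhitelistPatterns before applying it catches a pattern that would be rejected, and the matcher shows how broad a ** entry really is.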

AdmissionRule

An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.

Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.

JSON representation
{
  "evaluationMode": enum (EvaluationMode),
  "requireAttestationsBy": [
    string
  ],
  "enforcementMode": enum (EnforcementMode)
}
Fields
evaluationMode

enum (EvaluationMode)

Required. How this admission rule will be evaluated.

requireAttestationsBy[]

string

Optional. The resource names of the attestors that must attest to a container image, in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource.

Note: this field must be non-empty when the evaluationMode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcementMode

enum (EnforcementMode)

Required. The action when a pod creation is denied by the admission rule.

EvaluationMode

Enums
EVALUATION_MODE_UNSPECIFIED Do not use.
ALWAYS_ALLOW This rule allows all pod creations.
REQUIRE_ATTESTATION This rule allows a pod creation if all the attestors listed in requireAttestationsBy have valid attestations for all of the images in the pod spec.
ALWAYS_DENY This rule denies all pod creations.

EnforcementMode

Defines the possible actions when a pod creation is denied by an admission rule.

Enums
ENFORCEMENT_MODE_UNSPECIFIED Do not use.
ENFORCED_BLOCK_AND_AUDIT_LOG Enforce the admission rule by blocking the pod creation.
DRYRUN_AUDIT_LOG_ONLY Dryrun mode: Audit logging only. This will allow the pod creation as if the admission request had specified break-glass.
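An added example, not Google's code, that lints a Policy object against the field rules on this page: the required defaultAdmissionRule, the non-empty-iff-REQUIRE_ATTESTATION constraint on requireAttestationsBy, the projects/*/attestors/* attestor name format, the unusable *_UNSPECIFIED enum values, and the key formats of the four per-scope rule maps. The key regexes are an assumption drawn from the spec format descriptions; it also warns on DRYRUN_AUDIT_LOG_ONLY and ALWAYS_ALLOW rules, since neither blocks a pod creation.

```python
from __future__ import annotations
import re
# Added example, not Google's code: lints a Policy object against the field rules on this
# page. The key regexes are my reading of the spec formats quoted above (an assumption).
KEY_FORMATS = {
    "clusterAdmissionRules": re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+$"),          # location.clusterId
    "kubernetesNamespaceAdmissionRules": re.compile(r"^[a-z.-]+$"),
    "kubernetesServiceAccountAdmissionRules": re.compile(r"^[^:/]+:[^:/]+$"),  # namespace:serviceaccount
    "istioServiceIdentityAdmissionRules": re.compile(r"^(spiffe://)?[^/]+/ns/[^/]+/sa/[^/]+$"),
}
ATTESTOR = re.compile(r"^projects/[^/]+/attestors/[^/]+$")
EVAL_MODES = {"ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"}
ENFORCE_MODES = {"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"}


def lint_policy(policy: dict) -> tuple[list[str], list[str]]:
    """Return (errors, warnings): errors break documented rules, warnings are legal but weak settings."""
    errors, warnings = [], []

    def check_rule(where: str, rule: dict) -> None:
        mode = rule.get("evaluationMode", "EVALUATION_MODE_UNSPECIFIED")
        enforce = rule.get("enforcementMode", "ENFORCEMENT_MODE_UNSPECIFIED")
        attestors = rule.get("requireAttestationsBy", [])
        if mode not in EVAL_MODES or enforce not in ENFORCE_MODES:
            errors.append(f"{where}: unusable modes ({mode}, {enforce}); *_UNSPECIFIED must not be used")
        if (mode == "REQUIRE_ATTESTATION") != bool(attestors):  # non-empty iff REQUIRE_ATTESTATION
            errors.append(f"{where}: requireAttestationsBy must be set exactly when REQUIRE_ATTESTATION")
        errors.extend(f"{where}: malformed attestor name {a!r}" for a in attestors if not ATTESTOR.match(a))
        if enforce == "DRYRUN_AUDIT_LOG_ONLY":
            warnings.append(f"{where}: dry run, a denied pod is still admitted and only audit-logged")
        if mode == "ALWAYS_ALLOW":
            warnings.append(f"{where}: ALWAYS_ALLOW admits every image without attestation")

    if "defaultAdmissionRule" not in policy:
        errors.append("defaultAdmissionRule is required")
    else:
        check_rule("defaultAdmissionRule", policy["defaultAdmissionRule"])
    for field, key_re in KEY_FORMATS.items():  # the four per-scope rule maps
        for key, rule in policy.get(field, {}).items():
            if not key_re.match(key):
                errors.append(f"{field}[{key!r}]: key does not match the documented spec format")
            check_rule(f"{field}[{key!r}]", rule)
    return errors, warnings


SAMPLE_POLICY = {  # constructed sample, not taken from the page
    "name": "projects/example-project/policy",
    "defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION", "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
                             "requireAttestationsBy": ["projects/example-project/attestors/build-verifier"]},
    "clusterAdmissionRules": {"us-central1-a.dev-cluster": {"evaluationMode": "ALWAYS_ALLOW", "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY"}},
    "kubernetesNamespaceAdmissionRules": {"Prod": {"evaluationMode": "REQUIRE_ATTESTATION", "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"}},
}
```

On SAMPLE_POLICY the linter reports two errors for the "Prod" namespace entry (uppercase key, empty requireAttestationsBy) and two warnings for the dev cluster rule.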

Methods

getIamPolicy

Gets the access control policy for a resource.

setIamPolicy

Sets the access control policy on the specified resource.

testIamPermissions

Returns permissions that a caller has on the specified resource.