BinaryAuthorizationPolicy

Property Value
Google Cloud Service Name Binary Authorization
Google Cloud Service Documentation /binary-authorization/docs/
Google Cloud REST Resource Name binaryauthorization/v1beta1/projects.policy
Google Cloud REST Resource Documentation /binary-authorization/docs/reference/rest/v1beta1/projects.policy
Config Connector Resource Short Names gcpbinaryauthorizationpolicy, gcpbinaryauthorizationpolicies, binaryauthorizationpolicy
Config Connector Service Name binaryauthorization.googleapis.com
Config Connector Resource Fully Qualified Name binaryauthorizationpolicies.binaryauthorization.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No

Custom Resource Definition Properties

Spec

Schema

  admissionWhitelistPatterns:
  - namePattern: string
  clusterAdmissionRules:
    string: object
  defaultAdmissionRule:
    enforcementMode: string
    evaluationMode: string
    requireAttestationsBy:
    - external: string
      name: string
      namespace: string
  description: string
  globalPolicyEvaluationMode: string
  istioServiceIdentityAdmissionRules:
    string: object
  kubernetesNamespaceAdmissionRules:
    string: object
  kubernetesServiceAccountAdmissionRules:
    string: object
  projectRef:
    external: string
    name: string
    namespace: string
Fields

admissionWhitelistPatterns

Optional

list (object)

Optional. Admission policy allowlisting. A matching admission request will always be permitted, with no attestation check at all, so every pattern here is an exemption from the policy. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies; keep each pattern scoped to the specific repositories you trust rather than to a whole registry, since a registry-wide pattern exempts any image anyone can host there.

admissionWhitelistPatterns.[]

Optional

object

admissionWhitelistPatterns.[].namePattern

Optional

string

An image name pattern to allowlist, in the form `registry/path/to/image`. This supports a trailing `*` as a wildcard, but this is allowed only in text after the `registry/` part.

clusterAdmissionRules

Optional

map (key: string, value: object)

Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.

defaultAdmissionRule

Required

object

Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-namespace, per-kubernetes-service-account, or per-istio-service-identity admission rule.

defaultAdmissionRule.enforcementMode

Required

string

Required. The action taken when a pod creation is denied by the admission rule: ENFORCED_BLOCK_AND_AUDIT_LOG blocks the pod and writes an audit log entry; DRYRUN_AUDIT_LOG_ONLY admits the pod and only writes the audit log entry, which is the setting to use while validating a new policy against real deployments before switching it to enforcement. ENFORCEMENT_MODE_UNSPECIFIED is the placeholder value of the API enum, not a mode to set. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY

defaultAdmissionRule.evaluationMode

Required

string

Required. How this admission rule will be evaluated: ALWAYS_ALLOW admits every image the rule applies to, ALWAYS_DENY rejects every image, and REQUIRE_ATTESTATION admits an image only if it carries a valid attestation from every attestor listed in requireAttestationsBy. Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION

defaultAdmissionRule.requireAttestationsBy

Optional

list (object)

Optional. The attestors that must have attested to a container image before it is admitted. Each entry references a BinaryAuthorizationAttestor, either one managed by Config Connector (by `name` and `namespace`) or an existing attestor (by `external`). The list must be non-empty when `evaluationMode` is REQUIRE_ATTESTATION; the sample policies below reference their attestor by `name`.

defaultAdmissionRule.requireAttestationsBy.[]

Optional

object

defaultAdmissionRule.requireAttestationsBy.[].external

Optional

string

The resource name of an attestor that is not managed by Config Connector, in the format `projects/*/attestors/*`.

defaultAdmissionRule.requireAttestationsBy.[].name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

defaultAdmissionRule.requireAttestationsBy.[].namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

description

Optional

string

Optional. A descriptive comment.

globalPolicyEvaluationMode

Optional

string

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy. Possible values: GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED, ENABLE, DISABLE

istioServiceIdentityAdmissionRules

Optional

map (key: string, value: object)

Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default

kubernetesNamespaceAdmissionRules

Optional

map (key: string, value: object)

Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'

kubernetesServiceAccountAdmissionRules

Optional

map (key: string, value: object)

Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount. e.g. 'test-ns:default'
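
The key formats and mode values listed above are easy to get subtly wrong in a manifest, and the API only reports them at apply time. The following lint, added here as an example and not part of Config Connector or the Binary Authorization API, checks a policy `spec` (as a dict, as a YAML loader would return it) against those constraints and against the wildcard rule from `namePattern`. The sample spec it checks is constructed for this example, modelled on the Cluster Policy sample below, with the project ID, attestor name and cluster names as placeholders. The regular expressions for cluster and service-account names are this example's own assumptions (lowercase DNS labels); the namespace format is the one the field reference gives; and the check that `requireAttestationsBy` is empty unless `evaluationMode` is REQUIRE_ATTESTATION reflects API behaviour that this page does not state.

```python
"""Lint a BinaryAuthorizationPolicy spec before it is applied.

Added example, not Config Connector or Google code. Checks the spec against
the constraints in the field reference: allowlist wildcards only after the
registry/ part, the key format of each per-scope rule map, the enumerated
mode values, and an attestor list that is non-empty exactly when
evaluationMode is REQUIRE_ATTESTATION. Also flags registry-wide exemptions.
"""
import re

# ENFORCEMENT_MODE_UNSPECIFIED is the placeholder zero value of the API enum,
# not a mode you set, so it is deliberately not accepted here.
ENFORCEMENT_MODES = {"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"}
EVALUATION_MODES = {"ALWAYS_ALLOW", "ALWAYS_DENY", "REQUIRE_ATTESTATION"}

# Rule-map key formats. Cluster and service-account names are assumed to be
# lowercase DNS labels (this example's assumption); the namespace pattern is
# the one the field reference gives verbatim.
RULE_KEY_FORMATS = {
    "clusterAdmissionRules": re.compile(r"^[a-z0-9-]+\.[a-z][a-z0-9-]*$"),  # location.clusterId
    "kubernetesNamespaceAdmissionRules": re.compile(r"^[a-z.-]+$"),  # [a-z.-]+
    "kubernetesServiceAccountAdmissionRules": re.compile(r"^[a-z.-]+:[a-z0-9.-]+$"),  # namespace:serviceaccount
    "istioServiceIdentityAdmissionRules": re.compile(r"^(spiffe://)?[^/]+/ns/[^/]+/sa/[^/]+$"),
}


def pattern_problems(pattern: str) -> list[str]:
    """Check one admissionWhitelistPatterns[].namePattern value."""
    problems = []
    registry, slash, path = pattern.partition("/")
    if not slash:
        return [f"{pattern!r}: expected the form registry/path/to/image"]
    if "*" in registry:
        problems.append(f"{pattern!r}: a wildcard is only allowed after the registry/ part")
    if "*" in path[:-1]:  # any * that is not the last character
        problems.append(f"{pattern!r}: only a single trailing * is supported")
    if path == "*":
        # Legal, but it exempts every image anyone can host on that registry.
        problems.append(f"{pattern!r}: exempts every image on {registry}; scope it to trusted repositories")
    return problems


def rule_problems(where: str, rule: dict) -> list[str]:
    """Check one admission rule (the default rule or a per-scope rule)."""
    problems = []
    enforcement = rule.get("enforcementMode")
    evaluation = rule.get("evaluationMode")
    if enforcement not in ENFORCEMENT_MODES:
        problems.append(f"{where}: enforcementMode {enforcement!r} is not one of {sorted(ENFORCEMENT_MODES)}")
    if evaluation not in EVALUATION_MODES:
        problems.append(f"{where}: evaluationMode {evaluation!r} is not one of {sorted(EVALUATION_MODES)}")
    attestors = rule.get("requireAttestationsBy") or []
    if evaluation == "REQUIRE_ATTESTATION" and not attestors:
        problems.append(f"{where}: REQUIRE_ATTESTATION needs at least one attestor in requireAttestationsBy")
    if evaluation in ("ALWAYS_ALLOW", "ALWAYS_DENY") and attestors:
        # API behaviour: attestor lists are only accepted on attestation rules.
        problems.append(f"{where}: requireAttestationsBy must be empty unless evaluationMode is REQUIRE_ATTESTATION")
    for i, ref in enumerate(attestors):
        if bool(ref.get("name")) == bool(ref.get("external")):
            problems.append(f"{where}.requireAttestationsBy[{i}]: give exactly one of name or external")
    return problems


def validate_policy(spec: dict) -> list[str]:
    """Return every problem found in a BinaryAuthorizationPolicy spec."""
    problems = []
    if "projectRef" not in spec:
        problems.append("projectRef is required")
    for entry in spec.get("admissionWhitelistPatterns") or []:
        problems += pattern_problems(entry.get("namePattern", ""))
    default = spec.get("defaultAdmissionRule")
    if default is None:
        problems.append("defaultAdmissionRule is required")
    else:
        problems += rule_problems("defaultAdmissionRule", default)
    for field, key_format in RULE_KEY_FORMATS.items():
        for key, rule in (spec.get(field) or {}).items():
            if not key_format.match(key):
                problems.append(f"{field}[{key!r}]: key does not match the documented format")
            problems += rule_problems(f"{field}[{key!r}]", rule)
    return problems


# Constructed sample spec with deliberate mistakes; names are placeholders.
SAMPLE_SPEC = {
    "projectRef": {"external": "example-project"},
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/*"},                        # exempts a whole registry
        {"namePattern": "gcr.io/example-project/base/*"},   # scoped to one repository: fine
        {"namePattern": "*.pkg.dev/example-project/app"},   # wildcard in the registry part
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": [],                        # no attestor named
    },
    "clusterAdmissionRules": {
        # Staged rollout: dry-run on staging first, enforce on prod.
        "us-central1.staging-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
            "requireAttestationsBy": [{"name": "build-attestor"}],
        },
        "prod-cluster": {                                   # missing the location prefix
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
            "requireAttestationsBy": [{"name": "build-attestor"}],
        },
    },
    "kubernetesServiceAccountAdmissionRules": {
        "test-namespace:default": {
            "evaluationMode": "ALWAYS_DENY",
            "enforcementMode": "ENFORCEMENT_MODE_UNSPECIFIED",  # placeholder value
        },
    },
}

if __name__ == "__main__":
    for problem in validate_policy(SAMPLE_SPEC):
        print("-", problem)
```

Run it against the loaded spec before `kubectl apply`. The malformed cluster key, the empty attestor list and the placeholder enforcement mode are errors the API would surface anyway; the registry-wide `gcr.io/*` pattern is the one it accepts silently, and that is the finding worth acting on, because any image under any project on that registry then bypasses attestation. For Google-maintained system images, `globalPolicyEvaluationMode: ENABLE` covers them without a registry-wide exemption.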

projectRef

Required

object

The Project that this resource belongs to.

projectRef.external

Optional

string

The project of the resource.

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  observedGeneration: integer
  selfLink: string
  updateTime: string
Fields
conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

selfLink

string

Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project.

updateTime

string

Output only. Time when the policy was last updated.

Sample YAML(s)

Cluster Policy

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
  kind: BinaryAuthorizationPolicy
  metadata:
    name: binaryauthorizationpolicy-sample-cluster
  spec:
    admissionWhitelistPatterns:
      - namePattern: "gcr.io/*"
    clusterAdmissionRules:
      us-west1-a.test-cluster:
        evaluationMode: "REQUIRE_ATTESTATION"
        requireAttestationsBy:
          - name: binaryauthorizationpolicy-dep-cluster
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    defaultAdmissionRule:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-cluster
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    description: A sample Binary Authorization policy with a cluster admission rule
    globalPolicyEvaluationMode: DISABLE
  ---
  apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
  kind: BinaryAuthorizationAttestor
  metadata:
    name: binaryauthorizationpolicy-dep-cluster
  spec:
    description: A sample binary authorization attestor.
    userOwnedDrydockNote:
      noteRef:
        name: binaryauthorizationpolicy-dep-cluster
  ---
  apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
  kind: ContainerAnalysisNote
  metadata:
    name: binaryauthorizationpolicy-dep-cluster
  spec:
    package:
      name: test-package

Default Policy

  apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
  kind: BinaryAuthorizationPolicy
  metadata:
    name: binaryauthorizationpolicy-sample-default
  spec:
    projectRef:
      name: binauthpolicy-dep-default
    admissionWhitelistPatterns:
      - namePattern: "gcr.io/google_containers/*"
      - namePattern: "gcr.io/google-containers/*"
      - namePattern: "k8s.gcr.io/*"
      - namePattern: "gke.gcr.io/*"
      - namePattern: "gcr.io/stackdriver-agents/*"
    defaultAdmissionRule:
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
      evaluationMode: "ALWAYS_ALLOW"
    globalPolicyEvaluationMode: ENABLE
  ---
  apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
  kind: Project
  metadata:
    annotations:
      cnrm.cloud.google.com/auto-create-network: "false"
    name: binauthpolicy-dep-default
  spec:
    name: Config Connector Sample
    folderRef:
      # Replace "${FOLDER_ID?}" with the numeric ID of the parent folder
      external: "${FOLDER_ID?}"
    billingAccountRef:
      # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
      external: "${BILLING_ACCOUNT_ID?}"
  ---
  apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
  kind: Service
  metadata:
    annotations:
      cnrm.cloud.google.com/project-id: binauthpolicy-dep-default
    name: binaryauthorizationpolicy-dep-default
  spec:
    resourceID: binaryauthorization.googleapis.com

Namespace Policy

  apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
  kind: BinaryAuthorizationPolicy
  metadata:
    name: binaryauthorizationpolicy-sample-namespace
  spec:
    admissionWhitelistPatterns:
      - namePattern: "gcr.io/*"
    kubernetesNamespaceAdmissionRules:
      test-namespace:
        evaluationMode: "REQUIRE_ATTESTATION"
        requireAttestationsBy:
          - name: binaryauthorizationpolicy-dep-namespace
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    defaultAdmissionRule:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-namespace
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    description: A sample Binary Authorization policy
    globalPolicyEvaluationMode: DISABLE
  ---
  apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
  kind: BinaryAuthorizationAttestor
  metadata:
    name: binaryauthorizationpolicy-dep-namespace
  spec:
    description: A sample binary authorization attestor.
    userOwnedDrydockNote:
      noteRef:
        name: binaryauthorizationpolicy-dep-namespace
  ---
  apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
  kind: ContainerAnalysisNote
  metadata:
    name: binaryauthorizationpolicy-dep-namespace
  spec:
    package:
      name: test-package

Service Account Policy

  apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
  kind: BinaryAuthorizationPolicy
  metadata:
    name: binaryauthorizationpolicy-sample-serviceaccount
  spec:
    admissionWhitelistPatterns:
      - namePattern: "gcr.io/*"
    kubernetesServiceAccountAdmissionRules:
      test-namespace:default:
        evaluationMode: "REQUIRE_ATTESTATION"
        requireAttestationsBy:
          - name: binaryauthorizationpolicy-dep-serviceaccount
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    defaultAdmissionRule:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-serviceaccount
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    description: A sample Binary Authorization policy
    globalPolicyEvaluationMode: DISABLE
  ---
  apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
  kind: BinaryAuthorizationAttestor
  metadata:
    name: binaryauthorizationpolicy-dep-serviceaccount
  spec:
    description: A sample binary authorization attestor.
    userOwnedDrydockNote:
      noteRef:
        name: binaryauthorizationpolicy-dep-serviceaccount
  ---
  apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
  kind: ContainerAnalysisNote
  metadata:
    name: binaryauthorizationpolicy-dep-serviceaccount
  spec:
    package:
      name: test-package

Service Identity Policy

  apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
  kind: BinaryAuthorizationPolicy
  metadata:
    name: binaryauthorizationpolicy-sample-serviceidentity
  spec:
    admissionWhitelistPatterns:
      - namePattern: "gcr.io/*"
    istioServiceIdentityAdmissionRules:
      spiffe://example.com/ns/test-ns/sa/default:
        evaluationMode: "REQUIRE_ATTESTATION"
        requireAttestationsBy:
          - name: binaryauthorizationpolicy-dep-serviceidentity
        enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    defaultAdmissionRule:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-serviceidentity
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    description: A sample Binary Authorization policy
    globalPolicyEvaluationMode: DISABLE
  ---
  apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
  kind: BinaryAuthorizationAttestor
  metadata:
    name: binaryauthorizationpolicy-dep-serviceidentity
  spec:
    description: A sample binary authorization attestor.
    userOwnedDrydockNote:
      noteRef:
        name: binaryauthorizationpolicy-dep-serviceidentity
  ---
  apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
  kind: ContainerAnalysisNote
  metadata:
    name: binaryauthorizationpolicy-dep-serviceidentity
  spec:
    package:
      name: test-package