BinaryAuthorizationPolicy


Property                                                          Value
Google Cloud Service Name                                         Binary Authorization
Google Cloud Service Documentation                                /binary-authorization/docs/
Google Cloud REST Resource Name                                   binaryauthorization/v1beta1/projects.policy
Google Cloud REST Resource Documentation                          /binary-authorization/docs/reference/rest/v1beta1/projects.policy
Config Connector Resource Short Names                             gcpbinaryauthorizationpolicy
                                                                  gcpbinaryauthorizationpolicies
                                                                  binaryauthorizationpolicy
Config Connector Service Name                                     binaryauthorization.googleapis.com
Config Connector Resource Fully Qualified Name                    binaryauthorizationpolicies.binaryauthorization.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember                    Yes
IAMPolicy/IAMPartialPolicy Supports Conditions                    Yes
IAMPolicyMember Supports Conditions                               No
Supports IAM Audit Configs                                        No
IAM External Reference Format                                     projects/{{project}}/policy
Config Connector Default Average Reconcile Interval In Seconds    600

Custom Resource Definition Properties

Spec

Schema

admissionWhitelistPatterns:
- namePattern: string
clusterAdmissionRules:
  string: object
defaultAdmissionRule:
  enforcementMode: string
  evaluationMode: string
  requireAttestationsBy:
  - external: string
    name: string
    namespace: string
description: string
globalPolicyEvaluationMode: string
istioServiceIdentityAdmissionRules:
  string: object
kubernetesNamespaceAdmissionRules:
  string: object
kubernetesServiceAccountAdmissionRules:
  string: object
projectRef:
  external: string
  name: string
  namespace: string

Fields

admissionWhitelistPatterns

Optional

list (object)

Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.

admissionWhitelistPatterns[]

Optional

object

admissionWhitelistPatterns[].namePattern

Optional

string

An image name pattern to allowlist, in the form `registry/path/to/image`. This supports a trailing `*` as a wildcard, but this is allowed only in text after the `registry/` part.

clusterAdmissionRules

Optional

map (key: string, value: object)

Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.

defaultAdmissionRule

Required

object

Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.

defaultAdmissionRule.enforcementMode

Required

string

Required. The action when a pod creation is denied by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY

defaultAdmissionRule.evaluationMode

Required

string

Required. How this admission rule will be evaluated. Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION

defaultAdmissionRule.requireAttestationsBy

Optional

list (object)

defaultAdmissionRule.requireAttestationsBy[]

Optional

object

defaultAdmissionRule.requireAttestationsBy[].external

Optional

string

Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor` resource (format: `projects/{{project}}/attestors/{{name}}`).

defaultAdmissionRule.requireAttestationsBy[].name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

defaultAdmissionRule.requireAttestationsBy[].namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

description

Optional

string

Optional. A descriptive comment.

globalPolicyEvaluationMode

Optional

string

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy. Possible values: GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED, ENABLE, DISABLE

istioServiceIdentityAdmissionRules

Optional

map (key: string, value: object)

Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default

kubernetesNamespaceAdmissionRules

Optional

map (key: string, value: object)

Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'

kubernetesServiceAccountAdmissionRules

Optional

map (key: string, value: object)

Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount. e.g. 'test-ns:default'
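The field semantics above (allowlist patterns, the per-cluster/namespace/service-account/service-identity rule maps, the fallback to defaultAdmissionRule, and the three evaluationMode and two enforcementMode values) modelled as a small Python evaluator. This is an added example, not Config Connector or Binary Authorization code, and it goes slightly beyond the text by also linting a spec for weak settings. Assumptions not stated on the page: attestations are tracked as the set of attestor names that signed an image and every attestor in requireAttestationsBy must be present; tags and digests are ignored when matching a namePattern; when more than one specific rule matches a workload, the first in _SPECIFIC_RULES order is used. SAMPLE_SPEC is a constructed dict mirroring the "Cluster Policy" sample further down the page.

```python
"""Model of how a BinaryAuthorizationPolicy spec picks an admission rule for a
workload and what the rule's modes mean.  Added example, not Config Connector or
Binary Authorization code: it re-implements only the field semantics documented
above.  Assumptions not on the page: attestations are tracked as the set of attestor
names that signed the image and every attestor in requireAttestationsBy must be
present; tags and digests are ignored when matching namePattern; when several
specific rules match one workload, the first in _SPECIFIC_RULES order is used."""
from dataclasses import dataclass
import re

# namePattern is `registry/path/to/image` with an optional trailing `*`; the `*`
# may appear only in the text after the `registry/` part.
_PATTERN_RE = re.compile(r"[^/*]+/(?:[^*]+\*?|\*)")

def is_valid_name_pattern(pattern: str) -> bool:
    return _PATTERN_RE.fullmatch(pattern) is not None

def image_matches(pattern: str, image: str) -> bool:
    if not is_valid_name_pattern(pattern):
        raise ValueError(f"invalid namePattern {pattern!r}")
    head, _, last = image.split("@", 1)[0].rpartition("/")   # drop digest ...
    repo = f"{head}/{last.split(':', 1)[0]}" if head else last.split(":", 1)[0]  # ... and tag
    return repo.startswith(pattern[:-1]) if pattern.endswith("*") else repo == pattern

@dataclass(frozen=True)
class Workload:
    image: str
    cluster: str               # location.clusterId, e.g. us-west1-a.test-cluster
    namespace: str
    service_account: str
    istio_identity: str = ""   # e.g. spiffe://example.com/ns/test-ns/sa/default
    attested_by: frozenset = frozenset()   # attestor names that signed the image

# (map field, function giving that map's key for a workload), in lookup order
_SPECIFIC_RULES = [
    ("clusterAdmissionRules", lambda w: w.cluster),
    ("kubernetesNamespaceAdmissionRules", lambda w: w.namespace),
    ("kubernetesServiceAccountAdmissionRules", lambda w: f"{w.namespace}:{w.service_account}"),
    ("istioServiceIdentityAdmissionRules", lambda w: w.istio_identity),
]

def select_rule(spec: dict, w: Workload):
    """First specific rule keyed by the workload, else defaultAdmissionRule."""
    for name, key_of in _SPECIFIC_RULES:
        rule = spec.get(name, {}).get(key_of(w))
        if rule is not None:
            return f"{name}[{key_of(w)}]", rule
    return "defaultAdmissionRule", spec["defaultAdmissionRule"]

def evaluate(spec: dict, w: Workload):
    """Outcome of a pod creation: ('allow' | 'block' | 'audit-only', reason)."""
    for entry in spec.get("admissionWhitelistPatterns", []):
        if image_matches(entry["namePattern"], w.image):
            return "allow", f"allowlisted by {entry['namePattern']}"
    source, rule = select_rule(spec, w)
    if rule["evaluationMode"] == "ALWAYS_ALLOW":
        return "allow", f"{source}: ALWAYS_ALLOW"
    if rule["evaluationMode"] == "ALWAYS_DENY":
        violation = "ALWAYS_DENY"
    else:  # REQUIRE_ATTESTATION
        required = {a["name"] for a in rule.get("requireAttestationsBy", [])}
        missing = sorted(required - set(w.attested_by))
        if not missing:
            return "allow", f"{source}: attested by {sorted(required)}"
        violation = f"missing attestations from {missing}"
    if rule["enforcementMode"] == "ENFORCED_BLOCK_AND_AUDIT_LOG":
        return "block", f"{source}: {violation}"
    return "audit-only", f"{source}: {violation} (DRYRUN_AUDIT_LOG_ONLY: logged, pod admitted)"

def lint(spec: dict) -> list:
    """Settings that weaken the policy, each naming the field involved."""
    findings = []
    for entry in spec.get("admissionWhitelistPatterns", []):
        p = entry["namePattern"]
        if re.fullmatch(r"[^/]+/\*", p):   # e.g. gcr.io/*
            findings.append(f"admissionWhitelistPatterns {p}: exempts every image on that registry")
    rules = [("defaultAdmissionRule", spec["defaultAdmissionRule"])]
    for name, _ in _SPECIFIC_RULES:
        rules += [(f"{name}[{k}]", r) for k, r in spec.get(name, {}).items()]
    for source, rule in rules:
        if rule["enforcementMode"] == "DRYRUN_AUDIT_LOG_ONLY":
            findings.append(f"{source}: dry run, violations are logged but the pod is admitted")
        if source == "defaultAdmissionRule" and rule["evaluationMode"] == "ALWAYS_ALLOW":
            findings.append(f"{source}: ALWAYS_ALLOW admits any image that no specific rule covers")
    return findings

# Constructed spec mirroring the "Cluster Policy" sample later on this page.
_ATTEST = {
    "evaluationMode": "REQUIRE_ATTESTATION",
    "requireAttestationsBy": [{"name": "binaryauthorizationpolicy-dep-cluster"}],
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
}
SAMPLE_SPEC = {
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/*"}],
    "clusterAdmissionRules": {"us-west1-a.test-cluster": dict(_ATTEST)},
    "defaultAdmissionRule": dict(_ATTEST),
}
```

Running `lint(SAMPLE_SPEC)` reports the one thing worth noticing in that sample: the allowlist entry `gcr.io/*` matches any image name beginning with `gcr.io/`, so every image on that registry, whichever project it belongs to, is admitted without passing through the attestation rules. `evaluate` shows the other half of the picture: an unattested `docker.io` image on `us-west1-a.test-cluster` is blocked under ENFORCED_BLOCK_AND_AUDIT_LOG but only logged under DRYRUN_AUDIT_LOG_ONLY.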

projectRef

Required

object

Immutable. The Project that this resource belongs to.

projectRef.external

Optional

string

The project of the resource. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
observedGeneration: integer
selfLink: string
updateTime: string

Fields

conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

selfLink

string

Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project.

updateTime

string

Output only. Time when the policy was last updated.
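The observedGeneration rule above is the check most often skipped when reading this status: after a spec change, a Ready condition that is still True describes the previous generation, not the policy just applied. The following is an added Python example, not Config Connector code, that applies that rule together with the condition fields documented above. It assumes (the page does not say) that readiness is reported as a condition of type "Ready" with status "True"; STALE_POLICY is a constructed object, and its reason and message strings are constructed too.

```python
"""Decide whether a Config Connector resource's reported status is current and
Ready.  Added example, not Config Connector code; it applies the observedGeneration
rule and the condition fields documented above.  Assumption not on the page:
readiness is reported as a condition of type "Ready" with status "True"."""
from dataclasses import dataclass

@dataclass(frozen=True)
class StatusReport:
    current: bool   # status.observedGeneration == metadata.generation
    ready: bool     # Ready condition has status True (meaningful only if current)
    detail: str

def assess(obj: dict) -> StatusReport:
    generation = obj["metadata"]["generation"]
    status = obj.get("status", {})
    observed = status.get("observedGeneration")
    if observed != generation:
        # The controller has not yet reconciled the latest spec: any Ready=True
        # here describes the previous generation, not the policy just applied.
        return StatusReport(False, False,
                            f"status covers generation {observed}, spec is at {generation}")
    ready = next((c for c in status.get("conditions", []) if c.get("type") == "Ready"), None)
    if ready is None:
        return StatusReport(True, False, "no Ready condition reported")
    return StatusReport(True, ready.get("status") == "True",
                        f"{ready.get('reason')}: {ready.get('message')}")

# Constructed object: the spec was edited (generation 2) but the controller's last
# observation (generation 1) still carries a Ready=True condition.
STALE_POLICY = {
    "apiVersion": "binaryauthorization.cnrm.cloud.google.com/v1beta1",
    "kind": "BinaryAuthorizationPolicy",
    "metadata": {"name": "binaryauthorizationpolicy-sample-cluster", "generation": 2},
    "status": {
        "observedGeneration": 1,
        "conditions": [{"type": "Ready", "status": "True", "reason": "UpToDate",
                        "message": "constructed sample message",
                        "lastTransitionTime": "2024-01-01T00:00:00Z"}],
    },
}

if __name__ == "__main__":
    print(assess(STALE_POLICY))
```

A wait loop that polls `assess(obj)` until `current and ready` holds avoids acting on a stale Ready=True; a loop that only inspects `conditions` does not.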

Sample YAML(s)

Cluster Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/*"
  clusterAdmissionRules:
    us-west1-a.test-cluster:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-cluster
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  defaultAdmissionRule:
    evaluationMode: "REQUIRE_ATTESTATION"
    requireAttestationsBy:
      - name: binaryauthorizationpolicy-dep-cluster
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  description: A sample Binary Authorization policy with a cluster admission rule
  globalPolicyEvaluationMode: DISABLE
---
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationAttestor
metadata:
  name: binaryauthorizationpolicy-dep-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  description: A sample binary authorization attestor.
  userOwnedDrydockNote:
    noteRef:
      name: binaryauthorizationpolicy-dep-cluster
---
apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: binaryauthorizationpolicy-dep-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  package:
    name: test-package
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: binauthzpolicy-dep-cluster
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep1-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  resourceID: containeranalysis.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep2-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  resourceID: binaryauthorization.googleapis.com

Default Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-default
spec:
  projectRef:
    name: binauthpolicy-dep-default
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/google_containers/*"
    - namePattern: "gcr.io/google-containers/*"
    - namePattern: "registry.k8s.io/*"
    - namePattern: "gke.gcr.io/*"
    - namePattern: "gcr.io/stackdriver-agents/*"
  defaultAdmissionRule:
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    evaluationMode: "ALWAYS_ALLOW"
  globalPolicyEvaluationMode: ENABLE
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  annotations:
    cnrm.cloud.google.com/auto-create-network: "false"
  name: binauthpolicy-dep-default
spec:
  name: Config Connector Sample
  folderRef:
    # Replace "${FOLDER_ID?}" with the numeric ID of the parent folder
    external: "${FOLDER_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: binauthpolicy-dep-default
  name: binaryauthorizationpolicy-dep-default
spec:
  resourceID: binaryauthorization.googleapis.com

Namespace Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/*"
  kubernetesNamespaceAdmissionRules:
    test-namespace:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-namespace
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  defaultAdmissionRule:
    evaluationMode: "REQUIRE_ATTESTATION"
    requireAttestationsBy:
      - name: binaryauthorizationpolicy-dep-namespace
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  description: A sample Binary Authorization policy
  globalPolicyEvaluationMode: DISABLE
---
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationAttestor
metadata:
  name: binaryauthorizationpolicy-dep-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  description: A sample binary authorization attestor.
  userOwnedDrydockNote:
    noteRef:
      name: binaryauthorizationpolicy-dep-namespace
---
apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: binaryauthorizationpolicy-dep-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  package:
    name: test-package
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: binauthzpolicy-dep-namespace
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep1-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  resourceID: containeranalysis.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep2-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  resourceID: binaryauthorization.googleapis.com

Service Account Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/*"
  kubernetesServiceAccountAdmissionRules:
    test-namespace:default:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-serviceaccount
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  defaultAdmissionRule:
    evaluationMode: "REQUIRE_ATTESTATION"
    requireAttestationsBy:
      - name: binaryauthorizationpolicy-dep-serviceaccount
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  description: A sample Binary Authorization policy
  globalPolicyEvaluationMode: DISABLE
---
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationAttestor
metadata:
  name: binaryauthorizationpolicy-dep-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  description: A sample binary authorization attestor.
  userOwnedDrydockNote:
    noteRef:
      name: binaryauthorizationpolicy-dep-serviceaccount
---
apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: binaryauthorizationpolicy-dep-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  package:
    name: test-package
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: binauthzpolicy-dep-sa
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep1-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  resourceID: containeranalysis.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep2-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  resourceID: binaryauthorization.googleapis.com

Service Identity Policy

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/*"
  istioServiceIdentityAdmissionRules:
    spiffe://example.com/ns/test-ns/sa/default:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-serviceidentity
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  defaultAdmissionRule:
    evaluationMode: "REQUIRE_ATTESTATION"
    requireAttestationsBy:
      - name: binaryauthorizationpolicy-dep-serviceidentity
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  description: A sample Binary Authorization policy
  globalPolicyEvaluationMode: DISABLE
---
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationAttestor
metadata:
  name: binaryauthorizationpolicy-dep-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  description: A sample binary authorization attestor.
  userOwnedDrydockNote:
    noteRef:
      name: binaryauthorizationpolicy-dep-serviceidentity
---
apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: binaryauthorizationpolicy-dep-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  package:
    name: test-package
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: binauthzpolicy-dep-si
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep1-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  resourceID: containeranalysis.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep2-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  resourceID: binaryauthorization.googleapis.com