public sealed class Policy : IMessage<Policy>, IEquatable<Policy>, IDeepCloneable<Policy>, IBufferMessage, IMessage
Reference documentation and code samples for the Binary Authorization v1 API class Policy.
A policy for container image binary authorization.
Namespace
Google.Cloud.BinaryAuthorization.V1
Assembly
Google.Cloud.BinaryAuthorization.V1.dll
Constructors
Policy()
public Policy()
Policy(Policy)
public Policy(Policy other)
Parameter
Name | Description |
---|---|
other | Policy |
Properties
AdmissionWhitelistPatterns
public RepeatedField<AdmissionWhitelistPattern> AdmissionWhitelistPatterns { get; }
Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
Property Value
Type | Description |
---|---|
RepeatedField<AdmissionWhitelistPattern> | |
ClusterAdmissionRules
public MapField<string, AdmissionRule> ClusterAdmissionRules { get; }
Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
Property Value
Type | Description |
---|---|
MapField<string, AdmissionRule> | |
DefaultAdmissionRule
public AdmissionRule DefaultAdmissionRule { get; set; }
Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
Property Value
Type | Description |
---|---|
AdmissionRule | |
Description
public string Description { get; set; }
Optional. A descriptive comment.
Property Value
Type | Description |
---|---|
string | |
GlobalPolicyEvaluationMode
public Policy.Types.GlobalPolicyEvaluationMode GlobalPolicyEvaluationMode { get; set; }
Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
Property Value
Type | Description |
---|---|
Policy.Types.GlobalPolicyEvaluationMode | |
IstioServiceIdentityAdmissionRules
public MapField<string, AdmissionRule> IstioServiceIdentityAdmissionRules { get; }
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount> e.g. spiffe://example.com/ns/test-ns/sa/default
Property Value
Type | Description |
---|---|
MapField<string, AdmissionRule> | |
KubernetesNamespaceAdmissionRules
public MapField<string, AdmissionRule> KubernetesNamespaceAdmissionRules { get; }
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'
Property Value
Type | Description |
---|---|
MapField<string, AdmissionRule> | |
KubernetesServiceAccountAdmissionRules
public MapField<string, AdmissionRule> KubernetesServiceAccountAdmissionRules { get; }
Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. 'test-ns:default'
Property Value
Type | Description |
---|---|
MapField<string, AdmissionRule> | |
Name
public string Name { get; set; }
Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.
Property Value
Type | Description |
---|---|
string | |
PolicyName
public PolicyName PolicyName { get; set; }
PolicyName-typed view over the Name resource name property.
Property Value
Type | Description |
---|---|
PolicyName | |
UpdateTime
public Timestamp UpdateTime { get; set; }
Output only. Time when the policy was last updated.
Property Value
Type | Description |
---|---|
Timestamp | |
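The key formats documented above for the four admission-rule maps can be checked before a policy is submitted. This is an added example, not part of the reference documentation or the library's samples. PolicyKeyAudit and its regular expressions are hypothetical; the patterns are transcribed from the property descriptions on this page and kept loose where the page defers elsewhere (clusterId syntax). AdmissionRule.EvaluationMode belongs to the same library but is not documented on this page.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Google.Cloud.BinaryAuthorization.V1;

// Hypothetical helper (not part of the library): lints a Policy before it is submitted.
public static class PolicyKeyAudit
{
    // Patterns follow the spec formats in the property descriptions. Location and
    // clusterId are matched loosely (assumption): clusterId syntax is defined elsewhere.
    static readonly Regex ClusterKey = new Regex(@"^[a-z0-9-]+\.[^.\s]+\z");
    static readonly Regex NamespaceKey = new Regex(@"^[a-z.-]+\z");
    static readonly Regex ServiceAccountKey = new Regex(@"^[^:\s]+:[^:\s]+\z");
    static readonly Regex IstioKey = new Regex(@"^(spiffe://)?[^/\s]+/ns/[^/\s]+/sa/[^/\s]+\z");

    public static List<string> Audit(Policy policy)
    {
        var findings = new List<string>();
        // DefaultAdmissionRule is Required and decides every request no other rule covers.
        if (policy.DefaultAdmissionRule == null)
            findings.Add("DefaultAdmissionRule is not set");
        else if (policy.DefaultAdmissionRule.EvaluationMode == AdmissionRule.Types.EvaluationMode.AlwaysAllow)
            findings.Add("DefaultAdmissionRule admits every image (AlwaysAllow)");
        Check(policy.ClusterAdmissionRules.Keys, ClusterKey, "cluster", findings);
        Check(policy.KubernetesNamespaceAdmissionRules.Keys, NamespaceKey, "namespace", findings);
        Check(policy.KubernetesServiceAccountAdmissionRules.Keys, ServiceAccountKey, "service account", findings);
        Check(policy.IstioServiceIdentityAdmissionRules.Keys, IstioKey, "Istio identity", findings);
        return findings;
    }

    static void Check(IEnumerable<string> keys, Regex format, string kind, List<string> findings)
    {
        foreach (var key in keys)
            if (!format.IsMatch(key))
                findings.Add($"{kind} rule key '{key}' does not match the documented format");
    }

    public static void Main()
    {
        // Constructed sample policy: two keys use '/' where the documented format needs '.' or ':'.
        var policy = new Policy { DefaultAdmissionRule = new AdmissionRule { EvaluationMode = AdmissionRule.Types.EvaluationMode.AlwaysAllow } };
        policy.ClusterAdmissionRules["us-central1-a.prod-cluster"] = new AdmissionRule();
        policy.ClusterAdmissionRules["us-central1-a/prod-cluster"] = new AdmissionRule();
        policy.KubernetesServiceAccountAdmissionRules["test-ns/default"] = new AdmissionRule();
        policy.IstioServiceIdentityAdmissionRules["spiffe://example.com/ns/test-ns/sa/default"] = new AdmissionRule();
        foreach (var finding in Audit(policy)) Console.WriteLine(finding);
    }
}
```

For the constructed policy, Audit returns three findings: the AlwaysAllow default rule and the two keys written with '/' as the separator.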