public final class Policy extends GeneratedMessageV3 implements PolicyOrBuilder
A policy for Binary Authorization.
Protobuf type google.cloud.binaryauthorization.v1beta1.Policy
Static Fields
ADMISSION_WHITELIST_PATTERNS_FIELD_NUMBER
public static final int ADMISSION_WHITELIST_PATTERNS_FIELD_NUMBER
Field Value
CLUSTER_ADMISSION_RULES_FIELD_NUMBER
public static final int CLUSTER_ADMISSION_RULES_FIELD_NUMBER
Field Value
DEFAULT_ADMISSION_RULE_FIELD_NUMBER
public static final int DEFAULT_ADMISSION_RULE_FIELD_NUMBER
Field Value
DESCRIPTION_FIELD_NUMBER
public static final int DESCRIPTION_FIELD_NUMBER
Field Value
GLOBAL_POLICY_EVALUATION_MODE_FIELD_NUMBER
public static final int GLOBAL_POLICY_EVALUATION_MODE_FIELD_NUMBER
Field Value
ISTIO_SERVICE_IDENTITY_ADMISSION_RULES_FIELD_NUMBER
public static final int ISTIO_SERVICE_IDENTITY_ADMISSION_RULES_FIELD_NUMBER
Field Value
KUBERNETES_NAMESPACE_ADMISSION_RULES_FIELD_NUMBER
public static final int KUBERNETES_NAMESPACE_ADMISSION_RULES_FIELD_NUMBER
Field Value
KUBERNETES_SERVICE_ACCOUNT_ADMISSION_RULES_FIELD_NUMBER
public static final int KUBERNETES_SERVICE_ACCOUNT_ADMISSION_RULES_FIELD_NUMBER
Field Value
NAME_FIELD_NUMBER
public static final int NAME_FIELD_NUMBER
Field Value
UPDATE_TIME_FIELD_NUMBER
public static final int UPDATE_TIME_FIELD_NUMBER
Field Value
Static Methods
getDefaultInstance()
public static Policy getDefaultInstance()
Returns
getDescriptor()
public static final Descriptors.Descriptor getDescriptor()
Returns
newBuilder()
public static Policy.Builder newBuilder()
Returns
newBuilder(Policy prototype)
public static Policy.Builder newBuilder(Policy prototype)
Parameter
Name | Description |
prototype | Policy
|
Returns
public static Policy parseDelimitedFrom(InputStream input)
Parameter
Returns
Exceptions
public static Policy parseDelimitedFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions
parseFrom(byte[] data)
public static Policy parseFrom(byte[] data)
Parameter
Name | Description |
data | byte[]
|
Returns
Exceptions
parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
public static Policy parseFrom(byte[] data, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions
parseFrom(ByteString data)
public static Policy parseFrom(ByteString data)
Parameter
Returns
Exceptions
parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
public static Policy parseFrom(ByteString data, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions
public static Policy parseFrom(CodedInputStream input)
Parameter
Returns
Exceptions
public static Policy parseFrom(CodedInputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions
public static Policy parseFrom(InputStream input)
Parameter
Returns
Exceptions
public static Policy parseFrom(InputStream input, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions
parseFrom(ByteBuffer data)
public static Policy parseFrom(ByteBuffer data)
Parameter
Returns
Exceptions
parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
public static Policy parseFrom(ByteBuffer data, ExtensionRegistryLite extensionRegistry)
Parameters
Returns
Exceptions
parser()
public static Parser<Policy> parser()
Returns
Methods
containsClusterAdmissionRules(String key)
public boolean containsClusterAdmissionRules(String key)
Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec.
A `location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1).
For `clusterId` syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> cluster_admission_rules = 3 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
containsIstioServiceIdentityAdmissionRules(String key)
public boolean containsIstioServiceIdentityAdmissionRules(String key)
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or `<domain>/ns/<namespace>/sa/<serviceaccount>`, e.g. `spiffe://example.com/ns/test-ns/sa/default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> istio_service_identity_admission_rules = 9 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
containsKubernetesNamespaceAdmissionRules(String key)
public boolean containsKubernetesNamespaceAdmissionRules(String key)
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. `some-namespace`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_namespace_admission_rules = 10 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
containsKubernetesServiceAccountAdmissionRules(String key)
public boolean containsKubernetesServiceAccountAdmissionRules(String key)
Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`, e.g. `test-ns:default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_service_account_admission_rules = 8 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
equals(Object obj)
public boolean equals(Object obj)
Parameter
Returns
Overrides
getAdmissionWhitelistPatterns(int index)
public AdmissionWhitelistPattern getAdmissionWhitelistPatterns(int index)
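Optional. Admission policy allowlisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google or
third-party infrastructure images from Binary Authorization policies.
Because a match is permitted without the admission rules being applied, each
pattern should be kept as narrow as the exempted images allow.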
repeated .google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern admission_whitelist_patterns = 2 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
getAdmissionWhitelistPatternsCount()
public int getAdmissionWhitelistPatternsCount()
Optional. Admission policy allowlisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google or
third-party infrastructure images from Binary Authorization policies.
repeated .google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern admission_whitelist_patterns = 2 [(.google.api.field_behavior) = OPTIONAL];
Returns
getAdmissionWhitelistPatternsList()
public List<AdmissionWhitelistPattern> getAdmissionWhitelistPatternsList()
Optional. Admission policy allowlisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google or
third-party infrastructure images from Binary Authorization policies.
repeated .google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern admission_whitelist_patterns = 2 [(.google.api.field_behavior) = OPTIONAL];
Returns
getAdmissionWhitelistPatternsOrBuilder(int index)
public AdmissionWhitelistPatternOrBuilder getAdmissionWhitelistPatternsOrBuilder(int index)
Optional. Admission policy allowlisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google or
third-party infrastructure images from Binary Authorization policies.
repeated .google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern admission_whitelist_patterns = 2 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
getAdmissionWhitelistPatternsOrBuilderList()
public List<? extends AdmissionWhitelistPatternOrBuilder> getAdmissionWhitelistPatternsOrBuilderList()
Optional. Admission policy allowlisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google or
third-party infrastructure images from Binary Authorization policies.
repeated .google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern admission_whitelist_patterns = 2 [(.google.api.field_behavior) = OPTIONAL];
Returns
Type | Description |
List<? extends com.google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPatternOrBuilder> | |
getClusterAdmissionRules()
public Map<String,AdmissionRule> getClusterAdmissionRules()
Returns
getClusterAdmissionRulesCount()
public int getClusterAdmissionRulesCount()
Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec.
A `location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1).
For `clusterId` syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> cluster_admission_rules = 3 [(.google.api.field_behavior) = OPTIONAL];
Returns
getClusterAdmissionRulesMap()
public Map<String,AdmissionRule> getClusterAdmissionRulesMap()
Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec.
A `location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1).
For `clusterId` syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> cluster_admission_rules = 3 [(.google.api.field_behavior) = OPTIONAL];
Returns
getClusterAdmissionRulesOrDefault(String key, AdmissionRule defaultValue)
public AdmissionRule getClusterAdmissionRulesOrDefault(String key, AdmissionRule defaultValue)
Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec.
A `location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1).
For `clusterId` syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> cluster_admission_rules = 3 [(.google.api.field_behavior) = OPTIONAL];
Parameters
Returns
getClusterAdmissionRulesOrThrow(String key)
public AdmissionRule getClusterAdmissionRulesOrThrow(String key)
Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec.
A `location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1).
For `clusterId` syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> cluster_admission_rules = 3 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
getDefaultAdmissionRule()
public AdmissionRule getDefaultAdmissionRule()
Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
.google.cloud.binaryauthorization.v1beta1.AdmissionRule default_admission_rule = 4 [(.google.api.field_behavior) = REQUIRED];
Returns
getDefaultAdmissionRuleOrBuilder()
public AdmissionRuleOrBuilder getDefaultAdmissionRuleOrBuilder()
Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
.google.cloud.binaryauthorization.v1beta1.AdmissionRule default_admission_rule = 4 [(.google.api.field_behavior) = REQUIRED];
Returns
getDefaultInstanceForType()
public Policy getDefaultInstanceForType()
Returns
getDescription()
public String getDescription()
Optional. A descriptive comment.
string description = 6 [(.google.api.field_behavior) = OPTIONAL];
Returns
Type | Description |
String | The description.
|
getDescriptionBytes()
public ByteString getDescriptionBytes()
Optional. A descriptive comment.
string description = 6 [(.google.api.field_behavior) = OPTIONAL];
Returns
Type | Description |
ByteString | The bytes for description.
|
getGlobalPolicyEvaluationMode()
public Policy.GlobalPolicyEvaluationMode getGlobalPolicyEvaluationMode()
Optional. Controls the evaluation of a Google-maintained global admission
policy for common system-level images. Images not covered by the global
policy will be subject to the project admission policy. This setting
has no effect when specified inside a global admission policy.
.google.cloud.binaryauthorization.v1beta1.Policy.GlobalPolicyEvaluationMode global_policy_evaluation_mode = 7 [(.google.api.field_behavior) = OPTIONAL];
Returns
getGlobalPolicyEvaluationModeValue()
public int getGlobalPolicyEvaluationModeValue()
Optional. Controls the evaluation of a Google-maintained global admission
policy for common system-level images. Images not covered by the global
policy will be subject to the project admission policy. This setting
has no effect when specified inside a global admission policy.
.google.cloud.binaryauthorization.v1beta1.Policy.GlobalPolicyEvaluationMode global_policy_evaluation_mode = 7 [(.google.api.field_behavior) = OPTIONAL];
Returns
Type | Description |
int | The enum numeric value on the wire for globalPolicyEvaluationMode.
|
getIstioServiceIdentityAdmissionRules()
public Map<String,AdmissionRule> getIstioServiceIdentityAdmissionRules()
Returns
getIstioServiceIdentityAdmissionRulesCount()
public int getIstioServiceIdentityAdmissionRulesCount()
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or `<domain>/ns/<namespace>/sa/<serviceaccount>`, e.g. `spiffe://example.com/ns/test-ns/sa/default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> istio_service_identity_admission_rules = 9 [(.google.api.field_behavior) = OPTIONAL];
Returns
getIstioServiceIdentityAdmissionRulesMap()
public Map<String,AdmissionRule> getIstioServiceIdentityAdmissionRulesMap()
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or `<domain>/ns/<namespace>/sa/<serviceaccount>`, e.g. `spiffe://example.com/ns/test-ns/sa/default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> istio_service_identity_admission_rules = 9 [(.google.api.field_behavior) = OPTIONAL];
Returns
getIstioServiceIdentityAdmissionRulesOrDefault(String key, AdmissionRule defaultValue)
public AdmissionRule getIstioServiceIdentityAdmissionRulesOrDefault(String key, AdmissionRule defaultValue)
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or `<domain>/ns/<namespace>/sa/<serviceaccount>`, e.g. `spiffe://example.com/ns/test-ns/sa/default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> istio_service_identity_admission_rules = 9 [(.google.api.field_behavior) = OPTIONAL];
Parameters
Returns
getIstioServiceIdentityAdmissionRulesOrThrow(String key)
public AdmissionRule getIstioServiceIdentityAdmissionRulesOrThrow(String key)
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or `<domain>/ns/<namespace>/sa/<serviceaccount>`, e.g. `spiffe://example.com/ns/test-ns/sa/default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> istio_service_identity_admission_rules = 9 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
getKubernetesNamespaceAdmissionRules()
public Map<String,AdmissionRule> getKubernetesNamespaceAdmissionRules()
Returns
getKubernetesNamespaceAdmissionRulesCount()
public int getKubernetesNamespaceAdmissionRulesCount()
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. `some-namespace`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_namespace_admission_rules = 10 [(.google.api.field_behavior) = OPTIONAL];
Returns
getKubernetesNamespaceAdmissionRulesMap()
public Map<String,AdmissionRule> getKubernetesNamespaceAdmissionRulesMap()
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. `some-namespace`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_namespace_admission_rules = 10 [(.google.api.field_behavior) = OPTIONAL];
Returns
getKubernetesNamespaceAdmissionRulesOrDefault(String key, AdmissionRule defaultValue)
public AdmissionRule getKubernetesNamespaceAdmissionRulesOrDefault(String key, AdmissionRule defaultValue)
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. `some-namespace`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_namespace_admission_rules = 10 [(.google.api.field_behavior) = OPTIONAL];
Parameters
Returns
getKubernetesNamespaceAdmissionRulesOrThrow(String key)
public AdmissionRule getKubernetesNamespaceAdmissionRulesOrThrow(String key)
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. `some-namespace`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_namespace_admission_rules = 10 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
getKubernetesServiceAccountAdmissionRules()
public Map<String,AdmissionRule> getKubernetesServiceAccountAdmissionRules()
Returns
getKubernetesServiceAccountAdmissionRulesCount()
public int getKubernetesServiceAccountAdmissionRulesCount()
Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`, e.g. `test-ns:default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_service_account_admission_rules = 8 [(.google.api.field_behavior) = OPTIONAL];
Returns
getKubernetesServiceAccountAdmissionRulesMap()
public Map<String,AdmissionRule> getKubernetesServiceAccountAdmissionRulesMap()
Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`, e.g. `test-ns:default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_service_account_admission_rules = 8 [(.google.api.field_behavior) = OPTIONAL];
Returns
getKubernetesServiceAccountAdmissionRulesOrDefault(String key, AdmissionRule defaultValue)
public AdmissionRule getKubernetesServiceAccountAdmissionRulesOrDefault(String key, AdmissionRule defaultValue)
Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`, e.g. `test-ns:default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_service_account_admission_rules = 8 [(.google.api.field_behavior) = OPTIONAL];
Parameters
Returns
getKubernetesServiceAccountAdmissionRulesOrThrow(String key)
public AdmissionRule getKubernetesServiceAccountAdmissionRulesOrThrow(String key)
Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`, e.g. `test-ns:default`.
map<string, .google.cloud.binaryauthorization.v1beta1.AdmissionRule> kubernetes_service_account_admission_rules = 8 [(.google.api.field_behavior) = OPTIONAL];
Parameter
Returns
getName()
Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project.
string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];
Returns
Type | Description |
String | The name.
|
getNameBytes()
public ByteString getNameBytes()
Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project.
string name = 1 [(.google.api.field_behavior) = OUTPUT_ONLY];
Returns
getParserForType()
public Parser<Policy> getParserForType()
Returns
Overrides
getSerializedSize()
public int getSerializedSize()
Returns
Overrides
getUnknownFields()
public final UnknownFieldSet getUnknownFields()
Returns
Overrides
getUpdateTime()
public Timestamp getUpdateTime()
Output only. Time when the policy was last updated.
.google.protobuf.Timestamp update_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];
Returns
getUpdateTimeOrBuilder()
public TimestampOrBuilder getUpdateTimeOrBuilder()
Output only. Time when the policy was last updated.
.google.protobuf.Timestamp update_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];
Returns
hasDefaultAdmissionRule()
public boolean hasDefaultAdmissionRule()
Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
.google.cloud.binaryauthorization.v1beta1.AdmissionRule default_admission_rule = 4 [(.google.api.field_behavior) = REQUIRED];
Returns
Type | Description |
boolean | Whether the defaultAdmissionRule field is set.
|
hasUpdateTime()
public boolean hasUpdateTime()
Output only. Time when the policy was last updated.
.google.protobuf.Timestamp update_time = 5 [(.google.api.field_behavior) = OUTPUT_ONLY];
Returns
Type | Description |
boolean | Whether the updateTime field is set.
|
hashCode()
Returns
Overrides
internalGetFieldAccessorTable()
protected GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
Returns
Overrides
internalGetMapField(int number)
protected MapField internalGetMapField(int number)
Parameter
Returns
Overrides
isInitialized()
public final boolean isInitialized()
Returns
Overrides
newBuilderForType()
public Policy.Builder newBuilderForType()
Returns
newBuilderForType(GeneratedMessageV3.BuilderParent parent)
protected Policy.Builder newBuilderForType(GeneratedMessageV3.BuilderParent parent)
Parameter
Returns
Overrides
newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
protected Object newInstance(GeneratedMessageV3.UnusedPrivateParameter unused)
Parameter
Returns
Overrides
toBuilder()
public Policy.Builder toBuilder()
Returns
writeTo(CodedOutputStream output)
public void writeTo(CodedOutputStream output)
Parameter
Overrides
Exceptions