Class Policy (1.7.0)

Policy(mapping=None, *, ignore_unknown_fields=False, **kwargs)

A policy for container image binary authorization.

Attributes

Name    Description
name str
Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.
description str
Optional. A descriptive comment.
global_policy_evaluation_mode google.cloud.binaryauthorization_v1.types.Policy.GlobalPolicyEvaluationMode
Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
admission_whitelist_patterns MutableSequence[google.cloud.binaryauthorization_v1.types.AdmissionWhitelistPattern]
Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
cluster_admission_rules MutableMapping[str, google.cloud.binaryauthorization_v1.types.AdmissionRule]
Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
kubernetes_namespace_admission_rules MutableMapping[str, google.cloud.binaryauthorization_v1.types.AdmissionRule]
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'
kubernetes_service_account_admission_rules MutableMapping[str, google.cloud.binaryauthorization_v1.types.AdmissionRule]
Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount. e.g. 'test-ns:default'
istio_service_identity_admission_rules MutableMapping[str, google.cloud.binaryauthorization_v1.types.AdmissionRule]
Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://
default_admission_rule google.cloud.binaryauthorization_v1.types.AdmissionRule
Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
update_time google.protobuf.timestamp_pb2.Timestamp
Output only. Time when the policy was last updated.
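The attribute descriptions above imply several checks worth running before a policy is applied. The following is an added example, not code from the google-cloud-binary-authorization library: it lints a plain dict that uses the same field names as Policy, with the evaluation mode given as its enum name. The function name, finding codes and sample values are hypothetical, and the clusterId and SPIFFE checks are intentionally loose because the page gives no fuller grammar for them.

```python
import re

# Key formats as stated in the attribute descriptions on this page.
KEY_FORMATS = {
    "cluster_admission_rules": re.compile(r"[^.\s]+\.\S+"),  # location.clusterId
    "kubernetes_namespace_admission_rules": re.compile(r"[a-z.-]+"),
    "kubernetes_service_account_admission_rules": re.compile(r"[^:\s]+:[^:\s]+"),
    "istio_service_identity_admission_rules": re.compile(r"spiffe://\S+"),
}


def lint_policy(policy):
    """Return (code, detail) findings for a dict shaped like Policy."""
    findings = []
    # default_admission_rule is the only field marked Required.
    if "default_admission_rule" not in policy:
        findings.append(("MISSING_DEFAULT_RULE", "default_admission_rule"))
    # An unset or UNSPECIFIED mode is treated as DISABLE.
    mode = policy.get("global_policy_evaluation_mode",
                      "GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED")
    if mode != "ENABLE":
        findings.append(("GLOBAL_POLICY_NOT_EVALUATED", mode))
    # A matching allowlist pattern is always permitted, so surface each one.
    for pattern in policy.get("admission_whitelist_patterns", []):
        findings.append(("ALWAYS_PERMITTED", repr(pattern)))
    # Map keys that do not follow the documented spec format.
    for field, fmt in KEY_FORMATS.items():
        for key in policy.get(field, {}):
            if not fmt.fullmatch(key):
                findings.append(("BAD_KEY_FORMAT", f"{field}[{key!r}]"))
    return findings


RULE = {}  # AdmissionRule fields are not covered on this page; left empty
# Constructed sample policy (not from any real project).
SAMPLE_POLICY = {
    "admission_whitelist_patterns": [{"name_pattern": "registry.example/infra/*"}],
    "cluster_admission_rules": {"us-central1-a.prod-cluster": RULE,
                                "prod-cluster": RULE},  # missing location
    "kubernetes_namespace_admission_rules": {"some-namespace": RULE, "Some_NS": RULE},
    "kubernetes_service_account_admission_rules": {"test-ns:default": RULE},
    "istio_service_identity_admission_rules": {"spiffe://example.org/ns/a/sa/b": RULE},
}

if __name__ == "__main__":
    for code, detail in lint_policy(SAMPLE_POLICY):
        print(code, detail)
```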

Classes

ClusterAdmissionRulesEntry

ClusterAdmissionRulesEntry(mapping=None, *, ignore_unknown_fields=False, **kwargs)

The abstract base class for a message.

Parameters
Name    Description
kwargs dict

Keys and values corresponding to the fields of the message.

mapping Union[dict, .Message]

A dictionary or message to be used to determine the values for this message.

ignore_unknown_fields Optional(bool)

If True, do not raise errors for unknown fields. Only applied if mapping is a mapping type or there are keyword parameters.

GlobalPolicyEvaluationMode

GlobalPolicyEvaluationMode(value)

Values:
    GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED (0): Not specified: DISABLE is assumed.
    ENABLE (1): Enables system policy evaluation.
    DISABLE (2): Disables system policy evaluation.

IstioServiceIdentityAdmissionRulesEntry

IstioServiceIdentityAdmissionRulesEntry(
    mapping=None, *, ignore_unknown_fields=False, **kwargs
)

The abstract base class for a message.

Parameters
Name    Description
kwargs dict

Keys and values corresponding to the fields of the message.

mapping Union[dict, .Message]

A dictionary or message to be used to determine the values for this message.

ignore_unknown_fields Optional(bool)

If True, do not raise errors for unknown fields. Only applied if mapping is a mapping type or there are keyword parameters.

KubernetesNamespaceAdmissionRulesEntry

KubernetesNamespaceAdmissionRulesEntry(
    mapping=None, *, ignore_unknown_fields=False, **kwargs
)

The abstract base class for a message.

Parameters
Name    Description
kwargs dict

Keys and values corresponding to the fields of the message.

mapping Union[dict, .Message]

A dictionary or message to be used to determine the values for this message.

ignore_unknown_fields Optional(bool)

If True, do not raise errors for unknown fields. Only applied if mapping is a mapping type or there are keyword parameters.

KubernetesServiceAccountAdmissionRulesEntry

KubernetesServiceAccountAdmissionRulesEntry(
    mapping=None, *, ignore_unknown_fields=False, **kwargs
)

The abstract base class for a message.

Parameters
Name    Description
kwargs dict

Keys and values corresponding to the fields of the message.

mapping Union[dict, .Message]

A dictionary or message to be used to determine the values for this message.

ignore_unknown_fields Optional(bool)

If True, do not raise errors for unknown fields. Only applied if mapping is a mapping type or there are keyword parameters.