AdmissionRule(mapping=None, *, ignore_unknown_fields=False, **kwargs)An [admission rule][google.cloud.binaryauthorization.v1.AdmissionRule] specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.
Images matching an [admission allowlist pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern] are exempted from admission rules and will never block a pod creation.
Attributes | |
|---|---|
| Name | Description |
evaluation_mode |
google.cloud.binaryauthorization_v1.types.AdmissionRule.EvaluationMode
Required. How this admission rule will be evaluated. |
require_attestations_by |
MutableSequence[str]
Optional. The resource names of the attestors that must attest to a container image, in the format projects/*/attestors/*. Each attestor must exist before
a policy can reference it. To add an attestor to a policy
the principal issuing the policy change request must be able
to read the attestor resource.
Note: this field must be non-empty when the evaluation_mode
field specifies REQUIRE_ATTESTATION, otherwise it must be
empty.
|
enforcement_mode |
google.cloud.binaryauthorization_v1.types.AdmissionRule.EnforcementMode
Required. The action when a pod creation is denied by the admission rule. |
Classes
EnforcementMode
EnforcementMode(value)Defines the possible actions when a pod creation is denied by an admission rule.
Values: ENFORCEMENT_MODE_UNSPECIFIED (0): Do not use. ENFORCED_BLOCK_AND_AUDIT_LOG (1): Enforce the admission rule by blocking the pod creation. DRYRUN_AUDIT_LOG_ONLY (2): Dryrun mode: Audit logging only. This will allow the pod creation as if the admission request had specified break-glass.
EvaluationMode
EvaluationMode(value)Values: EVALUATION_MODE_UNSPECIFIED (0): Do not use. ALWAYS_ALLOW (1): This rule allows all all pod creations. REQUIRE_ATTESTATION (2): This rule allows a pod creation if all the attestors listed in 'require_attestations_by' have valid attestations for all of the images in the pod spec. ALWAYS_DENY (3): This rule denies all pod creations.