Reference documentation and code samples for the Binary Authorization V1beta1 API class Google::Cloud::BinaryAuthorization::V1beta1::Policy.
A policy for Binary Authorization.
Inherits
- Object
Extended By
- Google::Protobuf::MessageExts::ClassMethods
Includes
- Google::Protobuf::MessageExts
Methods
#admission_whitelist_patterns
def admission_whitelist_patterns() -> ::Array<::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionWhitelistPattern>
Returns
- (::Array<::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionWhitelistPattern>) — Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
#admission_whitelist_patterns=
def admission_whitelist_patterns=(value) -> ::Array<::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionWhitelistPattern>
Parameter
- value (::Array<::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionWhitelistPattern>) — Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
Returns
- (::Array<::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionWhitelistPattern>) — Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
#cluster_admission_rules
def cluster_admission_rules() -> ::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}
Returns
- (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
#cluster_admission_rules=
def cluster_admission_rules=(value) -> ::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}
Parameter
- value (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
Returns
- (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
#default_admission_rule
def default_admission_rule() -> ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule
Returns
- (::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule) — Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
#default_admission_rule=
def default_admission_rule=(value) -> ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule
Parameter
- value (::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule) — Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
Returns
- (::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule) — Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
#description
def description() -> ::String
Returns
- (::String) — Optional. A descriptive comment.
#description=
def description=(value) -> ::String
Parameter
- value (::String) — Optional. A descriptive comment.
Returns
- (::String) — Optional. A descriptive comment.
#global_policy_evaluation_mode
def global_policy_evaluation_mode() -> ::Google::Cloud::BinaryAuthorization::V1beta1::Policy::GlobalPolicyEvaluationMode
Returns
- (::Google::Cloud::BinaryAuthorization::V1beta1::Policy::GlobalPolicyEvaluationMode) — Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
#global_policy_evaluation_mode=
def global_policy_evaluation_mode=(value) -> ::Google::Cloud::BinaryAuthorization::V1beta1::Policy::GlobalPolicyEvaluationMode
Parameter
- value (::Google::Cloud::BinaryAuthorization::V1beta1::Policy::GlobalPolicyEvaluationMode) — Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
Returns
- (::Google::Cloud::BinaryAuthorization::V1beta1::Policy::GlobalPolicyEvaluationMode) — Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
#istio_service_identity_admission_rules
def istio_service_identity_admission_rules() -> ::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}
Returns
- (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default
#istio_service_identity_admission_rules=
def istio_service_identity_admission_rules=(value) -> ::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}
Parameter
- value (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default
Returns
- (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default
#kubernetes_namespace_admission_rules
def kubernetes_namespace_admission_rules() -> ::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}
Returns
- (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. some-namespace
#kubernetes_namespace_admission_rules=
def kubernetes_namespace_admission_rules=(value) -> ::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}
Parameter
- value (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. some-namespace
Returns
- (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. some-namespace
#kubernetes_service_account_admission_rules
def kubernetes_service_account_admission_rules() -> ::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}
Returns
- (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. test-ns:default
#kubernetes_service_account_admission_rules=
def kubernetes_service_account_admission_rules=(value) -> ::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}
Parameter
- value (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. test-ns:default
Returns
- (::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}) — Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount, e.g. test-ns:default
#name
def name() -> ::String
Returns
- (::String) — Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.
#update_time
def update_time() -> ::Google::Protobuf::Timestamp
Returns
- (::Google::Protobuf::Timestamp) — Output only. Time when the policy was last updated.
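The four rule maps above are keyed by free-form strings, each with its own documented spec format. The following is an added example, not code from this library: a plain-Ruby pre-submission check that reports keys not matching those formats. The names malformed_rule_keys, KEY_FORMATS, NAME and SAMPLE are hypothetical, and the location shape and the clusterId check are assumptions inferred from the examples on this page.

```ruby
# Added example: key formats transcribed from the field descriptions above.
# malformed_rule_keys, KEY_FORMATS, NAME and SAMPLE are hypothetical names.
NAME = %r{[^/:\s]+} # assumption: one segment without '/', ':' or whitespace

KEY_FORMATS = {
  # location.clusterId, location being a zone (us-central1-a) or a region
  # (us-central1). Assumptions: the location shape is inferred from those two
  # examples, and clusterId is only required to be non-empty and dot-free.
  cluster_admission_rules: /\A[a-z]+-[a-z]+\d+(-[a-z])?\.[^.\s]+\z/,
  # spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>, scheme optional.
  istio_service_identity_admission_rules:
    %r{\A(spiffe://)?#{NAME}/ns/#{NAME}/sa/#{NAME}\z},
  kubernetes_namespace_admission_rules: /\A[a-z.-]+\z/,
  # namespace:serviceaccount
  kubernetes_service_account_admission_rules: /\A#{NAME}:#{NAME}\z/
}.freeze

# Returns { map_name => [keys not matching the documented format] }.
# Map names this page does not describe are listed under :unknown_maps.
def malformed_rule_keys(rule_maps)
  report = {}
  rule_maps.each do |map_name, rules|
    name = map_name.to_sym
    format = KEY_FORMATS[name]
    if format.nil?
      (report[:unknown_maps] ||= []) << name
      next
    end
    rules.each_key do |key|
      (report[name] ||= []) << key unless key.is_a?(String) && key.match?(format)
    end
  end
  report
end

# Constructed sample input; the rule values are placeholders.
SAMPLE = {
  cluster_admission_rules: { "us-central1-a.prod" => :rule, "prod" => :rule },
  istio_service_identity_admission_rules: {
    "spiffe://example.com/ns/test-ns/sa/default" => :rule,
    "example.com/ns/test-ns/sa/default" => :rule,
    "spiffe://example.com/test-ns/default" => :rule
  },
  kubernetes_namespace_admission_rules: { "some-namespace" => :rule, "Some_Namespace" => :rule },
  kubernetes_service_account_admission_rules: { "test-ns:default" => :rule, "test-ns/default" => :rule }
}.freeze

puts malformed_rule_keys(SAMPLE).inspect if __FILE__ == $PROGRAM_NAME
```

An empty hash from malformed_rule_keys means every key matched the format documented for its map.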