Class: Google::Apis::BinaryauthorizationV1::Policy
- Inherits:
-
Object
- Object
- Google::Apis::BinaryauthorizationV1::Policy
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/binaryauthorization_v1/classes.rb,
lib/google/apis/binaryauthorization_v1/representations.rb,
lib/google/apis/binaryauthorization_v1/representations.rb
Overview
A policy for container image binary authorization.
Instance Attribute Summary collapse
-
#admission_whitelist_patterns ⇒ Array<Google::Apis::BinaryauthorizationV1::AdmissionWhitelistPattern>
Optional.
-
#cluster_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional.
-
#default_admission_rule ⇒ Google::Apis::BinaryauthorizationV1::AdmissionRule
An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.
-
#description ⇒ String
Optional.
-
#etag ⇒ String
Optional.
-
#global_policy_evaluation_mode ⇒ String
Optional.
-
#istio_service_identity_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional.
-
#kubernetes_namespace_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional.
-
#kubernetes_service_account_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional.
-
#name ⇒ String
Output only.
-
#update_time ⇒ String
Output only.
Instance Method Summary collapse
-
#initialize(**args) ⇒ Policy
constructor
A new instance of Policy.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ Policy
Returns a new instance of Policy.
618 619 620 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 618 def initialize(**args) update!(**args) end |
Instance Attribute Details
#admission_whitelist_patterns ⇒ Array<Google::Apis::BinaryauthorizationV1::AdmissionWhitelistPattern>
Optional. Admission policy allowlisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google or third-
party infrastructure images from Binary Authorization policies.
Corresponds to the JSON property admissionWhitelistPatterns
549 550 551 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 549 def admission_whitelist_patterns @admission_whitelist_patterns end |
#cluster_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional. Per-cluster admission rules. Cluster spec format: location.
clusterId. There can be at most one admission rule per cluster spec. A
location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-
central1). For clusterId syntax restrictions see https://cloud.google.com/
container-engine/reference/rest/v1/projects.zones.clusters.
Corresponds to the JSON property clusterAdmissionRules
558 559 560 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 558 def cluster_admission_rules @cluster_admission_rules end |
#default_admission_rule ⇒ Google::Apis::BinaryauthorizationV1::AdmissionRule
An admission rule specifies either that all container images used in a pod
creation request must be attested to by one or more attestors, that all pod
creations will be allowed, or that all pod creations will be denied. Images
matching an admission allowlist pattern are exempted from admission rules and
will never block a pod creation.
Corresponds to the JSON property defaultAdmissionRule
567 568 569 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 567 def default_admission_rule @default_admission_rule end |
#description ⇒ String
Optional. A descriptive comment.
Corresponds to the JSON property description
572 573 574 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 572 def description @description end |
#etag ⇒ String
Optional. Used to prevent updating the policy when another request has updated
it since it was retrieved.
Corresponds to the JSON property etag
578 579 580 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 578 def etag @etag end |
#global_policy_evaluation_mode ⇒ String
Optional. Controls the evaluation of a Google-maintained global admission
policy for common system-level images. Images not covered by the global policy
will be subject to the project admission policy. This setting has no effect
when specified inside a global admission policy.
Corresponds to the JSON property globalPolicyEvaluationMode
586 587 588 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 586 def global_policy_evaluation_mode @global_policy_evaluation_mode end |
#istio_service_identity_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional. Per-istio-service-identity admission rules. Istio service identity
spec format: spiffe:///ns//sa/ or /ns//sa/ e.g. spiffe://example.com/ns/
test-ns/sa/default
Corresponds to the JSON property istioServiceIdentityAdmissionRules
593 594 595 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 593 def istio_service_identity_admission_rules @istio_service_identity_admission_rules end |
#kubernetes_namespace_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format:
[a-z.-]+, e.g. some-namespace
Corresponds to the JSON property kubernetesNamespaceAdmissionRules
599 600 601 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 599 def kubernetes_namespace_admission_rules @kubernetes_namespace_admission_rules end |
#kubernetes_service_account_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional. Per-kubernetes-service-account admission rules. Service account spec
format: namespace:serviceaccount. e.g. test-ns:default
Corresponds to the JSON property kubernetesServiceAccountAdmissionRules
605 606 607 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 605 def kubernetes_service_account_admission_rules @kubernetes_service_account_admission_rules end |
#name ⇒ String
Output only. The resource name, in the format projects/*/policy. There is at
most one policy per project.
Corresponds to the JSON property name
611 612 613 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 611 def name @name end |
#update_time ⇒ String
Output only. Time when the policy was last updated.
Corresponds to the JSON property updateTime
616 617 618 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 616 def update_time @update_time end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
623 624 625 626 627 628 629 630 631 632 633 634 635 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 623 def update!(**args) @admission_whitelist_patterns = args[:admission_whitelist_patterns] if args.key?(:admission_whitelist_patterns) @cluster_admission_rules = args[:cluster_admission_rules] if args.key?(:cluster_admission_rules) @default_admission_rule = args[:default_admission_rule] if args.key?(:default_admission_rule) @description = args[:description] if args.key?(:description) @etag = args[:etag] if args.key?(:etag) @global_policy_evaluation_mode = args[:global_policy_evaluation_mode] if args.key?(:global_policy_evaluation_mode) @istio_service_identity_admission_rules = args[:istio_service_identity_admission_rules] if args.key?(:istio_service_identity_admission_rules) @kubernetes_namespace_admission_rules = args[:kubernetes_namespace_admission_rules] if args.key?(:kubernetes_namespace_admission_rules) @kubernetes_service_account_admission_rules = args[:kubernetes_service_account_admission_rules] if args.key?(:kubernetes_service_account_admission_rules) @name = args[:name] if args.key?(:name) @update_time = args[:update_time] if args.key?(:update_time) end |