Class: Google::Apis::BinaryauthorizationV1::GkePolicy
- Inherits: Object
- Includes: Core::Hashable, Core::JsonObjectSupport
- Defined in: lib/google/apis/binaryauthorization_v1/classes.rb, lib/google/apis/binaryauthorization_v1/representations.rb
Overview
A Binary Authorization policy for a GKE cluster. This is one type of policy
that can occur as a PlatformPolicy.
Instance Attribute Summary
- #check_sets ⇒ Array<Google::Apis::BinaryauthorizationV1::CheckSet>
  Optional.
- #image_allowlist ⇒ Google::Apis::BinaryauthorizationV1::ImageAllowlist
  Images that are exempted from normal checks based on name pattern only.
Instance Method Summary
- #initialize(**args) ⇒ GkePolicy (constructor)
  A new instance of GkePolicy.
- #update!(**args) ⇒ Object
  Update properties of this object.
Constructor Details
#initialize(**args) ⇒ GkePolicy
Returns a new instance of GkePolicy.
    # File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 580
    def initialize(**args)
      update!(**args)
    end
Instance Attribute Details
#check_sets ⇒ Array<Google::Apis::BinaryauthorizationV1::CheckSet>
Optional. The CheckSets to apply, scoped by namespace or namespace and service
account. Exactly one CheckSet will be evaluated for a given Pod (unless the
list is empty, in which case the behavior is "always allow"). If multiple
CheckSets have scopes that match the namespace and service account of the Pod
being evaluated, only the CheckSet with the MOST SPECIFIC scope will match.
CheckSets must be listed in order of decreasing specificity, i.e. if a scope
matches a given service account (which must include the namespace), it must
come before a CheckSet with a scope matching just that namespace. This
property is enforced by server-side validation. The purpose of this
restriction is to ensure that if more than one CheckSet matches a given Pod,
the CheckSet that will be evaluated will always be the first in the list to
match (because if any other matches, it must be less specific). If check_sets
is empty, the default behavior is to allow all images. If check_sets is non-
empty, the last check_sets entry must always be a CheckSet with no scope set,
i.e. a catchall to handle any situation not caught by the preceding CheckSets.
Corresponds to the JSON property checkSets
    # File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 573
    def check_sets
      @check_sets
    end
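The ordering rule for check_sets described above, modeled locally as an added example (not code from the client library, and not the server-side validation itself). Plain hashes stand in for CheckSet objects; the :namespace and :service_account scope keys, the "namespace:name" service account format, and all helper names are assumptions made for illustration.

```ruby
# Added example, not the client library's code. Plain hashes stand in for
# CheckSet objects; the :namespace / :service_account scope keys and the
# "namespace:name" service account format are assumptions for illustration.

# Specificity rank: 2 = service account, 1 = namespace, 0 = no scope (catch-all).
def specificity(scope)
  return 0 if scope.nil? || scope.empty?
  scope[:service_account] ? 2 : 1
end

# Local model of the ordering rule; returns violations (empty means valid).
def ordering_errors(check_sets)
  return [] if check_sets.empty? # empty list is valid and means "always allow"
  errors = []
  unless specificity(check_sets.last[:scope]).zero?
    errors << "last CheckSet must have no scope (catch-all)"
  end
  check_sets.each_with_index do |later, j|
    check_sets.first(j).each_with_index do |earlier, i|
      es, ls = earlier[:scope], later[:scope]
      if specificity(es).zero?
        errors << "entry #{i} is a catch-all and shadows entry #{j}"
      elsif specificity(es) == 1 && specificity(ls) == 2 &&
            ls[:service_account].split(":", 2).first == es[:namespace]
        errors << "entry #{i} (namespace) precedes more specific entry #{j}"
      end
    end
  end
  errors
end

# First match in list order; with a valid order this is the most specific match.
def select_check_set(check_sets, namespace:, service_account:)
  check_sets.find do |cs|
    case specificity(cs[:scope])
    when 2 then cs[:scope][:service_account] == "#{namespace}:#{service_account}"
    when 1 then cs[:scope][:namespace] == namespace
    else true
    end
  end # nil for an empty list, i.e. "always allow"
end

# Constructed sample policies.
GOOD = [
  { name: "deployer", scope: { service_account: "prod:deployer" } },
  { name: "prod",     scope: { namespace: "prod" } },
  { name: "default",  scope: nil }
].freeze
BAD = [GOOD[1], GOOD[0], GOOD[2]].freeze # namespace scope listed first
```

With the BAD ordering, first-match selection would hand the prod:deployer Pod to the broader namespace CheckSet, which is the outcome the ordering requirement exists to rule out.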
#image_allowlist ⇒ Google::Apis::BinaryauthorizationV1::ImageAllowlist
Images that are exempted from normal checks based on name pattern only.
Corresponds to the JSON property imageAllowlist
    # File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 578
    def image_allowlist
      @image_allowlist
    end
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object.
    # File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 585
    def update!(**args)
      @check_sets = args[:check_sets] if args.key?(:check_sets)
      @image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
    end