Class: Google::Apis::BinaryauthorizationV1::GkePolicy
- Inherits: Object
  - Object
  - Google::Apis::BinaryauthorizationV1::GkePolicy
- Includes: Core::Hashable, Core::JsonObjectSupport
- Defined in:
  lib/google/apis/binaryauthorization_v1/classes.rb,
  lib/google/apis/binaryauthorization_v1/representations.rb
Overview
A Binary Authorization policy for a GKE cluster. This is one type of policy
that can occur as a PlatformPolicy.
Instance Attribute Summary
- #check_sets ⇒ Array<Google::Apis::BinaryauthorizationV1::CheckSet>
  Optional.
- #image_allowlist ⇒ Google::Apis::BinaryauthorizationV1::ImageAllowlist
  Images that are exempted from normal checks based on name pattern only.
Instance Method Summary
- #initialize(**args) ⇒ GkePolicy (constructor)
  A new instance of GkePolicy.
- #update!(**args) ⇒ Object
  Update properties of this object.
Constructor Details
#initialize(**args) ⇒ GkePolicy
Returns a new instance of GkePolicy.
    # File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 583
    def initialize(**args)
      update!(**args)
    end
Instance Attribute Details
#check_sets ⇒ Array<Google::Apis::BinaryauthorizationV1::CheckSet>
Optional. The CheckSet objects to apply, scoped by namespace or namespace
and service account. Exactly one CheckSet will be evaluated for a given Pod (
unless the list is empty, in which case the behavior is "always allow"). If
multiple CheckSet objects have scopes that match the namespace and service
account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC
scope will match. CheckSet objects must be listed in order of decreasing
specificity, i.e. if a scope matches a given service account (which must
include the namespace), it must come before a CheckSet with a scope matching
just that namespace. This property is enforced by server-side validation. The
purpose of this restriction is to ensure that if more than one CheckSet
matches a given Pod, the CheckSet that will be evaluated will always be the
first in the list to match (because if any other matches, it must be less
specific). If check_sets is empty, the default behavior is to allow all
images. If check_sets is non-empty, the last check_sets entry must always
be a CheckSet with no scope set, i.e. a catchall to handle any situation not
caught by the preceding CheckSet objects.
Corresponds to the JSON property checkSets
    # File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 576
    def check_sets
      @check_sets
    end
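The ordering and first-match rules described for check_sets above, as an added example that is not part of this generated documentation or of the gem: a local lint that flags an empty list, a missing trailing catchall, and entries shadowed by a less specific scope, plus the first-match selection. The Scope and CheckSet structs are hypothetical stand-ins, and their fields and the "namespace:name" service-account format are assumptions.

```ruby
# Added example: local stand-ins, not the google-apis-binaryauthorization_v1 classes.
# Field names and the "namespace:name" service-account format are assumptions.
Scope = Struct.new(:namespace, :service_account, keyword_init: true)
CheckSet = Struct.new(:name, :scope, keyword_init: true)

def catchall?(cs)
  cs.scope.nil? || (cs.scope.namespace.nil? && cs.scope.service_account.nil?)
end

def matches?(cs, namespace, service_account)
  return true if catchall?(cs)
  return cs.scope.service_account == "#{namespace}:#{service_account}" if cs.scope.service_account
  cs.scope.namespace == namespace
end

# Returns a list of findings; an empty list means the ordering rules hold.
def lint_check_sets(check_sets)
  return ['check_sets is empty: every image is allowed'] if check_sets.empty?
  findings = []
  findings << 'last entry must be a catchall with no scope' unless catchall?(check_sets.last)
  check_sets.each_with_index do |cs, i|
    check_sets[(i + 1)..].each do |later|
      next if catchall?(later)
      if catchall?(cs) # a catchall matches everything, so nothing after it is reachable
        findings << "#{cs.name} (catchall) shadows #{later.name}"
      elsif cs.scope.service_account.nil? &&
            later.scope.service_account&.start_with?("#{cs.scope.namespace}:")
        findings << "#{cs.name} (namespace) shadows #{later.name} (service account)"
      end
    end
  end
  findings
end

# First match in list order; nil only for an empty list (behavior: always allow).
def select_check_set(check_sets, namespace, service_account)
  check_sets.find { |cs| matches?(cs, namespace, service_account) }
end

# Constructed sample policies: GOOD is ordered by decreasing specificity, BAD is not.
GOOD = [
  CheckSet.new(name: 'payments-deployer', scope: Scope.new(service_account: 'payments:deployer')),
  CheckSet.new(name: 'payments', scope: Scope.new(namespace: 'payments')),
  CheckSet.new(name: 'default', scope: nil)
].freeze
BAD = [GOOD[1], GOOD[0]].freeze
```

With BAD, the Pod running as payments:deployer is evaluated against the namespace-wide CheckSet instead of its own, which is the outcome the server-side ordering validation exists to prevent.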
#image_allowlist ⇒ Google::Apis::BinaryauthorizationV1::ImageAllowlist
Images that are exempted from normal checks based on name pattern only.
Corresponds to the JSON property imageAllowlist
    # File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 581
    def image_allowlist
      @image_allowlist
    end
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
    # File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 588
    def update!(**args)
      @check_sets = args[:check_sets] if args.key?(:check_sets)
      @image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
    end