Class: Google::Apis::BinaryauthorizationV1::Policy
- Inherits:
-
Object
- Object
- Google::Apis::BinaryauthorizationV1::Policy
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/binaryauthorization_v1/classes.rb,
lib/google/apis/binaryauthorization_v1/representations.rb,
lib/google/apis/binaryauthorization_v1/representations.rb
Overview
A policy for container image binary authorization.
Instance Attribute Summary collapse
-
#admission_whitelist_patterns ⇒ Array<Google::Apis::BinaryauthorizationV1::AdmissionWhitelistPattern>
Optional.
-
#cluster_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional.
-
#default_admission_rule ⇒ Google::Apis::BinaryauthorizationV1::AdmissionRule
An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.
-
#description ⇒ String
Optional.
-
#etag ⇒ String
Optional.
-
#global_policy_evaluation_mode ⇒ String
Optional.
-
#istio_service_identity_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional.
-
#kubernetes_namespace_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional.
-
#kubernetes_service_account_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional.
-
#name ⇒ String
Output only.
-
#update_time ⇒ String
Output only.
Instance Method Summary collapse
-
#initialize(**args) ⇒ Policy
constructor
A new instance of Policy.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ Policy
Returns a new instance of Policy.
1307 1308 1309 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1307 def initialize(**args) update!(**args) end |
Instance Attribute Details
#admission_whitelist_patterns ⇒ Array<Google::Apis::BinaryauthorizationV1::AdmissionWhitelistPattern>
Optional. Admission policy allowlisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google or third-
party infrastructure images from Binary Authorization policies.
Corresponds to the JSON property admissionWhitelistPatterns
1237 1238 1239 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1237 def admission_whitelist_patterns @admission_whitelist_patterns end |
#cluster_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional. Per-cluster admission rules. Cluster spec format: location.
clusterId
. There can be at most one admission rule per cluster spec. A
location
is either a compute zone (e.g. us-central1-a) or a region (e.g. us-
central1). For clusterId
syntax restrictions see https://cloud.google.com/
container-engine/reference/rest/v1/projects.zones.clusters.
Corresponds to the JSON property clusterAdmissionRules
1246 1247 1248 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1246 def cluster_admission_rules @cluster_admission_rules end |
#default_admission_rule ⇒ Google::Apis::BinaryauthorizationV1::AdmissionRule
An admission rule specifies either that all container images used in a pod
creation request must be attested to by one or more attestors, that all pod
creations will be allowed, or that all pod creations will be denied. Images
matching an admission allowlist pattern are exempted from admission rules and
will never block a pod creation.
Corresponds to the JSON property defaultAdmissionRule
1255 1256 1257 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1255 def default_admission_rule @default_admission_rule end |
#description ⇒ String
Optional. A descriptive comment.
Corresponds to the JSON property description
1260 1261 1262 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1260 def description @description end |
#etag ⇒ String
Optional. A checksum, returned by the server, that can be sent on update
requests to ensure the policy has an up-to-date value before attempting to
update it. See https://google.aip.dev/154.
Corresponds to the JSON property etag
1267 1268 1269 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1267 def etag @etag end |
#global_policy_evaluation_mode ⇒ String
Optional. Controls the evaluation of a Google-maintained global admission
policy for common system-level images. Images not covered by the global policy
will be subject to the project admission policy. This setting has no effect
when specified inside a global admission policy.
Corresponds to the JSON property globalPolicyEvaluationMode
1275 1276 1277 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1275 def global_policy_evaluation_mode @global_policy_evaluation_mode end |
#istio_service_identity_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional. Per-istio-service-identity admission rules. Istio service identity
spec format: spiffe:///ns//sa/
or /ns//sa/
e.g. spiffe://example.com/ns/
test-ns/sa/default
Corresponds to the JSON property istioServiceIdentityAdmissionRules
1282 1283 1284 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1282 def istio_service_identity_admission_rules @istio_service_identity_admission_rules end |
#kubernetes_namespace_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format:
[a-z.-]+
, e.g. some-namespace
Corresponds to the JSON property kubernetesNamespaceAdmissionRules
1288 1289 1290 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1288 def kubernetes_namespace_admission_rules @kubernetes_namespace_admission_rules end |
#kubernetes_service_account_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>
Optional. Per-kubernetes-service-account admission rules. Service account spec
format: namespace:serviceaccount
. e.g. test-ns:default
Corresponds to the JSON property kubernetesServiceAccountAdmissionRules
1294 1295 1296 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1294 def kubernetes_service_account_admission_rules @kubernetes_service_account_admission_rules end |
#name ⇒ String
Output only. The resource name, in the format projects/*/policy
. There is at
most one policy per project.
Corresponds to the JSON property name
1300 1301 1302 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1300 def name @name end |
#update_time ⇒ String
Output only. Time when the policy was last updated.
Corresponds to the JSON property updateTime
1305 1306 1307 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1305 def update_time @update_time end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 |
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1312 def update!(**args) @admission_whitelist_patterns = args[:admission_whitelist_patterns] if args.key?(:admission_whitelist_patterns) @cluster_admission_rules = args[:cluster_admission_rules] if args.key?(:cluster_admission_rules) @default_admission_rule = args[:default_admission_rule] if args.key?(:default_admission_rule) @description = args[:description] if args.key?(:description) @etag = args[:etag] if args.key?(:etag) @global_policy_evaluation_mode = args[:global_policy_evaluation_mode] if args.key?(:global_policy_evaluation_mode) @istio_service_identity_admission_rules = args[:istio_service_identity_admission_rules] if args.key?(:istio_service_identity_admission_rules) @kubernetes_namespace_admission_rules = args[:kubernetes_namespace_admission_rules] if args.key?(:kubernetes_namespace_admission_rules) @kubernetes_service_account_admission_rules = args[:kubernetes_service_account_admission_rules] if args.key?(:kubernetes_service_account_admission_rules) @name = args[:name] if args.key?(:name) @update_time = args[:update_time] if args.key?(:update_time) end |