Class: Google::Apis::BinaryauthorizationV1beta1::Policy
- Inherits:
-
Object
- Object
- Google::Apis::BinaryauthorizationV1beta1::Policy
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/binaryauthorization_v1beta1/classes.rb,
lib/google/apis/binaryauthorization_v1beta1/representations.rb,
lib/google/apis/binaryauthorization_v1beta1/representations.rb
Overview
A policy for Binary Authorization.
Instance Attribute Summary collapse
-
#admission_whitelist_patterns ⇒ Array<Google::Apis::BinaryauthorizationV1beta1::AdmissionWhitelistPattern>
Optional.
-
#cluster_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional.
-
#default_admission_rule ⇒ Google::Apis::BinaryauthorizationV1beta1::AdmissionRule
An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.
-
#description ⇒ String
Optional.
-
#etag ⇒ String
Optional.
-
#global_policy_evaluation_mode ⇒ String
Optional.
-
#istio_service_identity_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional.
-
#kubernetes_namespace_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional.
-
#kubernetes_service_account_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional.
-
#name ⇒ String
Output only.
-
#update_time ⇒ String
Output only.
Instance Method Summary collapse
-
#initialize(**args) ⇒ Policy
constructor
A new instance of Policy.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ Policy
Returns a new instance of Policy.
652 653 654 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 652 def initialize(**args) update!(**args) end |
Instance Attribute Details
#admission_whitelist_patterns ⇒ Array<Google::Apis::BinaryauthorizationV1beta1::AdmissionWhitelistPattern>
Optional. Admission policy allowlisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google or third-
party infrastructure images from Binary Authorization policies.
Corresponds to the JSON property admissionWhitelistPatterns
582 583 584 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 582 def admission_whitelist_patterns @admission_whitelist_patterns end |
#cluster_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional. Per-cluster admission rules. Cluster spec format: location.
clusterId
. There can be at most one admission rule per cluster spec. A
location
is either a compute zone (e.g. us-central1-a) or a region (e.g. us-
central1). For clusterId
syntax restrictions see https://cloud.google.com/
container-engine/reference/rest/v1/projects.zones.clusters.
Corresponds to the JSON property clusterAdmissionRules
591 592 593 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 591 def cluster_admission_rules @cluster_admission_rules end |
#default_admission_rule ⇒ Google::Apis::BinaryauthorizationV1beta1::AdmissionRule
An admission rule specifies either that all container images used in a pod
creation request must be attested to by one or more attestors, that all pod
creations will be allowed, or that all pod creations will be denied. Images
matching an admission allowlist pattern are exempted from admission rules and
will never block a pod creation.
Corresponds to the JSON property defaultAdmissionRule
600 601 602 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 600 def default_admission_rule @default_admission_rule end |
#description ⇒ String
Optional. A descriptive comment.
Corresponds to the JSON property description
605 606 607 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 605 def description @description end |
#etag ⇒ String
Optional. A checksum, returned by the server, that can be sent on update
requests to ensure the policy has an up-to-date value before attempting to
update it. See https://google.aip.dev/154.
Corresponds to the JSON property etag
612 613 614 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 612 def etag @etag end |
#global_policy_evaluation_mode ⇒ String
Optional. Controls the evaluation of a Google-maintained global admission
policy for common system-level images. Images not covered by the global policy
will be subject to the project admission policy. This setting has no effect
when specified inside a global admission policy.
Corresponds to the JSON property globalPolicyEvaluationMode
620 621 622 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 620 def global_policy_evaluation_mode @global_policy_evaluation_mode end |
#istio_service_identity_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional. Per-istio-service-identity admission rules. Istio service identity
spec format: spiffe:///ns//sa/
or /ns//sa/
e.g. spiffe://example.com/ns/
test-ns/sa/default
Corresponds to the JSON property istioServiceIdentityAdmissionRules
627 628 629 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 627 def istio_service_identity_admission_rules @istio_service_identity_admission_rules end |
#kubernetes_namespace_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format:
[a-z.-]+
, e.g. some-namespace
Corresponds to the JSON property kubernetesNamespaceAdmissionRules
633 634 635 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 633 def kubernetes_namespace_admission_rules @kubernetes_namespace_admission_rules end |
#kubernetes_service_account_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional. Per-kubernetes-service-account admission rules. Service account spec
format: namespace:serviceaccount
. e.g. test-ns:default
Corresponds to the JSON property kubernetesServiceAccountAdmissionRules
639 640 641 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 639 def kubernetes_service_account_admission_rules @kubernetes_service_account_admission_rules end |
#name ⇒ String
Output only. The resource name, in the format projects/*/policy
. There is at
most one policy per project.
Corresponds to the JSON property name
645 646 647 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 645 def name @name end |
#update_time ⇒ String
Output only. Time when the policy was last updated.
Corresponds to the JSON property updateTime
650 651 652 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 650 def update_time @update_time end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
657 658 659 660 661 662 663 664 665 666 667 668 669 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 657 def update!(**args) @admission_whitelist_patterns = args[:admission_whitelist_patterns] if args.key?(:admission_whitelist_patterns) @cluster_admission_rules = args[:cluster_admission_rules] if args.key?(:cluster_admission_rules) @default_admission_rule = args[:default_admission_rule] if args.key?(:default_admission_rule) @description = args[:description] if args.key?(:description) @etag = args[:etag] if args.key?(:etag) @global_policy_evaluation_mode = args[:global_policy_evaluation_mode] if args.key?(:global_policy_evaluation_mode) @istio_service_identity_admission_rules = args[:istio_service_identity_admission_rules] if args.key?(:istio_service_identity_admission_rules) @kubernetes_namespace_admission_rules = args[:kubernetes_namespace_admission_rules] if args.key?(:kubernetes_namespace_admission_rules) @kubernetes_service_account_admission_rules = args[:kubernetes_service_account_admission_rules] if args.key?(:kubernetes_service_account_admission_rules) @name = args[:name] if args.key?(:name) @update_time = args[:update_time] if args.key?(:update_time) end |