Class: Google::Apis::BinaryauthorizationV1beta1::Policy
- Inherits:
-
Object
- Object
- Google::Apis::BinaryauthorizationV1beta1::Policy
- Includes:
- Core::Hashable, Core::JsonObjectSupport
- Defined in:
- lib/google/apis/binaryauthorization_v1beta1/classes.rb,
lib/google/apis/binaryauthorization_v1beta1/representations.rb,
lib/google/apis/binaryauthorization_v1beta1/representations.rb
Overview
A policy for Binary Authorization.
Instance Attribute Summary collapse
-
#admission_whitelist_patterns ⇒ Array<Google::Apis::BinaryauthorizationV1beta1::AdmissionWhitelistPattern>
Optional.
-
#cluster_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional.
-
#default_admission_rule ⇒ Google::Apis::BinaryauthorizationV1beta1::AdmissionRule
An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.
-
#description ⇒ String
Optional.
-
#etag ⇒ String
Optional.
-
#global_policy_evaluation_mode ⇒ String
Optional.
-
#istio_service_identity_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional.
-
#kubernetes_namespace_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional.
-
#kubernetes_service_account_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional.
-
#name ⇒ String
Output only.
-
#update_time ⇒ String
Output only.
Instance Method Summary collapse
-
#initialize(**args) ⇒ Policy
constructor
A new instance of Policy.
-
#update!(**args) ⇒ Object
Update properties of this object.
Constructor Details
#initialize(**args) ⇒ Policy
Returns a new instance of Policy.
627 628 629 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 627 def initialize(**args) update!(**args) end |
Instance Attribute Details
#admission_whitelist_patterns ⇒ Array<Google::Apis::BinaryauthorizationV1beta1::AdmissionWhitelistPattern>
Optional. Admission policy allowlisting. A matching admission request will
always be permitted. This feature is typically used to exclude Google or third-
party infrastructure images from Binary Authorization policies.
Corresponds to the JSON property admissionWhitelistPatterns
557 558 559 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 557 def admission_whitelist_patterns @admission_whitelist_patterns end |
#cluster_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional. Per-cluster admission rules. Cluster spec format: location.
clusterId
. There can be at most one admission rule per cluster spec. A
location
is either a compute zone (e.g. us-central1-a) or a region (e.g. us-
central1). For clusterId
syntax restrictions see https://cloud.google.com/
container-engine/reference/rest/v1/projects.zones.clusters.
Corresponds to the JSON property clusterAdmissionRules
566 567 568 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 566 def cluster_admission_rules @cluster_admission_rules end |
#default_admission_rule ⇒ Google::Apis::BinaryauthorizationV1beta1::AdmissionRule
An admission rule specifies either that all container images used in a pod
creation request must be attested to by one or more attestors, that all pod
creations will be allowed, or that all pod creations will be denied. Images
matching an admission allowlist pattern are exempted from admission rules and
will never block a pod creation.
Corresponds to the JSON property defaultAdmissionRule
575 576 577 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 575 def default_admission_rule @default_admission_rule end |
#description ⇒ String
Optional. A descriptive comment.
Corresponds to the JSON property description
580 581 582 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 580 def description @description end |
#etag ⇒ String
Optional. A checksum, returned by the server, that can be sent on update
requests to ensure the policy has an up-to-date value before attempting to
update it. See https://google.aip.dev/154.
Corresponds to the JSON property etag
587 588 589 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 587 def etag @etag end |
#global_policy_evaluation_mode ⇒ String
Optional. Controls the evaluation of a Google-maintained global admission
policy for common system-level images. Images not covered by the global policy
will be subject to the project admission policy. This setting has no effect
when specified inside a global admission policy.
Corresponds to the JSON property globalPolicyEvaluationMode
595 596 597 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 595 def global_policy_evaluation_mode @global_policy_evaluation_mode end |
#istio_service_identity_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional. Per-istio-service-identity admission rules. Istio service identity
spec format: spiffe:///ns//sa/
or /ns//sa/
e.g. spiffe://example.com/ns/
test-ns/sa/default
Corresponds to the JSON property istioServiceIdentityAdmissionRules
602 603 604 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 602 def istio_service_identity_admission_rules @istio_service_identity_admission_rules end |
#kubernetes_namespace_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format:
[a-z.-]+
, e.g. some-namespace
Corresponds to the JSON property kubernetesNamespaceAdmissionRules
608 609 610 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 608 def kubernetes_namespace_admission_rules @kubernetes_namespace_admission_rules end |
#kubernetes_service_account_admission_rules ⇒ Hash<String,Google::Apis::BinaryauthorizationV1beta1::AdmissionRule>
Optional. Per-kubernetes-service-account admission rules. Service account spec
format: namespace:serviceaccount
. e.g. test-ns:default
Corresponds to the JSON property kubernetesServiceAccountAdmissionRules
614 615 616 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 614 def kubernetes_service_account_admission_rules @kubernetes_service_account_admission_rules end |
#name ⇒ String
Output only. The resource name, in the format projects/*/policy
. There is at
most one policy per project.
Corresponds to the JSON property name
620 621 622 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 620 def name @name end |
#update_time ⇒ String
Output only. Time when the policy was last updated.
Corresponds to the JSON property updateTime
625 626 627 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 625 def update_time @update_time end |
Instance Method Details
#update!(**args) ⇒ Object
Update properties of this object
632 633 634 635 636 637 638 639 640 641 642 643 644 |
# File 'lib/google/apis/binaryauthorization_v1beta1/classes.rb', line 632 def update!(**args) @admission_whitelist_patterns = args[:admission_whitelist_patterns] if args.key?(:admission_whitelist_patterns) @cluster_admission_rules = args[:cluster_admission_rules] if args.key?(:cluster_admission_rules) @default_admission_rule = args[:default_admission_rule] if args.key?(:default_admission_rule) @description = args[:description] if args.key?(:description) @etag = args[:etag] if args.key?(:etag) @global_policy_evaluation_mode = args[:global_policy_evaluation_mode] if args.key?(:global_policy_evaluation_mode) @istio_service_identity_admission_rules = args[:istio_service_identity_admission_rules] if args.key?(:istio_service_identity_admission_rules) @kubernetes_namespace_admission_rules = args[:kubernetes_namespace_admission_rules] if args.key?(:kubernetes_namespace_admission_rules) @kubernetes_service_account_admission_rules = args[:kubernetes_service_account_admission_rules] if args.key?(:kubernetes_service_account_admission_rules) @name = args[:name] if args.key?(:name) @update_time = args[:update_time] if args.key?(:update_time) end |