Class: Google::Apis::BinaryauthorizationV1::Policy

Inherits:
Object
  • Object
show all
Includes:
Core::Hashable, Core::JsonObjectSupport
Defined in:
lib/google/apis/binaryauthorization_v1/classes.rb,
lib/google/apis/binaryauthorization_v1/representations.rb,
lib/google/apis/binaryauthorization_v1/representations.rb

Overview

A policy for container image binary authorization.

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(**args) ⇒ Policy

Returns a new instance of Policy.



1319
1320
1321
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1319

def initialize(**args)
   update!(**args)
end

Instance Attribute Details

#admission_whitelist_patternsArray<Google::Apis::BinaryauthorizationV1::AdmissionWhitelistPattern>

Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third- party infrastructure images from Binary Authorization policies. Corresponds to the JSON property admissionWhitelistPatterns

Returns:



1244
1245
1246
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1244

def admission_whitelist_patterns
  @admission_whitelist_patterns
end

#cluster_admission_rulesHash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>

Optional. A valid policy has only one of the following rule maps non-empty, i. e. only one of cluster_admission_rules, kubernetes_namespace_admission_rules, kubernetes_service_account_admission_rules, or istio_service_identity_admission_rules can be non-empty. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/ rest/v1/projects.zones.clusters. Corresponds to the JSON property clusterAdmissionRules

Returns:



1258
1259
1260
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1258

def cluster_admission_rules
  @cluster_admission_rules
end

#default_admission_ruleGoogle::Apis::BinaryauthorizationV1::AdmissionRule

An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation. Corresponds to the JSON property defaultAdmissionRule

Returns:



1267
1268
1269
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1267

def default_admission_rule
  @default_admission_rule
end

#descriptionString

Optional. A descriptive comment. Corresponds to the JSON property description

Returns:

  • (String) 


1272
1273
1274
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1272

def description
  @description
end

#etagString

Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154. Corresponds to the JSON property etag

Returns:

  • (String) 


1279
1280
1281
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1279

def etag
  @etag
end

#global_policy_evaluation_modeString

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy. Corresponds to the JSON property globalPolicyEvaluationMode

Returns:

  • (String) 


1287
1288
1289
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1287

def global_policy_evaluation_mode
  @global_policy_evaluation_mode
end

#istio_service_identity_admission_rulesHash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>

Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe:///ns//sa/ or /ns//sa/ e.g. spiffe://example.com/ns/ test-ns/sa/default Corresponds to the JSON property istioServiceIdentityAdmissionRules

Returns:



1294
1295
1296
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1294

def istio_service_identity_admission_rules
  @istio_service_identity_admission_rules
end

#kubernetes_namespace_admission_rulesHash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>

Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. some-namespace Corresponds to the JSON property kubernetesNamespaceAdmissionRules

Returns:



1300
1301
1302
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1300

def kubernetes_namespace_admission_rules
  @kubernetes_namespace_admission_rules
end

#kubernetes_service_account_admission_rulesHash<String,Google::Apis::BinaryauthorizationV1::AdmissionRule>

Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount. e.g. test-ns:default Corresponds to the JSON property kubernetesServiceAccountAdmissionRules

Returns:



1306
1307
1308
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1306

def 
  @kubernetes_service_account_admission_rules
end

#nameString

Output only. The resource name, in the format projects/*/policy. There is at most one policy per project. Corresponds to the JSON property name

Returns:

  • (String) 


1312
1313
1314
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1312

def name
  @name
end

#update_timeString

Output only. Time when the policy was last updated. Corresponds to the JSON property updateTime

Returns:

  • (String) 


1317
1318
1319
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1317

def update_time
  @update_time
end

Instance Method Details

#update!(**args) ⇒ Object

Update properties of this object



1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
 
# File 'lib/google/apis/binaryauthorization_v1/classes.rb', line 1324

def update!(**args)
  @admission_whitelist_patterns = args[:admission_whitelist_patterns] if args.key?(:admission_whitelist_patterns)
  @cluster_admission_rules = args[:cluster_admission_rules] if args.key?(:cluster_admission_rules)
  @default_admission_rule = args[:default_admission_rule] if args.key?(:default_admission_rule)
  @description = args[:description] if args.key?(:description)
  @etag = args[:etag] if args.key?(:etag)
  @global_policy_evaluation_mode = args[:global_policy_evaluation_mode] if args.key?(:global_policy_evaluation_mode)
  @istio_service_identity_admission_rules = args[:istio_service_identity_admission_rules] if args.key?(:istio_service_identity_admission_rules)
  @kubernetes_namespace_admission_rules = args[:kubernetes_namespace_admission_rules] if args.key?(:kubernetes_namespace_admission_rules)
  @kubernetes_service_account_admission_rules = args[:kubernetes_service_account_admission_rules] if args.key?(:kubernetes_service_account_admission_rules)
  @name = args[:name] if args.key?(:name)
  @update_time = args[:update_time] if args.key?(:update_time)
end