1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
<html><body>
<style>
body, h1, h2, h3, div, span, p, pre, a {
margin: 0;
padding: 0;
border: 0;
font-weight: inherit;
font-style: inherit;
font-size: 100%;
font-family: inherit;
vertical-align: baseline;
}
body {
font-size: 13px;
padding: 1em;
}
h1 {
font-size: 26px;
margin-bottom: 1em;
}
h2 {
font-size: 24px;
margin-bottom: 1em;
}
h3 {
font-size: 20px;
margin-bottom: 1em;
margin-top: 1em;
}
pre, code {
line-height: 1.5;
font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}
pre {
margin-top: 0.5em;
}
h1, h2, h3, p {
font-family: Arial, sans serif;
}
h1, h2, h3 {
border-bottom: solid #CCC 1px;
}
.toc_element {
margin-top: 0.5em;
}
.firstline {
margin-left: 2 em;
}
.method {
margin-top: 1em;
border: solid 1px #CCC;
padding: 1em;
background: #EEE;
}
.details {
font-weight: bold;
font-size: 14px;
}
</style>
<h1><a href="binaryauthorization_v1beta1.html">Binary Authorization API</a> . <a href="binaryauthorization_v1beta1.systempolicy.html">systempolicy</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
<code><a href="#close">close()</a></code></p>
<p class="firstline">Close httplib2 connections.</p>
<p class="toc_element">
<code><a href="#getPolicy">getPolicy(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets the current system policy in the specified location.</p>
<h3>Method Details</h3>
<div class="method">
<code class="details" id="close">close()</code>
<pre>Close httplib2 connections.</pre>
</div>
<div class="method">
<code class="details" id="getPolicy">getPolicy(name, x__xgafv=None)</code>
<pre>Gets the current system policy in the specified location.
Args:
name: string, Required. The resource name, in the format `locations/*/policy`. Note that the system policy is not associated with a project. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A policy for Binary Authorization.
"admissionWhitelistPatterns": [ # Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
{ # An admission allowlist pattern exempts images from checks by admission rules.
"namePattern": "A String", # An image name pattern to allowlist, in the form `registry/path/to/image`. This supports a trailing `*` as a wildcard, but this is allowed only in text after the `registry/` part. `*` wildcard does not match `/`, i.e., `gcr.io/nginx*` matches `gcr.io/nginx@latest`, but it does not match `gcr.io/nginx/image`. This also supports a trailing `**` wildcard which matches subdirectories, i.e., `gcr.io/nginx**` matches `gcr.io/nginx/image`.
},
],
"clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec. A `location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For `clusterId` syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
"a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
"requireAttestationsBy": [
"A String",
],
},
},
"defaultAdmissionRule": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation. # Required. Default admission rule for a cluster without a per-cluster, per- kubernetes-service-account, or per-istio-service-identity admission rule.
"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
"requireAttestationsBy": [
"A String",
],
},
"description": "A String", # Optional. A descriptive comment.
"etag": "A String", # Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.
"globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
"istioServiceIdentityAdmissionRules": { # Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe:///ns//sa/` or `/ns//sa/` e.g. `spiffe://example.com/ns/test-ns/sa/default`
"a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
"requireAttestationsBy": [
"A String",
],
},
},
"kubernetesNamespaceAdmissionRules": { # Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. `some-namespace`
"a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
"requireAttestationsBy": [
"A String",
],
},
},
"kubernetesServiceAccountAdmissionRules": { # Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`. e.g. `test-ns:default`
"a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
"requireAttestationsBy": [
"A String",
],
},
},
"name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project.
"updateTime": "A String", # Output only. Time when the policy was last updated.
}</pre>
</div>
</body></html>
|
