Binary Authorization API . projects

Instance Methods

attestors()

Returns the attestors Resource.

policy()

Returns the policy Resource.

getPolicy(name, x__xgafv=None)

A policy specifies the attestors that must attest to a container image, before the project is allowed to deploy that image.

updatePolicy(name, body, x__xgafv=None)

Creates or updates a project's policy, and returns a copy of the new policy.

Method Details

getPolicy(name, x__xgafv=None)
A policy specifies the attestors that must attest to
a container image, before the project is allowed to deploy that
image. There is at most one policy per project. All image admission
requests are permitted if a project has no policy.

Gets the policy for this project. Returns a default
policy if the project does not have one.

Args:
  name: string, Required. The resource name of the policy to retrieve,
in the format `projects/*/policy`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy for container image binary authorization.
    "updateTime": "A String", # Output only. Time when the policy was last updated.
    "description": "A String", # Optional. A descriptive comment.
    "defaultAdmissionRule": { # Required. Default admission rule for a cluster without a per-cluster, per-
        # kubernetes-service-account, or per-istio-service-identity admission rule.
        # An admission rule specifies either that all container images
        # used in a pod creation request must be attested to by one or more
        # attestors, that all pod creations will be allowed, or that all
        # pod creations will be denied.
        #
        # Images matching an admission whitelist pattern
        # are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
          # a container image, in the format `projects/*/attestors/*`. Each
          # attestor must exist before a policy can reference it.  To add an attestor
          # to a policy the principal issuing the policy change request must be able
          # to read the attestor resource.
          #
          # Note: this field must be non-empty when the evaluation_mode field specifies
          # REQUIRE_ATTESTATION, otherwise it must be empty.
        "A String",
      ],
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
    },
    "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
        # always be permitted. This feature is typically used to exclude Google or
        # third-party infrastructure images from Binary Authorization policies.
      { # An admission whitelist pattern exempts images
          # from checks by admission rules.
        "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
            # This supports a trailing `*` as a wildcard, but this is allowed only in
            # text after the `registry/` part.
      },
    ],
    "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
        # policy for common system-level images. Images not covered by the global
        # policy will be subject to the project admission policy. This setting
        # has no effect when specified inside a global admission policy.
    "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
        # `location.clusterId`. There can be at most one admission rule per cluster
        # spec.
        # A `location` is either a compute zone (e.g. us-central1-a) or a region
        # (e.g. us-central1).
        # For `clusterId` syntax restrictions see
        # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
      "a_key": { # An admission rule specifies either that all container images
          # used in a pod creation request must be attested to by one or more
          # attestors, that all pod creations will be allowed, or that all
          # pod creations will be denied.
          #
          # Images matching an admission whitelist pattern
          # are exempted from admission rules and will never block a pod creation.
        "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
        "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
            # a container image, in the format `projects/*/attestors/*`. Each
            # attestor must exist before a policy can reference it.  To add an attestor
            # to a policy the principal issuing the policy change request must be able
            # to read the attestor resource.
            #
            # Note: this field must be non-empty when the evaluation_mode field specifies
            # REQUIRE_ATTESTATION, otherwise it must be empty.
          "A String",
        ],
        "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      },
    },
    "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
        # at most one policy per project.
  }
updatePolicy(name, body, x__xgafv=None)
Creates or updates a project's policy, and returns a copy of the
new policy. A policy is always updated as a whole, to avoid race
conditions with concurrent policy enforcement (or management!)
requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
if the request is malformed.

Args:
  name: string, Output only. The resource name, in the format `projects/*/policy`. There is
at most one policy per project. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # A policy for container image binary authorization.
  "updateTime": "A String", # Output only. Time when the policy was last updated.
  "description": "A String", # Optional. A descriptive comment.
  "defaultAdmissionRule": { # Required. Default admission rule for a cluster without a per-cluster, per-
      # kubernetes-service-account, or per-istio-service-identity admission rule.
      # An admission rule specifies either that all container images
      # used in a pod creation request must be attested to by one or more
      # attestors, that all pod creations will be allowed, or that all
      # pod creations will be denied.
      #
      # Images matching an admission whitelist pattern
      # are exempted from admission rules and will never block a pod creation.
    "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
    "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
        # a container image, in the format `projects/*/attestors/*`. Each
        # attestor must exist before a policy can reference it.  To add an attestor
        # to a policy the principal issuing the policy change request must be able
        # to read the attestor resource.
        #
        # Note: this field must be non-empty when the evaluation_mode field specifies
        # REQUIRE_ATTESTATION, otherwise it must be empty.
      "A String",
    ],
    "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
  },
  "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
      # always be permitted. This feature is typically used to exclude Google or
      # third-party infrastructure images from Binary Authorization policies.
    { # An admission whitelist pattern exempts images
        # from checks by admission rules.
      "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
          # This supports a trailing `*` as a wildcard, but this is allowed only in
          # text after the `registry/` part.
    },
  ],
  "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
      # policy for common system-level images. Images not covered by the global
      # policy will be subject to the project admission policy. This setting
      # has no effect when specified inside a global admission policy.
  "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
      # `location.clusterId`. There can be at most one admission rule per cluster
      # spec.
      # A `location` is either a compute zone (e.g. us-central1-a) or a region
      # (e.g. us-central1).
      # For `clusterId` syntax restrictions see
      # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
    "a_key": { # An admission rule specifies either that all container images
        # used in a pod creation request must be attested to by one or more
        # attestors, that all pod creations will be allowed, or that all
        # pod creations will be denied.
        #
        # Images matching an admission whitelist pattern
        # are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
          # a container image, in the format `projects/*/attestors/*`. Each
          # attestor must exist before a policy can reference it.  To add an attestor
          # to a policy the principal issuing the policy change request must be able
          # to read the attestor resource.
          #
          # Note: this field must be non-empty when the evaluation_mode field specifies
          # REQUIRE_ATTESTATION, otherwise it must be empty.
        "A String",
      ],
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
    },
  },
  "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
      # at most one policy per project.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy for container image binary authorization.
    "updateTime": "A String", # Output only. Time when the policy was last updated.
    "description": "A String", # Optional. A descriptive comment.
    "defaultAdmissionRule": { # Required. Default admission rule for a cluster without a per-cluster, per-
        # kubernetes-service-account, or per-istio-service-identity admission rule.
        # An admission rule specifies either that all container images
        # used in a pod creation request must be attested to by one or more
        # attestors, that all pod creations will be allowed, or that all
        # pod creations will be denied.
        #
        # Images matching an admission whitelist pattern
        # are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
          # a container image, in the format `projects/*/attestors/*`. Each
          # attestor must exist before a policy can reference it.  To add an attestor
          # to a policy the principal issuing the policy change request must be able
          # to read the attestor resource.
          #
          # Note: this field must be non-empty when the evaluation_mode field specifies
          # REQUIRE_ATTESTATION, otherwise it must be empty.
        "A String",
      ],
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
    },
    "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
        # always be permitted. This feature is typically used to exclude Google or
        # third-party infrastructure images from Binary Authorization policies.
      { # An admission whitelist pattern exempts images
          # from checks by admission rules.
        "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
            # This supports a trailing `*` as a wildcard, but this is allowed only in
            # text after the `registry/` part.
      },
    ],
    "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
        # policy for common system-level images. Images not covered by the global
        # policy will be subject to the project admission policy. This setting
        # has no effect when specified inside a global admission policy.
    "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
        # `location.clusterId`. There can be at most one admission rule per cluster
        # spec.
        # A `location` is either a compute zone (e.g. us-central1-a) or a region
        # (e.g. us-central1).
        # For `clusterId` syntax restrictions see
        # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
      "a_key": { # An admission rule specifies either that all container images
          # used in a pod creation request must be attested to by one or more
          # attestors, that all pod creations will be allowed, or that all
          # pod creations will be denied.
          #
          # Images matching an admission whitelist pattern
          # are exempted from admission rules and will never block a pod creation.
        "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
        "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
            # a container image, in the format `projects/*/attestors/*`. Each
            # attestor must exist before a policy can reference it.  To add an attestor
            # to a policy the principal issuing the policy change request must be able
            # to read the attestor resource.
            #
            # Note: this field must be non-empty when the evaluation_mode field specifies
            # REQUIRE_ATTESTATION, otherwise it must be empty.
          "A String",
        ],
        "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      },
    },
    "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
        # at most one policy per project.
  }
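Because updatePolicy replaces the policy as a whole and rejects a malformed body with INVALID_ARGUMENT, it is worth checking the invariants documented above (requireAttestationsBy non-empty exactly when evaluationMode is REQUIRE_ATTESTATION, attestor names of the form `projects/*/attestors/*`, cluster specs of the form `location.clusterId`, whitelist wildcards only trailing and only after `registry/`) before sending it. The following is an added example, not code from the API client library; the sample policy is constructed, and the enum values other than REQUIRE_ATTESTATION (ALWAYS_ALLOW, ALWAYS_DENY, ENFORCED_BLOCK_AND_AUDIT_LOG) are assumed API values rather than quoted from this page.

```python
import re
# REQUIRE_ATTESTATION is named on this page; the other enum values are assumed.
EVALUATION_MODES = {"ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"}
ATTESTOR_RE = re.compile(r"^projects/[^/]+/attestors/[^/]+$")  # projects/*/attestors/*
CLUSTER_SPEC_RE = re.compile(r"^[a-z0-9-]+\.[A-Za-z0-9-]+$")  # location.clusterId

# Constructed sample body for updatePolicy: deny by default, require the QA
# attestor on one cluster, exempt an infrastructure image prefix.
SAMPLE_POLICY = {
    "defaultAdmissionRule": {"evaluationMode": "ALWAYS_DENY",
                             "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
    "clusterAdmissionRules": {"us-central1-a.prod": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": ["projects/example-proj/attestors/qa-signer"]}},
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/example-proj/infra/*"}],
}

def admission_rule_errors(rule, where):
    errors, mode = [], rule.get("evaluationMode")
    attestors = rule.get("requireAttestationsBy", [])
    if mode not in EVALUATION_MODES:
        errors.append(f"{where}: unknown evaluationMode {mode!r}")
    if not rule.get("enforcementMode"):
        errors.append(f"{where}: enforcementMode is required")
    # requireAttestationsBy must be non-empty iff the mode is REQUIRE_ATTESTATION.
    if (mode == "REQUIRE_ATTESTATION") != bool(attestors):
        errors.append(f"{where}: requireAttestationsBy does not match {mode}")
    errors += [f"{where}: bad attestor name {a!r}" for a in attestors if not ATTESTOR_RE.match(a)]
    return errors

def whitelist_pattern_error(pattern):
    # Only a trailing `*` is allowed, and only in the text after `registry/`.
    registry, sep, path = pattern.partition("/")
    if not sep or "*" in registry:
        return f"{pattern!r}: needs a path and no wildcard in the registry part"
    return f"{pattern!r}: `*` is allowed only as the trailing character" if "*" in path[:-1] else None

def policy_errors(policy):
    # Collect every violation so the whole body can be fixed before one updatePolicy call.
    if "defaultAdmissionRule" not in policy:
        return ["defaultAdmissionRule is required"]
    errors = admission_rule_errors(policy["defaultAdmissionRule"], "defaultAdmissionRule")
    for spec, rule in policy.get("clusterAdmissionRules", {}).items():
        if not CLUSTER_SPEC_RE.match(spec):
            errors.append(f"bad cluster spec {spec!r}, expected location.clusterId")
        errors += admission_rule_errors(rule, f"clusterAdmissionRules[{spec}]")
    for entry in policy.get("admissionWhitelistPatterns", []):
        err = whitelist_pattern_error(entry.get("namePattern", ""))
        errors += [err] if err else []
    return errors
```

An empty list from `policy_errors` means the body satisfies the documented constraints; the server still performs its own validation, and attestors referenced must already exist and be readable by the caller.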