Binary Authorization API . projects

Instance Methods

attestors()

Returns the attestors Resource.

policy()

Returns the policy Resource.

getPolicy(name, x__xgafv=None)

A policy specifies the attestors that must attest to a container image, before the project is allowed to deploy that image.

updatePolicy(name, body=None, x__xgafv=None)

Creates or updates a project's policy, and returns a copy of the new policy.

Method Details

getPolicy(name, x__xgafv=None)
A policy specifies the attestors that must attest to
a container image, before the project is allowed to deploy that
image. There is at most one policy per project. All image admission
requests are permitted if a project has no policy.

Gets the policy for this project. Returns a default
policy if the project does not have one.

Args:
  name: string, Required. The resource name of the policy to retrieve,
in the format `projects/*/policy`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy for container image binary authorization.
      "description": "A String", # Optional. A descriptive comment.
      "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
          # always be permitted. This feature is typically used to exclude Google or
          # third-party infrastructure images from Binary Authorization policies.
        { # An admission whitelist pattern exempts images
            # from checks by admission rules.
          "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
              # This supports a trailing `*` as a wildcard, but this is allowed only in
              # text after the `registry/` part.
        },
      ],
      "updateTime": "A String", # Output only. Time when the policy was last updated.
      "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
          # at most one policy per project.
      "defaultAdmissionRule": { # Required. Default admission rule for a cluster without a per-cluster, per-
          # kubernetes-service-account, or per-istio-service-identity admission rule.
          #
          # An admission rule specifies either that all container images
          # used in a pod creation request must be attested to by one or more
          # attestors, that all pod creations will be allowed, or that all
          # pod creations will be denied.
          #
          # Images matching an admission whitelist pattern
          # are exempted from admission rules and will never block a pod creation.
        "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
        "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
        "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
            # a container image, in the format `projects/*/attestors/*`. Each
            # attestor must exist before a policy can reference it.  To add an attestor
            # to a policy the principal issuing the policy change request must be able
            # to read the attestor resource.
            #
            # Note: this field must be non-empty when the evaluation_mode field specifies
            # REQUIRE_ATTESTATION, otherwise it must be empty.
          "A String",
        ],
      },
      "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
          # policy for common system-level images. Images not covered by the global
          # policy will be subject to the project admission policy. This setting
          # has no effect when specified inside a global admission policy.
      "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
          # `location.clusterId`. There can be at most one admission rule per cluster
          # spec.
          # A `location` is either a compute zone (e.g. us-central1-a) or a region
          # (e.g. us-central1).
          # For `clusterId` syntax restrictions see
          # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
        "a_key": { # An admission rule specifies either that all container images
            # used in a pod creation request must be attested to by one or more
            # attestors, that all pod creations will be allowed, or that all
            # pod creations will be denied.
            #
            # Images matching an admission whitelist pattern
            # are exempted from admission rules and will never block a pod creation.
          "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
          "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
          "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
              # a container image, in the format `projects/*/attestors/*`. Each
              # attestor must exist before a policy can reference it.  To add an attestor
              # to a policy the principal issuing the policy change request must be able
              # to read the attestor resource.
              #
              # Note: this field must be non-empty when the evaluation_mode field specifies
              # REQUIRE_ATTESTATION, otherwise it must be empty.
            "A String",
          ],
        },
      },
    }

updatePolicy(name, body=None, x__xgafv=None)
Creates or updates a project's policy, and returns a copy of the
new policy. A policy is always updated as a whole, to avoid race
conditions with concurrent policy enforcement (or management!)
requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
if the request is malformed.

Args:
  name: string, Output only. The resource name, in the format `projects/*/policy`. There is
at most one policy per project. (required)
  body: object, The request body.
    The object takes the form of:

{ # A policy for container image binary authorization.
    "description": "A String", # Optional. A descriptive comment.
    "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
        # always be permitted. This feature is typically used to exclude Google or
        # third-party infrastructure images from Binary Authorization policies.
      { # An admission whitelist pattern exempts images
          # from checks by admission rules.
        "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
            # This supports a trailing `*` as a wildcard, but this is allowed only in
            # text after the `registry/` part.
      },
    ],
    "updateTime": "A String", # Output only. Time when the policy was last updated.
    "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
        # at most one policy per project.
    "defaultAdmissionRule": { # Required. Default admission rule for a cluster without a per-cluster, per-
        # kubernetes-service-account, or per-istio-service-identity admission rule.
        #
        # An admission rule specifies either that all container images
        # used in a pod creation request must be attested to by one or more
        # attestors, that all pod creations will be allowed, or that all
        # pod creations will be denied.
        #
        # Images matching an admission whitelist pattern
        # are exempted from admission rules and will never block a pod creation.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
          # a container image, in the format `projects/*/attestors/*`. Each
          # attestor must exist before a policy can reference it.  To add an attestor
          # to a policy the principal issuing the policy change request must be able
          # to read the attestor resource.
          #
          # Note: this field must be non-empty when the evaluation_mode field specifies
          # REQUIRE_ATTESTATION, otherwise it must be empty.
        "A String",
      ],
    },
    "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
        # policy for common system-level images. Images not covered by the global
        # policy will be subject to the project admission policy. This setting
        # has no effect when specified inside a global admission policy.
    "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
        # `location.clusterId`. There can be at most one admission rule per cluster
        # spec.
        # A `location` is either a compute zone (e.g. us-central1-a) or a region
        # (e.g. us-central1).
        # For `clusterId` syntax restrictions see
        # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
      "a_key": { # An admission rule specifies either that all container images
          # used in a pod creation request must be attested to by one or more
          # attestors, that all pod creations will be allowed, or that all
          # pod creations will be denied.
          #
          # Images matching an admission whitelist pattern
          # are exempted from admission rules and will never block a pod creation.
        "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
        "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
        "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
            # a container image, in the format `projects/*/attestors/*`. Each
            # attestor must exist before a policy can reference it.  To add an attestor
            # to a policy the principal issuing the policy change request must be able
            # to read the attestor resource.
            #
            # Note: this field must be non-empty when the evaluation_mode field specifies
            # REQUIRE_ATTESTATION, otherwise it must be empty.
          "A String",
        ],
      },
    },
  }

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy for container image binary authorization.
      "description": "A String", # Optional. A descriptive comment.
      "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
          # always be permitted. This feature is typically used to exclude Google or
          # third-party infrastructure images from Binary Authorization policies.
        { # An admission whitelist pattern exempts images
            # from checks by admission rules.
          "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
              # This supports a trailing `*` as a wildcard, but this is allowed only in
              # text after the `registry/` part.
        },
      ],
      "updateTime": "A String", # Output only. Time when the policy was last updated.
      "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
          # at most one policy per project.
      "defaultAdmissionRule": { # Required. Default admission rule for a cluster without a per-cluster, per-
          # kubernetes-service-account, or per-istio-service-identity admission rule.
          #
          # An admission rule specifies either that all container images
          # used in a pod creation request must be attested to by one or more
          # attestors, that all pod creations will be allowed, or that all
          # pod creations will be denied.
          #
          # Images matching an admission whitelist pattern
          # are exempted from admission rules and will never block a pod creation.
        "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
        "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
        "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
            # a container image, in the format `projects/*/attestors/*`. Each
            # attestor must exist before a policy can reference it.  To add an attestor
            # to a policy the principal issuing the policy change request must be able
            # to read the attestor resource.
            #
            # Note: this field must be non-empty when the evaluation_mode field specifies
            # REQUIRE_ATTESTATION, otherwise it must be empty.
          "A String",
        ],
      },
      "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
          # policy for common system-level images. Images not covered by the global
          # policy will be subject to the project admission policy. This setting
          # has no effect when specified inside a global admission policy.
      "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
          # `location.clusterId`. There can be at most one admission rule per cluster
          # spec.
          # A `location` is either a compute zone (e.g. us-central1-a) or a region
          # (e.g. us-central1).
          # For `clusterId` syntax restrictions see
          # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
        "a_key": { # An admission rule specifies either that all container images
            # used in a pod creation request must be attested to by one or more
            # attestors, that all pod creations will be allowed, or that all
            # pod creations will be denied.
            #
            # Images matching an admission whitelist pattern
            # are exempted from admission rules and will never block a pod creation.
          "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
          "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
          "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
              # a container image, in the format `projects/*/attestors/*`. Each
              # attestor must exist before a policy can reference it.  To add an attestor
              # to a policy the principal issuing the policy change request must be able
              # to read the attestor resource.
              #
              # Note: this field must be non-empty when the evaluation_mode field specifies
              # REQUIRE_ATTESTATION, otherwise it must be empty.
            "A String",
          ],
        },
      },
    }
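The policy object documented for getPolicy and updatePolicy above carries several constraints that the API only reports after a round trip: requireAttestationsBy must be non-empty exactly when evaluationMode is REQUIRE_ATTESTATION, a whitelist namePattern may use a trailing `*` only after the `registry/` part, and clusterAdmissionRules keys must be `location.clusterId`. Because updatePolicy replaces the policy as a whole, a malformed body that is rejected costs a round trip, and a body that is accepted but weaker than intended (an attestation rule silently dropped to ALWAYS_ALLOW, a wildcard that exempts more than meant) is the more serious failure. The following is an added example, not code from the google-api-python-client reference or from Google: it validates a policy body locally against the stated constraints, then issues the call through whatever `service` object the caller obtained from `build('binaryauthorization', 'v1', ...)`. The enum values other than REQUIRE_ATTESTATION (ALWAYS_ALLOW, ALWAYS_DENY, ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY) come from the published Binary Authorization v1 schema rather than from this page; the cluster-spec regex is a simplified assumption (the page defers to the GKE clusters reference for exact `clusterId` syntax); the project, attestor and cluster names in the sample policies are constructed.

```python
"""Local validation of a Binary Authorization policy body before updatePolicy.

Added example; it encodes the constraints stated in the policy reference and
is not the client library's own code.
"""
import re

# Enum values from the Binary Authorization v1 schema (only REQUIRE_ATTESTATION
# is named on the reference page itself).
EVALUATION_MODES = {"ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"}
ENFORCEMENT_MODES = {"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"}
ATTESTOR_RE = re.compile(r"^projects/[^/]+/attestors/[^/]+$")
# Assumption: location and clusterId are lowercase alphanumerics/hyphens.
CLUSTER_SPEC_RE = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+$")


def check_admission_rule(rule, where):
    """Return a list of problems with one admission rule (empty if it is fine)."""
    errors = []
    mode = rule.get("evaluationMode")
    if mode not in EVALUATION_MODES:
        errors.append(f"{where}: evaluationMode {mode!r} is not valid")
    if rule.get("enforcementMode") not in ENFORCEMENT_MODES:
        errors.append(f"{where}: enforcementMode {rule.get('enforcementMode')!r} is not valid")
    attestors = rule.get("requireAttestationsBy", [])
    # Non-empty exactly when the mode is REQUIRE_ATTESTATION, as the reference states.
    if mode == "REQUIRE_ATTESTATION" and not attestors:
        errors.append(f"{where}: REQUIRE_ATTESTATION needs at least one attestor")
    if mode != "REQUIRE_ATTESTATION" and attestors:
        errors.append(f"{where}: requireAttestationsBy must be empty unless REQUIRE_ATTESTATION")
    for attestor in attestors:
        if not ATTESTOR_RE.match(attestor):
            errors.append(f"{where}: attestor {attestor!r} is not projects/*/attestors/*")
    return errors


def check_whitelist_pattern(pattern):
    """Return a problem string for a namePattern, or None if it is acceptable."""
    registry, sep, rest = pattern.partition("/")
    if not sep or not registry:
        return f"whitelist pattern {pattern!r} has no registry/ part"
    if "*" in registry:
        return f"whitelist pattern {pattern!r} uses a wildcard in the registry part"
    if "*" in rest[:-1]:  # any `*` that is not the final character
        return f"whitelist pattern {pattern!r} uses a non-trailing wildcard"
    return None


def validate_policy(policy):
    """Collect every constraint violation in a policy body."""
    errors = []
    default = policy.get("defaultAdmissionRule")
    if default is None:
        errors.append("defaultAdmissionRule is required")
    else:
        errors += check_admission_rule(default, "defaultAdmissionRule")
    for spec, rule in policy.get("clusterAdmissionRules", {}).items():
        if not CLUSTER_SPEC_RE.match(spec):
            errors.append(f"cluster spec {spec!r} is not location.clusterId")
        errors += check_admission_rule(rule, f"clusterAdmissionRules[{spec}]")
    for entry in policy.get("admissionWhitelistPatterns", []):
        problem = check_whitelist_pattern(entry.get("namePattern", ""))
        if problem:
            errors.append(problem)
    return errors


def update_policy(service, project_id, policy):
    """Validate locally, then replace the project's policy as a whole via updatePolicy."""
    errors = validate_policy(policy)
    if errors:
        raise ValueError("; ".join(errors))
    name = f"projects/{project_id}/policy"
    return service.projects().updatePolicy(name=name, body=policy).execute()


# Constructed sample: enforce attestation by default, dry-run on one staging
# cluster, exempt a base-image path. Names are placeholders.
SAMPLE_POLICY = {
    "description": "Example policy (constructed)",
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/example-base/*"}],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": ["projects/example-project/attestors/build-verified"],
    },
    "clusterAdmissionRules": {
        "us-central1-a.staging": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
            "requireAttestationsBy": ["projects/example-project/attestors/build-verified"],
        }
    },
}

# Constructed sample containing the four mistakes the reference warns about.
BAD_POLICY = {
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/*/base"}],
    "defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION",
                             "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
                             "requireAttestationsBy": []},
    "clusterAdmissionRules": {"staging": {"evaluationMode": "ALWAYS_ALLOW",
                                          "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
                                          "requireAttestationsBy": ["projects/p/attestors/a"]}},
}

if __name__ == "__main__":
    print("sample policy problems:", validate_policy(SAMPLE_POLICY))
    for problem in validate_policy(BAD_POLICY):
        print("bad policy:", problem)
```

The validator returns every problem at once rather than the first, so a policy author sees the whole set before spending a round trip; update_policy refuses to send anything that fails, which keeps a half-correct policy from replacing a good one.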