gcp.binaryauthorization.Policy
Explore with Pulumi AI
A policy for container image binary authorization.
To get more information about Policy, see:
- API documentation
- How-to Guides
Example Usage
Binary Authorization Policy Basic
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const note = new gcp.containeranalysis.Note("note", {
name: "test-attestor-note",
attestationAuthority: {
hint: {
humanReadableName: "My attestor",
},
},
});
const attestor = new gcp.binaryauthorization.Attestor("attestor", {
name: "test-attestor",
attestationAuthorityNote: {
noteReference: note.name,
},
});
const policy = new gcp.binaryauthorization.Policy("policy", {
admissionWhitelistPatterns: [{
namePattern: "gcr.io/google_containers/*",
}],
defaultAdmissionRule: {
evaluationMode: "ALWAYS_ALLOW",
enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
},
clusterAdmissionRules: [{
cluster: "us-central1-a.prod-cluster",
evaluationMode: "REQUIRE_ATTESTATION",
enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
requireAttestationsBies: [attestor.name],
}],
});
import pulumi
import pulumi_gcp as gcp
note = gcp.containeranalysis.Note("note",
name="test-attestor-note",
attestation_authority=gcp.containeranalysis.NoteAttestationAuthorityArgs(
hint=gcp.containeranalysis.NoteAttestationAuthorityHintArgs(
human_readable_name="My attestor",
),
))
attestor = gcp.binaryauthorization.Attestor("attestor",
name="test-attestor",
attestation_authority_note=gcp.binaryauthorization.AttestorAttestationAuthorityNoteArgs(
note_reference=note.name,
))
policy = gcp.binaryauthorization.Policy("policy",
admission_whitelist_patterns=[gcp.binaryauthorization.PolicyAdmissionWhitelistPatternArgs(
name_pattern="gcr.io/google_containers/*",
)],
default_admission_rule=gcp.binaryauthorization.PolicyDefaultAdmissionRuleArgs(
evaluation_mode="ALWAYS_ALLOW",
enforcement_mode="ENFORCED_BLOCK_AND_AUDIT_LOG",
),
cluster_admission_rules=[gcp.binaryauthorization.PolicyClusterAdmissionRuleArgs(
cluster="us-central1-a.prod-cluster",
evaluation_mode="REQUIRE_ATTESTATION",
enforcement_mode="ENFORCED_BLOCK_AND_AUDIT_LOG",
require_attestations_bies=[attestor.name],
)])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/containeranalysis"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
note, err := containeranalysis.NewNote(ctx, "note", &containeranalysis.NoteArgs{
Name: pulumi.String("test-attestor-note"),
AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
HumanReadableName: pulumi.String("My attestor"),
},
},
})
if err != nil {
return err
}
attestor, err := binaryauthorization.NewAttestor(ctx, "attestor", &binaryauthorization.AttestorArgs{
Name: pulumi.String("test-attestor"),
AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
NoteReference: note.Name,
},
})
if err != nil {
return err
}
_, err = binaryauthorization.NewPolicy(ctx, "policy", &binaryauthorization.PolicyArgs{
AdmissionWhitelistPatterns: binaryauthorization.PolicyAdmissionWhitelistPatternArray{
&binaryauthorization.PolicyAdmissionWhitelistPatternArgs{
NamePattern: pulumi.String("gcr.io/google_containers/*"),
},
},
DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
EvaluationMode: pulumi.String("ALWAYS_ALLOW"),
EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
},
ClusterAdmissionRules: binaryauthorization.PolicyClusterAdmissionRuleArray{
&binaryauthorization.PolicyClusterAdmissionRuleArgs{
Cluster: pulumi.String("us-central1-a.prod-cluster"),
EvaluationMode: pulumi.String("REQUIRE_ATTESTATION"),
EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
RequireAttestationsBies: pulumi.StringArray{
attestor.Name,
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var note = new Gcp.ContainerAnalysis.Note("note", new()
{
Name = "test-attestor-note",
AttestationAuthority = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityArgs
{
Hint = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityHintArgs
{
HumanReadableName = "My attestor",
},
},
});
var attestor = new Gcp.BinaryAuthorization.Attestor("attestor", new()
{
Name = "test-attestor",
AttestationAuthorityNote = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNoteArgs
{
NoteReference = note.Name,
},
});
var policy = new Gcp.BinaryAuthorization.Policy("policy", new()
{
AdmissionWhitelistPatterns = new[]
{
new Gcp.BinaryAuthorization.Inputs.PolicyAdmissionWhitelistPatternArgs
{
NamePattern = "gcr.io/google_containers/*",
},
},
DefaultAdmissionRule = new Gcp.BinaryAuthorization.Inputs.PolicyDefaultAdmissionRuleArgs
{
EvaluationMode = "ALWAYS_ALLOW",
EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG",
},
ClusterAdmissionRules = new[]
{
new Gcp.BinaryAuthorization.Inputs.PolicyClusterAdmissionRuleArgs
{
Cluster = "us-central1-a.prod-cluster",
EvaluationMode = "REQUIRE_ATTESTATION",
EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG",
RequireAttestationsBies = new[]
{
attestor.Name,
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.Note;
import com.pulumi.gcp.containeranalysis.NoteArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
import com.pulumi.gcp.binaryauthorization.Attestor;
import com.pulumi.gcp.binaryauthorization.AttestorArgs;
import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
import com.pulumi.gcp.binaryauthorization.Policy;
import com.pulumi.gcp.binaryauthorization.PolicyArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyAdmissionWhitelistPatternArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyClusterAdmissionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var note = new Note("note", NoteArgs.builder()
.name("test-attestor-note")
.attestationAuthority(NoteAttestationAuthorityArgs.builder()
.hint(NoteAttestationAuthorityHintArgs.builder()
.humanReadableName("My attestor")
.build())
.build())
.build());
var attestor = new Attestor("attestor", AttestorArgs.builder()
.name("test-attestor")
.attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
.noteReference(note.name())
.build())
.build());
var policy = new Policy("policy", PolicyArgs.builder()
.admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
.namePattern("gcr.io/google_containers/*")
.build())
.defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
.evaluationMode("ALWAYS_ALLOW")
.enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
.build())
.clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
.cluster("us-central1-a.prod-cluster")
.evaluationMode("REQUIRE_ATTESTATION")
.enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
.requireAttestationsBies(attestor.name())
.build())
.build());
}
}
resources:
policy:
type: gcp:binaryauthorization:Policy
properties:
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
defaultAdmissionRule:
evaluationMode: ALWAYS_ALLOW
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
clusterAdmissionRules:
- cluster: us-central1-a.prod-cluster
evaluationMode: REQUIRE_ATTESTATION
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
requireAttestationsBies:
- ${attestor.name}
note:
type: gcp:containeranalysis:Note
properties:
name: test-attestor-note
attestationAuthority:
hint:
humanReadableName: My attestor
attestor:
type: gcp:binaryauthorization:Attestor
properties:
name: test-attestor
attestationAuthorityNote:
noteReference: ${note.name}
Binary Authorization Policy Global Evaluation
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const note = new gcp.containeranalysis.Note("note", {
name: "test-attestor-note",
attestationAuthority: {
hint: {
humanReadableName: "My attestor",
},
},
});
const attestor = new gcp.binaryauthorization.Attestor("attestor", {
name: "test-attestor",
attestationAuthorityNote: {
noteReference: note.name,
},
});
const policy = new gcp.binaryauthorization.Policy("policy", {
defaultAdmissionRule: {
evaluationMode: "REQUIRE_ATTESTATION",
enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG",
requireAttestationsBies: [attestor.name],
},
globalPolicyEvaluationMode: "ENABLE",
});
import pulumi
import pulumi_gcp as gcp
note = gcp.containeranalysis.Note("note",
name="test-attestor-note",
attestation_authority=gcp.containeranalysis.NoteAttestationAuthorityArgs(
hint=gcp.containeranalysis.NoteAttestationAuthorityHintArgs(
human_readable_name="My attestor",
),
))
attestor = gcp.binaryauthorization.Attestor("attestor",
name="test-attestor",
attestation_authority_note=gcp.binaryauthorization.AttestorAttestationAuthorityNoteArgs(
note_reference=note.name,
))
policy = gcp.binaryauthorization.Policy("policy",
default_admission_rule=gcp.binaryauthorization.PolicyDefaultAdmissionRuleArgs(
evaluation_mode="REQUIRE_ATTESTATION",
enforcement_mode="ENFORCED_BLOCK_AND_AUDIT_LOG",
require_attestations_bies=[attestor.name],
),
global_policy_evaluation_mode="ENABLE")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi-gcp/sdk/v7/go/gcp/containeranalysis"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
note, err := containeranalysis.NewNote(ctx, "note", &containeranalysis.NoteArgs{
Name: pulumi.String("test-attestor-note"),
AttestationAuthority: &containeranalysis.NoteAttestationAuthorityArgs{
Hint: &containeranalysis.NoteAttestationAuthorityHintArgs{
HumanReadableName: pulumi.String("My attestor"),
},
},
})
if err != nil {
return err
}
attestor, err := binaryauthorization.NewAttestor(ctx, "attestor", &binaryauthorization.AttestorArgs{
Name: pulumi.String("test-attestor"),
AttestationAuthorityNote: &binaryauthorization.AttestorAttestationAuthorityNoteArgs{
NoteReference: note.Name,
},
})
if err != nil {
return err
}
_, err = binaryauthorization.NewPolicy(ctx, "policy", &binaryauthorization.PolicyArgs{
DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
EvaluationMode: pulumi.String("REQUIRE_ATTESTATION"),
EnforcementMode: pulumi.String("ENFORCED_BLOCK_AND_AUDIT_LOG"),
RequireAttestationsBies: pulumi.StringArray{
attestor.Name,
},
},
GlobalPolicyEvaluationMode: pulumi.String("ENABLE"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var note = new Gcp.ContainerAnalysis.Note("note", new()
{
Name = "test-attestor-note",
AttestationAuthority = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityArgs
{
Hint = new Gcp.ContainerAnalysis.Inputs.NoteAttestationAuthorityHintArgs
{
HumanReadableName = "My attestor",
},
},
});
var attestor = new Gcp.BinaryAuthorization.Attestor("attestor", new()
{
Name = "test-attestor",
AttestationAuthorityNote = new Gcp.BinaryAuthorization.Inputs.AttestorAttestationAuthorityNoteArgs
{
NoteReference = note.Name,
},
});
var policy = new Gcp.BinaryAuthorization.Policy("policy", new()
{
DefaultAdmissionRule = new Gcp.BinaryAuthorization.Inputs.PolicyDefaultAdmissionRuleArgs
{
EvaluationMode = "REQUIRE_ATTESTATION",
EnforcementMode = "ENFORCED_BLOCK_AND_AUDIT_LOG",
RequireAttestationsBies = new[]
{
attestor.Name,
},
},
GlobalPolicyEvaluationMode = "ENABLE",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.Note;
import com.pulumi.gcp.containeranalysis.NoteArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
import com.pulumi.gcp.binaryauthorization.Attestor;
import com.pulumi.gcp.binaryauthorization.AttestorArgs;
import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
import com.pulumi.gcp.binaryauthorization.Policy;
import com.pulumi.gcp.binaryauthorization.PolicyArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var note = new Note("note", NoteArgs.builder()
.name("test-attestor-note")
.attestationAuthority(NoteAttestationAuthorityArgs.builder()
.hint(NoteAttestationAuthorityHintArgs.builder()
.humanReadableName("My attestor")
.build())
.build())
.build());
var attestor = new Attestor("attestor", AttestorArgs.builder()
.name("test-attestor")
.attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
.noteReference(note.name())
.build())
.build());
var policy = new Policy("policy", PolicyArgs.builder()
.defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
.evaluationMode("REQUIRE_ATTESTATION")
.enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
.requireAttestationsBies(attestor.name())
.build())
.globalPolicyEvaluationMode("ENABLE")
.build());
}
}
resources:
policy:
type: gcp:binaryauthorization:Policy
properties:
defaultAdmissionRule:
evaluationMode: REQUIRE_ATTESTATION
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
requireAttestationsBies:
- ${attestor.name}
globalPolicyEvaluationMode: ENABLE
note:
type: gcp:containeranalysis:Note
properties:
name: test-attestor-note
attestationAuthority:
hint:
humanReadableName: My attestor
attestor:
type: gcp:binaryauthorization:Attestor
properties:
name: test-attestor
attestationAuthorityNote:
noteReference: ${note.name}
Create Policy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
@overload
def Policy(resource_name: str,
args: PolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Policy(resource_name: str,
opts: Optional[ResourceOptions] = None,
default_admission_rule: Optional[PolicyDefaultAdmissionRuleArgs] = None,
admission_whitelist_patterns: Optional[Sequence[PolicyAdmissionWhitelistPatternArgs]] = None,
cluster_admission_rules: Optional[Sequence[PolicyClusterAdmissionRuleArgs]] = None,
description: Optional[str] = None,
global_policy_evaluation_mode: Optional[str] = None,
project: Optional[str] = None)
func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
public Policy(String name, PolicyArgs args)
public Policy(String name, PolicyArgs args, CustomResourceOptions options)
type: gcp:binaryauthorization:Policy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var policyResource = new Gcp.BinaryAuthorization.Policy("policyResource", new()
{
DefaultAdmissionRule = new Gcp.BinaryAuthorization.Inputs.PolicyDefaultAdmissionRuleArgs
{
EnforcementMode = "string",
EvaluationMode = "string",
RequireAttestationsBies = new[]
{
"string",
},
},
AdmissionWhitelistPatterns = new[]
{
new Gcp.BinaryAuthorization.Inputs.PolicyAdmissionWhitelistPatternArgs
{
NamePattern = "string",
},
},
ClusterAdmissionRules = new[]
{
new Gcp.BinaryAuthorization.Inputs.PolicyClusterAdmissionRuleArgs
{
Cluster = "string",
EnforcementMode = "string",
EvaluationMode = "string",
RequireAttestationsBies = new[]
{
"string",
},
},
},
Description = "string",
GlobalPolicyEvaluationMode = "string",
Project = "string",
});
example, err := binaryauthorization.NewPolicy(ctx, "policyResource", &binaryauthorization.PolicyArgs{
DefaultAdmissionRule: &binaryauthorization.PolicyDefaultAdmissionRuleArgs{
EnforcementMode: pulumi.String("string"),
EvaluationMode: pulumi.String("string"),
RequireAttestationsBies: pulumi.StringArray{
pulumi.String("string"),
},
},
AdmissionWhitelistPatterns: binaryauthorization.PolicyAdmissionWhitelistPatternArray{
&binaryauthorization.PolicyAdmissionWhitelistPatternArgs{
NamePattern: pulumi.String("string"),
},
},
ClusterAdmissionRules: binaryauthorization.PolicyClusterAdmissionRuleArray{
&binaryauthorization.PolicyClusterAdmissionRuleArgs{
Cluster: pulumi.String("string"),
EnforcementMode: pulumi.String("string"),
EvaluationMode: pulumi.String("string"),
RequireAttestationsBies: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Description: pulumi.String("string"),
GlobalPolicyEvaluationMode: pulumi.String("string"),
Project: pulumi.String("string"),
})
var policyResource = new Policy("policyResource", PolicyArgs.builder()
.defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
.enforcementMode("string")
.evaluationMode("string")
.requireAttestationsBies("string")
.build())
.admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
.namePattern("string")
.build())
.clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
.cluster("string")
.enforcementMode("string")
.evaluationMode("string")
.requireAttestationsBies("string")
.build())
.description("string")
.globalPolicyEvaluationMode("string")
.project("string")
.build());
policy_resource = gcp.binaryauthorization.Policy("policyResource",
default_admission_rule=gcp.binaryauthorization.PolicyDefaultAdmissionRuleArgs(
enforcement_mode="string",
evaluation_mode="string",
require_attestations_bies=["string"],
),
admission_whitelist_patterns=[gcp.binaryauthorization.PolicyAdmissionWhitelistPatternArgs(
name_pattern="string",
)],
cluster_admission_rules=[gcp.binaryauthorization.PolicyClusterAdmissionRuleArgs(
cluster="string",
enforcement_mode="string",
evaluation_mode="string",
require_attestations_bies=["string"],
)],
description="string",
global_policy_evaluation_mode="string",
project="string")
const policyResource = new gcp.binaryauthorization.Policy("policyResource", {
defaultAdmissionRule: {
enforcementMode: "string",
evaluationMode: "string",
requireAttestationsBies: ["string"],
},
admissionWhitelistPatterns: [{
namePattern: "string",
}],
clusterAdmissionRules: [{
cluster: "string",
enforcementMode: "string",
evaluationMode: "string",
requireAttestationsBies: ["string"],
}],
description: "string",
globalPolicyEvaluationMode: "string",
project: "string",
});
type: gcp:binaryauthorization:Policy
properties:
admissionWhitelistPatterns:
- namePattern: string
clusterAdmissionRules:
- cluster: string
enforcementMode: string
evaluationMode: string
requireAttestationsBies:
- string
defaultAdmissionRule:
enforcementMode: string
evaluationMode: string
requireAttestationsBies:
- string
description: string
globalPolicyEvaluationMode: string
project: string
Policy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The Policy resource accepts the following input properties:
- Default
Admission PolicyRule Default Admission Rule - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- Admission
Whitelist List<PolicyPatterns Admission Whitelist Pattern> - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- Cluster
Admission List<PolicyRules Cluster Admission Rule> - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- Description string
- A descriptive comment.
- Global
Policy stringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- Project string
- Default
Admission PolicyRule Default Admission Rule Args - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- Admission
Whitelist []PolicyPatterns Admission Whitelist Pattern Args - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- Cluster
Admission []PolicyRules Cluster Admission Rule Args - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- Description string
- A descriptive comment.
- Global
Policy stringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- Project string
- default
Admission PolicyRule Default Admission Rule - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- admission
Whitelist List<PolicyPatterns Admission Whitelist Pattern> - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- cluster
Admission List<PolicyRules Cluster Admission Rule> - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- description String
- A descriptive comment.
- global
Policy StringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- project String
- default
Admission PolicyRule Default Admission Rule - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- admission
Whitelist PolicyPatterns Admission Whitelist Pattern[] - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- cluster
Admission PolicyRules Cluster Admission Rule[] - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- description string
- A descriptive comment.
- global
Policy stringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- project string
- default_
admission_ Policyrule Default Admission Rule Args - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- admission_
whitelist_ Sequence[Policypatterns Admission Whitelist Pattern Args] - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- cluster_
admission_ Sequence[Policyrules Cluster Admission Rule Args] - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- description str
- A descriptive comment.
- global_
policy_ strevaluation_ mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- project str
- default
Admission Property MapRule - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- admission
Whitelist List<Property Map>Patterns - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- cluster
Admission List<Property Map>Rules - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- description String
- A descriptive comment.
- global
Policy StringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- project String
Outputs
All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing Policy Resource
Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
admission_whitelist_patterns: Optional[Sequence[PolicyAdmissionWhitelistPatternArgs]] = None,
cluster_admission_rules: Optional[Sequence[PolicyClusterAdmissionRuleArgs]] = None,
default_admission_rule: Optional[PolicyDefaultAdmissionRuleArgs] = None,
description: Optional[str] = None,
global_policy_evaluation_mode: Optional[str] = None,
project: Optional[str] = None) -> Policy
func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)
public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)
public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Admission
Whitelist List<PolicyPatterns Admission Whitelist Pattern> - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- Cluster
Admission List<PolicyRules Cluster Admission Rule> - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- Default
Admission PolicyRule Default Admission Rule - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- Description string
- A descriptive comment.
- Global
Policy stringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- Project string
- Admission
Whitelist []PolicyPatterns Admission Whitelist Pattern Args - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- Cluster
Admission []PolicyRules Cluster Admission Rule Args - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- Default
Admission PolicyRule Default Admission Rule Args - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- Description string
- A descriptive comment.
- Global
Policy stringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- Project string
- admission
Whitelist List<PolicyPatterns Admission Whitelist Pattern> - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- cluster
Admission List<PolicyRules Cluster Admission Rule> - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- default
Admission PolicyRule Default Admission Rule - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- description String
- A descriptive comment.
- global
Policy StringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- project String
- admission
Whitelist PolicyPatterns Admission Whitelist Pattern[] - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- cluster
Admission PolicyRules Cluster Admission Rule[] - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- default
Admission PolicyRule Default Admission Rule - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- description string
- A descriptive comment.
- global
Policy stringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- project string
- admission_
whitelist_ Sequence[Policypatterns Admission Whitelist Pattern Args] - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- cluster_
admission_ Sequence[Policyrules Cluster Admission Rule Args] - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- default_
admission_ Policyrule Default Admission Rule Args - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- description str
- A descriptive comment.
- global_
policy_ strevaluation_ mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- project str
- admission
Whitelist List<Property Map>Patterns - A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules.
- cluster
Admission List<Property Map>Rules - Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: '{{location}}.{{clusterId}}'. A location is either a compute zone (e.g. 'us-central1-a') or a region (e.g. 'us-central1').
- default
Admission Property MapRule - Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
- description String
- A descriptive comment.
- global
Policy StringEvaluation Mode - Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]
- project String
Supporting Types
PolicyAdmissionWhitelistPattern, PolicyAdmissionWhitelistPatternArgs
- Name
Pattern string - An image name pattern to whitelist, in the form
registry/path/to/image
. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
- Name
Pattern string - An image name pattern to whitelist, in the form
registry/path/to/image
. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
- name
Pattern String - An image name pattern to whitelist, in the form
registry/path/to/image
. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
- name
Pattern string - An image name pattern to whitelist, in the form
registry/path/to/image
. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
- name_
pattern str - An image name pattern to whitelist, in the form
registry/path/to/image
. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
- name
Pattern String - An image name pattern to whitelist, in the form
registry/path/to/image
. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.
PolicyClusterAdmissionRule, PolicyClusterAdmissionRuleArgs
- Cluster string
- The identifier for this object. Format specified above.
- Enforcement
Mode string - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - Evaluation
Mode string - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - Require
Attestations List<string>Bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- Cluster string
- The identifier for this object. Format specified above.
- Enforcement
Mode string - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - Evaluation
Mode string - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - Require
Attestations []stringBies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- cluster String
- The identifier for this object. Format specified above.
- enforcement
Mode String - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - evaluation
Mode String - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - require
Attestations List<String>Bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- cluster string
- The identifier for this object. Format specified above.
- enforcement
Mode string - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - evaluation
Mode string - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - require
Attestations string[]Bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- cluster str
- The identifier for this object. Format specified above.
- enforcement_
mode str - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - evaluation_
mode str - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - require_
attestations_ Sequence[str]bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- cluster String
- The identifier for this object. Format specified above.
- enforcement
Mode String - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - evaluation
Mode String - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - require
Attestations List<String>Bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
PolicyDefaultAdmissionRule, PolicyDefaultAdmissionRuleArgs
- Enforcement
Mode string - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - Evaluation
Mode string - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - Require
Attestations List<string>Bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- Enforcement
Mode string - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - Evaluation
Mode string - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - Require
Attestations []stringBies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- enforcement
Mode String - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - evaluation
Mode String - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - require
Attestations List<String>Bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- enforcement
Mode string - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - evaluation
Mode string - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - require
Attestations string[]Bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- enforcement_
mode str - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - evaluation_
mode str - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - require_
attestations_ Sequence[str]bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
- enforcement
Mode String - The action when a pod creation is denied by the admission rule.
Possible values are:
ENFORCED_BLOCK_AND_AUDIT_LOG
,DRYRUN_AUDIT_LOG_ONLY
. - evaluation
Mode String - How this admission rule will be evaluated.
Possible values are:
ALWAYS_ALLOW
,REQUIRE_ATTESTATION
,ALWAYS_DENY
. - require
Attestations List<String>Bies - The resource names of the attestors that must attest to a
container image. If the attestor is in a different project from the
policy, it should be specified in the format
projects/*/attestors/*
. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
Import
Policy can be imported using any of these accepted formats:
projects/{{project}}
{{project}}
When using the pulumi import
command, Policy can be imported using one of the formats above. For example:
$ pulumi import gcp:binaryauthorization/policy:Policy default projects/{{project}}
$ pulumi import gcp:binaryauthorization/policy:Policy default {{project}}
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- Google Cloud (GCP) Classic pulumi/pulumi-gcp
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
google-beta
Terraform Provider.