policies
Creates, updates, deletes, gets or lists a policies resource.
Overview
Name | Value |
---|---|
Name | policies |
Type | Resource |
Id | google.binaryauthorization.policies |
Fields
The following fields are returned by SELECT queries:
- get
- list
- get_policy
Successful response (get, list)
Name | Datatype | Description |
---|---|---|
name | string | Output only. The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/* . |
description | string | Optional. A description comment about the policy. |
etag | string | Optional. Used to prevent updating the policy when another request has updated it since it was retrieved. |
gkePolicy | object | Optional. GKE platform-specific policy. (id: GkePolicy) |
updateTime | string (google-datetime) | Output only. Time when the policy was last updated. |
Successful response (get_policy)
Name | Datatype | Description |
---|---|---|
name | string | Output only. The resource name, in the format projects/*/policy . There is at most one policy per project. |
admissionWhitelistPatterns | array | Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies. |
clusterAdmissionRules | object | Optional. A valid policy has only one of the following rule maps non-empty, i.e. only one of cluster_admission_rules , kubernetes_namespace_admission_rules , kubernetes_service_account_admission_rules , or istio_service_identity_admission_rules can be non-empty. Per-cluster admission rules. Cluster spec format: location.clusterId . There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters. |
defaultAdmissionRule | object | An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation. (id: AdmissionRule) |
description | string | Optional. A descriptive comment. |
etag | string | Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154. |
globalPolicyEvaluationMode | string | Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy. |
istioServiceIdentityAdmissionRules | object | Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe:///ns//sa/ or /ns//sa/ e.g. spiffe://example.com/ns/test-ns/sa/default |
kubernetesNamespaceAdmissionRules | object | Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+ , e.g. some-namespace |
kubernetesServiceAccountAdmissionRules | object | Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount . e.g. test-ns:default |
updateTime | string (google-datetime) | Output only. Time when the policy was last updated. |
Methods
The following methods are available for this resource:
Name | Accessible by | Required Params | Optional Params | Description |
---|---|---|---|---|
get | select | projectsId, platformsId, policiesId | | Gets a platform policy. Returns NOT_FOUND if the policy doesn't exist. |
list | select | projectsId, platformsId | pageSize, pageToken | Lists platform policies owned by a project in the specified platform. Returns INVALID_ARGUMENT if the project or the platform doesn't exist. |
get_policy | select | projectsId | | A policy specifies the attestors that must attest to a container image, before the project is allowed to deploy that image. There is at most one policy per project. All image admission requests are permitted if a project has no policy. Gets the policy for this project. Returns a default policy if the project does not have one. |
create | insert | projectsId, platformsId | policyId | Creates a platform policy, and returns a copy of it. Returns NOT_FOUND if the project or platform doesn't exist, INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the policy already exists, and INVALID_ARGUMENT if the policy contains a platform-specific policy that does not match the platform value specified in the URL. |
replace_platform_policy | replace | projectsId, platformsId, policiesId | | Replaces a platform policy. Returns NOT_FOUND if the policy doesn't exist. |
update_policy | replace | projectsId | | Creates or updates a project's policy, and returns a copy of the new policy. A policy is always updated as a whole, to avoid race conditions with concurrent policy enforcement (or management!) requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT if the request is malformed. |
delete | delete | projectsId, platformsId, policiesId | etag | Deletes a platform policy. Returns NOT_FOUND if the policy doesn't exist. |
evaluate | exec | projectsId, policiesId | | Evaluates a Kubernetes object versus a GKE platform policy. Returns NOT_FOUND if the policy doesn't exist, INVALID_ARGUMENT if the policy or request is malformed and PERMISSION_DENIED if the client does not have sufficient permissions. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
Name | Datatype | Description |
---|---|---|
platformsId | string | |
policiesId | string | |
projectsId | string | |
etag | string | |
pageSize | integer (int32) | |
pageToken | string | |
policyId | string |
SELECT examples
- get
- list
- get_policy
Gets a platform policy. Returns NOT_FOUND if the policy doesn't exist.
```sql
SELECT
name,
description,
etag,
gkePolicy,
updateTime
FROM google.binaryauthorization.policies
WHERE projectsId = '{{ projectsId }}' -- required
AND platformsId = '{{ platformsId }}' -- required
AND policiesId = '{{ policiesId }}'; -- required (the terminating semicolon must come before the comment)
```
Lists platform policies owned by a project in the specified platform. Returns INVALID_ARGUMENT if the project or the platform doesn't exist.
```sql
SELECT
name,
description,
etag,
gkePolicy,
updateTime
FROM google.binaryauthorization.policies
WHERE projectsId = '{{ projectsId }}' -- required
AND platformsId = '{{ platformsId }}' -- required
AND pageSize = '{{ pageSize }}'
AND pageToken = '{{ pageToken }}';
```
A policy specifies the attestors that must attest to a container image, before the project is allowed to deploy that image. There is at most one policy per project. All image admission requests are permitted if a project has no policy. Gets the policy for this project. Returns a default policy if the project does not have one.
```sql
SELECT
name,
admissionWhitelistPatterns,
clusterAdmissionRules,
defaultAdmissionRule,
description,
etag,
globalPolicyEvaluationMode,
istioServiceIdentityAdmissionRules,
kubernetesNamespaceAdmissionRules,
kubernetesServiceAccountAdmissionRules,
updateTime
FROM google.binaryauthorization.policies
WHERE projectsId = '{{ projectsId }}'; -- required (the terminating semicolon must come before the comment)
```
INSERT examples
- create
- Manifest
Creates a platform policy, and returns a copy of it. Returns NOT_FOUND if the project or platform doesn't exist, INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the policy already exists, and INVALID_ARGUMENT if the policy contains a platform-specific policy that does not match the platform value specified in the URL.
```sql
INSERT INTO google.binaryauthorization.policies (
data__description,
data__gkePolicy,
data__etag,
projectsId,
platformsId,
policyId
)
SELECT
'{{ description }}',
'{{ gkePolicy }}',
'{{ etag }}',
'{{ projectsId }}',
'{{ platformsId }}',
'{{ policyId }}'
RETURNING
name,
description,
etag,
gkePolicy,
updateTime
;
```
```yaml
# Description fields are for documentation purposes
- name: policies
  props:
    - name: projectsId
      value: string
      description: Required parameter for the policies resource.
    - name: platformsId
      value: string
      description: Required parameter for the policies resource.
    - name: description
      value: string
      description: >
        Optional. A description comment about the policy.
    - name: gkePolicy
      value: object
      description: >
        Optional. GKE platform-specific policy.
    - name: etag
      value: string
      description: >
        Optional. Used to prevent updating the policy when another request has updated it since it was retrieved.
    - name: policyId
      value: string
```
REPLACE examples
- replace_platform_policy
- update_policy
Replaces a platform policy. Returns NOT_FOUND if the policy doesn't exist.
```sql
REPLACE google.binaryauthorization.policies
SET
data__description = '{{ description }}',
data__gkePolicy = '{{ gkePolicy }}',
data__etag = '{{ etag }}'
WHERE
projectsId = '{{ projectsId }}' --required
AND platformsId = '{{ platformsId }}' --required
AND policiesId = '{{ policiesId }}' --required
RETURNING
name,
description,
etag,
gkePolicy,
updateTime;
```
Creates or updates a project's policy, and returns a copy of the new policy. A policy is always updated as a whole, to avoid race conditions with concurrent policy enforcement (or management!) requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT if the request is malformed.
```sql
REPLACE google.binaryauthorization.policies
SET
data__description = '{{ description }}',
data__globalPolicyEvaluationMode = '{{ globalPolicyEvaluationMode }}',
data__admissionWhitelistPatterns = '{{ admissionWhitelistPatterns }}',
data__clusterAdmissionRules = '{{ clusterAdmissionRules }}',
data__kubernetesNamespaceAdmissionRules = '{{ kubernetesNamespaceAdmissionRules }}',
data__kubernetesServiceAccountAdmissionRules = '{{ kubernetesServiceAccountAdmissionRules }}',
data__istioServiceIdentityAdmissionRules = '{{ istioServiceIdentityAdmissionRules }}',
data__defaultAdmissionRule = '{{ defaultAdmissionRule }}',
data__etag = '{{ etag }}'
WHERE
projectsId = '{{ projectsId }}'
RETURNING
name,
admissionWhitelistPatterns,
clusterAdmissionRules,
defaultAdmissionRule,
description,
etag,
globalPolicyEvaluationMode,
istioServiceIdentityAdmissionRules,
kubernetesNamespaceAdmissionRules,
kubernetesServiceAccountAdmissionRules,
updateTime;
```
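A filled-in version of the update_policy call, added here as an example and not taken from the StackQL docs or the Binary Authorization API reference: it reads the current policy's etag with get_policy, then replaces the policy as a whole with one that requires attestation by default, exempts only GKE system images, enables the Google global policy, and populates exactly one of the per-target rule maps as a valid policy requires. The project id, attestor name, cluster name and etag value are constructed placeholders, and the JSON keys inside the rule objects (evaluationMode, enforcementMode, requireAttestationsBy, namePattern) and their enum values are assumed from the underlying Binary Authorization API, not shown on this page.

```sql
-- Step 1: read the live policy and its etag (constructed project id).
SELECT name, etag, defaultAdmissionRule
FROM google.binaryauthorization.policies
WHERE projectsId = 'example-project';

-- Step 2: replace the whole policy, sending the etag read in step 1 so a
-- concurrent edit causes this request to fail rather than be silently overwritten.
-- Only clusterAdmissionRules is populated; the other rule maps stay empty.
REPLACE google.binaryauthorization.policies
SET
data__description = 'Require CI attestation for all workloads; dev cluster in dry-run',
data__globalPolicyEvaluationMode = 'ENABLE',
-- Trailing ** matches subdirectories of the registry path (assumed pattern syntax).
data__admissionWhitelistPatterns = '[{"namePattern": "gke.gcr.io/**"}]',
-- Project-wide default: block and audit-log anything without the CI attestation.
data__defaultAdmissionRule = '{
  "evaluationMode": "REQUIRE_ATTESTATION",
  "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
  "requireAttestationsBy": ["projects/example-project/attestors/built-by-ci"]
}',
-- Per-cluster override keyed as location.clusterId: same rule, audit-only.
data__clusterAdmissionRules = '{
  "us-central1-a.dev-cluster": {
    "evaluationMode": "REQUIRE_ATTESTATION",
    "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
    "requireAttestationsBy": ["projects/example-project/attestors/built-by-ci"]
  }
}',
data__etag = 'ETAG_FROM_STEP_1'
WHERE
projectsId = 'example-project'
RETURNING name, etag, updateTime;
```

If the REPLACE is rejected because the etag no longer matches, re-run step 1 and re-apply your change on top of the current policy rather than retrying with the stale value.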
DELETE examples
- delete
Deletes a platform policy. Returns NOT_FOUND if the policy doesn't exist.
```sql
DELETE FROM google.binaryauthorization.policies
WHERE projectsId = '{{ projectsId }}' --required
AND platformsId = '{{ platformsId }}' --required
AND policiesId = '{{ policiesId }}' --required
AND etag = '{{ etag }}';
```
Lifecycle Methods
- evaluate
Evaluates a Kubernetes object versus a GKE platform policy. Returns NOT_FOUND if the policy doesn't exist, INVALID_ARGUMENT if the policy or request is malformed and PERMISSION_DENIED if the client does not have sufficient permissions.
```sql
EXEC google.binaryauthorization.policies.evaluate
@projectsId='{{ projectsId }}', --required (the separating comma must come before the comment)
@policiesId='{{ policiesId }}' --required
@@json=
'{
"resource": "{{ resource }}"
}';
```