Binary Authorization API . projects

Instance Methods

attestors()

Returns the attestors Resource.

platforms()

Returns the platforms Resource.

policy()

Returns the policy Resource.

close()

Close httplib2 connections.

getPolicy(name, x__xgafv=None)

A policy specifies the attestors that must attest to a container image, before the project is allowed to deploy that image. There is at most one policy per project. All image admission requests are permitted if a project has no policy. Gets the policy for this project. Returns a default policy if the project does not have one.

updatePolicy(name, body=None, x__xgafv=None)

Creates or updates a project's policy, and returns a copy of the new policy. A policy is always updated as a whole, to avoid race conditions with concurrent policy enforcement (or management!) requests. Returns `NOT_FOUND` if the project does not exist, `INVALID_ARGUMENT` if the request is malformed.

Method Details

close() 
Close httplib2 connections.
getPolicy(name, x__xgafv=None) 
A policy specifies the attestors that must attest to a container image, before the project is allowed to deploy that image. There is at most one policy per project. All image admission requests are permitted if a project has no policy. Gets the policy for this project. Returns a default policy if the project does not have one.

Args:
  name: string, Required. The resource name of the policy to retrieve, in the format `projects/*/policy`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy for container image binary authorization.
  "admissionWhitelistPatterns": [ # Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
    { # An admission allowlist pattern exempts images from checks by admission rules.
      "namePattern": "A String", # An image name pattern to allowlist, in the form `registry/path/to/image`. This supports a trailing `*` wildcard, but this is allowed only in text after the `registry/` part. This also supports a trailing `**` wildcard which matches subdirectories of a given entry.
    },
  ],
  "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec. A `location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For `clusterId` syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "defaultAdmissionRule": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation. # Required. Default admission rule for a cluster without a per-cluster, per- kubernetes-service-account, or per-istio-service-identity admission rule.
    "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
    "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
    "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
      "A String",
    ],
  },
  "description": "A String", # Optional. A descriptive comment.
  "etag": "A String", # Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.
  "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
  "istioServiceIdentityAdmissionRules": { # Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe:///ns//sa/` or `/ns//sa/` e.g. `spiffe://example.com/ns/test-ns/sa/default`
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "kubernetesNamespaceAdmissionRules": { # Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. `some-namespace`
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "kubernetesServiceAccountAdmissionRules": { # Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`. e.g. `test-ns:default`
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project.
  "updateTime": "A String", # Output only. Time when the policy was last updated.
}
updatePolicy(name, body=None, x__xgafv=None) 
Creates or updates a project's policy, and returns a copy of the new policy. A policy is always updated as a whole, to avoid race conditions with concurrent policy enforcement (or management!) requests. Returns `NOT_FOUND` if the project does not exist, `INVALID_ARGUMENT` if the request is malformed.

Args:
  name: string, Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project. (required)
  body: object, The request body.
    The object takes the form of:

{ # A policy for container image binary authorization.
  "admissionWhitelistPatterns": [ # Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
    { # An admission allowlist pattern exempts images from checks by admission rules.
      "namePattern": "A String", # An image name pattern to allowlist, in the form `registry/path/to/image`. This supports a trailing `*` wildcard, but this is allowed only in text after the `registry/` part. This also supports a trailing `**` wildcard which matches subdirectories of a given entry.
    },
  ],
  "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec. A `location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For `clusterId` syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "defaultAdmissionRule": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation. # Required. Default admission rule for a cluster without a per-cluster, per- kubernetes-service-account, or per-istio-service-identity admission rule.
    "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
    "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
    "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
      "A String",
    ],
  },
  "description": "A String", # Optional. A descriptive comment.
  "etag": "A String", # Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.
  "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
  "istioServiceIdentityAdmissionRules": { # Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe:///ns//sa/` or `/ns//sa/` e.g. `spiffe://example.com/ns/test-ns/sa/default`
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "kubernetesNamespaceAdmissionRules": { # Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. `some-namespace`
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "kubernetesServiceAccountAdmissionRules": { # Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`. e.g. `test-ns:default`
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project.
  "updateTime": "A String", # Output only. Time when the policy was last updated.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy for container image binary authorization.
  "admissionWhitelistPatterns": [ # Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
    { # An admission allowlist pattern exempts images from checks by admission rules.
      "namePattern": "A String", # An image name pattern to allowlist, in the form `registry/path/to/image`. This supports a trailing `*` wildcard, but this is allowed only in text after the `registry/` part. This also supports a trailing `**` wildcard which matches subdirectories of a given entry.
    },
  ],
  "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec. A `location` is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For `clusterId` syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "defaultAdmissionRule": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation. # Required. Default admission rule for a cluster without a per-cluster, per- kubernetes-service-account, or per-istio-service-identity admission rule.
    "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
    "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
    "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
      "A String",
    ],
  },
  "description": "A String", # Optional. A descriptive comment.
  "etag": "A String", # Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.
  "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
  "istioServiceIdentityAdmissionRules": { # Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe:///ns//sa/` or `/ns//sa/` e.g. `spiffe://example.com/ns/test-ns/sa/default`
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "kubernetesNamespaceAdmissionRules": { # Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. `some-namespace`
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "kubernetesServiceAccountAdmissionRules": { # Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`. e.g. `test-ns:default`
    "a_key": { # An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to a container image, in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
        "A String",
      ],
    },
  },
  "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project.
  "updateTime": "A String", # Output only. Time when the policy was last updated.
}