| <html><body> |
| <style> |
| |
| body, h1, h2, h3, div, span, p, pre, a { |
| margin: 0; |
| padding: 0; |
| border: 0; |
| font-weight: inherit; |
| font-style: inherit; |
| font-size: 100%; |
| font-family: inherit; |
| vertical-align: baseline; |
| } |
| |
| body { |
| font-size: 13px; |
| padding: 1em; |
| } |
| |
| h1 { |
| font-size: 26px; |
| margin-bottom: 1em; |
| } |
| |
| h2 { |
| font-size: 24px; |
| margin-bottom: 1em; |
| } |
| |
| h3 { |
| font-size: 20px; |
| margin-bottom: 1em; |
| margin-top: 1em; |
| } |
| |
| pre, code { |
| line-height: 1.5; |
| font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace; |
| } |
| |
| pre { |
| margin-top: 0.5em; |
| } |
| |
| h1, h2, h3, p { |
| font-family: Arial, sans serif; |
| } |
| |
| h1, h2, h3 { |
| border-bottom: solid #CCC 1px; |
| } |
| |
| .toc_element { |
| margin-top: 0.5em; |
| } |
| |
| .firstline { |
| margin-left: 2 em; |
| } |
| |
| .method { |
| margin-top: 1em; |
| border: solid 1px #CCC; |
| padding: 1em; |
| background: #EEE; |
| } |
| |
| .details { |
| font-weight: bold; |
| font-size: 14px; |
| } |
| |
| </style> |
| |
| <h1><a href="binaryauthorization_v1.html">Binary Authorization API</a> . <a href="binaryauthorization_v1.projects.html">projects</a></h1> |
| <h2>Instance Methods</h2> |
| <p class="toc_element"> |
| <code><a href="binaryauthorization_v1.projects.attestors.html">attestors()</a></code> |
| </p> |
| <p class="firstline">Returns the attestors Resource.</p> |
| |
| <p class="toc_element"> |
| <code><a href="binaryauthorization_v1.projects.policy.html">policy()</a></code> |
| </p> |
| <p class="firstline">Returns the policy Resource.</p> |
| |
| <p class="toc_element"> |
| <code><a href="#getPolicy">getPolicy(name, x__xgafv=None)</a></code></p> |
| <p class="firstline">A policy specifies the attestors that must attest to</p> |
| <p class="toc_element"> |
| <code><a href="#updatePolicy">updatePolicy(name, body=None, x__xgafv=None)</a></code></p> |
| <p class="firstline">Creates or updates a project's policy, and returns a copy of the</p> |
| <h3>Method Details</h3> |
| <div class="method"> |
| <code class="details" id="getPolicy">getPolicy(name, x__xgafv=None)</code> |
| <pre>A policy specifies the attestors that must attest to |
| a container image, before the project is allowed to deploy that |
| image. There is at most one policy per project. All image admission |
| requests are permitted if a project has no policy. |
| |
| Gets the policy for this project. Returns a default |
| policy if the project does not have one. |
| |
| Args: |
| name: string, Required. The resource name of the policy to retrieve, |
| in the format `projects/*/policy`. (required) |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A policy for container image binary authorization. |
| "updateTime": "A String", # Output only. Time when the policy was last updated. |
| "description": "A String", # Optional. A descriptive comment. |
| "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format: |
| # `location.clusterId`. There can be at most one admission rule per cluster |
| # spec. |
| # A `location` is either a compute zone (e.g. us-central1-a) or a region |
| # (e.g. us-central1). |
| # For `clusterId` syntax restrictions see |
| # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters. |
| "a_key": { # An admission rule specifies either that all container images |
| # used in a pod creation request must be attested to by one or more |
| # attestors, that all pod creations will be allowed, or that all |
| # pod creations will be denied. |
| # |
| # Images matching an admission whitelist pattern |
| # are exempted from admission rules and will never block a pod creation. |
| "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule. |
| "evaluationMode": "A String", # Required. How this admission rule will be evaluated. |
| "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to |
| # a container image, in the format `projects/*/attestors/*`. Each |
| # attestor must exist before a policy can reference it. To add an attestor |
| # to a policy the principal issuing the policy change request must be able |
| # to read the attestor resource. |
| # |
| # Note: this field must be non-empty when the evaluation_mode field specifies |
| # REQUIRE_ATTESTATION, otherwise it must be empty. |
| "A String", |
| ], |
| }, |
| }, |
| "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission |
| # policy for common system-level images. Images not covered by the global |
| # policy will be subject to the project admission policy. This setting |
| # has no effect when specified inside a global admission policy. |
| "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will |
| # always be permitted. This feature is typically used to exclude Google or |
| # third-party infrastructure images from Binary Authorization policies. |
| { # An admission whitelist pattern exempts images |
| # from checks by admission rules. |
| "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`. |
| # This supports a trailing `*` as a wildcard, but this is allowed only in |
| # text after the `registry/` part. |
| }, |
| ], |
| "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is |
| # at most one policy per project. |
| "defaultAdmissionRule": { # An admission rule specifies either that all container images # Required. Default admission rule for a cluster without a per-cluster, per- |
| # kubernetes-service-account, or per-istio-service-identity admission rule. |
| # used in a pod creation request must be attested to by one or more |
| # attestors, that all pod creations will be allowed, or that all |
| # pod creations will be denied. |
| # |
| # Images matching an admission whitelist pattern |
| # are exempted from admission rules and will never block a pod creation. |
| "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule. |
| "evaluationMode": "A String", # Required. How this admission rule will be evaluated. |
| "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to |
| # a container image, in the format `projects/*/attestors/*`. Each |
| # attestor must exist before a policy can reference it. To add an attestor |
| # to a policy the principal issuing the policy change request must be able |
| # to read the attestor resource. |
| # |
| # Note: this field must be non-empty when the evaluation_mode field specifies |
| # REQUIRE_ATTESTATION, otherwise it must be empty. |
| "A String", |
| ], |
| }, |
| }</pre> |
| </div> |
| |
| <div class="method"> |
| <code class="details" id="updatePolicy">updatePolicy(name, body=None, x__xgafv=None)</code> |
| <pre>Creates or updates a project's policy, and returns a copy of the |
| new policy. A policy is always updated as a whole, to avoid race |
| conditions with concurrent policy enforcement (or management!) |
| requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT |
| if the request is malformed. |
| |
| Args: |
| name: string, Output only. The resource name, in the format `projects/*/policy`. There is |
| at most one policy per project. (required) |
| body: object, The request body. |
| The object takes the form of: |
| |
| { # A policy for container image binary authorization. |
| "updateTime": "A String", # Output only. Time when the policy was last updated. |
| "description": "A String", # Optional. A descriptive comment. |
| "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format: |
| # `location.clusterId`. There can be at most one admission rule per cluster |
| # spec. |
| # A `location` is either a compute zone (e.g. us-central1-a) or a region |
| # (e.g. us-central1). |
| # For `clusterId` syntax restrictions see |
| # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters. |
| "a_key": { # An admission rule specifies either that all container images |
| # used in a pod creation request must be attested to by one or more |
| # attestors, that all pod creations will be allowed, or that all |
| # pod creations will be denied. |
| # |
| # Images matching an admission whitelist pattern |
| # are exempted from admission rules and will never block a pod creation. |
| "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule. |
| "evaluationMode": "A String", # Required. How this admission rule will be evaluated. |
| "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to |
| # a container image, in the format `projects/*/attestors/*`. Each |
| # attestor must exist before a policy can reference it. To add an attestor |
| # to a policy the principal issuing the policy change request must be able |
| # to read the attestor resource. |
| # |
| # Note: this field must be non-empty when the evaluation_mode field specifies |
| # REQUIRE_ATTESTATION, otherwise it must be empty. |
| "A String", |
| ], |
| }, |
| }, |
| "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission |
| # policy for common system-level images. Images not covered by the global |
| # policy will be subject to the project admission policy. This setting |
| # has no effect when specified inside a global admission policy. |
| "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will |
| # always be permitted. This feature is typically used to exclude Google or |
| # third-party infrastructure images from Binary Authorization policies. |
| { # An admission whitelist pattern exempts images |
| # from checks by admission rules. |
| "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`. |
| # This supports a trailing `*` as a wildcard, but this is allowed only in |
| # text after the `registry/` part. |
| }, |
| ], |
| "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is |
| # at most one policy per project. |
| "defaultAdmissionRule": { # An admission rule specifies either that all container images # Required. Default admission rule for a cluster without a per-cluster, per- |
| # kubernetes-service-account, or per-istio-service-identity admission rule. |
| # used in a pod creation request must be attested to by one or more |
| # attestors, that all pod creations will be allowed, or that all |
| # pod creations will be denied. |
| # |
| # Images matching an admission whitelist pattern |
| # are exempted from admission rules and will never block a pod creation. |
| "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule. |
| "evaluationMode": "A String", # Required. How this admission rule will be evaluated. |
| "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to |
| # a container image, in the format `projects/*/attestors/*`. Each |
| # attestor must exist before a policy can reference it. To add an attestor |
| # to a policy the principal issuing the policy change request must be able |
| # to read the attestor resource. |
| # |
| # Note: this field must be non-empty when the evaluation_mode field specifies |
| # REQUIRE_ATTESTATION, otherwise it must be empty. |
| "A String", |
| ], |
| }, |
| } |
| |
| x__xgafv: string, V1 error format. |
| Allowed values |
| 1 - v1 error format |
| 2 - v2 error format |
| |
| Returns: |
| An object of the form: |
| |
| { # A policy for container image binary authorization. |
| "updateTime": "A String", # Output only. Time when the policy was last updated. |
| "description": "A String", # Optional. A descriptive comment. |
| "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format: |
| # `location.clusterId`. There can be at most one admission rule per cluster |
| # spec. |
| # A `location` is either a compute zone (e.g. us-central1-a) or a region |
| # (e.g. us-central1). |
| # For `clusterId` syntax restrictions see |
| # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters. |
| "a_key": { # An admission rule specifies either that all container images |
| # used in a pod creation request must be attested to by one or more |
| # attestors, that all pod creations will be allowed, or that all |
| # pod creations will be denied. |
| # |
| # Images matching an admission whitelist pattern |
| # are exempted from admission rules and will never block a pod creation. |
| "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule. |
| "evaluationMode": "A String", # Required. How this admission rule will be evaluated. |
| "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to |
| # a container image, in the format `projects/*/attestors/*`. Each |
| # attestor must exist before a policy can reference it. To add an attestor |
| # to a policy the principal issuing the policy change request must be able |
| # to read the attestor resource. |
| # |
| # Note: this field must be non-empty when the evaluation_mode field specifies |
| # REQUIRE_ATTESTATION, otherwise it must be empty. |
| "A String", |
| ], |
| }, |
| }, |
| "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission |
| # policy for common system-level images. Images not covered by the global |
| # policy will be subject to the project admission policy. This setting |
| # has no effect when specified inside a global admission policy. |
| "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will |
| # always be permitted. This feature is typically used to exclude Google or |
| # third-party infrastructure images from Binary Authorization policies. |
| { # An admission whitelist pattern exempts images |
| # from checks by admission rules. |
| "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`. |
| # This supports a trailing `*` as a wildcard, but this is allowed only in |
| # text after the `registry/` part. |
| }, |
| ], |
| "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is |
| # at most one policy per project. |
| "defaultAdmissionRule": { # An admission rule specifies either that all container images # Required. Default admission rule for a cluster without a per-cluster, per- |
| # kubernetes-service-account, or per-istio-service-identity admission rule. |
| # used in a pod creation request must be attested to by one or more |
| # attestors, that all pod creations will be allowed, or that all |
| # pod creations will be denied. |
| # |
| # Images matching an admission whitelist pattern |
| # are exempted from admission rules and will never block a pod creation. |
| "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule. |
| "evaluationMode": "A String", # Required. How this admission rule will be evaluated. |
| "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to |
| # a container image, in the format `projects/*/attestors/*`. Each |
| # attestor must exist before a policy can reference it. To add an attestor |
| # to a policy the principal issuing the policy change request must be able |
| # to read the attestor resource. |
| # |
| # Note: this field must be non-empty when the evaluation_mode field specifies |
| # REQUIRE_ATTESTATION, otherwise it must be empty. |
| "A String", |
| ], |
| }, |
| }</pre> |
| </div> |
| |
| </body></html> |
