Policy

A policy for container image binary authorization.

To get more information about Policy, see:

API documentation
How-to Guides
- Official Documentation

Create a Policy Resource

new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);

def Policy(resource_name, opts=None, admission_whitelist_patterns=None, cluster_admission_rules=None, default_admission_rule=None, description=None, global_policy_evaluation_mode=None, project=None, __props__=None);

func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)

public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)

name string: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
opts ResourceOptions: A bag of options that control this resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

Policy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Programming Model docs.

Inputs

The Policy resource accepts the following input properties:

DefaultAdmissionRule PolicyDefaultAdmissionRuleArgs: Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
AdmissionWhitelistPatterns List<PolicyAdmissionWhitelistPatternArgs>: A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.
ClusterAdmissionRules List<PolicyClusterAdmissionRuleArgs>: Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.
Description string: A descriptive comment.
GlobalPolicyEvaluationMode string: Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

DefaultAdmissionRule PolicyDefaultAdmissionRule: Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
AdmissionWhitelistPatterns []PolicyAdmissionWhitelistPattern: A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.
ClusterAdmissionRules []PolicyClusterAdmissionRule: Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.
Description string: A descriptive comment.
GlobalPolicyEvaluationMode string: Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

defaultAdmissionRule PolicyDefaultAdmissionRule: Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
admissionWhitelistPatterns PolicyAdmissionWhitelistPattern[]: A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.
clusterAdmissionRules PolicyClusterAdmissionRule[]: Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.
description string: A descriptive comment.
globalPolicyEvaluationMode string: Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.
project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

default_admission_rule Dict[PolicyDefaultAdmissionRule]: Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
admission_whitelist_patterns List[PolicyAdmissionWhitelistPattern]: A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.
cluster_admission_rules List[PolicyClusterAdmissionRule]: Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.
description str: A descriptive comment.
global_policy_evaluation_mode str: Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.
project str: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Outputs

All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.

Id string: The provider-assigned unique ID for this managed resource.

id string: The provider-assigned unique ID for this managed resource.

id str: The provider-assigned unique ID for this managed resource.

Look up an Existing Policy Resource

Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy

static get(resource_name, id, opts=None, admission_whitelist_patterns=None, cluster_admission_rules=None, default_admission_rule=None, description=None, global_policy_evaluation_mode=None, project=None, __props__=None);

func GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)

public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

AdmissionWhitelistPatterns List<PolicyAdmissionWhitelistPatternArgs>: A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.
ClusterAdmissionRules List<PolicyClusterAdmissionRuleArgs>: Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.
DefaultAdmissionRule PolicyDefaultAdmissionRuleArgs: Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
Description string: A descriptive comment.
GlobalPolicyEvaluationMode string: Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

AdmissionWhitelistPatterns []PolicyAdmissionWhitelistPattern: A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.
ClusterAdmissionRules []PolicyClusterAdmissionRule: Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.
DefaultAdmissionRule PolicyDefaultAdmissionRule: Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
Description string: A descriptive comment.
GlobalPolicyEvaluationMode string: Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.
Project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

admissionWhitelistPatterns PolicyAdmissionWhitelistPattern[]: A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.
clusterAdmissionRules PolicyClusterAdmissionRule[]: Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.
defaultAdmissionRule PolicyDefaultAdmissionRule: Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
description string: A descriptive comment.
globalPolicyEvaluationMode string: Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.
project string: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

admission_whitelist_patterns List[PolicyAdmissionWhitelistPattern]: A whitelist of image patterns to exclude from admission rules. If an image’s name matches a whitelist pattern, the image’s admission requests will always be permitted regardless of your admission rules. Structure is documented below.
cluster_admission_rules List[PolicyClusterAdmissionRule]: Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec.
default_admission_rule Dict[PolicyDefaultAdmissionRule]: Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
description str: A descriptive comment.
global_policy_evaluation_mode str: Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy.
project str: The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Supporting Types

PolicyAdmissionWhitelistPattern

See the input and output API doc for this type.

NamePattern string: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

NamePattern string: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

namePattern string: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

namePattern str: An image name pattern to whitelist, in the form registry/path/to/image. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

PolicyClusterAdmissionRule

See the input and output API doc for this type.

Cluster string: The identifier for this object. Format specified above.
EnforcementMode string: The action when a pod creation is denied by the admission rule.
EvaluationMode string: How this admission rule will be evaluated.
RequireAttestationsBies List<string>: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

Cluster string: The identifier for this object. Format specified above.
EnforcementMode string: The action when a pod creation is denied by the admission rule.
EvaluationMode string: How this admission rule will be evaluated.
RequireAttestationsBies []string: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

cluster string: The identifier for this object. Format specified above.
enforcementMode string: The action when a pod creation is denied by the admission rule.
evaluationMode string: How this admission rule will be evaluated.
requireAttestationsBies string[]: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

cluster str: The identifier for this object. Format specified above.
enforcementMode str: The action when a pod creation is denied by the admission rule.
evaluationMode str: How this admission rule will be evaluated.
requireAttestationsBies List[str]: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

PolicyDefaultAdmissionRule

See the input and output API doc for this type.

EnforcementMode string: The action when a pod creation is denied by the admission rule.
EvaluationMode string: How this admission rule will be evaluated.
RequireAttestationsBies List<string>: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

EnforcementMode string: The action when a pod creation is denied by the admission rule.
EvaluationMode string: How this admission rule will be evaluated.
RequireAttestationsBies []string: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcementMode string: The action when a pod creation is denied by the admission rule.
evaluationMode string: How this admission rule will be evaluated.
requireAttestationsBies string[]: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

enforcementMode str: The action when a pod creation is denied by the admission rule.
evaluationMode str: How this admission rule will be evaluated.
requireAttestationsBies List[str]: The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

Package Details

Repository: https://github.com/pulumi/pulumi-gcp
License: Apache-2.0
Notes: This Pulumi package is based on the google-beta Terraform Provider.

The Pulumi Platform

Get Started

Migrate to Pulumi

Solutions for All Teams and Engineers

Any Code

Any Cloud

Policy

Create a Policy Resource

Policy Resource Properties

Inputs

Outputs

Look up an Existing Policy Resource

Supporting Types

PolicyAdmissionWhitelistPattern

PolicyClusterAdmissionRule

PolicyDefaultAdmissionRule

Package Details

On This Page