# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for the Config Connector (KCC) BinaryAuthorizationPolicy
# resource (group binaryauthorization.cnrm.cloud.google.com, single served and
# stored version v1beta1). The dcl2crd label suggests this file is generated from
# the DCL resource definition, so schema fixes presumably belong upstream rather
# than in a hand edit here.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # KCC release this schema was produced for (two dots, so it parses as a string).
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: binaryauthorizationpolicies.binaryauthorization.cnrm.cloud.google.com
spec:
  group: binaryauthorization.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: BinaryAuthorizationPolicy
    plural: binaryauthorizationpolicies
    shortNames:
    - gcpbinaryauthorizationpolicy
    - gcpbinaryauthorizationpolicies
    singular: binaryauthorizationpolicy
  scope: Namespaced
  versions:
  # Columns shown by `kubectl get`; Ready, Status and Status Age are all derived
  # from the condition of type Ready in .status.conditions.
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          # Desired state of the Binary Authorization policy. Only
          # defaultAdmissionRule and projectRef are required (see `required` below);
          # every per-scope rule map is optional.
          spec:
            properties:
              # Security note: per the description, an image matching one of these
              # patterns is always admitted, i.e. it bypasses every admission rule
              # below. Keep patterns as narrow as possible; the trailing `*` is the
              # only wildcard the pattern supports.
              admissionWhitelistPatterns:
                description: Optional. Admission policy allowlisting. A matching admission
                  request will always be permitted. This feature is typically used
                  to exclude Google or third-party infrastructure images from Binary
                  Authorization policies.
                items:
                  properties:
                    namePattern:
                      description: An image name pattern to allowlist, in the form
                        `registry/path/to/image`. This supports a trailing `*` as
                        a wildcard, but this is allowed only in text after the `registry/`
                        part.
                      type: string
                  type: object
                type: array
              # Map keyed by cluster spec "location.clusterId" (see description).
              # Each value is an admission rule with the same shape as
              # defaultAdmissionRule; the Istio, namespace and service-account maps
              # below reuse this shape with a different key format.
              clusterAdmissionRules:
                additionalProperties:
                  properties:
                    # Whether a denial blocks the pod or is only audit-logged. Going by
                    # the enum names, DRYRUN_AUDIT_LOG_ONLY records the decision without
                    # blocking — confirm against the Binary Authorization API docs.
                    enforcementMode:
                      description: 'Required. The action when a pod creation is denied
                        by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED,
                        ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY'
                      type: string
                    # By the enum names, ALWAYS_ALLOW admits without any attestation
                    # check and REQUIRE_ATTESTATION is the mode that consults
                    # requireAttestationsBy — verify against the API docs.
                    evaluationMode:
                      description: 'Required. How this admission rule will be evaluated.
                        Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
                      type: string
                    requireAttestationsBy:
                      items:
                        # Each entry references exactly one attestor: either a KCC
                        # BinaryAuthorizationAttestor by `name` (and optional
                        # `namespace`) with `external` absent, or an `external` GCP
                        # resource name with `name` and `namespace` both absent.
                        oneOf:
                        - not:
                            required:
                            - external
                          required:
                          - name
                        - not:
                            anyOf:
                            - required:
                              - name
                            - required:
                              - namespace
                          required:
                          - external
                        properties:
                          external:
                            description: 'Allowed value: The Google Cloud resource
                              name of a `BinaryAuthorizationAttestor` resource (format:
                              `projects/{{project}}/attestors/{{name}}`).'
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                            type: string
                          namespace:
                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                            type: string
                        type: object
                      type: array
                  required:
                  - enforcementMode
                  - evaluationMode
                  type: object
                description: 'Optional. Per-cluster admission rules. Cluster spec
                  format: location.clusterId. There can be at most one admission rule
                  per cluster spec. A location is either a compute zone (e.g. us-central1-a)
                  or a region (e.g. us-central1). For clusterId syntax restrictions
                  see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.'
                type: object
              # Fallback rule applied when no per-cluster, per-namespace,
              # per-service-account or per-Istio-identity rule matches. Required at
              # the spec level, so a policy can never be created without one.
              defaultAdmissionRule:
                description: Required. Default admission rule for a cluster without
                  a per-cluster, per-kubernetes-service-account, or per-istio-service-identity
                  admission rule.
                properties:
                  enforcementMode:
                    description: 'Required. The action when a pod creation is denied
                      by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED,
                      ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY'
                    type: string
                  evaluationMode:
                    description: 'Required. How this admission rule will be evaluated.
                      Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
                    type: string
                  requireAttestationsBy:
                    items:
                      # Same name/external exclusivity as in clusterAdmissionRules.
                      oneOf:
                      - not:
                          required:
                          - external
                        required:
                        - name
                      - not:
                          anyOf:
                          - required:
                            - name
                          - required:
                            - namespace
                        required:
                        - external
                      properties:
                        external:
                          description: 'Allowed value: The Google Cloud resource name
                            of a `BinaryAuthorizationAttestor` resource (format: `projects/{{project}}/attestors/{{name}}`).'
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                          type: string
                        namespace:
                          description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                          type: string
                      type: object
                    type: array
                required:
                - enforcementMode
                - evaluationMode
                type: object
              description:
                description: Optional. A descriptive comment.
                type: string
              # Controls whether Google's global policy for common system images
              # applies before this project policy (see description). DISABLE means
              # those images fall through to the rules defined here.
              globalPolicyEvaluationMode:
                description: 'Optional. Controls the evaluation of a Google-maintained
                  global admission policy for common system-level images. Images not
                  covered by the global policy will be subject to the project admission
                  policy. This setting has no effect when specified inside a global
                  admission policy. Possible values: GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED,
                  ENABLE, DISABLE'
                type: string
              # Keyed by Istio service identity; same rule shape as clusterAdmissionRules.
              istioServiceIdentityAdmissionRules:
                additionalProperties:
                  properties:
                    enforcementMode:
                      description: 'Required. The action when a pod creation is denied
                        by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED,
                        ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY'
                      type: string
                    evaluationMode:
                      description: 'Required. How this admission rule will be evaluated.
                        Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
                      type: string
                    requireAttestationsBy:
                      items:
                        oneOf:
                        - not:
                            required:
                            - external
                          required:
                          - name
                        - not:
                            anyOf:
                            - required:
                              - name
                            - required:
                              - namespace
                          required:
                          - external
                        properties:
                          external:
                            description: 'Allowed value: The Google Cloud resource
                              name of a `BinaryAuthorizationAttestor` resource (format:
                              `projects/{{project}}/attestors/{{name}}`).'
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                            type: string
                          namespace:
                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                            type: string
                        type: object
                      type: array
                  required:
                  - enforcementMode
                  - evaluationMode
                  type: object
                # NOTE(review): the format string below has lost its placeholder
                # tokens (it reads "spiffe:///ns//sa/"); judging by the example that
                # follows it, the intended form is
                # spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> — confirm
                # against the upstream DCL description before relying on it.
                description: 'Optional. Per-istio-service-identity admission rules.
                  Istio service identity spec format: spiffe:///ns//sa/ or /ns//sa/
                  e.g. spiffe://example.com/ns/test-ns/sa/default'
                type: object
              # Keyed by Kubernetes namespace name; same rule shape as clusterAdmissionRules.
              kubernetesNamespaceAdmissionRules:
                additionalProperties:
                  properties:
                    enforcementMode:
                      description: 'Required. The action when a pod creation is denied
                        by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED,
                        ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY'
                      type: string
                    evaluationMode:
                      description: 'Required. How this admission rule will be evaluated.
                        Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
                      type: string
                    requireAttestationsBy:
                      items:
                        oneOf:
                        - not:
                            required:
                            - external
                          required:
                          - name
                        - not:
                            anyOf:
                            - required:
                              - name
                            - required:
                              - namespace
                          required:
                          - external
                        properties:
                          external:
                            description: 'Allowed value: The Google Cloud resource
                              name of a `BinaryAuthorizationAttestor` resource (format:
                              `projects/{{project}}/attestors/{{name}}`).'
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                            type: string
                          namespace:
                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                            type: string
                        type: object
                      type: array
                  required:
                  - enforcementMode
                  - evaluationMode
                  type: object
                description: 'Optional. Per-kubernetes-namespace admission rules.
                  K8s namespace spec format: [a-z.-]+, e.g. ''some-namespace'''
                type: object
              # Keyed by "namespace:serviceaccount"; same rule shape as clusterAdmissionRules.
              kubernetesServiceAccountAdmissionRules:
                additionalProperties:
                  properties:
                    enforcementMode:
                      description: 'Required. The action when a pod creation is denied
                        by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED,
                        ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY'
                      type: string
                    evaluationMode:
                      description: 'Required. How this admission rule will be evaluated.
                        Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION'
                      type: string
                    requireAttestationsBy:
                      items:
                        oneOf:
                        - not:
                            required:
                            - external
                          required:
                          - name
                        - not:
                            anyOf:
                            - required:
                              - name
                            - required:
                              - namespace
                          required:
                          - external
                        properties:
                          external:
                            description: 'Allowed value: The Google Cloud resource
                              name of a `BinaryAuthorizationAttestor` resource (format:
                              `projects/{{project}}/attestors/{{name}}`).'
                            type: string
                          name:
                            description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                            type: string
                          namespace:
                            description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                            type: string
                        type: object
                      type: array
                  required:
                  - enforcementMode
                  - evaluationMode
                  type: object
                description: 'Optional. Per-kubernetes-service-account admission rules.
                  Service account spec format: namespace:serviceaccount. e.g. ''test-ns:default'''
                type: object
              # Immutable owning project. Same name/external exclusivity as the
              # attestor references above: a KCC Project by name, or an external
              # resource name, never both.
              projectRef:
                description: Immutable. The Project that this resource belongs to.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      The project of the resource.

                      Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
            required:
            - defaultAdmissionRule
            - projectRef
            type: object
          # Observed state written by the controller. Compare observedGeneration with
          # metadata.generation to tell whether the reported status reflects the
          # latest spec (see the observedGeneration description).
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              selfLink:
                description: Output only. The resource name, in the format `projects/*/policy`.
                  There is at most one policy per project.
                type: string
              updateTime:
                description: Output only. Time when the policy was last updated.
                format: date-time
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      # Enables the /status subresource, so status is updated separately from spec.
      status: {}
# CRD status left empty here; the API server fills in acceptedNames, conditions
# and storedVersions once the definition is applied.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []