# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. fullname: - spec shortname: spec description: "" type: object requirementlevel: Required children: - fullname: - spec - admissionWhitelistPatterns shortname: admissionWhitelistPatterns description: Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies. type: list (object) requirementlevel: Optional children: - fullname: - spec - admissionWhitelistPatterns - '[]' shortname: '[]' description: "" type: object requirementlevel: Optional children: - fullname: - spec - admissionWhitelistPatterns - '[]' - namePattern shortname: namePattern description: An image name pattern to allowlist, in the form `registry/path/to/image`. This supports a trailing `*` as a wildcard, but this is allowed only in text after the `registry/` part. type: string requirementlevel: Optional children: [] additionalproperties: [] additionalproperties: [] additionalproperties: [] - fullname: - spec - clusterAdmissionRules shortname: clusterAdmissionRules description: 'Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.' type: 'map (key: string, value: object)' requirementlevel: Optional children: [] additionalproperties: - fullname: - spec - clusterAdmissionRules - enforcementMode shortname: enforcementMode description: 'Required. The action when a pod creation is denied by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY' type: string requirementlevel: RequiredWhenParentPresent children: [] additionalproperties: [] - fullname: - spec - clusterAdmissionRules - evaluationMode shortname: evaluationMode description: 'Required. How this admission rule will be evaluated. Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION' type: string requirementlevel: RequiredWhenParentPresent children: [] additionalproperties: [] - fullname: - spec - clusterAdmissionRules - requireAttestationsBy shortname: requireAttestationsBy description: "" type: list (object) requirementlevel: Optional children: - fullname: - spec - clusterAdmissionRules - requireAttestationsBy - '[]' shortname: '[]' description: "" type: object requirementlevel: Optional children: - fullname: - spec - clusterAdmissionRules - requireAttestationsBy - '[]' - external shortname: external description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor` resource (format: `projects/{{project}}/attestors/{{name}}`).' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - clusterAdmissionRules - requireAttestationsBy - '[]' - name shortname: name description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - clusterAdmissionRules - requireAttestationsBy - '[]' - namespace shortname: namespace description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string requirementlevel: Optional children: [] additionalproperties: [] additionalproperties: [] additionalproperties: [] - fullname: - spec - defaultAdmissionRule shortname: defaultAdmissionRule description: Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule. type: object requirementlevel: Required children: - fullname: - spec - defaultAdmissionRule - enforcementMode shortname: enforcementMode description: 'Required. The action when a pod creation is denied by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY' type: string requirementlevel: Required children: [] additionalproperties: [] - fullname: - spec - defaultAdmissionRule - evaluationMode shortname: evaluationMode description: 'Required. How this admission rule will be evaluated. Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION' type: string requirementlevel: Required children: [] additionalproperties: [] - fullname: - spec - defaultAdmissionRule - requireAttestationsBy shortname: requireAttestationsBy description: "" type: list (object) requirementlevel: Optional children: - fullname: - spec - defaultAdmissionRule - requireAttestationsBy - '[]' shortname: '[]' description: "" type: object requirementlevel: Optional children: - fullname: - spec - defaultAdmissionRule - requireAttestationsBy - '[]' - external shortname: external description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor` resource (format: `projects/{{project}}/attestors/{{name}}`).' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - defaultAdmissionRule - requireAttestationsBy - '[]' - name shortname: name description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - defaultAdmissionRule - requireAttestationsBy - '[]' - namespace shortname: namespace description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string requirementlevel: Optional children: [] additionalproperties: [] additionalproperties: [] additionalproperties: [] additionalproperties: [] - fullname: - spec - description shortname: description description: Optional. A descriptive comment. type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - globalPolicyEvaluationMode shortname: globalPolicyEvaluationMode description: 'Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy. Possible values: GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED, ENABLE, DISABLE' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - istioServiceIdentityAdmissionRules shortname: istioServiceIdentityAdmissionRules description: 'Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe:///ns//sa/ or /ns//sa/ e.g. spiffe://example.com/ns/test-ns/sa/default' type: 'map (key: string, value: object)' requirementlevel: Optional children: [] additionalproperties: - fullname: - spec - istioServiceIdentityAdmissionRules - enforcementMode shortname: enforcementMode description: 'Required. The action when a pod creation is denied by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY' type: string requirementlevel: RequiredWhenParentPresent children: [] additionalproperties: [] - fullname: - spec - istioServiceIdentityAdmissionRules - evaluationMode shortname: evaluationMode description: 'Required. How this admission rule will be evaluated. Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION' type: string requirementlevel: RequiredWhenParentPresent children: [] additionalproperties: [] - fullname: - spec - istioServiceIdentityAdmissionRules - requireAttestationsBy shortname: requireAttestationsBy description: "" type: list (object) requirementlevel: Optional children: - fullname: - spec - istioServiceIdentityAdmissionRules - requireAttestationsBy - '[]' shortname: '[]' description: "" type: object requirementlevel: Optional children: - fullname: - spec - istioServiceIdentityAdmissionRules - requireAttestationsBy - '[]' - external shortname: external description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor` resource (format: `projects/{{project}}/attestors/{{name}}`).' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - istioServiceIdentityAdmissionRules - requireAttestationsBy - '[]' - name shortname: name description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - istioServiceIdentityAdmissionRules - requireAttestationsBy - '[]' - namespace shortname: namespace description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string requirementlevel: Optional children: [] additionalproperties: [] additionalproperties: [] additionalproperties: [] - fullname: - spec - kubernetesNamespaceAdmissionRules shortname: kubernetesNamespaceAdmissionRules description: 'Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. ''some-namespace''' type: 'map (key: string, value: object)' requirementlevel: Optional children: [] additionalproperties: - fullname: - spec - kubernetesNamespaceAdmissionRules - enforcementMode shortname: enforcementMode description: 'Required. The action when a pod creation is denied by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY' type: string requirementlevel: RequiredWhenParentPresent children: [] additionalproperties: [] - fullname: - spec - kubernetesNamespaceAdmissionRules - evaluationMode shortname: evaluationMode description: 'Required. How this admission rule will be evaluated. Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION' type: string requirementlevel: RequiredWhenParentPresent children: [] additionalproperties: [] - fullname: - spec - kubernetesNamespaceAdmissionRules - requireAttestationsBy shortname: requireAttestationsBy description: "" type: list (object) requirementlevel: Optional children: - fullname: - spec - kubernetesNamespaceAdmissionRules - requireAttestationsBy - '[]' shortname: '[]' description: "" type: object requirementlevel: Optional children: - fullname: - spec - kubernetesNamespaceAdmissionRules - requireAttestationsBy - '[]' - external shortname: external description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor` resource (format: `projects/{{project}}/attestors/{{name}}`).' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - kubernetesNamespaceAdmissionRules - requireAttestationsBy - '[]' - name shortname: name description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - kubernetesNamespaceAdmissionRules - requireAttestationsBy - '[]' - namespace shortname: namespace description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string requirementlevel: Optional children: [] additionalproperties: [] additionalproperties: [] additionalproperties: [] - fullname: - spec - kubernetesServiceAccountAdmissionRules shortname: kubernetesServiceAccountAdmissionRules description: 'Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount. e.g. ''test-ns:default''' type: 'map (key: string, value: object)' requirementlevel: Optional children: [] additionalproperties: - fullname: - spec - kubernetesServiceAccountAdmissionRules - enforcementMode shortname: enforcementMode description: 'Required. The action when a pod creation is denied by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY' type: string requirementlevel: RequiredWhenParentPresent children: [] additionalproperties: [] - fullname: - spec - kubernetesServiceAccountAdmissionRules - evaluationMode shortname: evaluationMode description: 'Required. How this admission rule will be evaluated. Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION' type: string requirementlevel: RequiredWhenParentPresent children: [] additionalproperties: [] - fullname: - spec - kubernetesServiceAccountAdmissionRules - requireAttestationsBy shortname: requireAttestationsBy description: "" type: list (object) requirementlevel: Optional children: - fullname: - spec - kubernetesServiceAccountAdmissionRules - requireAttestationsBy - '[]' shortname: '[]' description: "" type: object requirementlevel: Optional children: - fullname: - spec - kubernetesServiceAccountAdmissionRules - requireAttestationsBy - '[]' - external shortname: external description: 'Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor` resource (format: `projects/{{project}}/attestors/{{name}}`).' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - kubernetesServiceAccountAdmissionRules - requireAttestationsBy - '[]' - name shortname: name description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - kubernetesServiceAccountAdmissionRules - requireAttestationsBy - '[]' - namespace shortname: namespace description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string requirementlevel: Optional children: [] additionalproperties: [] additionalproperties: [] additionalproperties: [] - fullname: - spec - projectRef shortname: projectRef description: Immutable. The Project that this resource belongs to. type: object requirementlevel: Required children: - fullname: - spec - projectRef - external shortname: external description: |- The project of the resource. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`). type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - projectRef - name shortname: name description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string requirementlevel: Optional children: [] additionalproperties: [] - fullname: - spec - projectRef - namespace shortname: namespace description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string requirementlevel: Optional children: [] additionalproperties: [] additionalproperties: [] additionalproperties: []