Binary Authorization Policy

Binary Authorization Policy is a Google Cloud resource that holds the admission rules applied when a container image is deployed. It ensures that only images satisfying those rules, typically images carrying signed attestations from trusted attestors, are allowed to run on Google Kubernetes Engine or Cloud Run. Each admission rule states what an image must satisfy (evaluation mode ALWAYS_ALLOW, REQUIRE_ATTESTATION, or ALWAYS_DENY) and what happens on a violation (enforcement mode ENFORCED_BLOCK_AND_AUDIT_LOG or DRYRUN_AUDIT_LOG_ONLY); the rule is evaluated at deploy time, which is what makes the policy a software-supply-chain control against unverified code running in the cluster. Two settings can silently weaken it: an allowlist pattern matches an image before any rule is consulted, and a dry-run enforcement mode only logs violations. There is at most one policy per project, and it is enforced only on GKE clusters and Cloud Run services that have Binary Authorization enabled.

gcp.binaryauthorization_policy

Fields

ID | Type | Data Type | Description
_key | core | string |
admission_whitelist_patterns | core | json | Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
ancestors | core | array<string> |
datadog_display_name | core | string |
default_admission_rule | core | json | Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.
description | core | string | Optional. A descriptive comment.
etag | core | string | Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.
global_policy_evaluation_mode | core | string | Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
labels | core | array<string> |
name | core | string | Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project.
organization_id | core | string |
parent | core | string |
project_id | core | string |
project_number | core | string |
region_id | core | string |
resource_name | core | string |
tags | core | hstore_csv |
update_time | core | timestamp | Output only. Time when the policy was last updated.
zone_id | core | string |
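The fields above are what a practitioner would inspect to decide whether a project's policy actually blocks unattested images. The following is an added example, not Datadog's or Google's code: a small audit routine over a policy record using the snake_case field IDs from the table as top-level keys. The keys nested inside default_admission_rule and admission_whitelist_patterns are assumed to carry the Binary Authorization API field names (camelCase, with snake_case also accepted), and the two sample policies, the project ID and the attestor name are constructed for the example. It flags a weak default rule (ALWAYS_ALLOW, an attestation rule with no attestors, or dry-run enforcement) and allowlist patterns that exempt an entire registry.

```python
"""Audit a Binary Authorization policy record for settings that weaken admission control.

Added example for this page, not part of Datadog's or Google's code. Top-level keys are
the snake_case field IDs from the table; nested keys are assumed to follow the API
field names (camelCase, snake_case also accepted). Sample policies are constructed.
"""
import json


def _get(d, *names, default=None):
    """Return the first present key among the accepted camelCase/snake_case spellings."""
    for n in names:
        if n in d:
            return d[n]
    return default


def _broad_pattern(pattern):
    """True when the wildcard sits at the registry root, so the whole registry is exempt.

    Examples: '*' and 'gcr.io/**' are broad; 'gcr.io/google_containers/*' is scoped.
    """
    base = pattern.rstrip("*").rstrip("/")
    return base == "" or "/" not in base


def _rule_findings(label, rule):
    """Findings for one admission rule (the default rule on this page)."""
    findings = []
    evaluation = _get(rule, "evaluationMode", "evaluation_mode", default="")
    enforcement = _get(rule, "enforcementMode", "enforcement_mode", default="")
    attestors = _get(rule, "requireAttestationsBy", "require_attestations_by", default=[])
    if evaluation == "ALWAYS_ALLOW":
        findings.append(f"{label}: evaluationMode ALWAYS_ALLOW admits any image")
    elif evaluation == "REQUIRE_ATTESTATION" and not attestors:
        findings.append(f"{label}: REQUIRE_ATTESTATION lists no attestors")
    if enforcement == "DRYRUN_AUDIT_LOG_ONLY":
        findings.append(f"{label}: enforcementMode DRYRUN_AUDIT_LOG_ONLY logs violations but never blocks")
    return findings


def audit_policy(policy):
    """Return a list of human-readable findings; an empty list means no weakness detected."""
    findings = []
    # Allowlist patterns are checked before any rule, so a broad one bypasses attestation.
    for entry in policy.get("admission_whitelist_patterns") or []:
        name = _get(entry, "namePattern", "name_pattern", default="")
        if _broad_pattern(name):
            findings.append(f"allowlist pattern {name!r} exempts an entire registry from all rules")
    findings += _rule_findings("default_admission_rule", policy.get("default_admission_rule") or {})
    return findings


# Constructed sample: every image is admitted, and violations would only be logged anyway.
WEAK_POLICY = {
    "name": "projects/example-project/policy",
    "admission_whitelist_patterns": [{"namePattern": "gcr.io/**"}],
    "default_admission_rule": {
        "evaluationMode": "ALWAYS_ALLOW",
        "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
    },
    "global_policy_evaluation_mode": "ENABLE",
}

# Constructed sample: attestation required from a named attestor, violations blocked,
# allowlist limited to one image path instead of a whole registry.
HARDENED_POLICY = {
    "name": "projects/example-project/policy",
    "admission_whitelist_patterns": [{"namePattern": "gcr.io/google_containers/*"}],
    "default_admission_rule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": ["projects/example-project/attestors/build-verified"],
    },
    "global_policy_evaluation_mode": "ENABLE",
}


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, json.dumps(audit_policy(policy), indent=2))
```

Running the module prints three findings for the weak policy and none for the hardened one. Per-cluster, per-namespace and per-service-account rules carry the same evaluationMode/enforcementMode shape, so the same `_rule_findings` check can be applied to each of them once those fields are exported.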