
gcp_binaryauthorization_policy

admission_whitelist_patterns

Type: UNORDERED_LIST_STRUCT
Provider name: admissionWhitelistPatterns
Description: Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.

  • name_pattern
    Type: STRING
    Provider name: namePattern
    Description: An image name pattern to allowlist, in the form registry/path/to/image. This supports a trailing * wildcard, but this is allowed only in text after the registry/ part. This also supports a trailing ** wildcard which matches subdirectories of a given entry.

ancestors

Type: UNORDERED_LIST_STRING

default_admission_rule

Type: STRUCT
Provider name: defaultAdmissionRule
Description: Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.

  • enforcement_mode
    Type: STRING
    Provider name: enforcementMode
    Description: Required. The action when a pod creation is denied by the admission rule.
    Possible values:
    • ENFORCEMENT_MODE_UNSPECIFIED - Do not use.
    • ENFORCED_BLOCK_AND_AUDIT_LOG - Enforce the admission rule by blocking the pod creation.
    • DRYRUN_AUDIT_LOG_ONLY - Dryrun mode: Audit logging only. This will allow the pod creation as if the admission request had specified break-glass.
  • evaluation_mode
    Type: STRING
    Provider name: evaluationMode
    Description: Required. How this admission rule will be evaluated.
    Possible values:
    • EVALUATION_MODE_UNSPECIFIED - Do not use.
    • ALWAYS_ALLOW - This rule allows all pod creations.
    • REQUIRE_ATTESTATION - This rule allows a pod creation if all the attestors listed in require_attestations_by have valid attestations for all of the images in the pod spec.
    • ALWAYS_DENY - This rule denies all pod creations.
  • require_attestations_by
    Type: UNORDERED_LIST_STRING
    Provider name: requireAttestationsBy
    Description: Optional. The resource names of the attestors that must attest to a container image, in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

description

Type: STRING
Provider name: description
Description: Optional. A descriptive comment.

etag

Type: STRING
Provider name: etag
Description: Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.

global_policy_evaluation_mode

Type: STRING
Provider name: globalPolicyEvaluationMode
Description: Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
Possible values:

  • GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED - Not specified: DISABLE is assumed.
  • ENABLE - Enables system policy evaluation.
  • DISABLE - Disables system policy evaluation.
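The fields above (admission_whitelist_patterns, default_admission_rule and global_policy_evaluation_mode) together decide whether an unattested image can reach a cluster. The following lint is an added example, not Datadog or Google code: it reads a policy using the provider field names listed on this page, checks the invariant that require_attestations_by is non-empty exactly when evaluation_mode is REQUIRE_ATTESTATION, checks the trailing-wildcard rule for name patterns, and flags settings that weaken enforcement (dry-run, ALWAYS_ALLOW, registry-wide allowlists, global policy evaluation not enabled). The sample policies, the attestor name and the matching semantics in matches_name_pattern ('*' stays within one path component, '**' also matches subdirectories) are assumptions made for the example.

```python
"""Lint a Binary Authorization policy for weak or invalid settings.

Added illustration; not Datadog or Google code. Field names follow the
provider names documented on this page. The wildcard semantics in
matches_name_pattern are an assumption for the example.
"""
import re
from typing import Optional

ENFORCEMENT_MODES = {"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"}
EVALUATION_MODES = {"ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"}
# Attestor resource names must be in the form projects/*/attestors/*
ATTESTOR_RE = re.compile(r"^projects/[^/]+/attestors/[^/]+$")


def check_name_pattern(pattern: str) -> Optional[str]:
    """Return a problem description for an allowlist pattern, or None if it is well-formed.

    A '*' or '**' wildcard is allowed only as a trailing suffix and only in
    the text after the 'registry/' part.
    """
    if "*" not in pattern:
        return None
    stem = pattern.rstrip("*")
    if "*" in stem:
        return f"{pattern!r}: wildcard must be trailing"
    if len(pattern) - len(stem) > 2:
        return f"{pattern!r}: only '*' or '**' is allowed"
    if "/" not in stem:
        return f"{pattern!r}: wildcard must come after the 'registry/' part"
    return None


def matches_name_pattern(pattern: str, image: str) -> bool:
    """Assumed semantics: '*' matches within one path component, '**' also matches subdirectories."""
    if pattern.endswith("**"):
        return image.startswith(pattern[:-2])
    if pattern.endswith("*"):
        stem = pattern[:-1]
        return image.startswith(stem) and "/" not in image[len(stem):]
    return image == pattern


def lint_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means no weak or invalid settings were found."""
    findings = []
    rule = policy.get("defaultAdmissionRule", {})
    enforcement = rule.get("enforcementMode", "ENFORCEMENT_MODE_UNSPECIFIED")
    evaluation = rule.get("evaluationMode", "EVALUATION_MODE_UNSPECIFIED")
    attestors = rule.get("requireAttestationsBy", [])

    if enforcement not in ENFORCEMENT_MODES:
        findings.append(f"enforcementMode {enforcement} is not a usable value")
    elif enforcement == "DRYRUN_AUDIT_LOG_ONLY":
        findings.append("default rule is dry-run: denied pods are only audit-logged, not blocked")

    if evaluation not in EVALUATION_MODES:
        findings.append(f"evaluationMode {evaluation} is not a usable value")
    elif evaluation == "ALWAYS_ALLOW":
        findings.append("default rule is ALWAYS_ALLOW: every pod is admitted")

    # Invariant: requireAttestationsBy is non-empty iff evaluationMode is REQUIRE_ATTESTATION
    if evaluation == "REQUIRE_ATTESTATION" and not attestors:
        findings.append("REQUIRE_ATTESTATION needs at least one attestor in requireAttestationsBy")
    if evaluation != "REQUIRE_ATTESTATION" and attestors:
        findings.append("requireAttestationsBy must be empty unless evaluationMode is REQUIRE_ATTESTATION")
    for attestor in attestors:
        if not ATTESTOR_RE.match(attestor):
            findings.append(f"attestor {attestor!r} is not in projects/*/attestors/* form")

    for entry in policy.get("admissionWhitelistPatterns", []):
        pattern = entry.get("namePattern", "")
        problem = check_name_pattern(pattern)
        if problem:
            findings.append(problem)
            continue
        stem = pattern.rstrip("*")
        # Heuristic: 'registry/**' exempts every image in that registry from attestation
        if pattern.endswith("**") and stem.endswith("/") and stem.count("/") == 1:
            findings.append(f"{pattern!r} allowlists an entire registry")

    if policy.get("globalPolicyEvaluationMode") != "ENABLE":
        findings.append("globalPolicyEvaluationMode is not ENABLE (UNSPECIFIED is treated as DISABLE)")
    return findings


# Constructed sample policies (project name, attestor and patterns are made up)
WEAK_POLICY = {
    "name": "projects/example-project/policy",
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/**"}],
    "defaultAdmissionRule": {
        "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
        "evaluationMode": "ALWAYS_ALLOW",
        "requireAttestationsBy": [],
    },
}

HARDENED_POLICY = {
    "name": "projects/example-project/policy",
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/example-infra/*"}],
    "defaultAdmissionRule": {
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "evaluationMode": "REQUIRE_ATTESTATION",
        "requireAttestationsBy": ["projects/example-project/attestors/build-verifier"],
    },
    "globalPolicyEvaluationMode": "ENABLE",
}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_policy(policy))
```

Running the script lists four findings for the weak policy (dry-run, ALWAYS_ALLOW, registry-wide allowlist, global policy not enabled) and none for the hardened one; the same function can be pointed at policies exported from the API, since it only relies on the field names documented here.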

labels

Type: UNORDERED_LIST_STRING

name

Type: STRING
Provider name: name
Description: Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.

organization_id

Type: STRING

parent

Type: STRING

project_id

Type: STRING

project_number

Type: STRING

resource_name

Type: STRING

tags

Type: UNORDERED_LIST_STRING

update_time

Type: TIMESTAMP
Provider name: updateTime
Description: Output only. Time when the policy was last updated.