
gcp_binaryauthorization_policy

admission_whitelist_patterns

Type: UNORDERED_LIST_STRUCT
Provider name: admissionWhitelistPatterns
Description: Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.

  • name_pattern
    Type: STRING
    Provider name: namePattern
    Description: An image name pattern to allowlist, in the form registry/path/to/image. This supports a trailing * wildcard, but this is allowed only in text after the registry/ part. This also supports a trailing ** wildcard which matches subdirectories of a given entry.

ancestors

Type: UNORDERED_LIST_STRING

default_admission_rule

Type: STRUCT
Provider name: defaultAdmissionRule
Description: Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.

  • enforcement_mode
    Type: STRING
    Provider name: enforcementMode
    Description: Required. The action when a pod creation is denied by the admission rule.
    Possible values:
    • ENFORCEMENT_MODE_UNSPECIFIED - Do not use.
    • ENFORCED_BLOCK_AND_AUDIT_LOG - Enforce the admission rule by blocking the pod creation.
    • DRYRUN_AUDIT_LOG_ONLY - Dryrun mode: Audit logging only. This will allow the pod creation as if the admission request had specified break-glass.
  • evaluation_mode
    Type: STRING
    Provider name: evaluationMode
    Description: Required. How this admission rule will be evaluated.
    Possible values:
    • EVALUATION_MODE_UNSPECIFIED - Do not use.
    • ALWAYS_ALLOW - This rule allows all pod creations.
    • REQUIRE_ATTESTATION - This rule allows a pod creation if all the attestors listed in require_attestations_by have valid attestations for all of the images in the pod spec.
    • ALWAYS_DENY - This rule denies all pod creations.
  • require_attestations_by
    Type: UNORDERED_LIST_STRING
    Provider name: requireAttestationsBy
    Description: Optional. The resource names of the attestors that must attest to a container image, in the format projects/*/attestors/*. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.
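The two blocks above (admission_whitelist_patterns and default_admission_rule) describe how a policy decides whether a pod's image is admitted. The following is an added example, not Datadog's or Google's code: it lints a policy for the invariants stated in this schema (non-empty require_attestations_by only with REQUIRE_ATTESTATION, attestor names in projects/*/attestors/* form), flags the weak settings a reviewer would object to (ALWAYS_ALLOW, DRYRUN_AUDIT_LOG_ONLY, registry-wide allowlist patterns), and simulates the decision for a single-image pod. The two policy dicts, the project name example-project, the attestor build-verifier and the image names are constructed; the field names are the snake_case keys from this schema, which is also the shape `gcloud container binauthz policy export` writes as YAML. The name_pattern matcher is a reimplementation of the trailing `*` and `**` semantics described above for illustration, not the service's own matcher.

```python
import re
from typing import Dict, List, Set, Tuple

ATTESTOR_NAME = re.compile(r"projects/[^/]+/attestors/[^/]+")

# Constructed weak policy: everything is admitted, denials would only be
# logged, and a root-level ** pattern allowlists an entire registry.
WEAK_POLICY: Dict = {
    "global_policy_evaluation_mode": "DISABLE",
    "admission_whitelist_patterns": [{"name_pattern": "gcr.io/**"}],
    "default_admission_rule": {
        "evaluation_mode": "ALWAYS_ALLOW",
        "enforcement_mode": "DRYRUN_AUDIT_LOG_ONLY",
        "require_attestations_by": [],
    },
}

# Constructed hardened policy: every image needs an attestation from the
# hypothetical build-verifier attestor, denials block pod creation, the
# Google-maintained global policy is enabled, and the allowlist is scoped
# to one repository path instead of a whole registry.
HARDENED_POLICY: Dict = {
    "global_policy_evaluation_mode": "ENABLE",
    "admission_whitelist_patterns": [{"name_pattern": "gcr.io/google-containers/*"}],
    "default_admission_rule": {
        "evaluation_mode": "REQUIRE_ATTESTATION",
        "enforcement_mode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "require_attestations_by": ["projects/example-project/attestors/build-verifier"],
    },
}


def image_name(image_ref: str) -> str:
    """Strip a trailing @digest or :tag; name_pattern applies to the name only."""
    name = image_ref.split("@", 1)[0]
    colon = name.rfind(":")
    if colon > name.rfind("/"):  # ':' after the last '/' is a tag, not a registry port
        name = name[:colon]
    return name


def allowlist_matches(pattern: str, image_ref: str) -> bool:
    """Exact match, trailing '*' = rest of one path segment, trailing '**' = any depth."""
    name = image_name(image_ref)
    if pattern.endswith("**"):
        prefix = pattern[:-2]
        return name.startswith(prefix) and len(name) > len(prefix)
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        rest = name[len(prefix):]
        return name.startswith(prefix) and rest != "" and "/" not in rest
    return name == pattern


def lint_policy(policy: Dict) -> List[str]:
    """Schema invariants the API enforces, plus hardening gaps a reviewer would flag."""
    findings: List[str] = []
    rule = policy["default_admission_rule"]
    mode = rule.get("evaluation_mode")
    enforcement = rule.get("enforcement_mode")
    attestors = rule.get("require_attestations_by", [])
    if mode == "REQUIRE_ATTESTATION" and not attestors:
        findings.append("REQUIRE_ATTESTATION needs a non-empty require_attestations_by")
    if mode != "REQUIRE_ATTESTATION" and attestors:
        findings.append("require_attestations_by must be empty unless REQUIRE_ATTESTATION")
    for name in attestors:
        if not ATTESTOR_NAME.fullmatch(name):
            findings.append(f"attestor not in projects/*/attestors/* form: {name}")
    if mode == "ALWAYS_ALLOW":
        findings.append("default rule ALWAYS_ALLOW admits unattested images")
    if enforcement == "DRYRUN_AUDIT_LOG_ONLY":
        findings.append("DRYRUN_AUDIT_LOG_ONLY only logs denials; pods are still created")
    if mode == "REQUIRE_ATTESTATION" and policy.get("global_policy_evaluation_mode") != "ENABLE":
        findings.append("global policy not ENABLE (unspecified means DISABLE); "
                        "system images fall under the project rule")
    for entry in policy.get("admission_whitelist_patterns", []):
        pattern = entry["name_pattern"]
        registry, _, path = pattern.partition("/")
        if "*" in registry:
            findings.append(f"wildcard in the registry part is not allowed: {pattern}")
        elif path in ("*", "**"):
            findings.append(f"allowlist covers a whole registry: {pattern}")
    return findings


def admits(policy: Dict, image_ref: str, attested_by: Set[str]) -> Tuple[bool, str]:
    """Decision for a single-image pod; attested_by holds attestors with a valid
    attestation for this image. The global policy is not modelled here."""
    for entry in policy.get("admission_whitelist_patterns", []):
        if allowlist_matches(entry["name_pattern"], image_ref):
            return True, f"allowlisted by {entry['name_pattern']}"
    rule = policy["default_admission_rule"]
    mode = rule["evaluation_mode"]
    if mode == "ALWAYS_ALLOW":
        return True, "ALWAYS_ALLOW"
    if mode == "ALWAYS_DENY":
        verdict, reason = False, "ALWAYS_DENY"
    else:
        missing = set(rule["require_attestations_by"]) - attested_by
        verdict = not missing
        reason = ("all required attestations present" if verdict
                  else f"missing attestations from {sorted(missing)}")
    if not verdict and rule["enforcement_mode"] == "DRYRUN_AUDIT_LOG_ONLY":
        return True, f"dry-run: would be denied ({reason}), pod admitted and audit-logged"
    return verdict, reason


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_policy(policy))
    print(admits(HARDENED_POLICY, "gcr.io/example-project/app:1.0", set()))
```

Running the lint against an exported policy before importing it catches the two things that most often make a Binary Authorization deployment a no-op: a default rule that never requires attestations, and a dry-run enforcement mode that was meant to be temporary. The `**` check is worth keeping separate from the registry check because `gcr.io/**` is syntactically valid yet exempts every image in that registry from the default rule.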

description

Type: STRING
Provider name: description
Description: Optional. A descriptive comment.

etag

Type: STRING
Provider name: etag
Description: Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.

global_policy_evaluation_mode

Type: STRING
Provider name: globalPolicyEvaluationMode
Description: Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
Possible values:

  • GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED - Not specified: DISABLE is assumed.
  • ENABLE - Enables system policy evaluation.
  • DISABLE - Disables system policy evaluation.

labels

Type: UNORDERED_LIST_STRING

name

Type: STRING
Provider name: name
Description: Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.

organization_id

Type: STRING

parent

Type: STRING

project_id

Type: STRING

project_number

Type: STRING

resource_name

Type: STRING

tags

Type: UNORDERED_LIST_STRING

update_time

Type: TIMESTAMP
Provider name: updateTime
Description: Output only. Time when the policy was last updated.