Google Cloud Binary Authorization · Schema
Google Cloud Binary Authorization Policy
Schema for a Binary Authorization policy, which defines the rules for deploying container images to Google Cloud environments.
Attestation · Container Security · DevSecOps · Kubernetes · Policy Enforcement · Supply Chain Security
Properties
| Name | Type | Description |
|---|---|---|
| name | string | The resource name of the policy |
| globalPolicyEvaluationMode | string | Whether to enable the global policy evaluation mode |
| admissionWhitelistPatterns | array | Image name patterns that are always allowed to be deployed, regardless of the admission rules |
| defaultAdmissionRule | object | The default admission rule for the policy |
| clusterAdmissionRules | object | Per-cluster admission rules keyed by cluster resource ID |
| kubernetesNamespaceAdmissionRules | object | Per-namespace admission rules |
| kubernetesServiceAccountAdmissionRules | object | Per-service-account admission rules |
| updateTime | string | The time when the policy was last updated |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://cloud.google.com/schemas/binaryauthorization/policy.json",
"title": "Google Cloud Binary Authorization Policy",
"description": "Schema for a Binary Authorization policy, which defines the rules for deploying container images to Google Cloud environments.",
"type": "object",
"required": ["defaultAdmissionRule"],
"properties": {
"name": {
"type": "string",
"description": "The resource name of the policy"
},
"globalPolicyEvaluationMode": {
"type": "string",
"description": "Whether to enable the global policy evaluation mode",
"enum": ["ENABLE", "DISABLE"]
},
"admissionWhitelistPatterns": {
"type": "array",
"description": "Image name patterns that are always allowed to be deployed, regardless of the admission rules",
"items": {
"$ref": "#/$defs/AdmissionWhitelistPattern"
}
},
"defaultAdmissionRule": {
"$ref": "#/$defs/AdmissionRule",
"description": "The default admission rule for the policy"
},
"clusterAdmissionRules": {
"type": "object",
"description": "Per-cluster admission rules keyed by cluster resource ID",
"additionalProperties": {
"$ref": "#/$defs/AdmissionRule"
}
},
"kubernetesNamespaceAdmissionRules": {
"type": "object",
"description": "Per-namespace admission rules",
"additionalProperties": {
"$ref": "#/$defs/AdmissionRule"
}
},
"kubernetesServiceAccountAdmissionRules": {
"type": "object",
"description": "Per-service-account admission rules",
"additionalProperties": {
"$ref": "#/$defs/AdmissionRule"
}
},
"updateTime": {
"type": "string",
"format": "date-time",
"description": "The time when the policy was last updated"
}
},
"$defs": {
"AdmissionRule": {
"type": "object",
"description": "An admission rule specifies what action to take when a container image matches the rule",
"required": ["evaluationMode", "enforcementMode"],
"properties": {
"evaluationMode": {
"type": "string",
"description": "How this admission rule will be evaluated",
"enum": ["ALWAYS_ALLOW", "ALWAYS_DENY", "REQUIRE_ATTESTATION"]
},
"requireAttestationsBy": {
"type": "array",
"description": "Resource names of attestors required by this rule",
"items": {
"type": "string"
}
},
"enforcementMode": {
"type": "string",
"description": "The action taken when a pod creation is denied by this admission rule",
"enum": ["ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"]
}
}
},
"AdmissionWhitelistPattern": {
"type": "object",
"description": "An image name pattern to allow",
"properties": {
"namePattern": {
"type": "string",
"description": "An image name pattern to allowlist, in the form registry/path/to/image"
}
}
}
}
}