<html><body>
<style>

body, h1, h2, h3, div, span, p, pre, a {
  margin: 0;
  padding: 0;
  border: 0;
  font-weight: inherit;
  font-style: inherit;
  font-size: 100%;
  font-family: inherit;
  vertical-align: baseline;
}

body {
  font-size: 13px;
  padding: 1em;
}

h1 {
  font-size: 26px;
  margin-bottom: 1em;
}

h2 {
  font-size: 24px;
  margin-bottom: 1em;
}

h3 {
  font-size: 20px;
  margin-bottom: 1em;
  margin-top: 1em;
}

pre, code {
  line-height: 1.5;
  font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
}

pre {
  margin-top: 0.5em;
}

h1, h2, h3, p {
  font-family: Arial, sans-serif;
}

h1, h2, h3 {
  border-bottom: solid #CCC 1px;
}

.toc_element {
  margin-top: 0.5em;
}

.firstline {
  margin-left: 2em;
}

.method  {
  margin-top: 1em;
  border: solid 1px #CCC;
  padding: 1em;
  background: #EEE;
}

.details {
  font-weight: bold;
  font-size: 14px;
}

</style>
<h1><a href="binaryauthorization_v1beta1.html">Binary Authorization API</a> . <a href="binaryauthorization_v1beta1.projects.html">projects</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
  <code><a href="binaryauthorization_v1beta1.projects.attestors.html">attestors()</a></code>
</p>
<p class="firstline">Returns the attestors Resource.</p>

<p class="toc_element">
  <code><a href="binaryauthorization_v1beta1.projects.policy.html">policy()</a></code>
</p>
<p class="firstline">Returns the policy Resource.</p>

<p class="toc_element">
  <code><a href="#getPolicy">getPolicy(name, x__xgafv=None)</a></code></p>
<p class="firstline">A policy specifies the attestors that must attest to a container image, before the project is allowed to deploy that image.</p>
<p class="toc_element">
  <code><a href="#updatePolicy">updatePolicy(name, body, x__xgafv=None)</a></code></p>
<p class="firstline">Creates or updates a project's policy, and returns a copy of the new policy.</p>
<h3>Method Details</h3>
<div class="method">
    <code class="details" id="getPolicy">getPolicy(name, x__xgafv=None)</code>
  <pre>A policy specifies the attestors that must attest to
a container image, before the project is allowed to deploy that
image. There is at most one policy per project. All image admission
requests are permitted if a project has no policy.

Gets the policy for this project. Returns a default
policy if the project does not have one.

Args:
  name: string, Required. The resource name of the policy to retrieve,
in the format `projects/*/policy`. (required)
  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy for container image binary authorization.
    "updateTime": "A String", # Output only. Time when the policy was last updated.
    "description": "A String", # Optional. A descriptive comment.
    "defaultAdmissionRule": { # Required. Default admission rule for a cluster without a per-cluster,
        # per-kubernetes-service-account, or per-istio-service-identity admission rule.
        #
        # An admission rule specifies either that all container images
        # used in a pod creation request must be attested to by one or more
        # attestors, that all pod creations will be allowed, or that all
        # pod creations will be denied.
        #
        # Images matching an admission whitelist pattern
        # are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
          # a container image, in the format `projects/*/attestors/*`. Each
          # attestor must exist before a policy can reference it.  To add an attestor
          # to a policy the principal issuing the policy change request must be able
          # to read the attestor resource.
          #
          # Note: this field must be non-empty when the evaluation_mode field specifies
          # REQUIRE_ATTESTATION, otherwise it must be empty.
        "A String",
      ],
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
    },
    "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
        # always be permitted. This feature is typically used to exclude Google or
        # third-party infrastructure images from Binary Authorization policies.
      { # An admission whitelist pattern exempts images
          # from checks by admission rules.
        "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
            # This supports a trailing `*` as a wildcard, but this is allowed only in
            # text after the `registry/` part.
      },
    ],
    "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
        # policy for common system-level images. Images not covered by the global
        # policy will be subject to the project admission policy. This setting
        # has no effect when specified inside a global admission policy.
    "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
        # `location.clusterId`. There can be at most one admission rule per cluster
        # spec.
        # A `location` is either a compute zone (e.g. us-central1-a) or a region
        # (e.g. us-central1).
        # For `clusterId` syntax restrictions see
        # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
      "a_key": { # An admission rule specifies either that all container images
          # used in a pod creation request must be attested to by one or more
          # attestors, that all pod creations will be allowed, or that all
          # pod creations will be denied.
          #
          # Images matching an admission whitelist pattern
          # are exempted from admission rules and will never block a pod creation.
        "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
        "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
            # a container image, in the format `projects/*/attestors/*`. Each
            # attestor must exist before a policy can reference it.  To add an attestor
            # to a policy the principal issuing the policy change request must be able
            # to read the attestor resource.
            #
            # Note: this field must be non-empty when the evaluation_mode field specifies
            # REQUIRE_ATTESTATION, otherwise it must be empty.
          "A String",
        ],
        "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      },
    },
    "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
        # at most one policy per project.
  }</pre>
</div>
<div class="method">
    <code class="details" id="updatePolicy">updatePolicy(name, body, x__xgafv=None)</code>
  <pre>Creates or updates a project's policy, and returns a copy of the
new policy. A policy is always updated as a whole, to avoid race
conditions with concurrent policy enforcement (or management!)
requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
if the request is malformed.

Args:
  name: string, Output only. The resource name, in the format `projects/*/policy`. There is
at most one policy per project. (required)
  body: object, The request body. (required)
    The object takes the form of:

{ # A policy for container image binary authorization.
  "updateTime": "A String", # Output only. Time when the policy was last updated.
  "description": "A String", # Optional. A descriptive comment.
  "defaultAdmissionRule": { # Required. Default admission rule for a cluster without a per-cluster,
      # per-kubernetes-service-account, or per-istio-service-identity admission rule.
      #
      # An admission rule specifies either that all container images
      # used in a pod creation request must be attested to by one or more
      # attestors, that all pod creations will be allowed, or that all
      # pod creations will be denied.
      #
      # Images matching an admission whitelist pattern
      # are exempted from admission rules and will never block a pod creation.
    "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
    "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
        # a container image, in the format `projects/*/attestors/*`. Each
        # attestor must exist before a policy can reference it.  To add an attestor
        # to a policy the principal issuing the policy change request must be able
        # to read the attestor resource.
        #
        # Note: this field must be non-empty when the evaluation_mode field specifies
        # REQUIRE_ATTESTATION, otherwise it must be empty.
      "A String",
    ],
    "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
  },
  "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
      # always be permitted. This feature is typically used to exclude Google or
      # third-party infrastructure images from Binary Authorization policies.
    { # An admission whitelist pattern exempts images
        # from checks by admission rules.
      "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
          # This supports a trailing `*` as a wildcard, but this is allowed only in
          # text after the `registry/` part.
    },
  ],
  "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
      # policy for common system-level images. Images not covered by the global
      # policy will be subject to the project admission policy. This setting
      # has no effect when specified inside a global admission policy.
  "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
      # `location.clusterId`. There can be at most one admission rule per cluster
      # spec.
      # A `location` is either a compute zone (e.g. us-central1-a) or a region
      # (e.g. us-central1).
      # For `clusterId` syntax restrictions see
      # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
    "a_key": { # An admission rule specifies either that all container images
        # used in a pod creation request must be attested to by one or more
        # attestors, that all pod creations will be allowed, or that all
        # pod creations will be denied.
        #
        # Images matching an admission whitelist pattern
        # are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
          # a container image, in the format `projects/*/attestors/*`. Each
          # attestor must exist before a policy can reference it.  To add an attestor
          # to a policy the principal issuing the policy change request must be able
          # to read the attestor resource.
          #
          # Note: this field must be non-empty when the evaluation_mode field specifies
          # REQUIRE_ATTESTATION, otherwise it must be empty.
        "A String",
      ],
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
    },
  },
  "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
      # at most one policy per project.
}

  x__xgafv: string, V1 error format.
    Allowed values
      1 - v1 error format
      2 - v2 error format

Returns:
  An object of the form:

    { # A policy for container image binary authorization.
    "updateTime": "A String", # Output only. Time when the policy was last updated.
    "description": "A String", # Optional. A descriptive comment.
    "defaultAdmissionRule": { # Required. Default admission rule for a cluster without a per-cluster,
        # per-kubernetes-service-account, or per-istio-service-identity admission rule.
        #
        # An admission rule specifies either that all container images
        # used in a pod creation request must be attested to by one or more
        # attestors, that all pod creations will be allowed, or that all
        # pod creations will be denied.
        #
        # Images matching an admission whitelist pattern
        # are exempted from admission rules and will never block a pod creation.
      "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
      "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
          # a container image, in the format `projects/*/attestors/*`. Each
          # attestor must exist before a policy can reference it.  To add an attestor
          # to a policy the principal issuing the policy change request must be able
          # to read the attestor resource.
          #
          # Note: this field must be non-empty when the evaluation_mode field specifies
          # REQUIRE_ATTESTATION, otherwise it must be empty.
        "A String",
      ],
      "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
    },
    "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
        # always be permitted. This feature is typically used to exclude Google or
        # third-party infrastructure images from Binary Authorization policies.
      { # An admission whitelist pattern exempts images
          # from checks by admission rules.
        "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
            # This supports a trailing `*` as a wildcard, but this is allowed only in
            # text after the `registry/` part.
      },
    ],
    "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
        # policy for common system-level images. Images not covered by the global
        # policy will be subject to the project admission policy. This setting
        # has no effect when specified inside a global admission policy.
    "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
        # `location.clusterId`. There can be at most one admission rule per cluster
        # spec.
        # A `location` is either a compute zone (e.g. us-central1-a) or a region
        # (e.g. us-central1).
        # For `clusterId` syntax restrictions see
        # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
      "a_key": { # An admission rule specifies either that all container images
          # used in a pod creation request must be attested to by one or more
          # attestors, that all pod creations will be allowed, or that all
          # pod creations will be denied.
          #
          # Images matching an admission whitelist pattern
          # are exempted from admission rules and will never block a pod creation.
        "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
        "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
            # a container image, in the format `projects/*/attestors/*`. Each
            # attestor must exist before a policy can reference it.  To add an attestor
            # to a policy the principal issuing the policy change request must be able
            # to read the attestor resource.
            #
            # Note: this field must be non-empty when the evaluation_mode field specifies
            # REQUIRE_ATTESTATION, otherwise it must be empty.
          "A String",
        ],
        "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
      },
    },
    "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
        # at most one policy per project.
  }</pre>
</div>
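<p>Added example, not part of the generated reference or of the client library: a pre-flight check that lints a policy body against the field constraints documented above before it is passed to <code>updatePolicy</code>, which replaces the whole policy in one call. The function names and the sample project, cluster and attestor names are assumptions; the mode values other than <code>REQUIRE_ATTESTATION</code> come from the API's enums rather than from this page, and the cluster-spec check is deliberately loose.</p>

```python
import re

ATTESTOR_RE = re.compile(r"^projects/[^/]+/attestors/[^/]+$")
POLICY_NAME_RE = re.compile(r"^projects/[^/]+/policy$")

def check_rule(where, rule):
    """Check one admission rule against the field notes in the reference."""
    problems = [f"{where}: missing required {f}"
                for f in ("evaluationMode", "enforcementMode") if not rule.get(f)]
    attestors = rule.get("requireAttestationsBy", [])
    needs = rule.get("evaluationMode") == "REQUIRE_ATTESTATION"
    if needs and not attestors:
        problems.append(f"{where}: REQUIRE_ATTESTATION needs at least one attestor")
    if attestors and not needs:
        problems.append(f"{where}: requireAttestationsBy must be empty")
    problems += [f"{where}: bad attestor name {a!r}"
                 for a in attestors if not ATTESTOR_RE.match(a)]
    return problems

def check_pattern(pattern):
    """`*` is valid only as the final character, after the `registry/` part."""
    registry, slash, rest = pattern.partition("/")
    ok = slash and rest and "*" not in registry and "*" not in rest[:-1]
    return [] if ok else [f"whitelist: invalid namePattern {pattern!r}"]

def lint_policy(policy):
    """Return a list of problems; an empty list means the body passed."""
    problems = []
    if not POLICY_NAME_RE.match(policy.get("name", "")):
        problems.append("name: expected projects/*/policy")
    default = policy.get("defaultAdmissionRule")
    problems += (check_rule("defaultAdmissionRule", default) if default
                 else ["defaultAdmissionRule: required"])
    for spec, rule in policy.get("clusterAdmissionRules", {}).items():
        # Loose check of `location.clusterId`: non-empty text around the first dot.
        location, dot, cluster_id = spec.partition(".")
        if not (location and dot and cluster_id):
            problems.append(f"clusterAdmissionRules: bad cluster spec {spec!r}")
        problems += check_rule(f"clusterAdmissionRules[{spec}]", rule)
    for entry in policy.get("admissionWhitelistPatterns", []):
        problems += check_pattern(entry.get("namePattern", ""))
    return problems

# Constructed sample body; project, cluster and attestor names are made up.
SAMPLE = {
    "name": "projects/example-project/policy",
    "defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION",
                             "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
    "clusterAdmissionRules": {"us-central1-a.dev": {
        "evaluationMode": "ALWAYS_ALLOW",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": ["projects/example-project/attestors/qa"]}},
    "admissionWhitelistPatterns": [{"namePattern": "*.example.com/infra/*"}],
}
for problem in lint_policy(SAMPLE):
    print(problem)
```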
</body></html>