pulumi-gcp-kotlin/com.pulumi.gcp.binaryauthorization.kotlin/PolicyArgs

PolicyArgs

data class PolicyArgs(val admissionWhitelistPatterns: Output<List<PolicyAdmissionWhitelistPatternArgs>>? = null, val clusterAdmissionRules: Output<List<PolicyClusterAdmissionRuleArgs>>? = null, val defaultAdmissionRule: Output<PolicyDefaultAdmissionRuleArgs>? = null, val description: Output<String>? = null, val globalPolicyEvaluationMode: Output<String>? = null, val project: Output<String>? = null) : ConvertibleToJava<PolicyArgs>

A policy for container image binary authorization. To get more information about Policy, see:

Example Usage

Binary Authorization Policy Basic

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.Note;
import com.pulumi.gcp.containeranalysis.NoteArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
import com.pulumi.gcp.binaryauthorization.Attestor;
import com.pulumi.gcp.binaryauthorization.AttestorArgs;
import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
import com.pulumi.gcp.binaryauthorization.Policy;
import com.pulumi.gcp.binaryauthorization.PolicyArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyAdmissionWhitelistPatternArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyClusterAdmissionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var note = new Note("note", NoteArgs.builder()
            .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                .hint(NoteAttestationAuthorityHintArgs.builder()
                    .humanReadableName("My attestor")
                    .build())
                .build())
            .build());
        var attestor = new Attestor("attestor", AttestorArgs.builder()
            .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                .noteReference(note.name())
                .build())
            .build());
        var policy = new Policy("policy", PolicyArgs.builder()
            .admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
                .namePattern("gcr.io/google_containers/*")
                .build())
            .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                .evaluationMode("ALWAYS_ALLOW")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .build())
            .clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
                .cluster("us-central1-a.prod-cluster")
                .evaluationMode("REQUIRE_ATTESTATION")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .requireAttestationsBies(attestor.name())
                .build())
            .build());
    }
}
Content copied to clipboard

Binary Authorization Policy Global Evaluation

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.Note;
import com.pulumi.gcp.containeranalysis.NoteArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
import com.pulumi.gcp.binaryauthorization.Attestor;
import com.pulumi.gcp.binaryauthorization.AttestorArgs;
import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
import com.pulumi.gcp.binaryauthorization.Policy;
import com.pulumi.gcp.binaryauthorization.PolicyArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var note = new Note("note", NoteArgs.builder()
            .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                .hint(NoteAttestationAuthorityHintArgs.builder()
                    .humanReadableName("My attestor")
                    .build())
                .build())
            .build());
        var attestor = new Attestor("attestor", AttestorArgs.builder()
            .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                .noteReference(note.name())
                .build())
            .build());
        var policy = new Policy("policy", PolicyArgs.builder()
            .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                .evaluationMode("REQUIRE_ATTESTATION")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .requireAttestationsBies(attestor.name())
                .build())
            .globalPolicyEvaluationMode("ENABLE")
            .build());
    }
}
Content copied to clipboard

Import

Policy can be imported using any of these accepted formats

$ pulumi import gcp:binaryauthorization/policy:Policy default projects/{{project}}
Content copied to clipboard
$ pulumi import gcp:binaryauthorization/policy:Policy default {{project}}
Content copied to clipboard

Constructors

Link copied to clipboard
fun PolicyArgs(admissionWhitelistPatterns: Output<List<PolicyAdmissionWhitelistPatternArgs>>? = null, clusterAdmissionRules: Output<List<PolicyClusterAdmissionRuleArgs>>? = null, defaultAdmissionRule: Output<PolicyDefaultAdmissionRuleArgs>? = null, description: Output<String>? = null, globalPolicyEvaluationMode: Output<String>? = null, project: Output<String>? = null)

Functions

Link copied to clipboard
open override fun toJava(): PolicyArgs

Properties

Link copied to clipboard
val admissionWhitelistPatterns: Output<List<PolicyAdmissionWhitelistPatternArgs>>? = null

A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules. Structure is documented below.

Link copied to clipboard
val clusterAdmissionRules: Output<List<PolicyClusterAdmissionRuleArgs>>? = null

Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

Link copied to clipboard
val defaultAdmissionRule: Output<PolicyDefaultAdmissionRuleArgs>? = null

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

Link copied to clipboard
val description: Output<String>? = null

A descriptive comment.

Link copied to clipboard
val globalPolicyEvaluationMode: Output<String>? = null

Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values are: ENABLE, DISABLE.

Link copied to clipboard
val project: Output<String>? = null

The ID of the project in which the resource belongs. If it is not provided, the provider project is used. */