pulumi-gcp-kotlin/com.pulumi.gcp.binaryauthorization.kotlin/Policy

Policy

class Policy : KotlinCustomResource

A policy for container image binary authorization. To get more information about Policy, see:

Example Usage

Binary Authorization Policy Basic

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.Note;
import com.pulumi.gcp.containeranalysis.NoteArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
import com.pulumi.gcp.binaryauthorization.Attestor;
import com.pulumi.gcp.binaryauthorization.AttestorArgs;
import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
import com.pulumi.gcp.binaryauthorization.Policy;
import com.pulumi.gcp.binaryauthorization.PolicyArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyAdmissionWhitelistPatternArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyClusterAdmissionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var note = new Note("note", NoteArgs.builder()
            .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                .hint(NoteAttestationAuthorityHintArgs.builder()
                    .humanReadableName("My attestor")
                    .build())
                .build())
            .build());
        var attestor = new Attestor("attestor", AttestorArgs.builder()
            .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                .noteReference(note.name())
                .build())
            .build());
        var policy = new Policy("policy", PolicyArgs.builder()
            .admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
                .namePattern("gcr.io/google_containers/*")
                .build())
            .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                .evaluationMode("ALWAYS_ALLOW")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .build())
            .clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
                .cluster("us-central1-a.prod-cluster")
                .evaluationMode("REQUIRE_ATTESTATION")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .requireAttestationsBies(attestor.name())
                .build())
            .build());
    }
}
Content copied to clipboard

Binary Authorization Policy Global Evaluation

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.Note;
import com.pulumi.gcp.containeranalysis.NoteArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
import com.pulumi.gcp.binaryauthorization.Attestor;
import com.pulumi.gcp.binaryauthorization.AttestorArgs;
import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
import com.pulumi.gcp.binaryauthorization.Policy;
import com.pulumi.gcp.binaryauthorization.PolicyArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var note = new Note("note", NoteArgs.builder()
            .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                .hint(NoteAttestationAuthorityHintArgs.builder()
                    .humanReadableName("My attestor")
                    .build())
                .build())
            .build());
        var attestor = new Attestor("attestor", AttestorArgs.builder()
            .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                .noteReference(note.name())
                .build())
            .build());
        var policy = new Policy("policy", PolicyArgs.builder()
            .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                .evaluationMode("REQUIRE_ATTESTATION")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .requireAttestationsBies(attestor.name())
                .build())
            .globalPolicyEvaluationMode("ENABLE")
            .build());
    }
}
Content copied to clipboard

Import

Policy can be imported using any of these accepted formats

$ pulumi import gcp:binaryauthorization/policy:Policy default projects/{{project}}
Content copied to clipboard
$ pulumi import gcp:binaryauthorization/policy:Policy default {{project}}
Content copied to clipboard

*/

Properties

Link copied to clipboard
val admissionWhitelistPatterns: Output<List<PolicyAdmissionWhitelistPattern>>?

A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules. Structure is documented below.

Link copied to clipboard
val clusterAdmissionRules: Output<List<PolicyClusterAdmissionRule>>?

Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: {{location}}.{{clusterId}}. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). Structure is documented below.

Link copied to clipboard
val defaultAdmissionRule: Output<PolicyDefaultAdmissionRule>

Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

Link copied to clipboard
val description: Output<String>?

A descriptive comment.

Link copied to clipboard
val globalPolicyEvaluationMode: Output<String>

Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values are: ENABLE, DISABLE.

Link copied to clipboard
val id: Output<String>
Link copied to clipboard
val project: Output<String>

The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

Link copied to clipboard
val pulumiChildResources: Set<KotlinResource>
Link copied to clipboard
Link copied to clipboard
Link copied to clipboard
val urn: Output<String>