terraform-provider-google/website/docs/r/binaryauthorization_policy.html.markdown
The Magician 3ff7ccca7c Add Policy, Attestor, and Note resources for Binary Authorization (#1885)
<!-- This change is generated by MagicModules. -->
/cc @danawillow
2018-08-20 16:46:13 -07:00


---
layout: "google"
page_title: "Google: google_binary_authorization_policy"
sidebar_current: "docs-google-binary-authorization-policy"
description: |-
  A policy for container image binary authorization.
---

# google\_binary\_authorization\_policy

A policy for container image binary authorization.

To get more information about Policy, see:

## Example Usage

```hcl
# The Container Analysis note that attestations for this attestor are attached to.
resource "google_container_analysis_note" "note" {
  name = "test-attestor-note"
  attestation_authority {
    hint {
      human_readable_name = "My attestor"
    }
  }
}

# The attestor whose signed attestations the policy will require.
resource "google_binary_authorization_attestor" "attestor" {
  name = "test-attestor"
  attestation_authority_note {
    note_reference = "${google_container_analysis_note.note.name}"
  }
}

resource "google_binary_authorization_policy" "policy" {
  # Images matching this pattern are admitted without evaluating any rule.
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }

  # Applies to every cluster that has no per-cluster rule below.
  default_admission_rule {
    evaluation_mode  = "ALWAYS_ALLOW"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }

  # The production cluster only admits images attested by the attestor above.
  cluster_admission_rules {
    cluster                 = "us-central1-a.prod-cluster"
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
  }
}
```

## Argument Reference

The following arguments are supported:

* `default_admission_rule` - (Required) Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.

* `description` - (Optional) A descriptive comment.

* `admission_whitelist_patterns` - (Optional) Admission policy whitelisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies. Structure is documented below.

* `cluster_admission_rules` - (Optional) Per-cluster admission rules. A rule listed here replaces the `default_admission_rule` for the named cluster only; clusters without a rule fall back to the default. Structure is documented below.

* `project` - (Optional) The ID of the project in which the resource belongs. If it is not provided, the provider project is used.

The `default_admission_rule` block supports:

* `evaluation_mode` - (Required) How this admission rule will be evaluated, for example `ALWAYS_ALLOW` or `REQUIRE_ATTESTATION` as in the example above.

* `require_attestations_by` - (Optional) The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.

* `enforcement_mode` - (Required) The action when a pod creation is denied by the admission rule.

The `admission_whitelist_patterns` block supports:

* `name_pattern` - (Optional) An image name pattern to whitelist, in the form `registry/path/to/image`. This supports a trailing `*` as a wildcard, but this is allowed only in text after the `registry/` part.

The `cluster_admission_rules` block supports:

* `cluster` - (Required) The cluster this rule applies to, in the form `location.cluster-name` (for example `us-central1-a.prod-cluster` in the example above).

* `evaluation_mode` - (Optional) How this admission rule will be evaluated, for example `ALWAYS_ALLOW` or `REQUIRE_ATTESTATION` as in the example above.

* `require_attestations_by` - (Optional) The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format `projects/*/attestors/*`. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the `evaluation_mode` field specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.

* `enforcement_mode` - (Optional) The action when a pod creation is denied by the admission rule.
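The constraints in the argument reference (an attestor list that is non-empty exactly when `evaluation_mode` is `REQUIRE_ATTESTATION`, the `projects/*/attestors/*` form for cross-project attestors, and a `*` wildcard that is only valid at the end of a `name_pattern` and only after the `registry/` part) are easy to get wrong and only surface at apply time or, worse, as an unexpectedly admitted image. The following linter is an added example, not part of these docs or of the provider's own code: it checks a policy written as a plain Python dict, whose shape, the `EXAMPLE_POLICY` constant, and the `image_is_whitelisted` matcher (assumed here to treat a trailing `*` as a plain prefix match) are all constructed for this example.

```python
# Added example (not the provider's code): a pre-apply linter for a Binary
# Authorization policy expressed as a plain dict. It encodes the constraints
# stated in the argument reference above.
import re

# Full attestor resource name, required for attestors in another project.
ATTESTOR_RESOURCE_NAME = re.compile(r"^projects/[^/]+/attestors/[^/]+$")


def check_admission_rule(rule, where):
    """Return problems for one admission rule (default or per-cluster)."""
    problems = []
    mode = rule.get("evaluation_mode")
    attestors = rule.get("require_attestations_by") or []
    if mode == "REQUIRE_ATTESTATION" and not attestors:
        problems.append(f"{where}: REQUIRE_ATTESTATION needs a non-empty require_attestations_by")
    if mode != "REQUIRE_ATTESTATION" and attestors:
        problems.append(f"{where}: require_attestations_by must be empty unless "
                        "evaluation_mode is REQUIRE_ATTESTATION")
    for ref in attestors:
        # A bare name is resolved in the policy's own project; anything with a
        # slash must be the full projects/*/attestors/* resource name.
        if "/" in ref and not ATTESTOR_RESOURCE_NAME.match(ref):
            problems.append(f"{where}: attestor {ref!r} is neither a bare name nor projects/*/attestors/*")
    return problems


def check_name_pattern(pattern):
    """A '*' may appear only as the last character, and only after registry/."""
    problems = []
    if "*" in pattern:
        star = pattern.index("*")
        if star != len(pattern) - 1:
            problems.append(f"name_pattern {pattern!r}: '*' is only supported as a trailing wildcard")
        elif "/" not in pattern[:star]:
            problems.append(f"name_pattern {pattern!r}: the wildcard must follow the registry/ part")
    return problems


def check_policy(policy):
    """Run every check over a policy dict; an empty list means it is consistent."""
    problems = []
    for entry in policy.get("admission_whitelist_patterns", []):
        problems += check_name_pattern(entry["name_pattern"])
    problems += check_admission_rule(policy["default_admission_rule"], "default_admission_rule")
    for rule in policy.get("cluster_admission_rules", []):
        if not rule.get("cluster"):
            problems.append("cluster_admission_rules: every rule needs a cluster")
        problems += check_admission_rule(rule, f"cluster_admission_rules[{rule.get('cluster')}]")
    return problems


def image_is_whitelisted(image, patterns):
    """Assumed matching for the example: exact match, or prefix match when the pattern ends in '*'."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if image.startswith(pattern[:-1]):
                return True
        elif image == pattern:
            return True
    return False


# Constructed policy mirroring the Example Usage above (attestor referenced by bare name).
EXAMPLE_POLICY = {
    "admission_whitelist_patterns": [{"name_pattern": "gcr.io/google_containers/*"}],
    "default_admission_rule": {
        "evaluation_mode": "ALWAYS_ALLOW",
        "enforcement_mode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
    "cluster_admission_rules": [{
        "cluster": "us-central1-a.prod-cluster",
        "evaluation_mode": "REQUIRE_ATTESTATION",
        "enforcement_mode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "require_attestations_by": ["test-attestor"],
    }],
}

if __name__ == "__main__":
    for problem in check_policy(EXAMPLE_POLICY):
        print("problem:", problem)
    print("example policy consistent:", not check_policy(EXAMPLE_POLICY))
```

Running the script against `EXAMPLE_POLICY` reports no problems; dropping `require_attestations_by` from the production cluster rule, or writing a pattern such as `gcr.*/foo`, produces one finding each. Because a whitelisted pattern bypasses every admission rule, reviewing the patterns a policy carries (and what `image_is_whitelisted` admits under them) is the check most worth running before `terraform apply`.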

## Import

Policy can be imported using any of these accepted formats:

```
$ terraform import google_binary_authorization_policy.default projects/{{project}}
$ terraform import google_binary_authorization_policy.default {{project}}
```