BinaryAuthorizationPolicy
Property | Value |
---|---|
Google Cloud Service Name | Binary Authorization |
Google Cloud Service Documentation | /binary-authorization/docs/ |
Google Cloud REST Resource Name | binaryauthorization/v1beta1/projects.policy |
Google Cloud REST Resource Documentation | /binary-authorization/docs/reference/rest/v1beta1/projects.policy |
Config Connector Resource Short Names | gcpbinaryauthorizationpolicy gcpbinaryauthorizationpolicies binaryauthorizationpolicy |
Config Connector Service Name | binaryauthorization.googleapis.com |
Config Connector Resource Fully Qualified Name | binaryauthorizationpolicies.binaryauthorization.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | Yes |
IAMPolicy/IAMPartialPolicy Supports Conditions | Yes |
IAMPolicyMember Supports Conditions | No |
Supports IAM Audit Configs | No |
IAM External Reference Format | projects/{{project}}/policy |
Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
```yaml
admissionWhitelistPatterns:
- namePattern: string
clusterAdmissionRules:
  string: object
defaultAdmissionRule:
  enforcementMode: string
  evaluationMode: string
  requireAttestationsBy:
  - external: string
    name: string
    namespace: string
description: string
globalPolicyEvaluationMode: string
istioServiceIdentityAdmissionRules:
  string: object
kubernetesNamespaceAdmissionRules:
  string: object
kubernetesServiceAccountAdmissionRules:
  string: object
projectRef:
  external: string
  name: string
  namespace: string
```
Fields | |
---|---|
`admissionWhitelistPatterns` (Optional) | Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies. |
`admissionWhitelistPatterns[]` (Optional) | |
`admissionWhitelistPatterns[].namePattern` (Optional) | An image name pattern to allowlist, in the form `registry/path/to/image`. This supports a trailing `*` as a wildcard, but this is allowed only in text after the `registry/` part. |
`clusterAdmissionRules` (Optional) | Optional. Per-cluster admission rules. Cluster spec format: `location.clusterId`. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters. |
`defaultAdmissionRule` (Required) | Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule. |
`defaultAdmissionRule.enforcementMode` (Required) | Required. The action when a pod creation is denied by the admission rule. Possible values: ENFORCEMENT_MODE_UNSPECIFIED, ENFORCED_BLOCK_AND_AUDIT_LOG, DRYRUN_AUDIT_LOG_ONLY |
`defaultAdmissionRule.evaluationMode` (Required) | Required. How this admission rule will be evaluated. Possible values: ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION |
`defaultAdmissionRule.requireAttestationsBy` (Optional) | |
`defaultAdmissionRule.requireAttestationsBy[]` (Optional) | |
`defaultAdmissionRule.requireAttestationsBy[].external` (Optional) | Allowed value: The Google Cloud resource name of a `BinaryAuthorizationAttestor` resource (format: `projects/{{project}}/attestors/{{name}}`). |
`defaultAdmissionRule.requireAttestationsBy[].name` (Optional) | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
`defaultAdmissionRule.requireAttestationsBy[].namespace` (Optional) | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
`description` (Optional) | Optional. A descriptive comment. |
`globalPolicyEvaluationMode` (Optional) | Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy. Possible values: GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED, ENABLE, DISABLE |
`istioServiceIdentityAdmissionRules` (Optional) | Optional. Per-istio-service-identity admission rules. Istio service identity spec format: `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or `<domain>/ns/<namespace>/sa/<serviceaccount>`, e.g. spiffe://example.com/ns/test-ns/sa/default |
`kubernetesNamespaceAdmissionRules` (Optional) | Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: `[a-z.-]+`, e.g. 'some-namespace' |
`kubernetesServiceAccountAdmissionRules` (Optional) | Optional. Per-kubernetes-service-account admission rules. Service account spec format: `namespace:serviceaccount`, e.g. 'test-ns:default' |
`projectRef` (Required) | Immutable. The Project that this resource belongs to. |
`projectRef.external` (Optional) | The project of the resource. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`). |
`projectRef.name` (Optional) | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
`projectRef.namespace` (Optional) | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
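An added worked example (Python; not part of this reference and not Config Connector or Binary Authorization code) that models the decision the fields above describe: the allowlist check with the `registry/` wildcard restriction, per-cluster rule lookup keyed by `location.clusterId` with fallback to `defaultAdmissionRule`, then `evaluationMode` and `enforcementMode`. It assumes an admission request is an image reference, a cluster key and the set of attestor names that have attested the image; the per-namespace, per-service-account and per-identity rule maps are left out, and an empty `requireAttestationsBy` list is treated as unsatisfiable, which this page does not state.

```python
# Added illustrative model of the admission decision described by the Spec
# fields above, not Binary Authorization's implementation (see lead-in).

def name_pattern_is_valid(pattern: str) -> bool:
    """A single trailing '*' is the only wildcard, and only after 'registry/'."""
    registry, _, path = pattern.partition("/")
    if "*" in registry:
        return False
    return "*" not in path or (path.count("*") == 1 and path.endswith("*"))


def name_pattern_matches(pattern: str, image: str) -> bool:
    """Trailing '*' matches any suffix; otherwise the reference must match exactly."""
    if not name_pattern_is_valid(pattern):
        raise ValueError(f"invalid namePattern: {pattern!r}")
    return image.startswith(pattern[:-1]) if pattern.endswith("*") else image == pattern


def select_rule(spec: dict, cluster: str) -> dict:
    """Per-cluster rule keyed by 'location.clusterId', else the required default."""
    return spec.get("clusterAdmissionRules", {}).get(cluster, spec["defaultAdmissionRule"])


def evaluate(spec: dict, image: str, cluster: str, attested_by: set) -> str:
    """Return 'ALLOW', 'DENY' or 'DRYRUN' (denied by the rule, but only audit-logged)."""
    # Allowlisted images are permitted before any admission rule is consulted.
    if any(name_pattern_matches(p["namePattern"], image)
           for p in spec.get("admissionWhitelistPatterns", [])):
        return "ALLOW"
    rule = select_rule(spec, cluster)
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        return "ALLOW"
    if mode == "REQUIRE_ATTESTATION":
        # Every listed attestor must have attested the image; an empty list is
        # treated as unsatisfiable here (assumption, not stated on this page).
        required = {a["name"] for a in rule.get("requireAttestationsBy", [])}
        if required and required <= attested_by:
            return "ALLOW"
    elif mode != "ALWAYS_DENY":
        raise ValueError(f"unknown evaluationMode: {mode!r}")
    # Denied by the rule: enforcementMode decides whether that blocks the pod
    # or is only written to the audit log.
    return "DRYRUN" if rule["enforcementMode"] == "DRYRUN_AUDIT_LOG_ONLY" else "DENY"


# Constructed policy: the "Cluster Policy" sample's spec, with the per-cluster
# rule switched to DRYRUN_AUDIT_LOG_ONLY so both enforcement modes are exercised.
ATTESTORS = [{"name": "binaryauthorizationpolicy-dep-cluster"}]
SAMPLE_SPEC = {
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/*"}],
    "clusterAdmissionRules": {
        "us-west1-a.test-cluster": {"evaluationMode": "REQUIRE_ATTESTATION",
                                    "requireAttestationsBy": ATTESTORS,
                                    "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY"},
    },
    "defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION",
                             "requireAttestationsBy": ATTESTORS,
                             "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
}
```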
Status
Schema
```yaml
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
observedGeneration: integer
selfLink: string
updateTime: string
```
Fields | |
---|---|
`conditions` | Conditions represent the latest available observation of the resource's current state. |
`conditions[]` | |
`conditions[].lastTransitionTime` | Last time the condition transitioned from one status to another. |
`conditions[].message` | Human-readable message indicating details about last transition. |
`conditions[].reason` | Unique, one-word, CamelCase reason for the condition's last transition. |
`conditions[].status` | Status is the status of the condition. Can be True, False, Unknown. |
`conditions[].type` | Type is the type of the condition. |
`observedGeneration` | ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
`selfLink` | Output only. The resource name, in the format `projects/*/policy`. There is at most one policy per project. |
`updateTime` | Output only. Time when the policy was last updated. |
Sample YAML(s)
Cluster Policy
```yaml
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/*"
  clusterAdmissionRules:
    us-west1-a.test-cluster:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-cluster
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  defaultAdmissionRule:
    evaluationMode: "REQUIRE_ATTESTATION"
    requireAttestationsBy:
      - name: binaryauthorizationpolicy-dep-cluster
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  description: A sample Binary Authorization policy with a cluster admission rule
  globalPolicyEvaluationMode: DISABLE
---
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationAttestor
metadata:
  name: binaryauthorizationpolicy-dep-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  description: A sample binary authorization attestor.
  userOwnedDrydockNote:
    noteRef:
      name: binaryauthorizationpolicy-dep-cluster
---
apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: binaryauthorizationpolicy-dep-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  package:
    name: test-package
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: binauthzpolicy-dep-cluster
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep1-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  resourceID: containeranalysis.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep2-cluster
spec:
  projectRef:
    name: binauthzpolicy-dep-cluster
  resourceID: binaryauthorization.googleapis.com
```
Default Policy
```yaml
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-default
spec:
  projectRef:
    name: binauthpolicy-dep-default
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/google_containers/*"
    - namePattern: "gcr.io/google-containers/*"
    - namePattern: "registry.k8s.io/*"
    - namePattern: "gke.gcr.io/*"
    - namePattern: "gcr.io/stackdriver-agents/*"
  defaultAdmissionRule:
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
    evaluationMode: "ALWAYS_ALLOW"
  globalPolicyEvaluationMode: ENABLE
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  annotations:
    cnrm.cloud.google.com/auto-create-network: "false"
  name: binauthpolicy-dep-default
spec:
  name: Config Connector Sample
  folderRef:
    # Replace "${FOLDER_ID?}" with the numeric ID of the parent folder
    external: "${FOLDER_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/project-id: binauthpolicy-dep-default
  name: binaryauthorizationpolicy-dep-default
spec:
  resourceID: binaryauthorization.googleapis.com
```
Namespace Policy
```yaml
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/*"
  kubernetesNamespaceAdmissionRules:
    test-namespace:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-namespace
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  defaultAdmissionRule:
    evaluationMode: "REQUIRE_ATTESTATION"
    requireAttestationsBy:
      - name: binaryauthorizationpolicy-dep-namespace
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  description: A sample Binary Authorization policy
  globalPolicyEvaluationMode: DISABLE
---
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationAttestor
metadata:
  name: binaryauthorizationpolicy-dep-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  description: A sample binary authorization attestor.
  userOwnedDrydockNote:
    noteRef:
      name: binaryauthorizationpolicy-dep-namespace
---
apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: binaryauthorizationpolicy-dep-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  package:
    name: test-package
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: binauthzpolicy-dep-namespace
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep1-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  resourceID: containeranalysis.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep2-namespace
spec:
  projectRef:
    name: binauthzpolicy-dep-namespace
  resourceID: binaryauthorization.googleapis.com
```
Service Account Policy
```yaml
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/*"
  kubernetesServiceAccountAdmissionRules:
    test-namespace:default:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-serviceaccount
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  defaultAdmissionRule:
    evaluationMode: "REQUIRE_ATTESTATION"
    requireAttestationsBy:
      - name: binaryauthorizationpolicy-dep-serviceaccount
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  description: A sample Binary Authorization policy
  globalPolicyEvaluationMode: DISABLE
---
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationAttestor
metadata:
  name: binaryauthorizationpolicy-dep-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  description: A sample binary authorization attestor.
  userOwnedDrydockNote:
    noteRef:
      name: binaryauthorizationpolicy-dep-serviceaccount
---
apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: binaryauthorizationpolicy-dep-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  package:
    name: test-package
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: binauthzpolicy-dep-sa
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep1-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  resourceID: containeranalysis.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep2-serviceaccount
spec:
  projectRef:
    name: binauthzpolicy-dep-sa
  resourceID: binaryauthorization.googleapis.com
```
Service Identity Policy
```yaml
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationPolicy
metadata:
  name: binaryauthorizationpolicy-sample-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  admissionWhitelistPatterns:
    - namePattern: "gcr.io/*"
  istioServiceIdentityAdmissionRules:
    spiffe://example.com/ns/test-ns/sa/default:
      evaluationMode: "REQUIRE_ATTESTATION"
      requireAttestationsBy:
        - name: binaryauthorizationpolicy-dep-serviceidentity
      enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  defaultAdmissionRule:
    evaluationMode: "REQUIRE_ATTESTATION"
    requireAttestationsBy:
      - name: binaryauthorizationpolicy-dep-serviceidentity
    enforcementMode: "ENFORCED_BLOCK_AND_AUDIT_LOG"
  description: A sample Binary Authorization policy
  globalPolicyEvaluationMode: DISABLE
---
apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationAttestor
metadata:
  name: binaryauthorizationpolicy-dep-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  description: A sample binary authorization attestor.
  userOwnedDrydockNote:
    noteRef:
      name: binaryauthorizationpolicy-dep-serviceidentity
---
apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: binaryauthorizationpolicy-dep-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  package:
    name: test-package
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: binauthzpolicy-dep-si
spec:
  name: Config Connector Sample
  organizationRef:
    # Replace "${ORG_ID?}" with the numeric ID for your organization
    external: "${ORG_ID?}"
  billingAccountRef:
    # Replace "${BILLING_ACCOUNT_ID?}" with the numeric ID for your billing account
    external: "${BILLING_ACCOUNT_ID?}"
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep1-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  resourceID: containeranalysis.googleapis.com
---
apiVersion: serviceusage.cnrm.cloud.google.com/v1beta1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/disable-dependent-services: "false"
  name: binaryauthorizationpolicy-dep2-serviceidentity
spec:
  projectRef:
    name: binauthzpolicy-dep-si
  resourceID: binaryauthorization.googleapis.com
```