docs/dyn/binaryauthorization_v1beta1.projects.html - platform/external/python/google-api-python-client - Git at Google

 <html><body>
 <style>

 body, h1, h2, h3, div, span, p, pre, a {
   margin: 0;
   padding: 0;
   border: 0;
   font-weight: inherit;
   font-style: inherit;
   font-size: 100%;
   font-family: inherit;
   vertical-align: baseline;
 }

 body {
   font-size: 13px;
   padding: 1em;
 }

 h1 {
   font-size: 26px;
   margin-bottom: 1em;
 }

 h2 {
   font-size: 24px;
   margin-bottom: 1em;
 }

 h3 {
   font-size: 20px;
   margin-bottom: 1em;
   margin-top: 1em;
 }

 pre, code {
   line-height: 1.5;
   font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
 }

 pre {
   margin-top: 0.5em;
 }

 h1, h2, h3, p {
   font-family: Arial, sans serif;
 }

 h1, h2, h3 {
   border-bottom: solid #CCC 1px;
 }

 .toc_element {
   margin-top: 0.5em;
 }

 .firstline {
   margin-left: 2 em;
 }

 .method  {
   margin-top: 1em;
   border: solid 1px #CCC;
   padding: 1em;
   background: #EEE;
 }

 .details {
   font-weight: bold;
   font-size: 14px;
 }

 </style>

 <h1><a href="binaryauthorization_v1beta1.html">Binary Authorization API</a> . <a href="binaryauthorization_v1beta1.projects.html">projects</a></h1>
 <h2>Instance Methods</h2>
 <p class="toc_element">
   <code><a href="binaryauthorization_v1beta1.projects.attestors.html">attestors()</a></code>
 </p>
 <p class="firstline">Returns the attestors Resource.</p>

 <p class="toc_element">
   <code><a href="binaryauthorization_v1beta1.projects.policy.html">policy()</a></code>
 </p>
 <p class="firstline">Returns the policy Resource.</p>

 <p class="toc_element">
   <code><a href="#getPolicy">getPolicy(name, x__xgafv=None)</a></code></p>
 <p class="firstline">A policy specifies the attestors that must attest to</p>
 <p class="toc_element">
   <code><a href="#updatePolicy">updatePolicy(name, body, x__xgafv=None)</a></code></p>
 <p class="firstline">Creates or updates a project's policy, and returns a copy of the</p>
 <h3>Method Details</h3>
 <div class="method">
     <code class="details" id="getPolicy">getPolicy(name, x__xgafv=None)</code>
   <pre>A policy specifies the attestors that must attest to
 a container image, before the project is allowed to deploy that
 image. There is at most one policy per project. All image admission
 requests are permitted if a project has no policy.

 Gets the policy for this project. Returns a default
 policy if the project does not have one.

 Args:
   name: string, Required. The resource name of the policy to retrieve,
 in the format `projects/*/policy`. (required)
   x__xgafv: string, V1 error format.
     Allowed values
       1 - v1 error format
       2 - v2 error format

 Returns:
   An object of the form:

     { # A policy for container image binary authorization.
     "updateTime": "A String", # Output only. Time when the policy was last updated.
     "description": "A String", # Optional. A descriptive comment.
     "defaultAdmissionRule": { # An admission rule specifies either that all container images # Required. Default admission rule for a cluster without a per-cluster, per-
         # kubernetes-service-account, or per-istio-service-identity admission rule.
         # used in a pod creation request must be attested to by one or more
         # attestors, that all pod creations will be allowed, or that all
         # pod creations will be denied.
         #
         # Images matching an admission whitelist pattern
         # are exempted from admission rules and will never block a pod creation.
       "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
       "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
           # a container image, in the format `projects/*/attestors/*`. Each
           # attestor must exist before a policy can reference it.  To add an attestor
           # to a policy the principal issuing the policy change request must be able
           # to read the attestor resource.
           #
           # Note: this field must be non-empty when the evaluation_mode field specifies
           # REQUIRE_ATTESTATION, otherwise it must be empty.
         "A String",
       ],
       "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
     },
     "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
         # always be permitted. This feature is typically used to exclude Google or
         # third-party infrastructure images from Binary Authorization policies.
       { # An admission whitelist pattern exempts images
           # from checks by admission rules.
         "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
             # This supports a trailing `*` as a wildcard, but this is allowed only in
             # text after the `registry/` part.
       },
     ],
     "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
         # policy for common system-level images. Images not covered by the global
         # policy will be subject to the project admission policy. This setting
         # has no effect when specified inside a global admission policy.
     "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
         # `location.clusterId`. There can be at most one admission rule per cluster
         # spec.
         # A `location` is either a compute zone (e.g. us-central1-a) or a region
         # (e.g. us-central1).
         # For `clusterId` syntax restrictions see
         # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
       "a_key": { # An admission rule specifies either that all container images
           # used in a pod creation request must be attested to by one or more
           # attestors, that all pod creations will be allowed, or that all
           # pod creations will be denied.
           #
           # Images matching an admission whitelist pattern
           # are exempted from admission rules and will never block a pod creation.
         "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
         "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
             # a container image, in the format `projects/*/attestors/*`. Each
             # attestor must exist before a policy can reference it.  To add an attestor
             # to a policy the principal issuing the policy change request must be able
             # to read the attestor resource.
             #
             # Note: this field must be non-empty when the evaluation_mode field specifies
             # REQUIRE_ATTESTATION, otherwise it must be empty.
           "A String",
         ],
         "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
       },
     },
     "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
         # at most one policy per project.
   }</pre>
 </div>

 <div class="method">
     <code class="details" id="updatePolicy">updatePolicy(name, body, x__xgafv=None)</code>
   <pre>Creates or updates a project's policy, and returns a copy of the
 new policy. A policy is always updated as a whole, to avoid race
 conditions with concurrent policy enforcement (or management!)
 requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
 if the request is malformed.

 Args:
   name: string, Output only. The resource name, in the format `projects/*/policy`. There is
 at most one policy per project. (required)
   body: object, The request body. (required)
     The object takes the form of:

 { # A policy for container image binary authorization.
   "updateTime": "A String", # Output only. Time when the policy was last updated.
   "description": "A String", # Optional. A descriptive comment.
   "defaultAdmissionRule": { # An admission rule specifies either that all container images # Required. Default admission rule for a cluster without a per-cluster, per-
       # kubernetes-service-account, or per-istio-service-identity admission rule.
       # used in a pod creation request must be attested to by one or more
       # attestors, that all pod creations will be allowed, or that all
       # pod creations will be denied.
       #
       # Images matching an admission whitelist pattern
       # are exempted from admission rules and will never block a pod creation.
     "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
     "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
         # a container image, in the format `projects/*/attestors/*`. Each
         # attestor must exist before a policy can reference it.  To add an attestor
         # to a policy the principal issuing the policy change request must be able
         # to read the attestor resource.
         #
         # Note: this field must be non-empty when the evaluation_mode field specifies
         # REQUIRE_ATTESTATION, otherwise it must be empty.
       "A String",
     ],
     "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
   },
   "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
       # always be permitted. This feature is typically used to exclude Google or
       # third-party infrastructure images from Binary Authorization policies.
     { # An admission whitelist pattern exempts images
         # from checks by admission rules.
       "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
           # This supports a trailing `*` as a wildcard, but this is allowed only in
           # text after the `registry/` part.
     },
   ],
   "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
       # policy for common system-level images. Images not covered by the global
       # policy will be subject to the project admission policy. This setting
       # has no effect when specified inside a global admission policy.
   "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
       # `location.clusterId`. There can be at most one admission rule per cluster
       # spec.
       # A `location` is either a compute zone (e.g. us-central1-a) or a region
       # (e.g. us-central1).
       # For `clusterId` syntax restrictions see
       # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
     "a_key": { # An admission rule specifies either that all container images
         # used in a pod creation request must be attested to by one or more
         # attestors, that all pod creations will be allowed, or that all
         # pod creations will be denied.
         #
         # Images matching an admission whitelist pattern
         # are exempted from admission rules and will never block a pod creation.
       "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
       "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
           # a container image, in the format `projects/*/attestors/*`. Each
           # attestor must exist before a policy can reference it.  To add an attestor
           # to a policy the principal issuing the policy change request must be able
           # to read the attestor resource.
           #
           # Note: this field must be non-empty when the evaluation_mode field specifies
           # REQUIRE_ATTESTATION, otherwise it must be empty.
         "A String",
       ],
       "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
     },
   },
   "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
       # at most one policy per project.
 }

   x__xgafv: string, V1 error format.
     Allowed values
       1 - v1 error format
       2 - v2 error format

 Returns:
   An object of the form:

     { # A policy for container image binary authorization.
     "updateTime": "A String", # Output only. Time when the policy was last updated.
     "description": "A String", # Optional. A descriptive comment.
     "defaultAdmissionRule": { # An admission rule specifies either that all container images # Required. Default admission rule for a cluster without a per-cluster, per-
         # kubernetes-service-account, or per-istio-service-identity admission rule.
         # used in a pod creation request must be attested to by one or more
         # attestors, that all pod creations will be allowed, or that all
         # pod creations will be denied.
         #
         # Images matching an admission whitelist pattern
         # are exempted from admission rules and will never block a pod creation.
       "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
       "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
           # a container image, in the format `projects/*/attestors/*`. Each
           # attestor must exist before a policy can reference it.  To add an attestor
           # to a policy the principal issuing the policy change request must be able
           # to read the attestor resource.
           #
           # Note: this field must be non-empty when the evaluation_mode field specifies
           # REQUIRE_ATTESTATION, otherwise it must be empty.
         "A String",
       ],
       "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
     },
     "admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
         # always be permitted. This feature is typically used to exclude Google or
         # third-party infrastructure images from Binary Authorization policies.
       { # An admission whitelist pattern exempts images
           # from checks by admission rules.
         "namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
             # This supports a trailing `*` as a wildcard, but this is allowed only in
             # text after the `registry/` part.
       },
     ],
     "globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
         # policy for common system-level images. Images not covered by the global
         # policy will be subject to the project admission policy. This setting
         # has no effect when specified inside a global admission policy.
     "clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
         # `location.clusterId`. There can be at most one admission rule per cluster
         # spec.
         # A `location` is either a compute zone (e.g. us-central1-a) or a region
         # (e.g. us-central1).
         # For `clusterId` syntax restrictions see
         # https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
       "a_key": { # An admission rule specifies either that all container images
           # used in a pod creation request must be attested to by one or more
           # attestors, that all pod creations will be allowed, or that all
           # pod creations will be denied.
           #
           # Images matching an admission whitelist pattern
           # are exempted from admission rules and will never block a pod creation.
         "enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
         "requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
             # a container image, in the format `projects/*/attestors/*`. Each
             # attestor must exist before a policy can reference it.  To add an attestor
             # to a policy the principal issuing the policy change request must be able
             # to read the attestor resource.
             #
             # Note: this field must be non-empty when the evaluation_mode field specifies
             # REQUIRE_ATTESTATION, otherwise it must be empty.
           "A String",
         ],
         "evaluationMode": "A String", # Required. How this admission rule will be evaluated.
       },
     },
     "name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
         # at most one policy per project.
   }</pre>
 </div>

 </body></html>
	<html><body>
	<style>

	body, h1, h2, h3, div, span, p, pre, a {
	margin: 0;
	padding: 0;
	border: 0;
	font-weight: inherit;
	font-style: inherit;
	font-size: 100%;
	font-family: inherit;
	vertical-align: baseline;
	}

	body {
	font-size: 13px;
	padding: 1em;
	}

	h1 {
	font-size: 26px;
	margin-bottom: 1em;
	}

	h2 {
	font-size: 24px;
	margin-bottom: 1em;
	}

	h3 {
	font-size: 20px;
	margin-bottom: 1em;
	margin-top: 1em;
	}

	pre, code {
	line-height: 1.5;
	font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
	}

	pre {
	margin-top: 0.5em;
	}

	h1, h2, h3, p {
	font-family: Arial, sans serif;
	}

	h1, h2, h3 {
	border-bottom: solid #CCC 1px;
	}

	.toc_element {
	margin-top: 0.5em;
	}

	.firstline {
	margin-left: 2 em;
	}

	.method {
	margin-top: 1em;
	border: solid 1px #CCC;
	padding: 1em;
	background: #EEE;
	}

	.details {
	font-weight: bold;
	font-size: 14px;
	}

	</style>

	<h1><a href="binaryauthorization_v1beta1.html">Binary Authorization API</a> . <a href="binaryauthorization_v1beta1.projects.html">projects</a></h1>
	<h2>Instance Methods</h2>
	<p class="toc_element">
	<code><a href="binaryauthorization_v1beta1.projects.attestors.html">attestors()</a></code>
	</p>
	<p class="firstline">Returns the attestors Resource.</p>

	<p class="toc_element">
	<code><a href="binaryauthorization_v1beta1.projects.policy.html">policy()</a></code>
	</p>
	<p class="firstline">Returns the policy Resource.</p>

	<p class="toc_element">
	<code><a href="#getPolicy">getPolicy(name, x__xgafv=None)</a></code></p>
	<p class="firstline">A policy specifies the attestors that must attest to</p>
	<p class="toc_element">
	<code><a href="#updatePolicy">updatePolicy(name, body, x__xgafv=None)</a></code></p>
	<p class="firstline">Creates or updates a project's policy, and returns a copy of the</p>
	<h3>Method Details</h3>
	<div class="method">
	<code class="details" id="getPolicy">getPolicy(name, x__xgafv=None)</code>
	<pre>A policy specifies the attestors that must attest to
	a container image, before the project is allowed to deploy that
	image. There is at most one policy per project. All image admission
	requests are permitted if a project has no policy.

	Gets the policy for this project. Returns a default
	policy if the project does not have one.

	Args:
	name: string, Required. The resource name of the policy to retrieve,
	in the format `projects/*/policy`. (required)
	x__xgafv: string, V1 error format.
	Allowed values
	1 - v1 error format
	2 - v2 error format

	Returns:
	An object of the form:

	{ # A policy for container image binary authorization.
	"updateTime": "A String", # Output only. Time when the policy was last updated.
	"description": "A String", # Optional. A descriptive comment.
	"defaultAdmissionRule": { # An admission rule specifies either that all container images # Required. Default admission rule for a cluster without a per-cluster, per-
	# kubernetes-service-account, or per-istio-service-identity admission rule.
	# used in a pod creation request must be attested to by one or more
	# attestors, that all pod creations will be allowed, or that all
	# pod creations will be denied.
	#
	# Images matching an admission whitelist pattern
	# are exempted from admission rules and will never block a pod creation.
	"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
	"requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
	# a container image, in the format `projects//attestors/`. Each
	# attestor must exist before a policy can reference it. To add an attestor
	# to a policy the principal issuing the policy change request must be able
	# to read the attestor resource.
	#
	# Note: this field must be non-empty when the evaluation_mode field specifies
	# REQUIRE_ATTESTATION, otherwise it must be empty.
	"A String",
	],
	"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
	},
	"admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
	# always be permitted. This feature is typically used to exclude Google or
	# third-party infrastructure images from Binary Authorization policies.
	{ # An admission whitelist pattern exempts images
	# from checks by admission rules.
	"namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
	# This supports a trailing `*` as a wildcard, but this is allowed only in
	# text after the `registry/` part.
	},
	],
	"globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
	# policy for common system-level images. Images not covered by the global
	# policy will be subject to the project admission policy. This setting
	# has no effect when specified inside a global admission policy.
	"clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
	# `location.clusterId`. There can be at most one admission rule per cluster
	# spec.
	# A `location` is either a compute zone (e.g. us-central1-a) or a region
	# (e.g. us-central1).
	# For `clusterId` syntax restrictions see
	# https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
	"a_key": { # An admission rule specifies either that all container images
	# used in a pod creation request must be attested to by one or more
	# attestors, that all pod creations will be allowed, or that all
	# pod creations will be denied.
	#
	# Images matching an admission whitelist pattern
	# are exempted from admission rules and will never block a pod creation.
	"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
	"requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
	# a container image, in the format `projects//attestors/`. Each
	# attestor must exist before a policy can reference it. To add an attestor
	# to a policy the principal issuing the policy change request must be able
	# to read the attestor resource.
	#
	# Note: this field must be non-empty when the evaluation_mode field specifies
	# REQUIRE_ATTESTATION, otherwise it must be empty.
	"A String",
	],
	"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
	},
	},
	"name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
	# at most one policy per project.
	}</pre>
	</div>

	<div class="method">
	<code class="details" id="updatePolicy">updatePolicy(name, body, x__xgafv=None)</code>
	<pre>Creates or updates a project's policy, and returns a copy of the
	new policy. A policy is always updated as a whole, to avoid race
	conditions with concurrent policy enforcement (or management!)
	requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
	if the request is malformed.

	Args:
	name: string, Output only. The resource name, in the format `projects/*/policy`. There is
	at most one policy per project. (required)
	body: object, The request body. (required)
	The object takes the form of:

	{ # A policy for container image binary authorization.
	"updateTime": "A String", # Output only. Time when the policy was last updated.
	"description": "A String", # Optional. A descriptive comment.
	"defaultAdmissionRule": { # An admission rule specifies either that all container images # Required. Default admission rule for a cluster without a per-cluster, per-
	# kubernetes-service-account, or per-istio-service-identity admission rule.
	# used in a pod creation request must be attested to by one or more
	# attestors, that all pod creations will be allowed, or that all
	# pod creations will be denied.
	#
	# Images matching an admission whitelist pattern
	# are exempted from admission rules and will never block a pod creation.
	"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
	"requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
	# a container image, in the format `projects//attestors/`. Each
	# attestor must exist before a policy can reference it. To add an attestor
	# to a policy the principal issuing the policy change request must be able
	# to read the attestor resource.
	#
	# Note: this field must be non-empty when the evaluation_mode field specifies
	# REQUIRE_ATTESTATION, otherwise it must be empty.
	"A String",
	],
	"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
	},
	"admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
	# always be permitted. This feature is typically used to exclude Google or
	# third-party infrastructure images from Binary Authorization policies.
	{ # An admission whitelist pattern exempts images
	# from checks by admission rules.
	"namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
	# This supports a trailing `*` as a wildcard, but this is allowed only in
	# text after the `registry/` part.
	},
	],
	"globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
	# policy for common system-level images. Images not covered by the global
	# policy will be subject to the project admission policy. This setting
	# has no effect when specified inside a global admission policy.
	"clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
	# `location.clusterId`. There can be at most one admission rule per cluster
	# spec.
	# A `location` is either a compute zone (e.g. us-central1-a) or a region
	# (e.g. us-central1).
	# For `clusterId` syntax restrictions see
	# https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
	"a_key": { # An admission rule specifies either that all container images
	# used in a pod creation request must be attested to by one or more
	# attestors, that all pod creations will be allowed, or that all
	# pod creations will be denied.
	#
	# Images matching an admission whitelist pattern
	# are exempted from admission rules and will never block a pod creation.
	"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
	"requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
	# a container image, in the format `projects//attestors/`. Each
	# attestor must exist before a policy can reference it. To add an attestor
	# to a policy the principal issuing the policy change request must be able
	# to read the attestor resource.
	#
	# Note: this field must be non-empty when the evaluation_mode field specifies
	# REQUIRE_ATTESTATION, otherwise it must be empty.
	"A String",
	],
	"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
	},
	},
	"name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
	# at most one policy per project.
	}

	x__xgafv: string, V1 error format.
	Allowed values
	1 - v1 error format
	2 - v2 error format

	Returns:
	An object of the form:

	{ # A policy for container image binary authorization.
	"updateTime": "A String", # Output only. Time when the policy was last updated.
	"description": "A String", # Optional. A descriptive comment.
	"defaultAdmissionRule": { # An admission rule specifies either that all container images # Required. Default admission rule for a cluster without a per-cluster, per-
	# kubernetes-service-account, or per-istio-service-identity admission rule.
	# used in a pod creation request must be attested to by one or more
	# attestors, that all pod creations will be allowed, or that all
	# pod creations will be denied.
	#
	# Images matching an admission whitelist pattern
	# are exempted from admission rules and will never block a pod creation.
	"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
	"requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
	# a container image, in the format `projects//attestors/`. Each
	# attestor must exist before a policy can reference it. To add an attestor
	# to a policy the principal issuing the policy change request must be able
	# to read the attestor resource.
	#
	# Note: this field must be non-empty when the evaluation_mode field specifies
	# REQUIRE_ATTESTATION, otherwise it must be empty.
	"A String",
	],
	"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
	},
	"admissionWhitelistPatterns": [ # Optional. Admission policy whitelisting. A matching admission request will
	# always be permitted. This feature is typically used to exclude Google or
	# third-party infrastructure images from Binary Authorization policies.
	{ # An admission whitelist pattern exempts images
	# from checks by admission rules.
	"namePattern": "A String", # An image name pattern to whitelist, in the form `registry/path/to/image`.
	# This supports a trailing `*` as a wildcard, but this is allowed only in
	# text after the `registry/` part.
	},
	],
	"globalPolicyEvaluationMode": "A String", # Optional. Controls the evaluation of a Google-maintained global admission
	# policy for common system-level images. Images not covered by the global
	# policy will be subject to the project admission policy. This setting
	# has no effect when specified inside a global admission policy.
	"clusterAdmissionRules": { # Optional. Per-cluster admission rules. Cluster spec format:
	# `location.clusterId`. There can be at most one admission rule per cluster
	# spec.
	# A `location` is either a compute zone (e.g. us-central1-a) or a region
	# (e.g. us-central1).
	# For `clusterId` syntax restrictions see
	# https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
	"a_key": { # An admission rule specifies either that all container images
	# used in a pod creation request must be attested to by one or more
	# attestors, that all pod creations will be allowed, or that all
	# pod creations will be denied.
	#
	# Images matching an admission whitelist pattern
	# are exempted from admission rules and will never block a pod creation.
	"enforcementMode": "A String", # Required. The action when a pod creation is denied by the admission rule.
	"requireAttestationsBy": [ # Optional. The resource names of the attestors that must attest to
	# a container image, in the format `projects//attestors/`. Each
	# attestor must exist before a policy can reference it. To add an attestor
	# to a policy the principal issuing the policy change request must be able
	# to read the attestor resource.
	#
	# Note: this field must be non-empty when the evaluation_mode field specifies
	# REQUIRE_ATTESTATION, otherwise it must be empty.
	"A String",
	],
	"evaluationMode": "A String", # Required. How this admission rule will be evaluated.
	},
	},
	"name": "A String", # Output only. The resource name, in the format `projects/*/policy`. There is
	# at most one policy per project.
	}</pre>
	</div>

	</body></html>