Class Policy


  • public class Policy
    extends com.pulumi.resources.CustomResource
    A policy for container image binary authorization.

    To get more information about Policy, see:

    * [API documentation](https://cloud.google.com/binary-authorization/docs/reference/rest/)
    * How-to Guides
        * [Official Documentation](https://cloud.google.com/binary-authorization/)

    ## Example Usage

    ### Binary Authorization Policy Basic

    ```java
    package generated_program;

    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.containeranalysis.Note;
    import com.pulumi.gcp.containeranalysis.NoteArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
    import com.pulumi.gcp.binaryauthorization.Attestor;
    import com.pulumi.gcp.binaryauthorization.AttestorArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
    import com.pulumi.gcp.binaryauthorization.Policy;
    import com.pulumi.gcp.binaryauthorization.PolicyArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.PolicyAdmissionWhitelistPatternArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.PolicyClusterAdmissionRuleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        public static void stack(Context ctx) {
            // Container Analysis note that the attestor will attach attestations to.
            var note = new Note("note", NoteArgs.builder()
                .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                    .hint(NoteAttestationAuthorityHintArgs.builder()
                        .humanReadableName("My attestor")
                        .build())
                    .build())
                .build());

            // Attestor bound to that note.
            var attestor = new Attestor("attestor", AttestorArgs.builder()
                .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                    .noteReference(note.name())
                    .build())
                .build());

            var policy = new Policy("policy", PolicyArgs.builder()
                // Images matching this pattern bypass every admission rule below.
                .admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
                    .namePattern("gcr.io/google_containers/*")
                    .build())
                // Clusters with no per-cluster rule admit everything.
                .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                    .evaluationMode("ALWAYS_ALLOW")
                    .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                    .build())
                // The production cluster requires an attestation from the attestor above.
                .clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
                    .cluster("us-central1-a.prod-cluster")
                    .evaluationMode("REQUIRE_ATTESTATION")
                    .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                    .requireAttestationsBies(attestor.name())
                    .build())
                .build());
        }
    }
    ```

    ### Binary Authorization Policy Global Evaluation

    ```java
    package generated_program;

    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.containeranalysis.Note;
    import com.pulumi.gcp.containeranalysis.NoteArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
    import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
    import com.pulumi.gcp.binaryauthorization.Attestor;
    import com.pulumi.gcp.binaryauthorization.AttestorArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
    import com.pulumi.gcp.binaryauthorization.Policy;
    import com.pulumi.gcp.binaryauthorization.PolicyArgs;
    import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        public static void stack(Context ctx) {
            var note = new Note("note", NoteArgs.builder()
                .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                    .hint(NoteAttestationAuthorityHintArgs.builder()
                        .humanReadableName("My attestor")
                        .build())
                    .build())
                .build());

            var attestor = new Attestor("attestor", AttestorArgs.builder()
                .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                    .noteReference(note.name())
                    .build())
                .build());

            var policy = new Policy("policy", PolicyArgs.builder()
                // Every cluster in the project requires an attestation by default.
                .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                    .evaluationMode("REQUIRE_ATTESTATION")
                    .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                    .requireAttestationsBies(attestor.name())
                    .build())
                // Let the Google-maintained global policy handle common system images.
                .globalPolicyEvaluationMode("ENABLE")
                .build());
        }
    }
    ```

    ## Import

    Policy can be imported using any of these accepted formats:

    ```sh
    $ pulumi import gcp:binaryauthorization/policy:Policy default projects/{{project}}
    ```

    ```sh
    $ pulumi import gcp:binaryauthorization/policy:Policy default {{project}}
    ```
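    The generated examples above either allow everything by default or enforce attestation everywhere at once. The following program is an added example, not part of the Pulumi-generated samples or the provider's own code, showing a deny-by-default rollout: the default admission rule requires an attestation and blocks, one staging cluster runs the same rule in `DRYRUN_AUDIT_LOG_ONLY` mode so unattested images are only logged while teams onboard, the whitelist is narrowed to a single registry path (because whitelisted images bypass every admission rule), and the Google-maintained global policy is enabled for system images. The cluster identifier and the `us-docker.pkg.dev/my-project/platform/*` image path are placeholders assumed for this example.

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.containeranalysis.Note;
import com.pulumi.gcp.containeranalysis.NoteArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityArgs;
import com.pulumi.gcp.containeranalysis.inputs.NoteAttestationAuthorityHintArgs;
import com.pulumi.gcp.binaryauthorization.Attestor;
import com.pulumi.gcp.binaryauthorization.AttestorArgs;
import com.pulumi.gcp.binaryauthorization.inputs.AttestorAttestationAuthorityNoteArgs;
import com.pulumi.gcp.binaryauthorization.Policy;
import com.pulumi.gcp.binaryauthorization.PolicyArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyAdmissionWhitelistPatternArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyDefaultAdmissionRuleArgs;
import com.pulumi.gcp.binaryauthorization.inputs.PolicyClusterAdmissionRuleArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Note and attestor, built the same way as in the generated examples.
        var note = new Note("release-note", NoteArgs.builder()
            .attestationAuthority(NoteAttestationAuthorityArgs.builder()
                .hint(NoteAttestationAuthorityHintArgs.builder()
                    .humanReadableName("Release pipeline attestor")
                    .build())
                .build())
            .build());

        var attestor = new Attestor("release-attestor", AttestorArgs.builder()
            .attestationAuthorityNote(AttestorAttestationAuthorityNoteArgs.builder()
                .noteReference(note.name())
                .build())
            .build());

        var policy = new Policy("policy", PolicyArgs.builder()
            .description("Deny by default: every image must carry a release attestation")
            // Google-maintained global policy covers common system images, so they
            // do not need to be whitelisted by hand.
            .globalPolicyEvaluationMode("ENABLE")
            // Whitelisted patterns skip ALL admission rules, including the
            // per-cluster ones, so keep this list as narrow as possible.
            // Placeholder registry path, assumed for this example.
            .admissionWhitelistPatterns(PolicyAdmissionWhitelistPatternArgs.builder()
                .namePattern("us-docker.pkg.dev/my-project/platform/*")
                .build())
            // Any cluster without its own rule: require attestation and block.
            .defaultAdmissionRule(PolicyDefaultAdmissionRuleArgs.builder()
                .evaluationMode("REQUIRE_ATTESTATION")
                .enforcementMode("ENFORCED_BLOCK_AND_AUDIT_LOG")
                .requireAttestationsBies(attestor.name())
                .build())
            // Staging cluster (placeholder name, format {{location}}.{{clusterId}}):
            // same requirement, but violations are only written to the audit log,
            // which is how you find unattested images before switching to blocking.
            .clusterAdmissionRules(PolicyClusterAdmissionRuleArgs.builder()
                .cluster("us-central1.staging-cluster")
                .evaluationMode("REQUIRE_ATTESTATION")
                .enforcementMode("DRYRUN_AUDIT_LOG_ONLY")
                .requireAttestationsBies(attestor.name())
                .build())
            .build());

        ctx.export("policyProject", policy.project());
    }
}
```

    Promoting the staging cluster is a one-line change: switch its `enforcementMode` to `ENFORCED_BLOCK_AND_AUDIT_LOG`, or delete the per-cluster rule so the default rule takes over. Because a project has exactly one policy, importing an existing one (see the Import section) rather than creating a second is the way to bring a hand-configured project under this program.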
    • Nested Class Summary

      • Nested classes/interfaces inherited from class com.pulumi.resources.CustomResource

        com.pulumi.resources.CustomResource.CustomResourceInternal
      • Nested classes/interfaces inherited from class com.pulumi.resources.Resource

        com.pulumi.resources.Resource.LazyField<T extends java.lang.Object>, com.pulumi.resources.Resource.LazyFields, com.pulumi.resources.Resource.ResourceInternal
    • Field Summary

      • Fields inherited from class com.pulumi.resources.Resource

        childResources, remote
    • Constructor Summary

      Constructors 
      Constructor Description
      Policy​(java.lang.String name)  
      Policy​(java.lang.String name, PolicyArgs args)  
      Policy​(java.lang.String name, PolicyArgs args, com.pulumi.resources.CustomResourceOptions options)  
    • Constructor Detail

      • Policy

        public Policy​(java.lang.String name)
        Parameters:
        name - The _unique_ name of the resulting resource.
      • Policy

        public Policy​(java.lang.String name,
                      PolicyArgs args)
        Parameters:
        name - The _unique_ name of the resulting resource.
        args - The arguments to use to populate this resource's properties.
      • Policy

        public Policy​(java.lang.String name,
                      PolicyArgs args,
                      @Nullable
                      com.pulumi.resources.CustomResourceOptions options)
        Parameters:
        name - The _unique_ name of the resulting resource.
        args - The arguments to use to populate this resource's properties.
        options - A bag of options that control this resource's behavior.
    • Method Detail

      • admissionWhitelistPatterns

        public com.pulumi.core.Output<java.util.Optional<java.util.List<PolicyAdmissionWhitelistPattern>>> admissionWhitelistPatterns()
        Returns:
        A whitelist of image patterns to exclude from admission rules. If an image's name matches a whitelist pattern, the image's admission requests will always be permitted regardless of your admission rules. Structure is documented below.
      • clusterAdmissionRules

        public com.pulumi.core.Output<java.util.Optional<java.util.List<PolicyClusterAdmissionRule>>> clusterAdmissionRules()
        Returns:
        Per-cluster admission rules. An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. There can be at most one admission rule per cluster spec. Identifier format: `{{location}}.{{clusterId}}`. A location is either a compute zone (e.g. `us-central1-a`) or a region (e.g. `us-central1`). Structure is documented below.
      • defaultAdmissionRule

        public com.pulumi.core.Output<PolicyDefaultAdmissionRule> defaultAdmissionRule()
        Returns:
        Default admission rule for a cluster without a per-cluster admission rule. Structure is documented below.
      • description

        public com.pulumi.core.Output<java.util.Optional<java.lang.String>> description()
        Returns:
        A descriptive comment.
      • globalPolicyEvaluationMode

        public com.pulumi.core.Output<java.lang.String> globalPolicyEvaluationMode()
        Returns:
        Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values are: `ENABLE`, `DISABLE`.
      • project

        public com.pulumi.core.Output<java.lang.String> project()
        Returns:
        The ID of the project in which the resource belongs. If it is not provided, the provider project is used.
      • get

        public static Policy get​(java.lang.String name,
                                 com.pulumi.core.Output<java.lang.String> id,
                                 @Nullable
                                 PolicyState state,
                                 @Nullable
                                 com.pulumi.resources.CustomResourceOptions options)
        Get an existing Policy resource's state with the given name, ID, and optional extra properties used to qualify the lookup.
        Parameters:
        name - The _unique_ name of the resulting resource.
        id - The _unique_ provider ID of the resource to lookup.
        state - Any extra arguments used during the lookup.
        options - Optional settings to control the behavior of the CustomResource.