Google Binary Authorization Policy

google_binary_authorization_policy (Terraform)

The Policy in Binary Authorization can be configured in Terraform with the resource name google_binary_authorization_policy. The following sections describe 3 examples of how to use the resource and its parameters.

Example Usage from GitHub

rosmo/gke-commonground-haven

resource "google_binary_authorization_policy" "binauthz-policy" {
  project = var.project_id

  dynamic "admission_whitelist_patterns" {
    for_each = var.compliance_testing_use ? concat(var.admission_allowlist, local.compliance_containers) : var.admission_allowlist
    content {

niveklabs/google

resource "google_binary_authorization_policy" "this" {
  description                   = var.description
  global_policy_evaluation_mode = var.global_policy_evaluation_mode
  project                       = var.project

  dynamic "admission_whitelist_patterns" {

mathieu-benoit/mygkecluster

resource "google_binary_authorization_policy" "policy" {
    admission_whitelist_patterns {
        name_pattern = "$region-docker.pkg.dev/$projectId/$containerRegistryName/*"
    }

    default_admission_rule {

Parameters

• description optional - string

A descriptive comment.

• global_policy_evaluation_mode optional computed - string

Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. Possible values: ["ENABLE", "DISABLE"]

• id optional computed - string
• project optional computed - string
• admission_whitelist_patterns list block
  • name_pattern required - string

  An image name pattern to whitelist, in the form 'registry/path/to/image'. This supports a trailing * as a wildcard, but this is allowed only in text after the registry/ part.

• cluster_admission_rules set block
  • cluster required - string
  • enforcement_mode required - string

  The action when a pod creation is denied by the admission rule. Possible values: ["ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"]

  • evaluation_mode required - string

  How this admission rule will be evaluated. Possible values: ["ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"]

  • require_attestations_by optional - set of string

  The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format 'projects//attestors/'. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

• default_admission_rule list block
  • enforcement_mode required - string

  The action when a pod creation is denied by the admission rule. Possible values: ["ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"]

  • evaluation_mode required - string

  How this admission rule will be evaluated. Possible values: ["ALWAYS_ALLOW", "REQUIRE_ATTESTATION", "ALWAYS_DENY"]

  • require_attestations_by optional - set of string

  The resource names of the attestors that must attest to a container image. If the attestor is in a different project from the policy, it should be specified in the format 'projects//attestors/'. Each attestor must exist before a policy can reference it. To add an attestor to a policy the principal issuing the policy change request must be able to read the attestor resource. Note: this field must be non-empty when the evaluation_mode field specifies REQUIRE_ATTESTATION, otherwise it must be empty.

• timeouts single block
  • create optional - string
  • delete optional - string
  • update optional - string

Explanation in Terraform Registry

A policy for container image binary authorization. To get more information about Policy, see:

• API documentation
• How-to Guides
  • Official Documentation