#[non_exhaustive]pub struct Policy {
pub name: String,
pub description: String,
pub global_policy_evaluation_mode: GlobalPolicyEvaluationMode,
pub admission_whitelist_patterns: Vec<AdmissionWhitelistPattern>,
pub cluster_admission_rules: HashMap<String, AdmissionRule>,
pub kubernetes_namespace_admission_rules: HashMap<String, AdmissionRule>,
pub kubernetes_service_account_admission_rules: HashMap<String, AdmissionRule>,
pub istio_service_identity_admission_rules: HashMap<String, AdmissionRule>,
pub default_admission_rule: Option<AdmissionRule>,
pub update_time: Option<Timestamp>,
pub etag: String,
/* private fields */
}Expand description
A policy for container image binary authorization.
Fields (Non-exhaustive)§
This struct is marked as non-exhaustive
Struct { .. } syntax; cannot be matched against without a wildcard ..; and struct update syntax will not work.name: StringOutput only. The resource name, in the format projects/*/policy. There is
at most one policy per project.
description: StringOptional. A descriptive comment.
global_policy_evaluation_mode: GlobalPolicyEvaluationModeOptional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
admission_whitelist_patterns: Vec<AdmissionWhitelistPattern>Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
cluster_admission_rules: HashMap<String, AdmissionRule>Optional. A valid policy has only one of the following rule maps non-empty,
i.e. only one of cluster_admission_rules,
kubernetes_namespace_admission_rules,
kubernetes_service_account_admission_rules,
or istio_service_identity_admission_rules can be non-empty.
Per-cluster admission rules. Cluster spec format:
location.clusterId. There can be at most one admission rule per cluster
spec.
A location is either a compute zone (e.g. us-central1-a) or a region
(e.g. us-central1).
For clusterId syntax restrictions see
https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
kubernetes_namespace_admission_rules: HashMap<String, AdmissionRule>Optional. Per-kubernetes-namespace admission rules. K8s namespace spec
format:
[a-z.-]+, e.g. some-namespace
kubernetes_service_account_admission_rules: HashMap<String, AdmissionRule>Optional. Per-kubernetes-service-account admission rules. Service account
spec format: namespace:serviceaccount. e.g. test-ns:default
istio_service_identity_admission_rules: HashMap<String, AdmissionRule>Optional. Per-istio-service-identity admission rules. Istio service
identity spec format:
spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or
<domain>/ns/<namespace>/sa/<serviceaccount>
e.g. spiffe://example.com/ns/test-ns/sa/default
default_admission_rule: Option<AdmissionRule>Required. Default admission rule for a cluster without a per-cluster, per- kubernetes-service-account, or per-istio-service-identity admission rule.
update_time: Option<Timestamp>Output only. Time when the policy was last updated.
etag: StringOptional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.
Implementations§
Source§impl Policy
impl Policy
Sourcepub fn set_description<T: Into<String>>(self, v: T) -> Self
pub fn set_description<T: Into<String>>(self, v: T) -> Self
Sourcepub fn set_global_policy_evaluation_mode<T: Into<GlobalPolicyEvaluationMode>>(
self,
v: T,
) -> Self
pub fn set_global_policy_evaluation_mode<T: Into<GlobalPolicyEvaluationMode>>( self, v: T, ) -> Self
Sets the value of global_policy_evaluation_mode.
§Example
use google_cloud_binaryauthorization_v1::model::policy::GlobalPolicyEvaluationMode;
let x0 = Policy::new().set_global_policy_evaluation_mode(GlobalPolicyEvaluationMode::Enable);
let x1 = Policy::new().set_global_policy_evaluation_mode(GlobalPolicyEvaluationMode::Disable);Sourcepub fn set_admission_whitelist_patterns<T, V>(self, v: T) -> Self
pub fn set_admission_whitelist_patterns<T, V>(self, v: T) -> Self
Sets the value of admission_whitelist_patterns.
§Example
use google_cloud_binaryauthorization_v1::model::AdmissionWhitelistPattern;
let x = Policy::new()
.set_admission_whitelist_patterns([
AdmissionWhitelistPattern::default()/* use setters */,
AdmissionWhitelistPattern::default()/* use (different) setters */,
]);Sourcepub fn set_cluster_admission_rules<T, K, V>(self, v: T) -> Self
pub fn set_cluster_admission_rules<T, K, V>(self, v: T) -> Self
Sets the value of cluster_admission_rules.
§Example
use google_cloud_binaryauthorization_v1::model::AdmissionRule;
let x = Policy::new().set_cluster_admission_rules([
("key0", AdmissionRule::default()/* use setters */),
("key1", AdmissionRule::default()/* use (different) setters */),
]);Sourcepub fn set_kubernetes_namespace_admission_rules<T, K, V>(self, v: T) -> Self
pub fn set_kubernetes_namespace_admission_rules<T, K, V>(self, v: T) -> Self
Sets the value of kubernetes_namespace_admission_rules.
§Example
use google_cloud_binaryauthorization_v1::model::AdmissionRule;
let x = Policy::new().set_kubernetes_namespace_admission_rules([
("key0", AdmissionRule::default()/* use setters */),
("key1", AdmissionRule::default()/* use (different) setters */),
]);Sourcepub fn set_kubernetes_service_account_admission_rules<T, K, V>(
self,
v: T,
) -> Self
pub fn set_kubernetes_service_account_admission_rules<T, K, V>( self, v: T, ) -> Self
Sets the value of kubernetes_service_account_admission_rules.
§Example
use google_cloud_binaryauthorization_v1::model::AdmissionRule;
let x = Policy::new().set_kubernetes_service_account_admission_rules([
("key0", AdmissionRule::default()/* use setters */),
("key1", AdmissionRule::default()/* use (different) setters */),
]);Sourcepub fn set_istio_service_identity_admission_rules<T, K, V>(self, v: T) -> Self
pub fn set_istio_service_identity_admission_rules<T, K, V>(self, v: T) -> Self
Sets the value of istio_service_identity_admission_rules.
§Example
use google_cloud_binaryauthorization_v1::model::AdmissionRule;
let x = Policy::new().set_istio_service_identity_admission_rules([
("key0", AdmissionRule::default()/* use setters */),
("key1", AdmissionRule::default()/* use (different) setters */),
]);Sourcepub fn set_default_admission_rule<T>(self, v: T) -> Selfwhere
T: Into<AdmissionRule>,
pub fn set_default_admission_rule<T>(self, v: T) -> Selfwhere
T: Into<AdmissionRule>,
Sets the value of default_admission_rule.
§Example
use google_cloud_binaryauthorization_v1::model::AdmissionRule;
let x = Policy::new().set_default_admission_rule(AdmissionRule::default()/* use setters */);Sourcepub fn set_or_clear_default_admission_rule<T>(self, v: Option<T>) -> Selfwhere
T: Into<AdmissionRule>,
pub fn set_or_clear_default_admission_rule<T>(self, v: Option<T>) -> Selfwhere
T: Into<AdmissionRule>,
Sets or clears the value of default_admission_rule.
§Example
use google_cloud_binaryauthorization_v1::model::AdmissionRule;
let x = Policy::new().set_or_clear_default_admission_rule(Some(AdmissionRule::default()/* use setters */));
let x = Policy::new().set_or_clear_default_admission_rule(None::<AdmissionRule>);Sourcepub fn set_update_time<T>(self, v: T) -> Self
pub fn set_update_time<T>(self, v: T) -> Self
Sets the value of update_time.
§Example
use wkt::Timestamp;
let x = Policy::new().set_update_time(Timestamp::default()/* use setters */);Sourcepub fn set_or_clear_update_time<T>(self, v: Option<T>) -> Self
pub fn set_or_clear_update_time<T>(self, v: Option<T>) -> Self
Sets or clears the value of update_time.
§Example
use wkt::Timestamp;
let x = Policy::new().set_or_clear_update_time(Some(Timestamp::default()/* use setters */));
let x = Policy::new().set_or_clear_update_time(None::<Timestamp>);