This rule allows all all pod creations.

This rule denies all pod creations.

Dryrun mode: Audit logging only.

Enforce the admission rule by blocking the pod creation.

Do not use.

Do not use.

This rule allows a pod creation if all the attestors listed in `require_attestations_by` have valid attestations for all of the images in the pod spec.

Image is allowed.

Unspecified result.

We should always have a verdict.

The check was successfully evaluated and the image did not satisfy the check.

A regular deployment.

The container type should always be specified.

Image is denied.

Ephemeral container defined as specified at https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/.

Init container defined as specified at https://kubernetes.io/docs/concepts/workloads/pods/init-containers/.

We should always have a verdict.

The pod violates the policy.

ECDSA on the NIST P-256 curve with a SHA256 digest.

ECDSA on the NIST P-384 curve with a SHA384 digest.

ECDSA on the NIST P-521 curve with a SHA512 digest.

ECDSA on the NIST P-256 curve with a SHA256 digest.

ECDSA on the NIST P-384 curve with a SHA384 digest.

ECDSA on the NIST P-521 curve with a SHA512 digest.

RSASSA-PSS 2048 bit key with a SHA256 digest.

RSASSA-PSS 3072 bit key with a SHA256 digest.

RSASSA-PSS 4096 bit key with a SHA256 digest.

RSASSA-PSS 4096 bit key with a SHA512 digest.

RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.

RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.

RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.

RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.

Not specified.

Disables system policy evaluation.

Enables system policy evaluation.

Not specified: DISABLE is assumed.

Enum value maps for AdmissionRule_EnforcementMode.

Enum value maps for AdmissionRule_EnforcementMode.

Enum value maps for AdmissionRule_EvaluationMode.

Enum value maps for AdmissionRule_EvaluationMode.

Enum value maps for ContinuousValidationEvent_ContinuousValidationPodEvent_ImageDetails_AuditResult.

Enum value maps for ContinuousValidationEvent_ContinuousValidationPodEvent_ImageDetails_AuditResult.

Enum value maps for ContinuousValidationEvent_ContinuousValidationPodEvent_ImageDetails_CheckResult_CheckVerdict.

Enum value maps for ContinuousValidationEvent_ContinuousValidationPodEvent_ImageDetails_CheckResult_CheckVerdict.

Enum value maps for ContinuousValidationEvent_ContinuousValidationPodEvent_ImageDetails_ContainerType.

Enum value maps for ContinuousValidationEvent_ContinuousValidationPodEvent_ImageDetails_ContainerType.

Enum value maps for ContinuousValidationEvent_ContinuousValidationPodEvent_PolicyConformanceVerdict.

Enum value maps for ContinuousValidationEvent_ContinuousValidationPodEvent_PolicyConformanceVerdict.

Enum value maps for PkixPublicKey_SignatureAlgorithm.

Enum value maps for PkixPublicKey_SignatureAlgorithm.

Enum value maps for Policy_GlobalPolicyEvaluationMode.

Enum value maps for Policy_GlobalPolicyEvaluationMode.

An [admission rule][google.cloud.binaryauthorization.v1beta1.AdmissionRule] specifies either that all container images used in a pod creation request must be attested to by one or more [attestors][google.cloud.binaryauthorization.v1beta1.Attestor], that all pod creations will be allowed, or that all pod creations will be denied.

An [admission allowlist pattern][google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern] exempts images from checks by [admission rules][google.cloud.binaryauthorization.v1beta1.AdmissionRule].

An [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] that attests to container image artifacts.

An [attestor public key][google.cloud.binaryauthorization.v1beta1.AttestorPublicKey] that will be used to verify attestations signed by this attestor.

Represents an auditing event from Continuous Validation.

An event describing a user-actionable configuration issue that prevents CV from auditing.

An auditing event for one Pod.

Container image with auditing details.

A scope specifier for check sets.

Request message for [BinauthzManagementService.CreateAttestor][].

Request message for [BinauthzManagementService.DeleteAttestor][].

Request message for [BinauthzManagementService.GetAttestor][].

Request message for [BinauthzManagementService.GetPolicy][].

Request to read the current system policy.

Request message for [BinauthzManagementService.ListAttestors][].

Response message for [BinauthzManagementService.ListAttestors][].

A public key in the PkixPublicKey format (see https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).

A [policy][google.cloud.binaryauthorization.v1beta1.Policy] for Binary Authorization.

UnimplementedBinauthzManagementServiceV1Beta1Server can be embedded to have forward compatible implementations.

UnimplementedSystemPolicyV1Beta1Server can be embedded to have forward compatible implementations.

Request message for [BinauthzManagementService.UpdateAttestor][].

Request message for [BinauthzManagementService.UpdatePolicy][].

An [user owned drydock note][google.cloud.binaryauthorization.v1beta1.UserOwnedDrydockNote] references a Drydock ATTESTATION_AUTHORITY Note created by the user.

BinauthzManagementServiceV1Beta1Client is the client API for BinauthzManagementServiceV1Beta1 service.

BinauthzManagementServiceV1Beta1Server is the server API for BinauthzManagementServiceV1Beta1 service.

SystemPolicyV1Beta1Client is the client API for SystemPolicyV1Beta1 service.

SystemPolicyV1Beta1Server is the server API for SystemPolicyV1Beta1 service.

Defines the possible actions when a pod creation is denied by an admission rule.

Result of the audit.

Result of evaluating one check.

The container type.

Audit time policy conformance verdict.

Represents a signature algorithm and other information necessary to verify signatures with a given public key.