Google Cloud Binary Authorization V1 Client - Class Policy (1.1.1)

Reference documentation and code samples for the Google Cloud Binary Authorization V1 Client class Policy.

A policy for container image binary authorization.

Generated from protobuf message google.cloud.binaryauthorization.v1.Policy

Namespace

Google \ Cloud \ BinaryAuthorization \ V1

Methods

__construct

Constructor.

Parameters
Name Description
data array

Optional. Data for populating the Message object.

↳ name string

Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.

↳ description string

Optional. A descriptive comment.

↳ global_policy_evaluation_mode int

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.

↳ admission_whitelist_patterns array<AdmissionWhitelistPattern>

Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.

↳ cluster_admission_rules array|Google\Protobuf\Internal\MapField

Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.

↳ kubernetes_namespace_admission_rules array|Google\Protobuf\Internal\MapField

Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'

↳ kubernetes_service_account_admission_rules array|Google\Protobuf\Internal\MapField

Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount. e.g. 'test-ns:default'

↳ istio_service_identity_admission_rules array|Google\Protobuf\Internal\MapField

Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://

↳ default_admission_rule AdmissionRule

Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.

↳ update_time Google\Protobuf\Timestamp

Output only. Time when the policy was last updated.
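The constructor fields above, populated as a deny-by-default policy and then reviewed for settings that weaken enforcement. This is an added example, not part of the generated reference or the library's own samples. It assumes the google/cloud-binary-authorization Composer package is installed; the project, attestor, cluster and image names are constructed placeholders, and reviewPolicy() is a hypothetical helper.

```php
<?php
// Added example; assumes the google/cloud-binary-authorization Composer package.
require __DIR__ . '/vendor/autoload.php';
use Google\Cloud\BinaryAuthorization\V1\{AdmissionRule, AdmissionWhitelistPattern, Policy};
use Google\Cloud\BinaryAuthorization\V1\AdmissionRule\{EnforcementMode, EvaluationMode};
use Google\Cloud\BinaryAuthorization\V1\Policy\GlobalPolicyEvaluationMode;

// Placeholder attestor resource name, constructed for this example.
$requireAttestation = new AdmissionRule([
    'evaluation_mode' => EvaluationMode::REQUIRE_ATTESTATION,
    'require_attestations_by' => ['projects/example-project/attestors/example-attestor'],
    'enforcement_mode' => EnforcementMode::ENFORCED_BLOCK_AND_AUDIT_LOG,
]);
$policy = new Policy([
    'description' => 'Deny by default; one cluster admits attested images only',
    'global_policy_evaluation_mode' => GlobalPolicyEvaluationMode::ENABLE,
    'default_admission_rule' => new AdmissionRule([
        'evaluation_mode' => EvaluationMode::ALWAYS_DENY,
        'enforcement_mode' => EnforcementMode::ENFORCED_BLOCK_AND_AUDIT_LOG,
    ]),
    // Map key is the cluster spec "location.clusterId" (placeholder cluster).
    'cluster_admission_rules' => ['us-central1-a.example-cluster' => $requireAttestation],
    'admission_whitelist_patterns' => [
        new AdmissionWhitelistPattern(['name_pattern' => 'gcr.io/example-project/infra/*']),
    ],
]);

// Hypothetical review helper: report settings that admit images without attestation.
function reviewPolicy(Policy $policy): array
{
    $findings = [];
    $rules = ['default' => $policy->getDefaultAdmissionRule()];
    foreach ($policy->getClusterAdmissionRules() as $spec => $rule) {
        $rules["cluster $spec"] = $rule;
    }
    foreach ($rules as $label => $rule) {
        if ($rule === null) { $findings[] = "$label: rule not set"; continue; }
        if ($rule->getEvaluationMode() === EvaluationMode::ALWAYS_ALLOW) { $findings[] = "$label: ALWAYS_ALLOW"; }
        if ($rule->getEnforcementMode() === EnforcementMode::DRYRUN_AUDIT_LOG_ONLY) { $findings[] = "$label: dry run, not blocking"; }
    }
    foreach ($policy->getAdmissionWhitelistPatterns() as $pattern) {
        $findings[] = 'allowlisted, always permitted: ' . $pattern->getNamePattern();
    }
    return $findings;
}
print_r(reviewPolicy($policy));
```

The same review loop can be extended to the namespace, service-account and Istio identity rule maps through their getters documented below.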

getName

Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.

Returns
Type Description
string

setName

Output only. The resource name, in the format projects/*/policy. There is at most one policy per project.

Parameter
Name Description
var string
Returns
Type Description
$this

getDescription

Optional. A descriptive comment.

Returns
Type Description
string

setDescription

Optional. A descriptive comment.

Parameter
Name Description
var string
Returns
Type Description
$this

getGlobalPolicyEvaluationMode

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.

Returns
Type Description
int Enum of type GlobalPolicyEvaluationMode.

setGlobalPolicyEvaluationMode

Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.

Parameter
Name Description
var int

Enum of type GlobalPolicyEvaluationMode.

Returns
Type Description
$this

getAdmissionWhitelistPatterns

Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.

Returns
Type Description
Google\Protobuf\Internal\RepeatedField

setAdmissionWhitelistPatterns

Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.

Parameter
Name Description
var array<AdmissionWhitelistPattern>
Returns
Type Description
$this

getClusterAdmissionRules

Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec.

A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.

Returns
Type Description
Google\Protobuf\Internal\MapField

setClusterAdmissionRules

Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec.

A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.

Parameter
Name Description
var array|Google\Protobuf\Internal\MapField
Returns
Type Description
$this

getKubernetesNamespaceAdmissionRules

Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'

Returns
Type Description
Google\Protobuf\Internal\MapField

setKubernetesNamespaceAdmissionRules

Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format: [a-z.-]+, e.g. 'some-namespace'

Parameter
Name Description
var array|Google\Protobuf\Internal\MapField
Returns
Type Description
$this

getKubernetesServiceAccountAdmissionRules

Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount. e.g. 'test-ns:default'

Returns
Type Description
Google\Protobuf\Internal\MapField

setKubernetesServiceAccountAdmissionRules

Optional. Per-kubernetes-service-account admission rules. Service account spec format: namespace:serviceaccount. e.g. 'test-ns:default'

Parameter
Name Description
var array|Google\Protobuf\Internal\MapField
Returns
Type Description
$this

getIstioServiceIdentityAdmissionRules

Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://

Returns
Type Description
Google\Protobuf\Internal\MapField

setIstioServiceIdentityAdmissionRules

Optional. Per-istio-service-identity admission rules. Istio service identity spec format: spiffe://

Parameter
Name Description
var array|Google\Protobuf\Internal\MapField
Returns
Type Description
$this

getDefaultAdmissionRule

Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.

Returns
Type Description
AdmissionRule|null

hasDefaultAdmissionRule

clearDefaultAdmissionRule

setDefaultAdmissionRule

Required. Default admission rule for a cluster without a per-cluster, per-kubernetes-service-account, or per-istio-service-identity admission rule.

Parameter
Name Description
var AdmissionRule
Returns
Type Description
$this

getUpdateTime

Output only. Time when the policy was last updated.

Returns
Type Description
Google\Protobuf\Timestamp|null

hasUpdateTime

clearUpdateTime

setUpdateTime

Output only. Time when the policy was last updated.

Parameter
Name Description
var Google\Protobuf\Timestamp
Returns
Type Description
$this


Last updated 2025-10-30 UTC.