Binary Authorization: globalPolicyEvaluationMode
drebes committed Jul 28, 2019
1 parent 83b9fd5 commit 74c80b4
Showing 3 changed files with 45 additions and 0 deletions.
9 changes: 9 additions & 0 deletions products/binaryauthorization/api.yaml
Expand Up @@ -155,6 +155,15 @@ objects:
- !ruby/object:Api::Type::String
name: description
description: A descriptive comment.
- !ruby/object:Api::Type::Enum
name: globalPolicyEvaluationMode
description: |
Controls the evaluation of a Google-maintained global admission policy
for common system-level images. Images not covered by the global
policy will be subject to the project admission policy.
values:
- :ENABLE
- :DISABLE
- !ruby/object:Api::Type::Array
name: admissionWhitelistPatterns
description: |
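Review bot: The description of the new `globalPolicyEvaluationMode` enum never states what ENABLE changes for enforcement: by its own wording, images that the Google-maintained global policy covers are not evaluated against the project admission rules, so ENABLE reads as admitting those system images without the attestations the project policy would otherwise demand, and an operator choosing between the two values should be told that directly. It also says nothing about the unset case, which the terraform override in this same commit treats as server-defaulted, so the description should presumably say that the API default applies when the field is omitted. I would extend the description with something like `When ENABLE, images matched by the global policy are admitted by it and are not checked against the project admission rules; when DISABLE, every image is evaluated against the project policy. If unset, the API default applies.` (the exact default being confirmed against the API docs). The enclosing `objects:` property list starts before this hunk.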
9 changes: 9 additions & 0 deletions products/binaryauthorization/terraform.yaml
Expand Up @@ -63,7 +63,16 @@ overrides: !ruby/object:Overrides::ResourceOverrides
vars:
attestor_name: "test-attestor"
note_name: "test-attestor-note"
- !ruby/object:Provider::Terraform::Examples
name: "binary_authorization_policy_global_evaluation"
primary_resource_id: "policy"
skip_test: true
vars:
attestor_name: "test-attestor"
note_name: "test-attestor-note"
properties:
globalPolicyEvaluationMode: !ruby/object:Overrides::Terraform::PropertyOverride
default_from_api: true
clusterAdmissionRules: !ruby/object:Overrides::Terraform::PropertyOverride
is_set: true
set_hash_func: |-
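Review bot: `skip_test: true` on the new `binary_authorization_policy_global_evaluation` example means the only configuration that exercises `global_policy_evaluation_mode` is never run as an acceptance test, so neither the `default_from_api: true` override nor the ENABLE/DISABLE round-trip is verified by this commit; if the skip is unavoidable, a comment above it stating the reason (`# skip_test: <reason — TODO(review) fill in>`) would keep it from being read as an oversight. Separately, `default_from_api: true` presumably makes the field optional-and-computed, in which case removing it from a config after setting DISABLE would likely leave the stored value in place rather than reverting to the server default; a one-line comment on the override documenting that expectation would save a future bug report. The enclosing `overrides:` mapping starts before this hunk.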
@@ -0,0 +1,27 @@
resource "google_binary_authorization_policy" "<%= ctx[:primary_resource_id] %>" {

default_admission_rule {
evaluation_mode = "REQUIRE_ATTESTATION"
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
require_attestations_by = ["${google_binary_authorization_attestor.attestor.name}"]
}

global_policy_evaluation_mode = "ENABLE"

}

resource "google_container_analysis_note" "note" {
name = "<%= ctx[:vars]["note_name"] %>"
attestation_authority {
hint {
human_readable_name = "My attestor"
}
}
}

resource "google_binary_authorization_attestor" "attestor" {
name = "<%= ctx[:vars]["attestor_name"] %>"
attestation_authority_note {
note_reference = "${google_container_analysis_note.note.name}"
}
}
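Review bot: The example sets `global_policy_evaluation_mode = "ENABLE"` alongside a `REQUIRE_ATTESTATION` default rule without saying how the two interact, and since this is the only example for the new field a comment would help readers; as the api.yaml description in this commit implies, ENABLE lets images matched by the Google-maintained global policy be admitted by that policy rather than by the attestation rule, so I would add above that line `# ENABLE: images covered by Google's global policy are admitted by it; all other images must satisfy default_admission_rule above.`. As a point of style, the blank line directly after the policy resource's opening brace and the one before its closing brace should be dropped, and `require_attestations_by` could use the plain reference `google_binary_authorization_attestor.attestor.name` instead of the legacy `"${...}"` interpolation if the repository's other examples already use 0.12 syntax.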
