Optional. Controls the evaluation of a Google-maintained global admission policy for common system-level images. Images not covered by the global policy will be subject to the project admission policy. This setting has no effect when specified inside a global admission policy.
Optional. Admission policy allowlisting. A matching admission request will always be permitted. This feature is typically used to exclude Google or third-party infrastructure images from Binary Authorization policies.
Optional. Per-cluster admission rules. Cluster spec format: location.clusterId. There can be at most one admission rule per cluster spec. A location is either a compute zone (e.g. us-central1-a) or a region (e.g. us-central1). For clusterId syntax restrictions see https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
Optional. Per-Istio-service-identity admission rules. Istio service identity spec format: spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or <domain>/ns/<namespace>/sa/<serviceaccount>, e.g. spiffe://example.com/ns/test-ns/sa/default.
An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.
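An added example, not part of the API reference: a linter for the two spec-keyed rule maps described above, which also catches a repeated spec key that a JSON parser would silently collapse. The field names `clusterAdmissionRules` and `istioServiceIdentityAdmissionRules` are the Binary Authorization v1 names for those maps; the location regex and the `lint_policy` helper are assumptions of this example, the policy text is constructed, and clusterId syntax is not checked.

```python
import json
import re

# Constructed sample policy fragment; rule bodies are left empty on purpose.
SAMPLE = """{
  "clusterAdmissionRules": {
    "us-central1-a.prod-cluster": {},
    "us-central1.staging": {},
    "prod-cluster": {},
    "us-central1-a.prod-cluster": {}
  },
  "istioServiceIdentityAdmissionRules": {
    "spiffe://example.com/ns/test-ns/sa/default": {},
    "example.com/ns/test-ns": {}
  }
}"""

# Assumption: a location looks like "us-central1" (region) or "us-central1-a" (zone).
CLUSTER_SPEC = re.compile(r"[a-z]+-[a-z]+\d+(-[a-z])?\.[^\s.]+")
# Both documented spellings: with or without the spiffe:// scheme.
ISTIO_SPEC = re.compile(r"(spiffe://)?[^/\s]+/ns/[^/\s]+/sa/[^/\s]+")

RULE_MAPS = (
    ("clusterAdmissionRules", CLUSTER_SPEC),
    ("istioServiceIdentityAdmissionRules", ISTIO_SPEC),
)


def lint_policy(policy_json: str) -> list[str]:
    """Return findings for repeated or malformed spec keys in a Policy document."""
    findings = []

    def keep_pairs(pairs):
        # json.loads keeps only the last value of a repeated key, which would hide
        # a second rule for the same spec; record repeats before collapsing.
        seen = set()
        for key, _ in pairs:
            if key in seen:
                findings.append(f"duplicate key: {key}")
            seen.add(key)
        return dict(pairs)

    policy = json.loads(policy_json, object_pairs_hook=keep_pairs)
    for field, pattern in RULE_MAPS:
        for spec in policy.get(field, {}):
            if not pattern.fullmatch(spec):
                findings.append(f"{field}: malformed spec {spec!r}")
    return findings
```

Running `lint_policy` on the policy file before it is submitted surfaces the repeated cluster spec, which would otherwise reach the API as a single rule carrying whichever body appeared last.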
Output only. Time when the policy was last updated.
A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".
etag
string
Optional. A checksum, returned by the server, that can be sent on update requests to ensure the policy has an up-to-date value before attempting to update it. See https://google.aip.dev/154.
Last updated 2025-05-30 UTC.