feat: Add preview support for monitoring a cluster's pods for compliance with a provided Binary Authorization platform policy via Binary Authorization Continuous Validation

Google APIs · copybara-github · commit 2edfcad933b8 · 2023-08-10T18:58:20.000-07:00
PiperOrigin-RevId: 555745169
diff --git a/google/container/v1beta1/cluster_service.proto b/google/container/v1beta1/cluster_service.proto
@@ -1730,6 +1730,21 @@ message BinaryAuthorization {
     // project's singleton policy. This is equivalent to setting the
     // enabled boolean to true.
     PROJECT_SINGLETON_POLICY_ENFORCE = 2;
+
+    // Use Binary Authorization with the policies specified in policy_bindings.
+    POLICY_BINDINGS = 5;
+
+    // Use Binary Authorization with the policies specified in policy_bindings,
+    // and also with the project's singleton policy in enforcement mode.
+    POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE = 6;
+  }
+
+  // Binauthz policy that applies to this cluster.
+  message PolicyBinding {
+    // The relative resource name of the binauthz platform policy to audit. GKE
+    // platform policies have the following format:
+    // `projects/{project_number}/platforms/gke/policies/{policy_id}`.
+    optional string name = 1;
   }
 
   // This field is deprecated. Leave this unset and instead configure
@@ -1740,6 +1755,10 @@ message BinaryAuthorization {
   // Mode of operation for binauthz policy evaluation. If unspecified, defaults
   // to DISABLED.
   EvaluationMode evaluation_mode = 2;
+
+  // Optional. Binauthz policies that apply to this cluster.
+  repeated PolicyBinding policy_bindings = 5
+      [(google.api.field_behavior) = OPTIONAL];
 }
 
 // Configuration for the PodSecurityPolicy feature.
