Evaluates a Kubernetes object against a GKE platform policy. Returns NOT_FOUND if the policy doesn't exist, INVALID_ARGUMENT if the policy or request is malformed, and PERMISSION_DENIED if the client does not have sufficient permissions.
HTTP request
POST https://binaryauthorization.googleapis.com/v1/{name=projects/*/platforms/gke/policies/*}:evaluate
The URL uses gRPC Transcoding syntax.
Path parameters
| Parameters | |
|---|---|
| name | Required. The name of the  Authorization requires the following IAM permission on the specified resource  |
Request body
The request body contains data with the following structure:
| JSON representation | 
|---|
| { "resource": { object } } | 
| Fields | |
|---|---|
| resource | Required. JSON or YAML blob representing a Kubernetes resource. |
Response body
Response message for PlatformPolicyEvaluationService.EvaluateGkePolicy.
If successful, the response body contains data with the following structure:
| JSON representation | 
|---|
| { "verdict": enum ( | 
| Fields | |
|---|---|
| verdict | The result of evaluating all Pods in the request. |
| results[] | Evaluation result for each Pod contained in the request. |
Authorization scopes
Requires the following OAuth scope:
- https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
Verdict
Whether the Pods passed, failed, or couldn't be evaluated.
| Enums | |
|---|---|
| VERDICT_UNSPECIFIED | Not specified. This should never be used. | 
| CONFORMANT | All Pods in the request conform to the policy. | 
| NON_CONFORMANT | At least one Pod does not conform to the policy. | 
| ERROR | Encountered at least one error evaluating a Pod and all other Pods conform to the policy. Non-conformance has precedence over errors. | 
PodResult
Result of evaluating the whole GKE policy for one Pod.
| JSON representation | 
|---|
| { "podName": string, "kubernetesNamespace": string, "kubernetesServiceAccount": string, "verdict": enum ( | 
| Fields | |
|---|---|
| podName | The name of the Pod. |
| kubernetesNamespace | The Kubernetes namespace of the Pod. |
| kubernetesServiceAccount | The Kubernetes service account of the Pod. |
| verdict | The result of evaluating this Pod. |
| imageResults[] | Per-image details. |
PodVerdict
Whether the Pod passed, failed, or couldn't be evaluated.
| Enums | |
|---|---|
| POD_VERDICT_UNSPECIFIED | Not specified. This should never be used. | 
| CONFORMANT | All images conform to the policy. | 
| NON_CONFORMANT | At least one image does not conform to the policy. | 
| ERROR | Encountered at least one error evaluating an image and all other images with non-error verdicts conform to the policy. Non-conformance has precedence over errors. | 
ImageResult
Result of evaluating one image.
| JSON representation | 
|---|
| { "imageUri": string, "verdict": enum ( | 
| Fields | |
|---|---|
| imageUri | Image URI from the request. |
| verdict | The result of evaluating this image. |
| explanation | Explanation of this image result. Only populated if no check sets were evaluated. |
| Union field `result`. How the image was evaluated. `result` can be only one of the following: | |
| allowlistResult | If the image was exempted by a top-level  |
| checkSetResult | If a check set was evaluated, contains the result of the check set. Empty if there were no check sets. |
ImageVerdict
Whether the image passed, failed, or couldn't be evaluated.
| Enums | |
|---|---|
| IMAGE_VERDICT_UNSPECIFIED | Not specified. This should never be used. | 
| CONFORMANT | Image conforms to the policy. | 
| NON_CONFORMANT | Image does not conform to the policy. | 
| ERROR | Error evaluating the image. Non-conformance has precedence over errors. | 
AllowlistResult
Result of evaluating an image name allowlist.
| JSON representation | 
|---|
| { "matchedPattern": string } | 
| Fields | |
|---|---|
| matchedPattern | The allowlist pattern that the image matched. |
CheckSetResult
Result of evaluating one check set.
| JSON representation | 
|---|
| { "index": string, "displayName": string, "scope": { object ( | 
| Fields | |
|---|---|
| index | The index of the check set. |
| displayName | The name of the check set. |
| scope | The scope of the check set. |
| explanation | Explanation of this check set result. Only populated if no checks were evaluated. |
| Union field `result`. How the check set was evaluated. `result` can be only one of the following: | |
| allowlistResult | If the image was exempted by an  |
| checkResults | If checks were evaluated, contains the results of evaluating each check. |
CheckResults
Result of evaluating one or more checks.
| JSON representation | 
|---|
| { "results": [ { object ( |
| Fields | |
|---|---|
| results[] | Per-check details. |
CheckResult
Result of evaluating one check.
| JSON representation | 
|---|
| { "index": string, "displayName": string, "type": string, "explanation": string, // Union field | 
| Fields | |
|---|---|
| index | The index of the check. |
| displayName | The name of the check. |
| type | The type of the check. |
| explanation | Explanation of this check result. |
| Union field `result`. How the check was evaluated. `result` can be only one of the following: | |
| allowlistResult | If the image was exempted by an  |
| evaluationResult | If a check was evaluated, contains the result of the check. |
EvaluationResult
Result of evaluating one check.
| JSON representation | 
|---|
| { "verdict": enum ( |
| Fields | |
|---|---|
| verdict | The result of evaluating this check. |
CheckVerdict
Whether the check passed, failed, or couldn't be evaluated.
| Enums | |
|---|---|
| CHECK_VERDICT_UNSPECIFIED | Not specified. This should never be used. | 
| CONFORMANT | The check was successfully evaluated and the image satisfied the check. | 
| NON_CONFORMANT | The check was successfully evaluated and the image did not satisfy the check. | 
| ERROR | The check was not successfully evaluated. |
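
The verdict hierarchy described on this page (request, Pod, image, check) can drive a deployment gate. The following is an added example, not Google's code: it walks a constructed response, reports which check caused each non-conformant image, and fails closed on anything other than CONFORMANT. The sample response, image URIs, check names and types, and the `rollup`, `findings` and `gate` helpers are assumptions of this example.

```python
import json

# Constructed sample response (not real API output). Field names follow the
# tables on this page; image URIs, names and check types are placeholders.
SAMPLE = json.loads("""
{"verdict": "NON_CONFORMANT", "results": [
  {"podName": "web", "kubernetesNamespace": "prod", "verdict": "NON_CONFORMANT",
   "imageResults": [
    {"imageUri": "registry.example/base@sha256:aaa", "verdict": "CONFORMANT",
     "allowlistResult": {"matchedPattern": "registry.example/base*"}},
    {"imageUri": "registry.example/app@sha256:bbb", "verdict": "NON_CONFORMANT",
     "checkSetResult": {"index": "0", "displayName": "prod-checks",
      "checkResults": {"results": [
        {"index": "0", "displayName": "signed", "type": "example-type-a",
         "evaluationResult": {"verdict": "CONFORMANT"}},
        {"index": "1", "displayName": "fresh", "type": "example-type-b",
         "explanation": "constructed explanation",
         "evaluationResult": {"verdict": "NON_CONFORMANT"}}]}}},
    {"imageUri": "registry.example/sidecar@sha256:ccc", "verdict": "ERROR",
     "explanation": "constructed: image could not be evaluated"}]}]}
""")

def rollup(verdicts):
    """Aggregate child verdicts; non-conformance has precedence over errors."""
    for v in ("NON_CONFORMANT", "ERROR"):
        if v in verdicts:
            return v
    # Example policy: empty or unknown input is treated as ERROR (fail closed).
    return "CONFORMANT" if verdicts and set(verdicts) == {"CONFORMANT"} else "ERROR"

def findings(response):
    """Yield (pod, imageUri, verdict, detail) for every image that is not CONFORMANT."""
    for pod in response.get("results", []):
        for img in pod.get("imageResults", []):
            if img.get("verdict") == "CONFORMANT":
                continue
            checks = img.get("checkSetResult", {}).get("checkResults", {}).get("results", [])
            bad = [c["displayName"] for c in checks
                   if c.get("evaluationResult", {}).get("verdict") != "CONFORMANT"
                   and "allowlistResult" not in c]  # allowlisted checks carry no verdict
            detail = ", ".join(bad) or img.get("explanation", "")
            yield pod["podName"], img["imageUri"], img.get("verdict"), detail

def gate(response):
    """Fail closed: admit only when the reported and recomputed verdicts are CONFORMANT."""
    recomputed = rollup([p.get("verdict") for p in response.get("results", [])])
    allow = response.get("verdict") == "CONFORMANT" and recomputed == "CONFORMANT"
    return allow, list(findings(response))
```

Treating ERROR and the `*_UNSPECIFIED` values the same as NON_CONFORMANT keeps an evaluation failure from being read as a pass.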