Binary authorization policy - add support for namespace rules

[tuukkalahti]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Currently only GKE-cluster -rules are supported.

Binary authorization supports also 3 other ruletypes - especially Kubernetes namespace should be supported (as it gives more control).

New or Affected Resource(s)

• google_binary_authorization_policy

Potential Terraform Configuration

based on rest api format block could be something like:

kubernetes_namespace_admission_rules {
  namespace = "default"
  evaluation_mode = "REQUIRE_ATTESTATION"
  enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  requireAttestationsBy = [google_binary_authorization_attestor.attestor.name]
}

References

• Configure a policy using the Google Cloud console

b/302672961

[newtondev]

This is a feature that we really need at the moment. I will set aside some time to work on it and create a PR.