A conjunction of policy checks, scoped to a particular namespace or Kubernetes service account. In order for evaluation of a CheckSet to return "allowed" for a given image in a given Pod, one of the following conditions must be satisfied: The image is explicitly exempted by an entry in image_allowlist, OR ALL of the checks evaluate to "allowed".

Attributes

• checks (type: list(GoogleApi.BinaryAuthorization.V1.Model.Check.t), default: nil) - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
• displayName (type: String.t, default: nil) - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
• imageAllowlist (type: GoogleApi.BinaryAuthorization.V1.Model.ImageAllowlist.t, default: nil) - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
• scope (type: GoogleApi.BinaryAuthorization.V1.Model.Scope.t, default: nil) - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.