google-apis-binaryauthorization_v1 0.26.0 → 0.27.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/lib/google/apis/binaryauthorization_v1/classes.rb +605 -20
- data/lib/google/apis/binaryauthorization_v1/gem_version.rb +2 -2
- data/lib/google/apis/binaryauthorization_v1/representations.rb +251 -0
- data/lib/google/apis/binaryauthorization_v1/service.rb +177 -0
- metadata +3 -3
@@ -84,6 +84,41 @@ module Google
|
|
84
84
|
end
|
85
85
|
end
|
86
86
|
|
87
|
+
# An attestation authenticator that will be used to verify attestations.
|
88
|
+
# Typically this is just a set of public keys. Conceptually, an authenticator
|
89
|
+
# can be treated as always returning either "authenticated" or "not
|
90
|
+
# authenticated" when presented with a signed attestation (almost always assumed
|
91
|
+
# to be a [DSSE](https://github.com/secure-systems-lab/dsse) attestation). The
|
92
|
+
# details of how an authenticator makes this decision are specific to the type
|
93
|
+
# of 'authenticator' that this message wraps.
|
94
|
+
class AttestationAuthenticator
|
95
|
+
include Google::Apis::Core::Hashable
|
96
|
+
|
97
|
+
# Optional. A user-provided name for this AttestationAuthenticator. This field
|
98
|
+
# has no effect on the policy evaluation behavior except to improve readability
|
99
|
+
# of messages in evaluation results.
|
100
|
+
# Corresponds to the JSON property `displayName`
|
101
|
+
# @return [String]
|
102
|
+
attr_accessor :display_name
|
103
|
+
|
104
|
+
# A bundle of PKIX public keys, used to authenticate attestation signatures.
|
105
|
+
# Generally, a signature is considered to be authenticated by a PkixPublicKeySet
|
106
|
+
# if any of the public keys verify it (i.e. it is an "OR" of the keys).
|
107
|
+
# Corresponds to the JSON property `pkixPublicKeySet`
|
108
|
+
# @return [Google::Apis::BinaryauthorizationV1::PkixPublicKeySet]
|
109
|
+
attr_accessor :pkix_public_key_set
|
110
|
+
|
111
|
+
def initialize(**args)
|
112
|
+
update!(**args)
|
113
|
+
end
|
114
|
+
|
115
|
+
# Update properties of this object
|
116
|
+
def update!(**args)
|
117
|
+
@display_name = args[:display_name] if args.key?(:display_name)
|
118
|
+
@pkix_public_key_set = args[:pkix_public_key_set] if args.key?(:pkix_public_key_set)
|
119
|
+
end
|
120
|
+
end
|
121
|
+
|
87
122
|
# Occurrence that represents a single "attestation". The authenticity of an
|
88
123
|
# attestation can be verified using the attached signature. If the verifier
|
89
124
|
# trusts the public key of the signer, then verifying the signature is
|
@@ -131,6 +166,26 @@ module Google
|
|
131
166
|
end
|
132
167
|
end
|
133
168
|
|
169
|
+
# Specifies the locations for fetching the provenance attestations.
|
170
|
+
class AttestationSource
|
171
|
+
include Google::Apis::Core::Hashable
|
172
|
+
|
173
|
+
# The ids of the GCP projects storing the SLSA attestations as container
|
174
|
+
# analysis Occurrences.
|
175
|
+
# Corresponds to the JSON property `containerAnalysisAttestationProjects`
|
176
|
+
# @return [Array<String>]
|
177
|
+
attr_accessor :container_analysis_attestation_projects
|
178
|
+
|
179
|
+
def initialize(**args)
|
180
|
+
update!(**args)
|
181
|
+
end
|
182
|
+
|
183
|
+
# Update properties of this object
|
184
|
+
def update!(**args)
|
185
|
+
@container_analysis_attestation_projects = args[:container_analysis_attestation_projects] if args.key?(:container_analysis_attestation_projects)
|
186
|
+
end
|
187
|
+
end
|
188
|
+
|
134
189
|
# An attestor that attests to container image artifacts. An existing attestor
|
135
190
|
# cannot be modified except where indicated.
|
136
191
|
class Attestor
|
@@ -305,6 +360,124 @@ module Google
|
|
305
360
|
end
|
306
361
|
end
|
307
362
|
|
363
|
+
# A single check to perform against a Pod. Checks are grouped into CheckSets,
|
364
|
+
# which are defined by the top-level policy.
|
365
|
+
class Check
|
366
|
+
include Google::Apis::Core::Hashable
|
367
|
+
|
368
|
+
# Optional. A special-case check that always denies. Note that this still only
|
369
|
+
# applies when the scope of the CheckSet applies and the image isn't exempted by
|
370
|
+
# an image allowlist. This check is primarily useful for testing, or to set the
|
371
|
+
# default behavior for all unmatched scopes to "deny".
|
372
|
+
# Corresponds to the JSON property `alwaysDeny`
|
373
|
+
# @return [Boolean]
|
374
|
+
attr_accessor :always_deny
|
375
|
+
alias_method :always_deny?, :always_deny
|
376
|
+
|
377
|
+
# Optional. A user-provided name for this Check. This field has no effect on the
|
378
|
+
# policy evaluation behavior except to improve readability of messages in
|
379
|
+
# evaluation results.
|
380
|
+
# Corresponds to the JSON property `displayName`
|
381
|
+
# @return [String]
|
382
|
+
attr_accessor :display_name
|
383
|
+
|
384
|
+
# Images that are exempted from normal checks based on name pattern only.
|
385
|
+
# Corresponds to the JSON property `imageAllowlist`
|
386
|
+
# @return [Google::Apis::BinaryauthorizationV1::ImageAllowlist]
|
387
|
+
attr_accessor :image_allowlist
|
388
|
+
|
389
|
+
# An image freshness check, which rejects images that were uploaded before the
|
390
|
+
# set number of days ago to the supported repositories.
|
391
|
+
# Corresponds to the JSON property `imageFreshnessCheck`
|
392
|
+
# @return [Google::Apis::BinaryauthorizationV1::ImageFreshnessCheck]
|
393
|
+
attr_accessor :image_freshness_check
|
394
|
+
|
395
|
+
# Require a signed [DSSE](https://github.com/secure-systems-lab/dsse)
|
396
|
+
# attestation with type SimpleSigning.
|
397
|
+
# Corresponds to the JSON property `simpleSigningAttestationCheck`
|
398
|
+
# @return [Google::Apis::BinaryauthorizationV1::SimpleSigningAttestationCheck]
|
399
|
+
attr_accessor :simple_signing_attestation_check
|
400
|
+
|
401
|
+
# A SLSA provenance attestation check, which ensures that images are built by a
|
402
|
+
# trusted builder using source code from its trusted repositories only.
|
403
|
+
# Corresponds to the JSON property `slsaCheck`
|
404
|
+
# @return [Google::Apis::BinaryauthorizationV1::SlsaCheck]
|
405
|
+
attr_accessor :slsa_check
|
406
|
+
|
407
|
+
# A trusted directory check, which rejects images that do not come from the set
|
408
|
+
# of user-configured trusted directories.
|
409
|
+
# Corresponds to the JSON property `trustedDirectoryCheck`
|
410
|
+
# @return [Google::Apis::BinaryauthorizationV1::TrustedDirectoryCheck]
|
411
|
+
attr_accessor :trusted_directory_check
|
412
|
+
|
413
|
+
# An image vulnerability check, which rejects images that violate the configured
|
414
|
+
# vulnerability rules.
|
415
|
+
# Corresponds to the JSON property `vulnerabilityCheck`
|
416
|
+
# @return [Google::Apis::BinaryauthorizationV1::VulnerabilityCheck]
|
417
|
+
attr_accessor :vulnerability_check
|
418
|
+
|
419
|
+
def initialize(**args)
|
420
|
+
update!(**args)
|
421
|
+
end
|
422
|
+
|
423
|
+
# Update properties of this object
|
424
|
+
def update!(**args)
|
425
|
+
@always_deny = args[:always_deny] if args.key?(:always_deny)
|
426
|
+
@display_name = args[:display_name] if args.key?(:display_name)
|
427
|
+
@image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
|
428
|
+
@image_freshness_check = args[:image_freshness_check] if args.key?(:image_freshness_check)
|
429
|
+
@simple_signing_attestation_check = args[:simple_signing_attestation_check] if args.key?(:simple_signing_attestation_check)
|
430
|
+
@slsa_check = args[:slsa_check] if args.key?(:slsa_check)
|
431
|
+
@trusted_directory_check = args[:trusted_directory_check] if args.key?(:trusted_directory_check)
|
432
|
+
@vulnerability_check = args[:vulnerability_check] if args.key?(:vulnerability_check)
|
433
|
+
end
|
434
|
+
end
|
435
|
+
|
436
|
+
# A conjunction of policy checks, scoped to a particular namespace or Kubernetes
|
437
|
+
# service account. In order for evaluation of a CheckSet to return "allowed" for
|
438
|
+
# a given image in a given Pod, one of the following conditions must be
|
439
|
+
# satisfied: * The image is explicitly exempted by an entry in `image_allowlist`,
|
440
|
+
# OR * ALL of the `checks` evaluate to "allowed".
|
441
|
+
class CheckSet
|
442
|
+
include Google::Apis::Core::Hashable
|
443
|
+
|
444
|
+
# Optional. The checks to apply. The ultimate result of evaluating the check set
|
445
|
+
# will be "allow" if and only if every check in 'checks' evaluates to "allow".
|
446
|
+
# If `checks` is empty, the default behavior is "always allow".
|
447
|
+
# Corresponds to the JSON property `checks`
|
448
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::Check>]
|
449
|
+
attr_accessor :checks
|
450
|
+
|
451
|
+
# Optional. A user-provided name for this CheckSet. This field has no effect on
|
452
|
+
# the policy evaluation behavior except to improve readability of messages in
|
453
|
+
# evaluation results.
|
454
|
+
# Corresponds to the JSON property `displayName`
|
455
|
+
# @return [String]
|
456
|
+
attr_accessor :display_name
|
457
|
+
|
458
|
+
# Images that are exempted from normal checks based on name pattern only.
|
459
|
+
# Corresponds to the JSON property `imageAllowlist`
|
460
|
+
# @return [Google::Apis::BinaryauthorizationV1::ImageAllowlist]
|
461
|
+
attr_accessor :image_allowlist
|
462
|
+
|
463
|
+
# A scope specifier for CheckSets.
|
464
|
+
# Corresponds to the JSON property `scope`
|
465
|
+
# @return [Google::Apis::BinaryauthorizationV1::Scope]
|
466
|
+
attr_accessor :scope
|
467
|
+
|
468
|
+
def initialize(**args)
|
469
|
+
update!(**args)
|
470
|
+
end
|
471
|
+
|
472
|
+
# Update properties of this object
|
473
|
+
def update!(**args)
|
474
|
+
@checks = args[:checks] if args.key?(:checks)
|
475
|
+
@display_name = args[:display_name] if args.key?(:display_name)
|
476
|
+
@image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
|
477
|
+
@scope = args[:scope] if args.key?(:scope)
|
478
|
+
end
|
479
|
+
end
|
480
|
+
|
308
481
|
# A generic empty message that you can re-use to avoid defining duplicated empty
|
309
482
|
# messages in your APIs. A typical example is to use it as the request or the
|
310
483
|
# response type of an API method. For instance: service Foo ` rpc Bar(google.
|
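Review bot: The `image_allowlist` on both `Check` and `CheckSet` (`attr_accessor :image_allowlist`) exempts an image from every check by name pattern only, and the `always_deny` comment confirms the exemption wins even over an always-deny check, so an allowlist entry is a full policy bypass rather than a refinement. Matching is by name and the comment says nothing about digests, so a caller who can push a new image under an allowlisted path presumably gets it admitted unchecked; that deserves a caveat on the field, e.g. `# SECURITY: an allowlist match skips every check in this CheckSet, including always_deny; matching is by name pattern, not digest, so keep patterns as narrow as possible.` The `checks` comment also documents an empty list as "always allow", so a scoped CheckSet with no checks silently fails open and should get a similar warning. These comments come from the API description, so if this file is generated the wording fix belongs upstream.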
@@ -375,6 +548,46 @@ module Google
|
|
375
548
|
end
|
376
549
|
end
|
377
550
|
|
551
|
+
# A Binary Authorization policy for a GKE cluster. This is one type of policy
|
552
|
+
# that can occur as a `PlatformPolicy`.
|
553
|
+
class GkePolicy
|
554
|
+
include Google::Apis::Core::Hashable
|
555
|
+
|
556
|
+
# Optional. The CheckSets to apply, scoped by namespace or namespace and service
|
557
|
+
# account. Exactly one CheckSet will be evaluated for a given Pod (unless the
|
558
|
+
# list is empty, in which case the behavior is "always allow"). If multiple
|
559
|
+
# CheckSets have scopes that match the namespace and service account of the Pod
|
560
|
+
# being evaluated, only the CheckSet with the MOST SPECIFIC scope will match.
|
561
|
+
# CheckSets must be listed in order of decreasing specificity, i.e. if a scope
|
562
|
+
# matches a given service account (which must include the namespace), it must
|
563
|
+
# come before a CheckSet with a scope matching just that namespace. This
|
564
|
+
# property is enforced by server-side validation. The purpose of this
|
565
|
+
# restriction is to ensure that if more than one CheckSet matches a given Pod,
|
566
|
+
# the CheckSet that will be evaluated will always be the first in the list to
|
567
|
+
# match (because if any other matches, it must be less specific). If `check_sets`
|
568
|
+
# is empty, the default behavior is to allow all images. If `check_sets` is non-
|
569
|
+
# empty, the last `check_sets` entry must always be a CheckSet with no scope set,
|
570
|
+
# i.e. a catchall to handle any situation not caught by the preceding CheckSets.
|
571
|
+
# Corresponds to the JSON property `checkSets`
|
572
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::CheckSet>]
|
573
|
+
attr_accessor :check_sets
|
574
|
+
|
575
|
+
# Images that are exempted from normal checks based on name pattern only.
|
576
|
+
# Corresponds to the JSON property `imageAllowlist`
|
577
|
+
# @return [Google::Apis::BinaryauthorizationV1::ImageAllowlist]
|
578
|
+
attr_accessor :image_allowlist
|
579
|
+
|
580
|
+
def initialize(**args)
|
581
|
+
update!(**args)
|
582
|
+
end
|
583
|
+
|
584
|
+
# Update properties of this object
|
585
|
+
def update!(**args)
|
586
|
+
@check_sets = args[:check_sets] if args.key?(:check_sets)
|
587
|
+
@image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
|
588
|
+
end
|
589
|
+
end
|
590
|
+
|
378
591
|
# An Identity and Access Management (IAM) policy, which specifies access
|
379
592
|
# controls for Google Cloud resources. A `Policy` is a collection of `bindings`.
|
380
593
|
# A `binding` binds one or more `members`, or principals, to a single `role`.
|
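Review bot: `check_sets` on `GkePolicy` is documented as "allow all images" when empty, and the mandatory trailing catch-all CheckSet inherits the same fail-open default if its own `checks` list is empty, so a policy can pass server-side validation and still enforce nothing. The comment explains the ordering rule at length but never says which catch-all is the safe one; I'd add `# Practitioners: give the final unscoped CheckSet an always_deny Check so that unmatched namespaces/service accounts fail closed.` next to `attr_accessor :check_sets`. The policy-level `image_allowlist` carries the same "exempted from normal checks based on name pattern only" text as the per-CheckSet one, which suggests it applies before any CheckSet is consulted, though this hunk does not state the evaluation order explicitly. If this file is generated from the discovery document, the wording change belongs upstream.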
@@ -386,22 +599,22 @@ module Google
|
|
386
599
|
# evaluates to `true`. A condition can add constraints based on attributes of
|
387
600
|
# the request, the resource, or both. To learn which resources support
|
388
601
|
# conditions in their IAM policies, see the [IAM documentation](https://cloud.
|
389
|
-
# google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
|
602
|
+
# google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
|
390
603
|
# bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
|
391
604
|
# "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
|
392
605
|
# serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
|
393
606
|
# roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
|
394
607
|
# ], "condition": ` "title": "expirable access", "description": "Does not grant
|
395
608
|
# access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
|
396
|
-
# 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML
|
397
|
-
# bindings: - members: - user:mike@example.com - group:admins@
|
398
|
-
# domain:google.com - serviceAccount:my-project-id@appspot.
|
399
|
-
# role: roles/resourcemanager.organizationAdmin - members: -
|
400
|
-
# com role: roles/resourcemanager.organizationViewer condition:
|
401
|
-
# access description: Does not grant access after Sep 2020
|
402
|
-
# time < timestamp('2020-10-01T00:00:00.000Z') etag:
|
403
|
-
# a description of IAM and its features, see the
|
404
|
-
# cloud.google.com/iam/docs/).
|
609
|
+
# 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
|
610
|
+
# example:** ``` bindings: - members: - user:mike@example.com - group:admins@
|
611
|
+
# example.com - domain:google.com - serviceAccount:my-project-id@appspot.
|
612
|
+
# gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
|
613
|
+
# user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
|
614
|
+
# title: expirable access description: Does not grant access after Sep 2020
|
615
|
+
# expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
|
616
|
+
# BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
|
617
|
+
# [IAM documentation](https://cloud.google.com/iam/docs/).
|
405
618
|
class IamPolicy
|
406
619
|
include Google::Apis::Core::Hashable
|
407
620
|
|
@@ -464,6 +677,47 @@ module Google
|
|
464
677
|
end
|
465
678
|
end
|
466
679
|
|
680
|
+
# Images that are exempted from normal checks based on name pattern only.
|
681
|
+
class ImageAllowlist
|
682
|
+
include Google::Apis::Core::Hashable
|
683
|
+
|
684
|
+
# Required. A disjunction of image patterns to allow. If any of these patterns
|
685
|
+
# match, then the image is considered exempted by this allowlist.
|
686
|
+
# Corresponds to the JSON property `allowPattern`
|
687
|
+
# @return [Array<String>]
|
688
|
+
attr_accessor :allow_pattern
|
689
|
+
|
690
|
+
def initialize(**args)
|
691
|
+
update!(**args)
|
692
|
+
end
|
693
|
+
|
694
|
+
# Update properties of this object
|
695
|
+
def update!(**args)
|
696
|
+
@allow_pattern = args[:allow_pattern] if args.key?(:allow_pattern)
|
697
|
+
end
|
698
|
+
end
|
699
|
+
|
700
|
+
# An image freshness check, which rejects images that were uploaded before the
|
701
|
+
# set number of days ago to the supported repositories.
|
702
|
+
class ImageFreshnessCheck
|
703
|
+
include Google::Apis::Core::Hashable
|
704
|
+
|
705
|
+
# Required. The max number of days that is allowed since the image was uploaded.
|
706
|
+
# Must be greater than zero.
|
707
|
+
# Corresponds to the JSON property `maxUploadAgeDays`
|
708
|
+
# @return [Fixnum]
|
709
|
+
attr_accessor :max_upload_age_days
|
710
|
+
|
711
|
+
def initialize(**args)
|
712
|
+
update!(**args)
|
713
|
+
end
|
714
|
+
|
715
|
+
# Update properties of this object
|
716
|
+
def update!(**args)
|
717
|
+
@max_upload_age_days = args[:max_upload_age_days] if args.key?(:max_upload_age_days)
|
718
|
+
end
|
719
|
+
end
|
720
|
+
|
467
721
|
#
|
468
722
|
class Jwt
|
469
723
|
include Google::Apis::Core::Hashable
|
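Review bot: `allow_pattern` is marked Required and described as "a disjunction of image patterns", but unlike `trusted_dir_patterns` elsewhere in this release the comment gives no pattern syntax — no wildcard rules and no statement of whether a tag or digest is matched — so a reader cannot judge how broad an entry is. Since any match exempts the image from every other check, an over-broad pattern is a complete bypass; I'd note that on the accessor: `# Each entry fully exempts matching images from all checks; confirm the pattern syntax before adding wildcards.` `max_upload_age_days` is documented as "must be greater than zero" but nothing in this client enforces it, so validation is presumably server-side, which is acceptable for a generated client but worth knowing when a policy create call is rejected.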
@@ -512,6 +766,33 @@ module Google
|
|
512
766
|
end
|
513
767
|
end
|
514
768
|
|
769
|
+
# Response message for PlatformPolicyManagementService.ListPlatformPolicies.
|
770
|
+
class ListPlatformPoliciesResponse
|
771
|
+
include Google::Apis::Core::Hashable
|
772
|
+
|
773
|
+
# A token to retrieve the next page of results. Pass this value in the
|
774
|
+
# ListPlatformPoliciesRequest.page_token field in the subsequent call to the `
|
775
|
+
# ListPlatformPolicies` method to retrieve the next page of results.
|
776
|
+
# Corresponds to the JSON property `nextPageToken`
|
777
|
+
# @return [String]
|
778
|
+
attr_accessor :next_page_token
|
779
|
+
|
780
|
+
# The list of platform policies.
|
781
|
+
# Corresponds to the JSON property `platformPolicies`
|
782
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::PlatformPolicy>]
|
783
|
+
attr_accessor :platform_policies
|
784
|
+
|
785
|
+
def initialize(**args)
|
786
|
+
update!(**args)
|
787
|
+
end
|
788
|
+
|
789
|
+
# Update properties of this object
|
790
|
+
def update!(**args)
|
791
|
+
@next_page_token = args[:next_page_token] if args.key?(:next_page_token)
|
792
|
+
@platform_policies = args[:platform_policies] if args.key?(:platform_policies)
|
793
|
+
end
|
794
|
+
end
|
795
|
+
|
515
796
|
# A public key in the PkixPublicKey format (see https://tools.ietf.org/html/
|
516
797
|
# rfc5280#section-4.1.2.7 for details). Public keys of this type are typically
|
517
798
|
# textually encoded using the PEM format.
|
@@ -543,6 +824,66 @@ module Google
|
|
543
824
|
end
|
544
825
|
end
|
545
826
|
|
827
|
+
# A bundle of PKIX public keys, used to authenticate attestation signatures.
|
828
|
+
# Generally, a signature is considered to be authenticated by a PkixPublicKeySet
|
829
|
+
# if any of the public keys verify it (i.e. it is an "OR" of the keys).
|
830
|
+
class PkixPublicKeySet
|
831
|
+
include Google::Apis::Core::Hashable
|
832
|
+
|
833
|
+
# Required. `pkix_public_keys` must have at least one entry.
|
834
|
+
# Corresponds to the JSON property `pkixPublicKeys`
|
835
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::PkixPublicKey>]
|
836
|
+
attr_accessor :pkix_public_keys
|
837
|
+
|
838
|
+
def initialize(**args)
|
839
|
+
update!(**args)
|
840
|
+
end
|
841
|
+
|
842
|
+
# Update properties of this object
|
843
|
+
def update!(**args)
|
844
|
+
@pkix_public_keys = args[:pkix_public_keys] if args.key?(:pkix_public_keys)
|
845
|
+
end
|
846
|
+
end
|
847
|
+
|
848
|
+
# A Binary Authorization platform policy for deployments on various platforms.
|
849
|
+
class PlatformPolicy
|
850
|
+
include Google::Apis::Core::Hashable
|
851
|
+
|
852
|
+
# Optional. A description comment about the policy.
|
853
|
+
# Corresponds to the JSON property `description`
|
854
|
+
# @return [String]
|
855
|
+
attr_accessor :description
|
856
|
+
|
857
|
+
# A Binary Authorization policy for a GKE cluster. This is one type of policy
|
858
|
+
# that can occur as a `PlatformPolicy`.
|
859
|
+
# Corresponds to the JSON property `gkePolicy`
|
860
|
+
# @return [Google::Apis::BinaryauthorizationV1::GkePolicy]
|
861
|
+
attr_accessor :gke_policy
|
862
|
+
|
863
|
+
# Output only. The relative resource name of the BinAuthz platform policy, in
|
864
|
+
# the form of `projects/*/platforms/*/policies/*`.
|
865
|
+
# Corresponds to the JSON property `name`
|
866
|
+
# @return [String]
|
867
|
+
attr_accessor :name
|
868
|
+
|
869
|
+
# Output only. Time when the policy was last updated.
|
870
|
+
# Corresponds to the JSON property `updateTime`
|
871
|
+
# @return [String]
|
872
|
+
attr_accessor :update_time
|
873
|
+
|
874
|
+
def initialize(**args)
|
875
|
+
update!(**args)
|
876
|
+
end
|
877
|
+
|
878
|
+
# Update properties of this object
|
879
|
+
def update!(**args)
|
880
|
+
@description = args[:description] if args.key?(:description)
|
881
|
+
@gke_policy = args[:gke_policy] if args.key?(:gke_policy)
|
882
|
+
@name = args[:name] if args.key?(:name)
|
883
|
+
@update_time = args[:update_time] if args.key?(:update_time)
|
884
|
+
end
|
885
|
+
end
|
886
|
+
|
546
887
|
# A policy for container image binary authorization.
|
547
888
|
class Policy
|
548
889
|
include Google::Apis::Core::Hashable
|
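Review bot: `PkixPublicKeySet` is documented as an "OR" of its keys, so a single compromised or retired key left in `pkix_public_keys` is enough to authenticate attestations for every check that references the set. That is the right semantic for rotation, but the comment should say the rotation must end with the old key removed, e.g. `# Rotation note: remove retired keys promptly — any single key in this set can validate an attestation.` `PlatformPolicy` exposes `name` and `update_time` as output-only fields, but no etag or version field is visible in this hunk, so concurrent updates appear to be last-writer-wins; if the service supports conditional updates that would be worth documenting on the class. If this file is generated, the comment changes belong in the discovery document.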
@@ -642,6 +983,34 @@ module Google
|
|
642
983
|
end
|
643
984
|
end
|
644
985
|
|
986
|
+
# A scope specifier for CheckSets.
|
987
|
+
class Scope
|
988
|
+
include Google::Apis::Core::Hashable
|
989
|
+
|
990
|
+
# Optional. Matches all Kubernetes service accounts in the provided namespace,
|
991
|
+
# unless a more specific `kubernetes_service_account` scope already matched.
|
992
|
+
# Corresponds to the JSON property `kubernetesNamespace`
|
993
|
+
# @return [String]
|
994
|
+
attr_accessor :kubernetes_namespace
|
995
|
+
|
996
|
+
# Optional. Matches a single Kubernetes service account, e.g. 'my-namespace:my-
|
997
|
+
# service-account'. `kubernetes_service_account` scope is always more specific
|
998
|
+
# than `kubernetes_namespace` scope for the same namespace.
|
999
|
+
# Corresponds to the JSON property `kubernetesServiceAccount`
|
1000
|
+
# @return [String]
|
1001
|
+
attr_accessor :kubernetes_service_account
|
1002
|
+
|
1003
|
+
def initialize(**args)
|
1004
|
+
update!(**args)
|
1005
|
+
end
|
1006
|
+
|
1007
|
+
# Update properties of this object
|
1008
|
+
def update!(**args)
|
1009
|
+
@kubernetes_namespace = args[:kubernetes_namespace] if args.key?(:kubernetes_namespace)
|
1010
|
+
@kubernetes_service_account = args[:kubernetes_service_account] if args.key?(:kubernetes_service_account)
|
1011
|
+
end
|
1012
|
+
end
|
1013
|
+
|
645
1014
|
# Request message for `SetIamPolicy` method.
|
646
1015
|
class SetIamPolicyRequest
|
647
1016
|
include Google::Apis::Core::Hashable
|
@@ -657,22 +1026,22 @@ module Google
|
|
657
1026
|
# evaluates to `true`. A condition can add constraints based on attributes of
|
658
1027
|
# the request, the resource, or both. To learn which resources support
|
659
1028
|
# conditions in their IAM policies, see the [IAM documentation](https://cloud.
|
660
|
-
# google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
|
1029
|
+
# google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
|
661
1030
|
# bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
|
662
1031
|
# "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
|
663
1032
|
# serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
|
664
1033
|
# roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
|
665
1034
|
# ], "condition": ` "title": "expirable access", "description": "Does not grant
|
666
1035
|
# access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
|
667
|
-
# 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML
|
668
|
-
# bindings: - members: - user:mike@example.com - group:admins@
|
669
|
-
# domain:google.com - serviceAccount:my-project-id@appspot.
|
670
|
-
# role: roles/resourcemanager.organizationAdmin - members: -
|
671
|
-
# com role: roles/resourcemanager.organizationViewer condition:
|
672
|
-
# access description: Does not grant access after Sep 2020
|
673
|
-
# time < timestamp('2020-10-01T00:00:00.000Z') etag:
|
674
|
-
# a description of IAM and its features, see the
|
675
|
-
# cloud.google.com/iam/docs/).
|
1036
|
+
# 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
|
1037
|
+
# example:** ``` bindings: - members: - user:mike@example.com - group:admins@
|
1038
|
+
# example.com - domain:google.com - serviceAccount:my-project-id@appspot.
|
1039
|
+
# gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
|
1040
|
+
# user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
|
1041
|
+
# title: expirable access description: Does not grant access after Sep 2020
|
1042
|
+
# expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
|
1043
|
+
# BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
|
1044
|
+
# [IAM documentation](https://cloud.google.com/iam/docs/).
|
676
1045
|
# Corresponds to the JSON property `policy`
|
677
1046
|
# @return [Google::Apis::BinaryauthorizationV1::IamPolicy]
|
678
1047
|
attr_accessor :policy
|
@@ -742,6 +1111,64 @@ module Google
|
|
742
1111
|
end
|
743
1112
|
end
|
744
1113
|
|
1114
|
+
# Require a signed [DSSE](https://github.com/secure-systems-lab/dsse)
|
1115
|
+
# attestation with type SimpleSigning.
|
1116
|
+
class SimpleSigningAttestationCheck
|
1117
|
+
include Google::Apis::Core::Hashable
|
1118
|
+
|
1119
|
+
# Required. The authenticators required by this check to verify an attestation.
|
1120
|
+
# Typically this is one or more PKIX public keys for signature verification.
|
1121
|
+
# Only one authenticator needs to consider an attestation verified in order for
|
1122
|
+
# an attestation to be considered fully authenticated. In otherwords, this list
|
1123
|
+
# of authenticators is an "OR" of the authenticator results. At least one
|
1124
|
+
# authenticator is required.
|
1125
|
+
# Corresponds to the JSON property `attestationAuthenticators`
|
1126
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::AttestationAuthenticator>]
|
1127
|
+
attr_accessor :attestation_authenticators
|
1128
|
+
|
1129
|
+
# Optional. The projects where attestations are stored as Container Analysis
|
1130
|
+
# Occurrences. Only one attestation needs to successfully verify an image for
|
1131
|
+
# this check to pass, so a single verified attestation found in any of `
|
1132
|
+
# container_analysis_attestation_projects` is sufficient for the check to pass.
|
1133
|
+
# When fetching Occurrences from Container Analysis, only 'AttestationOccurrence'
|
1134
|
+
# kinds are considered. In the future, additional Occurrence kinds may be added
|
1135
|
+
# to the query.
|
1136
|
+
# Corresponds to the JSON property `containerAnalysisAttestationProjects`
|
1137
|
+
# @return [Array<String>]
|
1138
|
+
attr_accessor :container_analysis_attestation_projects
|
1139
|
+
|
1140
|
+
def initialize(**args)
|
1141
|
+
update!(**args)
|
1142
|
+
end
|
1143
|
+
|
1144
|
+
# Update properties of this object
|
1145
|
+
def update!(**args)
|
1146
|
+
@attestation_authenticators = args[:attestation_authenticators] if args.key?(:attestation_authenticators)
|
1147
|
+
@container_analysis_attestation_projects = args[:container_analysis_attestation_projects] if args.key?(:container_analysis_attestation_projects)
|
1148
|
+
end
|
1149
|
+
end
|
1150
|
+
|
1151
|
+
# A SLSA provenance attestation check, which ensures that images are built by a
|
1152
|
+
# trusted builder using source code from its trusted repositories only.
|
1153
|
+
class SlsaCheck
|
1154
|
+
include Google::Apis::Core::Hashable
|
1155
|
+
|
1156
|
+
# Specifies a list of verification rules for the SLSA attestations. An image is
|
1157
|
+
# considered compliant with the SlsaCheck if any of the rules are satisfied.
|
1158
|
+
# Corresponds to the JSON property `rules`
|
1159
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::VerificationRule>]
|
1160
|
+
attr_accessor :rules
|
1161
|
+
|
1162
|
+
def initialize(**args)
|
1163
|
+
update!(**args)
|
1164
|
+
end
|
1165
|
+
|
1166
|
+
# Update properties of this object
|
1167
|
+
def update!(**args)
|
1168
|
+
@rules = args[:rules] if args.key?(:rules)
|
1169
|
+
end
|
1170
|
+
end
|
1171
|
+
|
745
1172
|
# Request message for `TestIamPermissions` method.
|
746
1173
|
class TestIamPermissionsRequest
|
747
1174
|
include Google::Apis::Core::Hashable
|
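Review bot: `container_analysis_attestation_projects` is Optional, yet the comment never says where attestations are fetched from when the list is empty, which matters because the check passes on a single verified attestation found in any listed project. Listing a project makes its Occurrence store part of the trust path; an attestation still has to verify against one of `attestation_authenticators`, but I'd add `# Keep this list to projects with tight write access on Occurrences; any listed project is consulted.` on the accessor. `SlsaCheck.rules` is likewise "any rule satisfied", so one permissive VerificationRule weakens the whole check, and a sentence saying so next to `attr_accessor :rules` would help. The `VerificationRule` class itself is defined in a later hunk.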
@@ -782,6 +1209,40 @@ module Google
|
|
782
1209
|
end
|
783
1210
|
end
|
784
1211
|
|
1212
|
+
# A trusted directory check, which rejects images that do not come from the set
|
1213
|
+
# of user-configured trusted directories.
|
1214
|
+
class TrustedDirectoryCheck
|
1215
|
+
include Google::Apis::Core::Hashable
|
1216
|
+
|
1217
|
+
# Required. List of trusted directory patterns. A pattern is in the form "
|
1218
|
+
# registry/path/to/directory". The registry domain part is defined as two or
|
1219
|
+
# more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be
|
1220
|
+
# used in three ways as wildcards: 1. leading * to match varying prefixes in
|
1221
|
+
# registry subdomain (useful for location prefixes); 2. trailing * after
|
1222
|
+
# registry/ to match varying endings; 3. trailing ** after registry/ to match "/"
|
1223
|
+
# as well. For example: -- gcr.io/my-project/my-repo is valid to match a single
|
1224
|
+
# directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are
|
1225
|
+
# valid to match varying prefixes -- gcr.io/my-project/* will match all direct
|
1226
|
+
# directories in my-project -- gcr.io/my-project/** would match all directories
|
1227
|
+
# in my-project -- gcr.i* is not allowed since the registry is not completely
|
1228
|
+
# specified -- sub*domain.gcr.io/nginx is not valid because only leading * or
|
1229
|
+
# trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because
|
1230
|
+
# leading * can only match subdomain -- **-docker.pkg.dev is not valid because
|
1231
|
+
# one leading * is allowed, and that it cannot match "/"
|
1232
|
+
# Corresponds to the JSON property `trustedDirPatterns`
|
1233
|
+
# @return [Array<String>]
|
1234
|
+
attr_accessor :trusted_dir_patterns
|
1235
|
+
|
1236
|
+
def initialize(**args)
|
1237
|
+
update!(**args)
|
1238
|
+
end
|
1239
|
+
|
1240
|
+
# Update properties of this object
|
1241
|
+
def update!(**args)
|
1242
|
+
@trusted_dir_patterns = args[:trusted_dir_patterns] if args.key?(:trusted_dir_patterns)
|
1243
|
+
end
|
1244
|
+
end
|
1245
|
+
|
785
1246
|
# An user owned Grafeas note references a Grafeas Attestation.Authority Note
|
786
1247
|
# created by the user.
|
787
1248
|
class UserOwnedGrafeasNote
|
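Review bot: The pattern rules for `trusted_dir_patterns` permit a trailing `*` or `**` directly after `registry/`, and the examples only show project-scoped forms, so nothing warns that `gcr.io/*` or `*-docker.pkg.dev/**` would trust every project hosted on that registry. A practitioner note on the accessor would help: `# Always include the project/repository segment; a pattern ending right after the registry trusts every tenant of that registry.` The sentence "one leading * is allowed, and that it cannot match "/"" is also ambiguous about whether a leading `*` may span several dot-separated labels, so `*.gcr.io` should be confirmed against the service before being relied on. If this file is generated from the discovery document, the wording belongs upstream.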
@@ -892,6 +1353,130 @@ module Google
|
|
892
1353
|
@result = args[:result] if args.key?(:result)
|
893
1354
|
end
|
894
1355
|
end
|
1356
|
+
|
1357
|
+
# Specifies verification rules for evaluating the SLSA attestations including:
|
1358
|
+
# which builders to trust, where to fetch the SLSA attestations generated by
|
1359
|
+
# those builders, and other builder-specific evaluation rules such as which
|
1360
|
+
# source repositories are trusted. An image is considered verified by the rule
|
1361
|
+
# if any of the fetched SLSA attestations is verified.
|
1362
|
+
class VerificationRule
|
1363
|
+
include Google::Apis::Core::Hashable
|
1364
|
+
|
1365
|
+
# Specifies the locations for fetching the provenance attestations.
|
1366
|
+
# Corresponds to the JSON property `attestationSource`
|
1367
|
+
# @return [Google::Apis::BinaryauthorizationV1::AttestationSource]
|
1368
|
+
attr_accessor :attestation_source
|
1369
|
+
|
1370
|
+
# If true, require the image to be built from a top-level configuration.
|
1371
|
+
# trusted_source_repo patterns specifies the repositories containing this
|
1372
|
+
# configuration.
|
1373
|
+
# Corresponds to the JSON property `configBasedBuildRequired`
|
1374
|
+
# @return [Boolean]
|
1375
|
+
attr_accessor :config_based_build_required
|
1376
|
+
alias_method :config_based_build_required?, :config_based_build_required
|
1377
|
+
|
1378
|
+
# Each verification rule is used for evaluation against provenances generated by
|
1379
|
+
# a specific builder (group). For some of the builders, such as the Google Cloud
|
1380
|
+
# Build, users don't need to explicitly specify their roots of trust in the
|
1381
|
+
# policy since the evaluation service can automatically fetch them based on the
|
1382
|
+
# builder (group).
|
1383
|
+
# Corresponds to the JSON property `trustedBuilder`
|
1384
|
+
# @return [String]
|
1385
|
+
attr_accessor :trusted_builder
|
1386
|
+
|
1387
|
+
# List of trusted source code repository URL patterns. These patterns match the
|
1388
|
+
# full repository URL without its scheme (e.g. "https://"). The patterns must
|
1389
|
+
# not include schemes. For example, the pattern "source.cloud.google.com/my-
|
1390
|
+
# project/my-repo-name" matches the following URLs: - "source.cloud.google.com/
|
1391
|
+
# my-project/my-repo-name" - "git+ssh://source.cloud.google.com/my-project/my-
|
1392
|
+
# repo-name" - "https://source.cloud.google.com/my-project/my-repo-name" A
|
1393
|
+
# pattern matches a URL either exactly or with * wildcards. * can be used in
|
1394
|
+
# only two ways: 1. trailing * after hosturi/ to match varying endings; 2.
|
1395
|
+
# trailing ** after hosturi/ to match "/" as well. * and ** can only be used as
|
1396
|
+
# wildcards and can only occur at the end of the pattern after a /. (So it's not
|
1397
|
+
# possible to match a URL that contains literal *.) For example: - "github.com/
|
1398
|
+
# my-project/my-repo" is valid to match a single repo - "github.com/my-project/*"
|
1399
|
+
# will match all direct repos in my-project - "github.com/**" matches all repos
|
1400
|
+
# in GitHub
|
1401
|
+
# Corresponds to the JSON property `trustedSourceRepoPatterns`
|
1402
|
+
# @return [Array<String>]
|
1403
|
+
attr_accessor :trusted_source_repo_patterns
|
1404
|
+
|
1405
|
+
def initialize(**args)
|
1406
|
+
update!(**args)
|
1407
|
+
end
|
1408
|
+
|
1409
|
+
# Update properties of this object
|
1410
|
+
def update!(**args)
|
1411
|
+
@attestation_source = args[:attestation_source] if args.key?(:attestation_source)
|
1412
|
+
@config_based_build_required = args[:config_based_build_required] if args.key?(:config_based_build_required)
|
1413
|
+
@trusted_builder = args[:trusted_builder] if args.key?(:trusted_builder)
|
1414
|
+
@trusted_source_repo_patterns = args[:trusted_source_repo_patterns] if args.key?(:trusted_source_repo_patterns)
|
1415
|
+
end
|
1416
|
+
end
|
1417
|
+
|
1418
|
+
# An image vulnerability check, which rejects images that violate the configured
|
1419
|
+
# vulnerability rules.
|
1420
|
+
class VulnerabilityCheck
|
1421
|
+
include Google::Apis::Core::Hashable
|
1422
|
+
|
1423
|
+
# Optional. A list of specific CVEs to ignore even if the vulnerability level
|
1424
|
+
# violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed
|
1425
|
+
# in the format of Container Analysis note id. For example: - CVE-2021-20305 -
|
1426
|
+
# CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.
|
1427
|
+
# g., an entry of `CVE-2021-20305` will allow vulnerabilities with a note name
|
1428
|
+
# of either `projects/goog-vulnz/notes/CVE-2021-20305` or `projects/CUSTOM-
|
1429
|
+
# PROJECT/notes/CVE-2021-20305`.
|
1430
|
+
# Corresponds to the JSON property `allowedCves`
|
1431
|
+
# @return [Array<String>]
|
1432
|
+
attr_accessor :allowed_cves
|
1433
|
+
|
1434
|
+
# Optional. A list of specific CVEs to always raise warnings about even if the
|
1435
|
+
# vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity.
|
1436
|
+
# CVEs are listed in the format of Container Analysis note id. For example: -
|
1437
|
+
# CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note
|
1438
|
+
# provider project, e.g., an entry of `CVE-2021-20305` will block
|
1439
|
+
# vulnerabilities with a note name of either `projects/goog-vulnz/notes/CVE-2021-
|
1440
|
+
# 20305` or `projects/CUSTOM-PROJECT/notes/CVE-2021-20305`.
|
1441
|
+
# Corresponds to the JSON property `blockedCves`
|
1442
|
+
# @return [Array<String>]
|
1443
|
+
attr_accessor :blocked_cves
|
1444
|
+
|
1445
|
+
# Optional. The projects where vulnerabilities are stored as Container Analysis
|
1446
|
+
# Occurrences. Each project is expressed in the resource format of `projects/[
|
1447
|
+
# PROJECT_ID]`, e.g., projects/my-gcp-project. An attempt will be made for each
|
1448
|
+
# project to fetch vulnerabilities, and all valid vulnerabilities will be used
|
1449
|
+
# to check against the vulnerability policy. If no valid scan is found in all
|
1450
|
+
# projects configured here, an error will be returned for the check.
|
1451
|
+
# Corresponds to the JSON property `containerAnalysisVulnerabilityProjects`
|
1452
|
+
# @return [Array<String>]
|
1453
|
+
attr_accessor :container_analysis_vulnerability_projects
|
1454
|
+
|
1455
|
+
# Required. The threshold for severity for which a fix is currently available.
|
1456
|
+
# This field is required and must be set.
|
1457
|
+
# Corresponds to the JSON property `maximumFixableSeverity`
|
1458
|
+
# @return [String]
|
1459
|
+
attr_accessor :maximum_fixable_severity
|
1460
|
+
|
1461
|
+
# Required. The threshold for severity for which a fix isn't currently available.
|
1462
|
+
# This field is required and must be set.
|
1463
|
+
# Corresponds to the JSON property `maximumUnfixableSeverity`
|
1464
|
+
# @return [String]
|
1465
|
+
attr_accessor :maximum_unfixable_severity
|
1466
|
+
|
1467
|
+
def initialize(**args)
|
1468
|
+
update!(**args)
|
1469
|
+
end
|
1470
|
+
|
1471
|
+
# Update properties of this object
|
1472
|
+
def update!(**args)
|
1473
|
+
@allowed_cves = args[:allowed_cves] if args.key?(:allowed_cves)
|
1474
|
+
@blocked_cves = args[:blocked_cves] if args.key?(:blocked_cves)
|
1475
|
+
@container_analysis_vulnerability_projects = args[:container_analysis_vulnerability_projects] if args.key?(:container_analysis_vulnerability_projects)
|
1476
|
+
@maximum_fixable_severity = args[:maximum_fixable_severity] if args.key?(:maximum_fixable_severity)
|
1477
|
+
@maximum_unfixable_severity = args[:maximum_unfixable_severity] if args.key?(:maximum_unfixable_severity)
|
1478
|
+
end
|
1479
|
+
end
|
895
1480
|
end
|
896
1481
|
end
|
897
1482
|
end
|