google-apis-binaryauthorization_v1 0.26.0 → 0.27.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/lib/google/apis/binaryauthorization_v1/classes.rb +605 -20
- data/lib/google/apis/binaryauthorization_v1/gem_version.rb +2 -2
- data/lib/google/apis/binaryauthorization_v1/representations.rb +251 -0
- data/lib/google/apis/binaryauthorization_v1/service.rb +177 -0
- metadata +3 -3
@@ -84,6 +84,41 @@ module Google
|
|
84
84
|
end
|
85
85
|
end
|
86
86
|
|
87
|
+
# An attestation authenticator that will be used to verify attestations.
|
88
|
+
# Typically this is just a set of public keys. Conceptually, an authenticator
|
89
|
+
# can be treated as always returning either "authenticated" or "not
|
90
|
+
# authenticated" when presented with a signed attestation (almost always assumed
|
91
|
+
# to be a [DSSE](https://github.com/secure-systems-lab/dsse) attestation). The
|
92
|
+
# details of how an authenticator makes this decision are specific to the type
|
93
|
+
# of 'authenticator' that this message wraps.
|
94
|
+
class AttestationAuthenticator
|
95
|
+
include Google::Apis::Core::Hashable
|
96
|
+
|
97
|
+
# Optional. A user-provided name for this AttestationAuthenticator. This field
|
98
|
+
# has no effect on the policy evaluation behavior except to improve readability
|
99
|
+
# of messages in evaluation results.
|
100
|
+
# Corresponds to the JSON property `displayName`
|
101
|
+
# @return [String]
|
102
|
+
attr_accessor :display_name
|
103
|
+
|
104
|
+
# A bundle of PKIX public keys, used to authenticate attestation signatures.
|
105
|
+
# Generally, a signature is considered to be authenticated by a PkixPublicKeySet
|
106
|
+
# if any of the public keys verify it (i.e. it is an "OR" of the keys).
|
107
|
+
# Corresponds to the JSON property `pkixPublicKeySet`
|
108
|
+
# @return [Google::Apis::BinaryauthorizationV1::PkixPublicKeySet]
|
109
|
+
attr_accessor :pkix_public_key_set
|
110
|
+
|
111
|
+
def initialize(**args)
|
112
|
+
update!(**args)
|
113
|
+
end
|
114
|
+
|
115
|
+
# Update properties of this object
|
116
|
+
def update!(**args)
|
117
|
+
@display_name = args[:display_name] if args.key?(:display_name)
|
118
|
+
@pkix_public_key_set = args[:pkix_public_key_set] if args.key?(:pkix_public_key_set)
|
119
|
+
end
|
120
|
+
end
|
121
|
+
|
87
122
|
# Occurrence that represents a single "attestation". The authenticity of an
|
88
123
|
# attestation can be verified using the attached signature. If the verifier
|
89
124
|
# trusts the public key of the signer, then verifying the signature is
|
@@ -131,6 +166,26 @@ module Google
|
|
131
166
|
end
|
132
167
|
end
|
133
168
|
|
169
|
+
# Specifies the locations for fetching the provenance attestations.
|
170
|
+
class AttestationSource
|
171
|
+
include Google::Apis::Core::Hashable
|
172
|
+
|
173
|
+
# The ids of the GCP projects storing the SLSA attestations as container
|
174
|
+
# analysis Occurrences.
|
175
|
+
# Corresponds to the JSON property `containerAnalysisAttestationProjects`
|
176
|
+
# @return [Array<String>]
|
177
|
+
attr_accessor :container_analysis_attestation_projects
|
178
|
+
|
179
|
+
def initialize(**args)
|
180
|
+
update!(**args)
|
181
|
+
end
|
182
|
+
|
183
|
+
# Update properties of this object
|
184
|
+
def update!(**args)
|
185
|
+
@container_analysis_attestation_projects = args[:container_analysis_attestation_projects] if args.key?(:container_analysis_attestation_projects)
|
186
|
+
end
|
187
|
+
end
|
188
|
+
|
134
189
|
# An attestor that attests to container image artifacts. An existing attestor
|
135
190
|
# cannot be modified except where indicated.
|
136
191
|
class Attestor
|
@@ -305,6 +360,124 @@ module Google
|
|
305
360
|
end
|
306
361
|
end
|
307
362
|
|
363
|
+
# A single check to perform against a Pod. Checks are grouped into CheckSets,
|
364
|
+
# which are defined by the top-level policy.
|
365
|
+
class Check
|
366
|
+
include Google::Apis::Core::Hashable
|
367
|
+
|
368
|
+
# Optional. A special-case check that always denies. Note that this still only
|
369
|
+
# applies when the scope of the CheckSet applies and the image isn't exempted by
|
370
|
+
# an image allowlist. This check is primarily useful for testing, or to set the
|
371
|
+
# default behavior for all unmatched scopes to "deny".
|
372
|
+
# Corresponds to the JSON property `alwaysDeny`
|
373
|
+
# @return [Boolean]
|
374
|
+
attr_accessor :always_deny
|
375
|
+
alias_method :always_deny?, :always_deny
|
376
|
+
|
377
|
+
# Optional. A user-provided name for this Check. This field has no effect on the
|
378
|
+
# policy evaluation behavior except to improve readability of messages in
|
379
|
+
# evaluation results.
|
380
|
+
# Corresponds to the JSON property `displayName`
|
381
|
+
# @return [String]
|
382
|
+
attr_accessor :display_name
|
383
|
+
|
384
|
+
# Images that are exempted from normal checks based on name pattern only.
|
385
|
+
# Corresponds to the JSON property `imageAllowlist`
|
386
|
+
# @return [Google::Apis::BinaryauthorizationV1::ImageAllowlist]
|
387
|
+
attr_accessor :image_allowlist
|
388
|
+
|
389
|
+
# An image freshness check, which rejects images that were uploaded before the
|
390
|
+
# set number of days ago to the supported repositories.
|
391
|
+
# Corresponds to the JSON property `imageFreshnessCheck`
|
392
|
+
# @return [Google::Apis::BinaryauthorizationV1::ImageFreshnessCheck]
|
393
|
+
attr_accessor :image_freshness_check
|
394
|
+
|
395
|
+
# Require a signed [DSSE](https://github.com/secure-systems-lab/dsse)
|
396
|
+
# attestation with type SimpleSigning.
|
397
|
+
# Corresponds to the JSON property `simpleSigningAttestationCheck`
|
398
|
+
# @return [Google::Apis::BinaryauthorizationV1::SimpleSigningAttestationCheck]
|
399
|
+
attr_accessor :simple_signing_attestation_check
|
400
|
+
|
401
|
+
# A SLSA provenance attestation check, which ensures that images are built by a
|
402
|
+
# trusted builder using source code from its trusted repositories only.
|
403
|
+
# Corresponds to the JSON property `slsaCheck`
|
404
|
+
# @return [Google::Apis::BinaryauthorizationV1::SlsaCheck]
|
405
|
+
attr_accessor :slsa_check
|
406
|
+
|
407
|
+
# A trusted directory check, which rejects images that do not come from the set
|
408
|
+
# of user-configured trusted directories.
|
409
|
+
# Corresponds to the JSON property `trustedDirectoryCheck`
|
410
|
+
# @return [Google::Apis::BinaryauthorizationV1::TrustedDirectoryCheck]
|
411
|
+
attr_accessor :trusted_directory_check
|
412
|
+
|
413
|
+
# An image vulnerability check, which rejects images that violate the configured
|
414
|
+
# vulnerability rules.
|
415
|
+
# Corresponds to the JSON property `vulnerabilityCheck`
|
416
|
+
# @return [Google::Apis::BinaryauthorizationV1::VulnerabilityCheck]
|
417
|
+
attr_accessor :vulnerability_check
|
418
|
+
|
419
|
+
def initialize(**args)
|
420
|
+
update!(**args)
|
421
|
+
end
|
422
|
+
|
423
|
+
# Update properties of this object
|
424
|
+
def update!(**args)
|
425
|
+
@always_deny = args[:always_deny] if args.key?(:always_deny)
|
426
|
+
@display_name = args[:display_name] if args.key?(:display_name)
|
427
|
+
@image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
|
428
|
+
@image_freshness_check = args[:image_freshness_check] if args.key?(:image_freshness_check)
|
429
|
+
@simple_signing_attestation_check = args[:simple_signing_attestation_check] if args.key?(:simple_signing_attestation_check)
|
430
|
+
@slsa_check = args[:slsa_check] if args.key?(:slsa_check)
|
431
|
+
@trusted_directory_check = args[:trusted_directory_check] if args.key?(:trusted_directory_check)
|
432
|
+
@vulnerability_check = args[:vulnerability_check] if args.key?(:vulnerability_check)
|
433
|
+
end
|
434
|
+
end
|
435
|
+
|
436
|
+
# A conjunction of policy checks, scoped to a particular namespace or Kubernetes
|
437
|
+
# service account. In order for evaluation of a CheckSet to return "allowed" for
|
438
|
+
# a given image in a given Pod, one of the following conditions must be
|
439
|
+
# satisfied: * The image is explicitly exempted by an entry in `image_allowlist`,
|
440
|
+
# OR * ALL of the `checks` evaluate to "allowed".
|
441
|
+
class CheckSet
|
442
|
+
include Google::Apis::Core::Hashable
|
443
|
+
|
444
|
+
# Optional. The checks to apply. The ultimate result of evaluating the check set
|
445
|
+
# will be "allow" if and only if every check in 'checks' evaluates to "allow".
|
446
|
+
# If `checks` is empty, the default behavior is "always allow".
|
447
|
+
# Corresponds to the JSON property `checks`
|
448
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::Check>]
|
449
|
+
attr_accessor :checks
|
450
|
+
|
451
|
+
# Optional. A user-provided name for this CheckSet. This field has no effect on
|
452
|
+
# the policy evaluation behavior except to improve readability of messages in
|
453
|
+
# evaluation results.
|
454
|
+
# Corresponds to the JSON property `displayName`
|
455
|
+
# @return [String]
|
456
|
+
attr_accessor :display_name
|
457
|
+
|
458
|
+
# Images that are exempted from normal checks based on name pattern only.
|
459
|
+
# Corresponds to the JSON property `imageAllowlist`
|
460
|
+
# @return [Google::Apis::BinaryauthorizationV1::ImageAllowlist]
|
461
|
+
attr_accessor :image_allowlist
|
462
|
+
|
463
|
+
# A scope specifier for CheckSets.
|
464
|
+
# Corresponds to the JSON property `scope`
|
465
|
+
# @return [Google::Apis::BinaryauthorizationV1::Scope]
|
466
|
+
attr_accessor :scope
|
467
|
+
|
468
|
+
def initialize(**args)
|
469
|
+
update!(**args)
|
470
|
+
end
|
471
|
+
|
472
|
+
# Update properties of this object
|
473
|
+
def update!(**args)
|
474
|
+
@checks = args[:checks] if args.key?(:checks)
|
475
|
+
@display_name = args[:display_name] if args.key?(:display_name)
|
476
|
+
@image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
|
477
|
+
@scope = args[:scope] if args.key?(:scope)
|
478
|
+
end
|
479
|
+
end
|
480
|
+
|
308
481
|
# A generic empty message that you can re-use to avoid defining duplicated empty
|
309
482
|
# messages in your APIs. A typical example is to use it as the request or the
|
310
483
|
# response type of an API method. For instance: service Foo ` rpc Bar(google.
|
@@ -375,6 +548,46 @@ module Google
|
|
375
548
|
end
|
376
549
|
end
|
377
550
|
|
551
|
+
# A Binary Authorization policy for a GKE cluster. This is one type of policy
|
552
|
+
# that can occur as a `PlatformPolicy`.
|
553
|
+
class GkePolicy
|
554
|
+
include Google::Apis::Core::Hashable
|
555
|
+
|
556
|
+
# Optional. The CheckSets to apply, scoped by namespace or namespace and service
|
557
|
+
# account. Exactly one CheckSet will be evaluated for a given Pod (unless the
|
558
|
+
# list is empty, in which case the behavior is "always allow"). If multiple
|
559
|
+
# CheckSets have scopes that match the namespace and service account of the Pod
|
560
|
+
# being evaluated, only the CheckSet with the MOST SPECIFIC scope will match.
|
561
|
+
# CheckSets must be listed in order of decreasing specificity, i.e. if a scope
|
562
|
+
# matches a given service account (which must include the namespace), it must
|
563
|
+
# come before a CheckSet with a scope matching just that namespace. This
|
564
|
+
# property is enforced by server-side validation. The purpose of this
|
565
|
+
# restriction is to ensure that if more than one CheckSet matches a given Pod,
|
566
|
+
# the CheckSet that will be evaluated will always be the first in the list to
|
567
|
+
# match (because if any other matches, it must be less specific). If `check_sets`
|
568
|
+
# is empty, the default behavior is to allow all images. If `check_sets` is non-
|
569
|
+
# empty, the last `check_sets` entry must always be a CheckSet with no scope set,
|
570
|
+
# i.e. a catchall to handle any situation not caught by the preceding CheckSets.
|
571
|
+
# Corresponds to the JSON property `checkSets`
|
572
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::CheckSet>]
|
573
|
+
attr_accessor :check_sets
|
574
|
+
|
575
|
+
# Images that are exempted from normal checks based on name pattern only.
|
576
|
+
# Corresponds to the JSON property `imageAllowlist`
|
577
|
+
# @return [Google::Apis::BinaryauthorizationV1::ImageAllowlist]
|
578
|
+
attr_accessor :image_allowlist
|
579
|
+
|
580
|
+
def initialize(**args)
|
581
|
+
update!(**args)
|
582
|
+
end
|
583
|
+
|
584
|
+
# Update properties of this object
|
585
|
+
def update!(**args)
|
586
|
+
@check_sets = args[:check_sets] if args.key?(:check_sets)
|
587
|
+
@image_allowlist = args[:image_allowlist] if args.key?(:image_allowlist)
|
588
|
+
end
|
589
|
+
end
|
590
|
+
|
378
591
|
# An Identity and Access Management (IAM) policy, which specifies access
|
379
592
|
# controls for Google Cloud resources. A `Policy` is a collection of `bindings`.
|
380
593
|
# A `binding` binds one or more `members`, or principals, to a single `role`.
|
@@ -386,22 +599,22 @@ module Google
|
|
386
599
|
# evaluates to `true`. A condition can add constraints based on attributes of
|
387
600
|
# the request, the resource, or both. To learn which resources support
|
388
601
|
# conditions in their IAM policies, see the [IAM documentation](https://cloud.
|
389
|
-
# google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
|
602
|
+
# google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
|
390
603
|
# bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
|
391
604
|
# "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
|
392
605
|
# serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
|
393
606
|
# roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
|
394
607
|
# ], "condition": ` "title": "expirable access", "description": "Does not grant
|
395
608
|
# access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
|
396
|
-
# 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML
|
397
|
-
# bindings: - members: - user:mike@example.com - group:admins@
|
398
|
-
# domain:google.com - serviceAccount:my-project-id@appspot.
|
399
|
-
# role: roles/resourcemanager.organizationAdmin - members: -
|
400
|
-
# com role: roles/resourcemanager.organizationViewer condition:
|
401
|
-
# access description: Does not grant access after Sep 2020
|
402
|
-
# time < timestamp('2020-10-01T00:00:00.000Z') etag:
|
403
|
-
# a description of IAM and its features, see the
|
404
|
-
# cloud.google.com/iam/docs/).
|
609
|
+
# 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
|
610
|
+
# example:** ``` bindings: - members: - user:mike@example.com - group:admins@
|
611
|
+
# example.com - domain:google.com - serviceAccount:my-project-id@appspot.
|
612
|
+
# gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
|
613
|
+
# user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
|
614
|
+
# title: expirable access description: Does not grant access after Sep 2020
|
615
|
+
# expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
|
616
|
+
# BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
|
617
|
+
# [IAM documentation](https://cloud.google.com/iam/docs/).
|
405
618
|
class IamPolicy
|
406
619
|
include Google::Apis::Core::Hashable
|
407
620
|
|
@@ -464,6 +677,47 @@ module Google
|
|
464
677
|
end
|
465
678
|
end
|
466
679
|
|
680
|
+
# Images that are exempted from normal checks based on name pattern only.
|
681
|
+
class ImageAllowlist
|
682
|
+
include Google::Apis::Core::Hashable
|
683
|
+
|
684
|
+
# Required. A disjunction of image patterns to allow. If any of these patterns
|
685
|
+
# match, then the image is considered exempted by this allowlist.
|
686
|
+
# Corresponds to the JSON property `allowPattern`
|
687
|
+
# @return [Array<String>]
|
688
|
+
attr_accessor :allow_pattern
|
689
|
+
|
690
|
+
def initialize(**args)
|
691
|
+
update!(**args)
|
692
|
+
end
|
693
|
+
|
694
|
+
# Update properties of this object
|
695
|
+
def update!(**args)
|
696
|
+
@allow_pattern = args[:allow_pattern] if args.key?(:allow_pattern)
|
697
|
+
end
|
698
|
+
end
|
699
|
+
|
700
|
+
# An image freshness check, which rejects images that were uploaded before the
|
701
|
+
# set number of days ago to the supported repositories.
|
702
|
+
class ImageFreshnessCheck
|
703
|
+
include Google::Apis::Core::Hashable
|
704
|
+
|
705
|
+
# Required. The max number of days that is allowed since the image was uploaded.
|
706
|
+
# Must be greater than zero.
|
707
|
+
# Corresponds to the JSON property `maxUploadAgeDays`
|
708
|
+
# @return [Fixnum]
|
709
|
+
attr_accessor :max_upload_age_days
|
710
|
+
|
711
|
+
def initialize(**args)
|
712
|
+
update!(**args)
|
713
|
+
end
|
714
|
+
|
715
|
+
# Update properties of this object
|
716
|
+
def update!(**args)
|
717
|
+
@max_upload_age_days = args[:max_upload_age_days] if args.key?(:max_upload_age_days)
|
718
|
+
end
|
719
|
+
end
|
720
|
+
|
467
721
|
#
|
468
722
|
class Jwt
|
469
723
|
include Google::Apis::Core::Hashable
|
@@ -512,6 +766,33 @@ module Google
|
|
512
766
|
end
|
513
767
|
end
|
514
768
|
|
769
|
+
# Response message for PlatformPolicyManagementService.ListPlatformPolicies.
|
770
|
+
class ListPlatformPoliciesResponse
|
771
|
+
include Google::Apis::Core::Hashable
|
772
|
+
|
773
|
+
# A token to retrieve the next page of results. Pass this value in the
|
774
|
+
# ListPlatformPoliciesRequest.page_token field in the subsequent call to the `
|
775
|
+
# ListPlatformPolicies` method to retrieve the next page of results.
|
776
|
+
# Corresponds to the JSON property `nextPageToken`
|
777
|
+
# @return [String]
|
778
|
+
attr_accessor :next_page_token
|
779
|
+
|
780
|
+
# The list of platform policies.
|
781
|
+
# Corresponds to the JSON property `platformPolicies`
|
782
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::PlatformPolicy>]
|
783
|
+
attr_accessor :platform_policies
|
784
|
+
|
785
|
+
def initialize(**args)
|
786
|
+
update!(**args)
|
787
|
+
end
|
788
|
+
|
789
|
+
# Update properties of this object
|
790
|
+
def update!(**args)
|
791
|
+
@next_page_token = args[:next_page_token] if args.key?(:next_page_token)
|
792
|
+
@platform_policies = args[:platform_policies] if args.key?(:platform_policies)
|
793
|
+
end
|
794
|
+
end
|
795
|
+
|
515
796
|
# A public key in the PkixPublicKey format (see https://tools.ietf.org/html/
|
516
797
|
# rfc5280#section-4.1.2.7 for details). Public keys of this type are typically
|
517
798
|
# textually encoded using the PEM format.
|
@@ -543,6 +824,66 @@ module Google
|
|
543
824
|
end
|
544
825
|
end
|
545
826
|
|
827
|
+
# A bundle of PKIX public keys, used to authenticate attestation signatures.
|
828
|
+
# Generally, a signature is considered to be authenticated by a PkixPublicKeySet
|
829
|
+
# if any of the public keys verify it (i.e. it is an "OR" of the keys).
|
830
|
+
class PkixPublicKeySet
|
831
|
+
include Google::Apis::Core::Hashable
|
832
|
+
|
833
|
+
# Required. `pkix_public_keys` must have at least one entry.
|
834
|
+
# Corresponds to the JSON property `pkixPublicKeys`
|
835
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::PkixPublicKey>]
|
836
|
+
attr_accessor :pkix_public_keys
|
837
|
+
|
838
|
+
def initialize(**args)
|
839
|
+
update!(**args)
|
840
|
+
end
|
841
|
+
|
842
|
+
# Update properties of this object
|
843
|
+
def update!(**args)
|
844
|
+
@pkix_public_keys = args[:pkix_public_keys] if args.key?(:pkix_public_keys)
|
845
|
+
end
|
846
|
+
end
|
847
|
+
|
848
|
+
# A Binary Authorization platform policy for deployments on various platforms.
|
849
|
+
class PlatformPolicy
|
850
|
+
include Google::Apis::Core::Hashable
|
851
|
+
|
852
|
+
# Optional. A description comment about the policy.
|
853
|
+
# Corresponds to the JSON property `description`
|
854
|
+
# @return [String]
|
855
|
+
attr_accessor :description
|
856
|
+
|
857
|
+
# A Binary Authorization policy for a GKE cluster. This is one type of policy
|
858
|
+
# that can occur as a `PlatformPolicy`.
|
859
|
+
# Corresponds to the JSON property `gkePolicy`
|
860
|
+
# @return [Google::Apis::BinaryauthorizationV1::GkePolicy]
|
861
|
+
attr_accessor :gke_policy
|
862
|
+
|
863
|
+
# Output only. The relative resource name of the BinAuthz platform policy, in
|
864
|
+
# the form of `projects/*/platforms/*/policies/*`.
|
865
|
+
# Corresponds to the JSON property `name`
|
866
|
+
# @return [String]
|
867
|
+
attr_accessor :name
|
868
|
+
|
869
|
+
# Output only. Time when the policy was last updated.
|
870
|
+
# Corresponds to the JSON property `updateTime`
|
871
|
+
# @return [String]
|
872
|
+
attr_accessor :update_time
|
873
|
+
|
874
|
+
def initialize(**args)
|
875
|
+
update!(**args)
|
876
|
+
end
|
877
|
+
|
878
|
+
# Update properties of this object
|
879
|
+
def update!(**args)
|
880
|
+
@description = args[:description] if args.key?(:description)
|
881
|
+
@gke_policy = args[:gke_policy] if args.key?(:gke_policy)
|
882
|
+
@name = args[:name] if args.key?(:name)
|
883
|
+
@update_time = args[:update_time] if args.key?(:update_time)
|
884
|
+
end
|
885
|
+
end
|
886
|
+
|
546
887
|
# A policy for container image binary authorization.
|
547
888
|
class Policy
|
548
889
|
include Google::Apis::Core::Hashable
|
@@ -642,6 +983,34 @@ module Google
|
|
642
983
|
end
|
643
984
|
end
|
644
985
|
|
986
|
+
# A scope specifier for CheckSets.
|
987
|
+
class Scope
|
988
|
+
include Google::Apis::Core::Hashable
|
989
|
+
|
990
|
+
# Optional. Matches all Kubernetes service accounts in the provided namespace,
|
991
|
+
# unless a more specific `kubernetes_service_account` scope already matched.
|
992
|
+
# Corresponds to the JSON property `kubernetesNamespace`
|
993
|
+
# @return [String]
|
994
|
+
attr_accessor :kubernetes_namespace
|
995
|
+
|
996
|
+
# Optional. Matches a single Kubernetes service account, e.g. 'my-namespace:my-
|
997
|
+
# service-account'. `kubernetes_service_account` scope is always more specific
|
998
|
+
# than `kubernetes_namespace` scope for the same namespace.
|
999
|
+
# Corresponds to the JSON property `kubernetesServiceAccount`
|
1000
|
+
# @return [String]
|
1001
|
+
attr_accessor :kubernetes_service_account
|
1002
|
+
|
1003
|
+
def initialize(**args)
|
1004
|
+
update!(**args)
|
1005
|
+
end
|
1006
|
+
|
1007
|
+
# Update properties of this object
|
1008
|
+
def update!(**args)
|
1009
|
+
@kubernetes_namespace = args[:kubernetes_namespace] if args.key?(:kubernetes_namespace)
|
1010
|
+
@kubernetes_service_account = args[:kubernetes_service_account] if args.key?(:kubernetes_service_account)
|
1011
|
+
end
|
1012
|
+
end
|
1013
|
+
|
645
1014
|
# Request message for `SetIamPolicy` method.
|
646
1015
|
class SetIamPolicyRequest
|
647
1016
|
include Google::Apis::Core::Hashable
|
@@ -657,22 +1026,22 @@ module Google
|
|
657
1026
|
# evaluates to `true`. A condition can add constraints based on attributes of
|
658
1027
|
# the request, the resource, or both. To learn which resources support
|
659
1028
|
# conditions in their IAM policies, see the [IAM documentation](https://cloud.
|
660
|
-
# google.com/iam/help/conditions/resource-policies). **JSON example:** ` "
|
1029
|
+
# google.com/iam/help/conditions/resource-policies). **JSON example:** ``` ` "
|
661
1030
|
# bindings": [ ` "role": "roles/resourcemanager.organizationAdmin", "members": [
|
662
1031
|
# "user:mike@example.com", "group:admins@example.com", "domain:google.com", "
|
663
1032
|
# serviceAccount:my-project-id@appspot.gserviceaccount.com" ] `, ` "role": "
|
664
1033
|
# roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com"
|
665
1034
|
# ], "condition": ` "title": "expirable access", "description": "Does not grant
|
666
1035
|
# access after Sep 2020", "expression": "request.time < timestamp('2020-10-01T00:
|
667
|
-
# 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` **YAML
|
668
|
-
# bindings: - members: - user:mike@example.com - group:admins@
|
669
|
-
# domain:google.com - serviceAccount:my-project-id@appspot.
|
670
|
-
# role: roles/resourcemanager.organizationAdmin - members: -
|
671
|
-
# com role: roles/resourcemanager.organizationViewer condition:
|
672
|
-
# access description: Does not grant access after Sep 2020
|
673
|
-
# time < timestamp('2020-10-01T00:00:00.000Z') etag:
|
674
|
-
# a description of IAM and its features, see the
|
675
|
-
# cloud.google.com/iam/docs/).
|
1036
|
+
# 00:00.000Z')", ` ` ], "etag": "BwWWja0YfJA=", "version": 3 ` ``` **YAML
|
1037
|
+
# example:** ``` bindings: - members: - user:mike@example.com - group:admins@
|
1038
|
+
# example.com - domain:google.com - serviceAccount:my-project-id@appspot.
|
1039
|
+
# gserviceaccount.com role: roles/resourcemanager.organizationAdmin - members: -
|
1040
|
+
# user:eve@example.com role: roles/resourcemanager.organizationViewer condition:
|
1041
|
+
# title: expirable access description: Does not grant access after Sep 2020
|
1042
|
+
# expression: request.time < timestamp('2020-10-01T00:00:00.000Z') etag:
|
1043
|
+
# BwWWja0YfJA= version: 3 ``` For a description of IAM and its features, see the
|
1044
|
+
# [IAM documentation](https://cloud.google.com/iam/docs/).
|
676
1045
|
# Corresponds to the JSON property `policy`
|
677
1046
|
# @return [Google::Apis::BinaryauthorizationV1::IamPolicy]
|
678
1047
|
attr_accessor :policy
|
@@ -742,6 +1111,64 @@ module Google
|
|
742
1111
|
end
|
743
1112
|
end
|
744
1113
|
|
1114
|
+
# Require a signed [DSSE](https://github.com/secure-systems-lab/dsse)
|
1115
|
+
# attestation with type SimpleSigning.
|
1116
|
+
class SimpleSigningAttestationCheck
|
1117
|
+
include Google::Apis::Core::Hashable
|
1118
|
+
|
1119
|
+
# Required. The authenticators required by this check to verify an attestation.
|
1120
|
+
# Typically this is one or more PKIX public keys for signature verification.
|
1121
|
+
# Only one authenticator needs to consider an attestation verified in order for
|
1122
|
+
# an attestation to be considered fully authenticated. In otherwords, this list
|
1123
|
+
# of authenticators is an "OR" of the authenticator results. At least one
|
1124
|
+
# authenticator is required.
|
1125
|
+
# Corresponds to the JSON property `attestationAuthenticators`
|
1126
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::AttestationAuthenticator>]
|
1127
|
+
attr_accessor :attestation_authenticators
|
1128
|
+
|
1129
|
+
# Optional. The projects where attestations are stored as Container Analysis
|
1130
|
+
# Occurrences. Only one attestation needs to successfully verify an image for
|
1131
|
+
# this check to pass, so a single verified attestation found in any of `
|
1132
|
+
# container_analysis_attestation_projects` is sufficient for the check to pass.
|
1133
|
+
# When fetching Occurrences from Container Analysis, only 'AttestationOccurrence'
|
1134
|
+
# kinds are considered. In the future, additional Occurrence kinds may be added
|
1135
|
+
# to the query.
|
1136
|
+
# Corresponds to the JSON property `containerAnalysisAttestationProjects`
|
1137
|
+
# @return [Array<String>]
|
1138
|
+
attr_accessor :container_analysis_attestation_projects
|
1139
|
+
|
1140
|
+
def initialize(**args)
|
1141
|
+
update!(**args)
|
1142
|
+
end
|
1143
|
+
|
1144
|
+
# Update properties of this object
|
1145
|
+
def update!(**args)
|
1146
|
+
@attestation_authenticators = args[:attestation_authenticators] if args.key?(:attestation_authenticators)
|
1147
|
+
@container_analysis_attestation_projects = args[:container_analysis_attestation_projects] if args.key?(:container_analysis_attestation_projects)
|
1148
|
+
end
|
1149
|
+
end
|
1150
|
+
|
1151
|
+
# A SLSA provenance attestation check, which ensures that images are built by a
|
1152
|
+
# trusted builder using source code from its trusted repositories only.
|
1153
|
+
class SlsaCheck
|
1154
|
+
include Google::Apis::Core::Hashable
|
1155
|
+
|
1156
|
+
# Specifies a list of verification rules for the SLSA attestations. An image is
|
1157
|
+
# considered compliant with the SlsaCheck if any of the rules are satisfied.
|
1158
|
+
# Corresponds to the JSON property `rules`
|
1159
|
+
# @return [Array<Google::Apis::BinaryauthorizationV1::VerificationRule>]
|
1160
|
+
attr_accessor :rules
|
1161
|
+
|
1162
|
+
def initialize(**args)
|
1163
|
+
update!(**args)
|
1164
|
+
end
|
1165
|
+
|
1166
|
+
# Update properties of this object
|
1167
|
+
def update!(**args)
|
1168
|
+
@rules = args[:rules] if args.key?(:rules)
|
1169
|
+
end
|
1170
|
+
end
|
1171
|
+
|
745
1172
|
# Request message for `TestIamPermissions` method.
|
746
1173
|
class TestIamPermissionsRequest
|
747
1174
|
include Google::Apis::Core::Hashable
|
@@ -782,6 +1209,40 @@ module Google
|
|
782
1209
|
end
|
783
1210
|
end
|
784
1211
|
|
1212
|
+
# A trusted directory check, which rejects images that do not come from the set
|
1213
|
+
# of user-configured trusted directories.
|
1214
|
+
class TrustedDirectoryCheck
|
1215
|
+
include Google::Apis::Core::Hashable
|
1216
|
+
|
1217
|
+
# Required. List of trusted directory patterns. A pattern is in the form "
|
1218
|
+
# registry/path/to/directory". The registry domain part is defined as two or
|
1219
|
+
# more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be
|
1220
|
+
# used in three ways as wildcards: 1. leading * to match varying prefixes in
|
1221
|
+
# registry subdomain (useful for location prefixes); 2. trailing * after
|
1222
|
+
# registry/ to match varying endings; 3. trailing ** after registry/ to match "/"
|
1223
|
+
# as well. For example: -- gcr.io/my-project/my-repo is valid to match a single
|
1224
|
+
# directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are
|
1225
|
+
# valid to match varying prefixes -- gcr.io/my-project/* will match all direct
|
1226
|
+
# directories in my-project -- gcr.io/my-project/** would match all directories
|
1227
|
+
# in my-project -- gcr.i* is not allowed since the registry is not completely
|
1228
|
+
# specified -- sub*domain.gcr.io/nginx is not valid because only leading * or
|
1229
|
+
# trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because
|
1230
|
+
# leading * can only match subdomain -- **-docker.pkg.dev is not valid because
|
1231
|
+
# one leading * is allowed, and that it cannot match "/"
|
1232
|
+
# Corresponds to the JSON property `trustedDirPatterns`
|
1233
|
+
# @return [Array<String>]
|
1234
|
+
attr_accessor :trusted_dir_patterns
|
1235
|
+
|
1236
|
+
def initialize(**args)
|
1237
|
+
update!(**args)
|
1238
|
+
end
|
1239
|
+
|
1240
|
+
# Update properties of this object
|
1241
|
+
def update!(**args)
|
1242
|
+
@trusted_dir_patterns = args[:trusted_dir_patterns] if args.key?(:trusted_dir_patterns)
|
1243
|
+
end
|
1244
|
+
end
|
1245
|
+
|
785
1246
|
# An user owned Grafeas note references a Grafeas Attestation.Authority Note
|
786
1247
|
# created by the user.
|
787
1248
|
class UserOwnedGrafeasNote
|
@@ -892,6 +1353,130 @@ module Google
|
|
892
1353
|
@result = args[:result] if args.key?(:result)
|
893
1354
|
end
|
894
1355
|
end
|
1356
|
+
|
1357
|
+
# Specifies verification rules for evaluating the SLSA attestations including:
|
1358
|
+
# which builders to trust, where to fetch the SLSA attestations generated by
|
1359
|
+
# those builders, and other builder-specific evaluation rules such as which
|
1360
|
+
# source repositories are trusted. An image is considered verified by the rule
|
1361
|
+
# if any of the fetched SLSA attestations is verified.
|
1362
|
+
class VerificationRule
|
1363
|
+
include Google::Apis::Core::Hashable
|
1364
|
+
|
1365
|
+
# Specifies the locations for fetching the provenance attestations.
|
1366
|
+
# Corresponds to the JSON property `attestationSource`
|
1367
|
+
# @return [Google::Apis::BinaryauthorizationV1::AttestationSource]
|
1368
|
+
attr_accessor :attestation_source
|
1369
|
+
|
1370
|
+
# If true, require the image to be built from a top-level configuration.
|
1371
|
+
# trusted_source_repo patterns specifies the repositories containing this
|
1372
|
+
# configuration.
|
1373
|
+
# Corresponds to the JSON property `configBasedBuildRequired`
|
1374
|
+
# @return [Boolean]
|
1375
|
+
attr_accessor :config_based_build_required
|
1376
|
+
alias_method :config_based_build_required?, :config_based_build_required
|
1377
|
+
|
1378
|
+
# Each verification rule is used for evaluation against provenances generated by
|
1379
|
+
# a specific builder (group). For some of the builders, such as the Google Cloud
|
1380
|
+
# Build, users don't need to explicitly specify their roots of trust in the
|
1381
|
+
# policy since the evaluation service can automatically fetch them based on the
|
1382
|
+
# builder (group).
|
1383
|
+
# Corresponds to the JSON property `trustedBuilder`
|
1384
|
+
# @return [String]
|
1385
|
+
attr_accessor :trusted_builder
|
1386
|
+
|
1387
|
+
# List of trusted source code repository URL patterns. These patterns match the
|
1388
|
+
# full repository URL without its scheme (e.g. "https://"). The patterns must
|
1389
|
+
# not include schemes. For example, the pattern "source.cloud.google.com/my-
|
1390
|
+
# project/my-repo-name" matches the following URLs: - "source.cloud.google.com/
|
1391
|
+
# my-project/my-repo-name" - "git+ssh://source.cloud.google.com/my-project/my-
|
1392
|
+
# repo-name" - "https://source.cloud.google.com/my-project/my-repo-name" A
|
1393
|
+
# pattern matches a URL either exactly or with * wildcards. * can be used in
|
1394
|
+
# only two ways: 1. trailing * after hosturi/ to match varying endings; 2.
|
1395
|
+
# trailing ** after hosturi/ to match "/" as well. * and ** can only be used as
|
1396
|
+
# wildcards and can only occur at the end of the pattern after a /. (So it's not
|
1397
|
+
# possible to match a URL that contains literal *.) For example: - "github.com/
|
1398
|
+
# my-project/my-repo" is valid to match a single repo - "github.com/my-project/*"
|
1399
|
+
# will match all direct repos in my-project - "github.com/**" matches all repos
|
1400
|
+
# in GitHub
|
1401
|
+
# Corresponds to the JSON property `trustedSourceRepoPatterns`
|
1402
|
+
# @return [Array<String>]
|
1403
|
+
attr_accessor :trusted_source_repo_patterns
|
1404
|
+
|
1405
|
+
def initialize(**args)
|
1406
|
+
update!(**args)
|
1407
|
+
end
|
1408
|
+
|
1409
|
+
# Update properties of this object
|
1410
|
+
def update!(**args)
|
1411
|
+
@attestation_source = args[:attestation_source] if args.key?(:attestation_source)
|
1412
|
+
@config_based_build_required = args[:config_based_build_required] if args.key?(:config_based_build_required)
|
1413
|
+
@trusted_builder = args[:trusted_builder] if args.key?(:trusted_builder)
|
1414
|
+
@trusted_source_repo_patterns = args[:trusted_source_repo_patterns] if args.key?(:trusted_source_repo_patterns)
|
1415
|
+
end
|
1416
|
+
end
|
1417
|
+
|
1418
|
+
# An image vulnerability check, which rejects images that violate the configured
|
1419
|
+
# vulnerability rules.
|
1420
|
+
class VulnerabilityCheck
|
1421
|
+
include Google::Apis::Core::Hashable
|
1422
|
+
|
1423
|
+
# Optional. A list of specific CVEs to ignore even if the vulnerability level
|
1424
|
+
# violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed
|
1425
|
+
# in the format of Container Analysis note id. For example: - CVE-2021-20305 -
|
1426
|
+
# CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.
|
1427
|
+
# g., an entry of `CVE-2021-20305` will allow vulnerabilities with a note name
|
1428
|
+
# of either `projects/goog-vulnz/notes/CVE-2021-20305` or `projects/CUSTOM-
|
1429
|
+
# PROJECT/notes/CVE-2021-20305`.
|
1430
|
+
# Corresponds to the JSON property `allowedCves`
|
1431
|
+
# @return [Array<String>]
|
1432
|
+
attr_accessor :allowed_cves
|
1433
|
+
|
1434
|
+
# Optional. A list of specific CVEs to always raise warnings about even if the
|
1435
|
+
# vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity.
|
1436
|
+
# CVEs are listed in the format of Container Analysis note id. For example: -
|
1437
|
+
# CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note
|
1438
|
+
# provider project, e.g., an entry of `CVE-2021-20305` will block
|
1439
|
+
# vulnerabilities with a note name of either `projects/goog-vulnz/notes/CVE-2021-
|
1440
|
+
# 20305` or `projects/CUSTOM-PROJECT/notes/CVE-2021-20305`.
|
1441
|
+
# Corresponds to the JSON property `blockedCves`
|
1442
|
+
# @return [Array<String>]
|
1443
|
+
attr_accessor :blocked_cves
|
1444
|
+
|
1445
|
+
# Optional. The projects where vulnerabilities are stored as Container Analysis
|
1446
|
+
# Occurrences. Each project is expressed in the resource format of `projects/[
|
1447
|
+
# PROJECT_ID]`, e.g., projects/my-gcp-project. An attempt will be made for each
|
1448
|
+
# project to fetch vulnerabilities, and all valid vulnerabilities will be used
|
1449
|
+
# to check against the vulnerability policy. If no valid scan is found in all
|
1450
|
+
# projects configured here, an error will be returned for the check.
|
1451
|
+
# Corresponds to the JSON property `containerAnalysisVulnerabilityProjects`
|
1452
|
+
# @return [Array<String>]
|
1453
|
+
attr_accessor :container_analysis_vulnerability_projects
|
1454
|
+
|
1455
|
+
# Required. The threshold for severity for which a fix is currently available.
|
1456
|
+
# This field is required and must be set.
|
1457
|
+
# Corresponds to the JSON property `maximumFixableSeverity`
|
1458
|
+
# @return [String]
|
1459
|
+
attr_accessor :maximum_fixable_severity
|
1460
|
+
|
1461
|
+
# Required. The threshold for severity for which a fix isn't currently available.
|
1462
|
+
# This field is required and must be set.
|
1463
|
+
# Corresponds to the JSON property `maximumUnfixableSeverity`
|
1464
|
+
# @return [String]
|
1465
|
+
attr_accessor :maximum_unfixable_severity
|
1466
|
+
|
1467
|
+
def initialize(**args)
|
1468
|
+
update!(**args)
|
1469
|
+
end
|
1470
|
+
|
1471
|
+
# Update properties of this object
|
1472
|
+
def update!(**args)
|
1473
|
+
@allowed_cves = args[:allowed_cves] if args.key?(:allowed_cves)
|
1474
|
+
@blocked_cves = args[:blocked_cves] if args.key?(:blocked_cves)
|
1475
|
+
@container_analysis_vulnerability_projects = args[:container_analysis_vulnerability_projects] if args.key?(:container_analysis_vulnerability_projects)
|
1476
|
+
@maximum_fixable_severity = args[:maximum_fixable_severity] if args.key?(:maximum_fixable_severity)
|
1477
|
+
@maximum_unfixable_severity = args[:maximum_unfixable_severity] if args.key?(:maximum_unfixable_severity)
|
1478
|
+
end
|
1479
|
+
end
|
895
1480
|
end
|
896
1481
|
end
|
897
1482
|
end
|