google-cloud-binary_authorization-v1 1.6.0 → 1.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +2 -2
- data/lib/google/cloud/binary_authorization/v1/binauthz_management_service/client.rb +76 -37
- data/lib/google/cloud/binary_authorization/v1/binauthz_management_service/rest/client.rb +84 -37
- data/lib/google/cloud/binary_authorization/v1/binauthz_management_service/rest.rb +1 -0
- data/lib/google/cloud/binary_authorization/v1/bindings_override.rb +110 -0
- data/lib/google/cloud/binary_authorization/v1/rest.rb +1 -0
- data/lib/google/cloud/binary_authorization/v1/system_policy/client.rb +18 -0
- data/lib/google/cloud/binary_authorization/v1/system_policy/rest/client.rb +26 -0
- data/lib/google/cloud/binary_authorization/v1/system_policy/rest.rb +1 -0
- data/lib/google/cloud/binary_authorization/v1/validation_helper/client.rb +25 -6
- data/lib/google/cloud/binary_authorization/v1/validation_helper/rest/client.rb +33 -6
- data/lib/google/cloud/binary_authorization/v1/validation_helper/rest.rb +1 -0
- data/lib/google/cloud/binary_authorization/v1/version.rb +1 -1
- data/lib/google/cloud/binaryauthorization/v1/resources_pb.rb +1 -1
- data/lib/google/cloud/binaryauthorization/v1/service_pb.rb +1 -1
- data/lib/google/cloud/binaryauthorization/v1/service_services_pb.rb +29 -20
- data/proto_docs/google/api/client.rb +149 -29
- data/proto_docs/google/cloud/binaryauthorization/v1/resources.rb +106 -52
- data/proto_docs/google/cloud/binaryauthorization/v1/service.rb +56 -34
- data/proto_docs/google/protobuf/field_mask.rb +229 -0
- data/proto_docs/google/type/expr.rb +75 -0
- metadata +23 -6
|
@@ -31,6 +31,8 @@ module Google
|
|
|
31
31
|
# @!attribute [rw] selective_gapic_generation
|
|
32
32
|
# @return [::Google::Api::SelectiveGapicGeneration]
|
|
33
33
|
# Configuration for which RPCs should be generated in the GAPIC client.
|
|
34
|
+
#
|
|
35
|
+
# Note: This field should not be used in most cases.
|
|
34
36
|
class CommonLanguageSettings
|
|
35
37
|
include ::Google::Protobuf::MessageExts
|
|
36
38
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
@@ -141,9 +143,10 @@ module Google
|
|
|
141
143
|
#
|
|
142
144
|
# Example of a YAML configuration::
|
|
143
145
|
#
|
|
144
|
-
#
|
|
145
|
-
#
|
|
146
|
-
#
|
|
146
|
+
# publishing:
|
|
147
|
+
# library_settings:
|
|
148
|
+
# java_settings:
|
|
149
|
+
# library_package: com.google.cloud.pubsub.v1
|
|
147
150
|
# @!attribute [rw] service_class_names
|
|
148
151
|
# @return [::Google::Protobuf::Map{::String => ::String}]
|
|
149
152
|
# Configure the Java class name to use instead of the service's for its
|
|
@@ -155,11 +158,11 @@ module Google
|
|
|
155
158
|
#
|
|
156
159
|
# Example of a YAML configuration::
|
|
157
160
|
#
|
|
158
|
-
#
|
|
159
|
-
#
|
|
160
|
-
#
|
|
161
|
-
#
|
|
162
|
-
#
|
|
161
|
+
# publishing:
|
|
162
|
+
# java_settings:
|
|
163
|
+
# service_class_names:
|
|
164
|
+
# - google.pubsub.v1.Publisher: TopicAdmin
|
|
165
|
+
# - google.pubsub.v1.Subscriber: SubscriptionAdmin
|
|
163
166
|
# @!attribute [rw] common
|
|
164
167
|
# @return [::Google::Api::CommonLanguageSettings]
|
|
165
168
|
# Some settings.
|
|
@@ -190,6 +193,20 @@ module Google
|
|
|
190
193
|
# @!attribute [rw] common
|
|
191
194
|
# @return [::Google::Api::CommonLanguageSettings]
|
|
192
195
|
# Some settings.
|
|
196
|
+
# @!attribute [rw] library_package
|
|
197
|
+
# @return [::String]
|
|
198
|
+
# The package name to use in Php. Clobbers the php_namespace option
|
|
199
|
+
# set in the protobuf. This should be used **only** by APIs
|
|
200
|
+
# who have already set the language_settings.php.package_name" field
|
|
201
|
+
# in gapic.yaml. API teams should use the protobuf php_namespace option
|
|
202
|
+
# where possible.
|
|
203
|
+
#
|
|
204
|
+
# Example of a YAML configuration::
|
|
205
|
+
#
|
|
206
|
+
# publishing:
|
|
207
|
+
# library_settings:
|
|
208
|
+
# php_settings:
|
|
209
|
+
# library_package: Google\Cloud\PubSub\V1
|
|
193
210
|
class PhpSettings
|
|
194
211
|
include ::Google::Protobuf::MessageExts
|
|
195
212
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
@@ -318,10 +335,12 @@ module Google
|
|
|
318
335
|
# service names and values are the name to be used for the service client
|
|
319
336
|
# and call options.
|
|
320
337
|
#
|
|
321
|
-
#
|
|
322
|
-
#
|
|
323
|
-
#
|
|
324
|
-
#
|
|
338
|
+
# Example:
|
|
339
|
+
#
|
|
340
|
+
# publishing:
|
|
341
|
+
# go_settings:
|
|
342
|
+
# renamed_services:
|
|
343
|
+
# Publisher: TopicAdmin
|
|
325
344
|
class GoSettings
|
|
326
345
|
include ::Google::Protobuf::MessageExts
|
|
327
346
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
@@ -344,10 +363,10 @@ module Google
|
|
|
344
363
|
#
|
|
345
364
|
# Example:
|
|
346
365
|
#
|
|
347
|
-
#
|
|
348
|
-
#
|
|
349
|
-
#
|
|
350
|
-
#
|
|
366
|
+
# publishing:
|
|
367
|
+
# method_settings:
|
|
368
|
+
# - selector: google.storage.control.v2.StorageControl.CreateFolder
|
|
369
|
+
# # method settings for CreateFolder...
|
|
351
370
|
# @!attribute [rw] long_running
|
|
352
371
|
# @return [::Google::Api::MethodSettings::LongRunning]
|
|
353
372
|
# Describes settings to use for long-running operations when generating
|
|
@@ -356,14 +375,14 @@ module Google
|
|
|
356
375
|
#
|
|
357
376
|
# Example of a YAML configuration::
|
|
358
377
|
#
|
|
359
|
-
#
|
|
360
|
-
#
|
|
361
|
-
#
|
|
362
|
-
#
|
|
363
|
-
#
|
|
364
|
-
#
|
|
365
|
-
#
|
|
366
|
-
#
|
|
378
|
+
# publishing:
|
|
379
|
+
# method_settings:
|
|
380
|
+
# - selector: google.cloud.speech.v2.Speech.BatchRecognize
|
|
381
|
+
# long_running:
|
|
382
|
+
# initial_poll_delay: 60s # 1 minute
|
|
383
|
+
# poll_delay_multiplier: 1.5
|
|
384
|
+
# max_poll_delay: 360s # 6 minutes
|
|
385
|
+
# total_poll_timeout: 54000s # 90 minutes
|
|
367
386
|
# @!attribute [rw] auto_populated_fields
|
|
368
387
|
# @return [::Array<::String>]
|
|
369
388
|
# List of top-level fields of the request message, that should be
|
|
@@ -372,11 +391,24 @@ module Google
|
|
|
372
391
|
#
|
|
373
392
|
# Example of a YAML configuration:
|
|
374
393
|
#
|
|
375
|
-
#
|
|
376
|
-
#
|
|
377
|
-
#
|
|
378
|
-
#
|
|
379
|
-
#
|
|
394
|
+
# publishing:
|
|
395
|
+
# method_settings:
|
|
396
|
+
# - selector: google.example.v1.ExampleService.CreateExample
|
|
397
|
+
# auto_populated_fields:
|
|
398
|
+
# - request_id
|
|
399
|
+
# @!attribute [rw] batching
|
|
400
|
+
# @return [::Google::Api::BatchingConfigProto]
|
|
401
|
+
# Batching configuration for an API method in client libraries.
|
|
402
|
+
#
|
|
403
|
+
# Example of a YAML configuration:
|
|
404
|
+
#
|
|
405
|
+
# publishing:
|
|
406
|
+
# method_settings:
|
|
407
|
+
# - selector: google.example.v1.ExampleService.BatchCreateExample
|
|
408
|
+
# batching:
|
|
409
|
+
# element_count_threshold: 1000
|
|
410
|
+
# request_byte_threshold: 100000000
|
|
411
|
+
# delay_threshold_millis: 10
|
|
380
412
|
class MethodSettings
|
|
381
413
|
include ::Google::Protobuf::MessageExts
|
|
382
414
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
@@ -411,6 +443,8 @@ module Google
|
|
|
411
443
|
|
|
412
444
|
# This message is used to configure the generation of a subset of the RPCs in
|
|
413
445
|
# a service for client libraries.
|
|
446
|
+
#
|
|
447
|
+
# Note: This feature should not be used in most cases.
|
|
414
448
|
# @!attribute [rw] methods
|
|
415
449
|
# @return [::Array<::String>]
|
|
416
450
|
# An allowlist of the fully qualified names of RPCs that should be included
|
|
@@ -428,6 +462,77 @@ module Google
|
|
|
428
462
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
429
463
|
end
|
|
430
464
|
|
|
465
|
+
# `BatchingConfigProto` defines the batching configuration for an API method.
|
|
466
|
+
# @!attribute [rw] thresholds
|
|
467
|
+
# @return [::Google::Api::BatchingSettingsProto]
|
|
468
|
+
# The thresholds which trigger a batched request to be sent.
|
|
469
|
+
# @!attribute [rw] batch_descriptor
|
|
470
|
+
# @return [::Google::Api::BatchingDescriptorProto]
|
|
471
|
+
# The request and response fields used in batching.
|
|
472
|
+
class BatchingConfigProto
|
|
473
|
+
include ::Google::Protobuf::MessageExts
|
|
474
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
475
|
+
end
|
|
476
|
+
|
|
477
|
+
# `BatchingSettingsProto` specifies a set of batching thresholds, each of
|
|
478
|
+
# which acts as a trigger to send a batch of messages as a request. At least
|
|
479
|
+
# one threshold must be positive nonzero.
|
|
480
|
+
# @!attribute [rw] element_count_threshold
|
|
481
|
+
# @return [::Integer]
|
|
482
|
+
# The number of elements of a field collected into a batch which, if
|
|
483
|
+
# exceeded, causes the batch to be sent.
|
|
484
|
+
# @!attribute [rw] request_byte_threshold
|
|
485
|
+
# @return [::Integer]
|
|
486
|
+
# The aggregated size of the batched field which, if exceeded, causes the
|
|
487
|
+
# batch to be sent. This size is computed by aggregating the sizes of the
|
|
488
|
+
# request field to be batched, not of the entire request message.
|
|
489
|
+
# @!attribute [rw] delay_threshold
|
|
490
|
+
# @return [::Google::Protobuf::Duration]
|
|
491
|
+
# The duration after which a batch should be sent, starting from the addition
|
|
492
|
+
# of the first message to that batch.
|
|
493
|
+
# @!attribute [rw] element_count_limit
|
|
494
|
+
# @return [::Integer]
|
|
495
|
+
# The maximum number of elements collected in a batch that could be accepted
|
|
496
|
+
# by server.
|
|
497
|
+
# @!attribute [rw] request_byte_limit
|
|
498
|
+
# @return [::Integer]
|
|
499
|
+
# The maximum size of the request that could be accepted by server.
|
|
500
|
+
# @!attribute [rw] flow_control_element_limit
|
|
501
|
+
# @return [::Integer]
|
|
502
|
+
# The maximum number of elements allowed by flow control.
|
|
503
|
+
# @!attribute [rw] flow_control_byte_limit
|
|
504
|
+
# @return [::Integer]
|
|
505
|
+
# The maximum size of data allowed by flow control.
|
|
506
|
+
# @!attribute [rw] flow_control_limit_exceeded_behavior
|
|
507
|
+
# @return [::Google::Api::FlowControlLimitExceededBehaviorProto]
|
|
508
|
+
# The behavior to take when the flow control limit is exceeded.
|
|
509
|
+
class BatchingSettingsProto
|
|
510
|
+
include ::Google::Protobuf::MessageExts
|
|
511
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
512
|
+
end
|
|
513
|
+
|
|
514
|
+
# `BatchingDescriptorProto` specifies the fields of the request message to be
|
|
515
|
+
# used for batching, and, optionally, the fields of the response message to be
|
|
516
|
+
# used for demultiplexing.
|
|
517
|
+
# @!attribute [rw] batched_field
|
|
518
|
+
# @return [::String]
|
|
519
|
+
# The repeated field in the request message to be aggregated by batching.
|
|
520
|
+
# @!attribute [rw] discriminator_fields
|
|
521
|
+
# @return [::Array<::String>]
|
|
522
|
+
# A list of the fields in the request message. Two requests will be batched
|
|
523
|
+
# together only if the values of every field specified in
|
|
524
|
+
# `request_discriminator_fields` is equal between the two requests.
|
|
525
|
+
# @!attribute [rw] subresponse_field
|
|
526
|
+
# @return [::String]
|
|
527
|
+
# Optional. When present, indicates the field in the response message to be
|
|
528
|
+
# used to demultiplex the response into multiple response messages, in
|
|
529
|
+
# correspondence with the multiple request messages originally batched
|
|
530
|
+
# together.
|
|
531
|
+
class BatchingDescriptorProto
|
|
532
|
+
include ::Google::Protobuf::MessageExts
|
|
533
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
534
|
+
end
|
|
535
|
+
|
|
431
536
|
# The organization for which the client libraries are being published.
|
|
432
537
|
# Affects the url where generated docs are published, etc.
|
|
433
538
|
module ClientLibraryOrganization
|
|
@@ -469,5 +574,20 @@ module Google
|
|
|
469
574
|
# Publish the library to package managers like nuget.org and npmjs.com.
|
|
470
575
|
PACKAGE_MANAGER = 20
|
|
471
576
|
end
|
|
577
|
+
|
|
578
|
+
# The behavior to take when the flow control limit is exceeded.
|
|
579
|
+
module FlowControlLimitExceededBehaviorProto
|
|
580
|
+
# Default behavior, system-defined.
|
|
581
|
+
UNSET_BEHAVIOR = 0
|
|
582
|
+
|
|
583
|
+
# Stop operation, raise error.
|
|
584
|
+
THROW_EXCEPTION = 1
|
|
585
|
+
|
|
586
|
+
# Pause operation until limit clears.
|
|
587
|
+
BLOCK = 2
|
|
588
|
+
|
|
589
|
+
# Continue operation, disregard limit.
|
|
590
|
+
IGNORE = 3
|
|
591
|
+
end
|
|
472
592
|
end
|
|
473
593
|
end
|
|
@@ -21,7 +21,8 @@ module Google
|
|
|
21
21
|
module Cloud
|
|
22
22
|
module BinaryAuthorization
|
|
23
23
|
module V1
|
|
24
|
-
# A {::Google::Cloud::BinaryAuthorization::V1::Policy policy} for container image
|
|
24
|
+
# A {::Google::Cloud::BinaryAuthorization::V1::Policy policy} for container image
|
|
25
|
+
# binary authorization.
|
|
25
26
|
# @!attribute [r] name
|
|
26
27
|
# @return [::String]
|
|
27
28
|
# Output only. The resource name, in the format `projects/*/policy`. There is
|
|
@@ -42,7 +43,12 @@ module Google
|
|
|
42
43
|
# third-party infrastructure images from Binary Authorization policies.
|
|
43
44
|
# @!attribute [rw] cluster_admission_rules
|
|
44
45
|
# @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1::AdmissionRule}]
|
|
45
|
-
# Optional.
|
|
46
|
+
# Optional. A valid policy has only one of the following rule maps non-empty,
|
|
47
|
+
# i.e. only one of `cluster_admission_rules`,
|
|
48
|
+
# `kubernetes_namespace_admission_rules`,
|
|
49
|
+
# `kubernetes_service_account_admission_rules`,
|
|
50
|
+
# or `istio_service_identity_admission_rules` can be non-empty.
|
|
51
|
+
# Per-cluster admission rules. Cluster spec format:
|
|
46
52
|
# `location.clusterId`. There can be at most one admission rule per cluster
|
|
47
53
|
# spec.
|
|
48
54
|
# A `location` is either a compute zone (e.g. us-central1-a) or a region
|
|
@@ -51,19 +57,20 @@ module Google
|
|
|
51
57
|
# https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
|
|
52
58
|
# @!attribute [rw] kubernetes_namespace_admission_rules
|
|
53
59
|
# @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1::AdmissionRule}]
|
|
54
|
-
# Optional. Per-kubernetes-namespace admission rules. K8s namespace spec
|
|
55
|
-
#
|
|
60
|
+
# Optional. Per-kubernetes-namespace admission rules. K8s namespace spec
|
|
61
|
+
# format:
|
|
62
|
+
# `[a-z.-]+`, e.g. `some-namespace`
|
|
56
63
|
# @!attribute [rw] kubernetes_service_account_admission_rules
|
|
57
64
|
# @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1::AdmissionRule}]
|
|
58
65
|
# Optional. Per-kubernetes-service-account admission rules. Service account
|
|
59
|
-
# spec format: `namespace:serviceaccount`. e.g.
|
|
66
|
+
# spec format: `namespace:serviceaccount`. e.g. `test-ns:default`
|
|
60
67
|
# @!attribute [rw] istio_service_identity_admission_rules
|
|
61
68
|
# @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1::AdmissionRule}]
|
|
62
69
|
# Optional. Per-istio-service-identity admission rules. Istio service
|
|
63
70
|
# identity spec format:
|
|
64
|
-
# spiffe://<domain>/ns/<namespace>/sa/<serviceaccount
|
|
65
|
-
#
|
|
66
|
-
# e.g. spiffe://example.com/ns/test-ns/sa/default
|
|
71
|
+
# `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or
|
|
72
|
+
# `<domain>/ns/<namespace>/sa/<serviceaccount>`
|
|
73
|
+
# e.g. `spiffe://example.com/ns/test-ns/sa/default`
|
|
67
74
|
# @!attribute [rw] default_admission_rule
|
|
68
75
|
# @return [::Google::Cloud::BinaryAuthorization::V1::AdmissionRule]
|
|
69
76
|
# Required. Default admission rule for a cluster without a per-cluster, per-
|
|
@@ -71,6 +78,11 @@ module Google
|
|
|
71
78
|
# @!attribute [r] update_time
|
|
72
79
|
# @return [::Google::Protobuf::Timestamp]
|
|
73
80
|
# Output only. Time when the policy was last updated.
|
|
81
|
+
# @!attribute [rw] etag
|
|
82
|
+
# @return [::String]
|
|
83
|
+
# Optional. A checksum, returned by the server, that can be sent on update
|
|
84
|
+
# requests to ensure the policy has an up-to-date value before attempting to
|
|
85
|
+
# update it. See https://google.aip.dev/154.
|
|
74
86
|
class Policy
|
|
75
87
|
include ::Google::Protobuf::MessageExts
|
|
76
88
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
@@ -112,7 +124,7 @@ module Google
|
|
|
112
124
|
end
|
|
113
125
|
|
|
114
126
|
module GlobalPolicyEvaluationMode
|
|
115
|
-
# Not specified: DISABLE is assumed.
|
|
127
|
+
# Not specified: `DISABLE` is assumed.
|
|
116
128
|
GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED = 0
|
|
117
129
|
|
|
118
130
|
# Enables system policy evaluation.
|
|
@@ -123,8 +135,10 @@ module Google
|
|
|
123
135
|
end
|
|
124
136
|
end
|
|
125
137
|
|
|
126
|
-
# An
|
|
127
|
-
#
|
|
138
|
+
# An [admission allowlist
|
|
139
|
+
# pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern]
|
|
140
|
+
# exempts images from checks by [admission
|
|
141
|
+
# rules][google.cloud.binaryauthorization.v1.AdmissionRule].
|
|
128
142
|
# @!attribute [rw] name_pattern
|
|
129
143
|
# @return [::String]
|
|
130
144
|
# An image name pattern to allowlist, in the form `registry/path/to/image`.
|
|
@@ -136,13 +150,15 @@ module Google
|
|
|
136
150
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
137
151
|
end
|
|
138
152
|
|
|
139
|
-
# An {::Google::Cloud::BinaryAuthorization::V1::AdmissionRule admission rule}
|
|
140
|
-
# used in a pod creation request
|
|
141
|
-
#
|
|
142
|
-
#
|
|
153
|
+
# An {::Google::Cloud::BinaryAuthorization::V1::AdmissionRule admission rule}
|
|
154
|
+
# specifies either that all container images used in a pod creation request
|
|
155
|
+
# must be attested to by one or more
|
|
156
|
+
# {::Google::Cloud::BinaryAuthorization::V1::Attestor attestors}, that all pod
|
|
157
|
+
# creations will be allowed, or that all pod creations will be denied.
|
|
143
158
|
#
|
|
144
|
-
# Images matching an
|
|
145
|
-
# are
|
|
159
|
+
# Images matching an [admission allowlist
|
|
160
|
+
# pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern] are
|
|
161
|
+
# exempted from admission rules and will never block a pod creation.
|
|
146
162
|
# @!attribute [rw] evaluation_mode
|
|
147
163
|
# @return [::Google::Cloud::BinaryAuthorization::V1::AdmissionRule::EvaluationMode]
|
|
148
164
|
# Required. How this admission rule will be evaluated.
|
|
@@ -154,8 +170,8 @@ module Google
|
|
|
154
170
|
# to a policy the principal issuing the policy change request must be able
|
|
155
171
|
# to read the attestor resource.
|
|
156
172
|
#
|
|
157
|
-
# Note: this field must be non-empty when the evaluation_mode field
|
|
158
|
-
# REQUIRE_ATTESTATION
|
|
173
|
+
# Note: this field must be non-empty when the `evaluation_mode` field
|
|
174
|
+
# specifies `REQUIRE_ATTESTATION`, otherwise it must be empty.
|
|
159
175
|
# @!attribute [rw] enforcement_mode
|
|
160
176
|
# @return [::Google::Cloud::BinaryAuthorization::V1::AdmissionRule::EnforcementMode]
|
|
161
177
|
# Required. The action when a pod creation is denied by the admission rule.
|
|
@@ -167,11 +183,11 @@ module Google
|
|
|
167
183
|
# Do not use.
|
|
168
184
|
EVALUATION_MODE_UNSPECIFIED = 0
|
|
169
185
|
|
|
170
|
-
# This rule allows all
|
|
186
|
+
# This rule allows all pod creations.
|
|
171
187
|
ALWAYS_ALLOW = 1
|
|
172
188
|
|
|
173
189
|
# This rule allows a pod creation if all the attestors listed in
|
|
174
|
-
#
|
|
190
|
+
# `require_attestations_by` have valid attestations for all of the
|
|
175
191
|
# images in the pod spec.
|
|
176
192
|
REQUIRE_ATTESTATION = 2
|
|
177
193
|
|
|
@@ -194,9 +210,9 @@ module Google
|
|
|
194
210
|
end
|
|
195
211
|
end
|
|
196
212
|
|
|
197
|
-
# An {::Google::Cloud::BinaryAuthorization::V1::Attestor attestor} that attests to
|
|
198
|
-
# artifacts. An existing attestor cannot be modified except
|
|
199
|
-
# indicated.
|
|
213
|
+
# An {::Google::Cloud::BinaryAuthorization::V1::Attestor attestor} that attests to
|
|
214
|
+
# container image artifacts. An existing attestor cannot be modified except
|
|
215
|
+
# where indicated.
|
|
200
216
|
# @!attribute [rw] name
|
|
201
217
|
# @return [::String]
|
|
202
218
|
# Required. The resource name, in the format:
|
|
@@ -212,18 +228,24 @@ module Google
|
|
|
212
228
|
# @!attribute [r] update_time
|
|
213
229
|
# @return [::Google::Protobuf::Timestamp]
|
|
214
230
|
# Output only. Time when the attestor was last updated.
|
|
231
|
+
# @!attribute [rw] etag
|
|
232
|
+
# @return [::String]
|
|
233
|
+
# Optional. A checksum, returned by the server, that can be sent on update
|
|
234
|
+
# requests to ensure the attestor has an up-to-date value before attempting
|
|
235
|
+
# to update it. See https://google.aip.dev/154.
|
|
215
236
|
class Attestor
|
|
216
237
|
include ::Google::Protobuf::MessageExts
|
|
217
238
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
218
239
|
end
|
|
219
240
|
|
|
220
|
-
# An
|
|
221
|
-
#
|
|
241
|
+
# An [user owned Grafeas
|
|
242
|
+
# note][google.cloud.binaryauthorization.v1.UserOwnedGrafeasNote] references a
|
|
243
|
+
# Grafeas Attestation.Authority Note created by the user.
|
|
222
244
|
# @!attribute [rw] note_reference
|
|
223
245
|
# @return [::String]
|
|
224
246
|
# Required. The Grafeas resource name of a Attestation.Authority Note,
|
|
225
|
-
# created by the user, in the format: `projects
|
|
226
|
-
# not be updated.
|
|
247
|
+
# created by the user, in the format: `projects/[PROJECT_ID]/notes/*`. This
|
|
248
|
+
# field may not be updated. A project ID must be used, not a project number.
|
|
227
249
|
#
|
|
228
250
|
# An attestation by this attestor is stored as a Grafeas
|
|
229
251
|
# Attestation.Authority Occurrence that names a container image and that
|
|
@@ -242,12 +264,13 @@ module Google
|
|
|
242
264
|
# @!attribute [r] delegation_service_account_email
|
|
243
265
|
# @return [::String]
|
|
244
266
|
# Output only. This field will contain the service account email address
|
|
245
|
-
# that this
|
|
267
|
+
# that this attestor will use as the principal when querying Container
|
|
246
268
|
# Analysis. Attestor administrators must grant this service account the
|
|
247
|
-
# IAM role needed to read attestations from the
|
|
248
|
-
#
|
|
269
|
+
# IAM role needed to read attestations from the
|
|
270
|
+
# {::Google::Cloud::BinaryAuthorization::V1::UserOwnedGrafeasNote#note_reference note_reference}
|
|
271
|
+
# in Container Analysis (`containeranalysis.notes.occurrences.viewer`).
|
|
249
272
|
#
|
|
250
|
-
# This email address is fixed for the lifetime of the
|
|
273
|
+
# This email address is fixed for the lifetime of the attestor, but callers
|
|
251
274
|
# should not make any other assumptions about the service account email;
|
|
252
275
|
# future versions may use an email based on a different naming pattern.
|
|
253
276
|
class UserOwnedGrafeasNote
|
|
@@ -255,10 +278,9 @@ module Google
|
|
|
255
278
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
256
279
|
end
|
|
257
280
|
|
|
258
|
-
# A public key in the PkixPublicKey
|
|
259
|
-
# https://tools.ietf.org/html/rfc5280#section-4.1.2.7
|
|
260
|
-
#
|
|
261
|
-
# format.
|
|
281
|
+
# A public key in the PkixPublicKey
|
|
282
|
+
# [format](https://tools.ietf.org/html/rfc5280#section-4.1.2.7). Public keys of
|
|
283
|
+
# this type are typically textually encoded using the PEM format.
|
|
262
284
|
# @!attribute [rw] public_key_pem
|
|
263
285
|
# @return [::String]
|
|
264
286
|
# A PEM-encoded public key, as described in
|
|
@@ -270,6 +292,22 @@ module Google
|
|
|
270
292
|
# These signature algorithm must match the structure and any object
|
|
271
293
|
# identifiers encoded in `public_key_pem` (i.e. this algorithm must match
|
|
272
294
|
# that of the public key).
|
|
295
|
+
# @!attribute [rw] key_id
|
|
296
|
+
# @return [::String]
|
|
297
|
+
# Optional. The ID of this public key.
|
|
298
|
+
# Signatures verified by Binary Authorization must include the ID of the
|
|
299
|
+
# public key that can be used to verify them. The ID must match exactly
|
|
300
|
+
# contents of the `key_id` field exactly.
|
|
301
|
+
#
|
|
302
|
+
# The ID may be explicitly provided by the caller, but it MUST be a valid
|
|
303
|
+
# RFC3986 URI. If `key_id` is left blank and this `PkixPublicKey` is not used
|
|
304
|
+
# in the context of a wrapper (see next paragraph), a default key ID will be
|
|
305
|
+
# computed based on the digest of the DER encoding of the public key.
|
|
306
|
+
#
|
|
307
|
+
# If this `PkixPublicKey` is used in the context of a wrapper that has its
|
|
308
|
+
# own notion of key ID (e.g. `AttestorPublicKey`), then this field can
|
|
309
|
+
# either match that value exactly, or be left blank, in which case it behaves
|
|
310
|
+
# exactly as though it is equal to that wrapper value.
|
|
273
311
|
class PkixPublicKey
|
|
274
312
|
include ::Google::Protobuf::MessageExts
|
|
275
313
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
|
@@ -277,9 +315,10 @@ module Google
|
|
|
277
315
|
# Represents a signature algorithm and other information necessary to verify
|
|
278
316
|
# signatures with a given public key.
|
|
279
317
|
# This is based primarily on the public key types supported by Tink's
|
|
280
|
-
# PemKeyType, which is in turn based on KMS's supported signing
|
|
281
|
-
#
|
|
282
|
-
# might support additional public key types
|
|
318
|
+
# PemKeyType, which is in turn based on KMS's supported signing
|
|
319
|
+
# [algorithms](https://cloud.google.com/kms/docs/algorithms). In the future,
|
|
320
|
+
# Binary Authorization might support additional public key types
|
|
321
|
+
# independently of Tink and/or KMS.
|
|
283
322
|
module SignatureAlgorithm
|
|
284
323
|
# Not specified.
|
|
285
324
|
SIGNATURE_ALGORITHM_UNSPECIFIED = 0
|
|
@@ -287,15 +326,27 @@ module Google
|
|
|
287
326
|
# RSASSA-PSS 2048 bit key with a SHA256 digest.
|
|
288
327
|
RSA_PSS_2048_SHA256 = 1
|
|
289
328
|
|
|
329
|
+
# RSASSA-PSS 2048 bit key with a SHA256 digest.
|
|
330
|
+
RSA_SIGN_PSS_2048_SHA256 = 1
|
|
331
|
+
|
|
290
332
|
# RSASSA-PSS 3072 bit key with a SHA256 digest.
|
|
291
333
|
RSA_PSS_3072_SHA256 = 2
|
|
292
334
|
|
|
335
|
+
# RSASSA-PSS 3072 bit key with a SHA256 digest.
|
|
336
|
+
RSA_SIGN_PSS_3072_SHA256 = 2
|
|
337
|
+
|
|
293
338
|
# RSASSA-PSS 4096 bit key with a SHA256 digest.
|
|
294
339
|
RSA_PSS_4096_SHA256 = 3
|
|
295
340
|
|
|
341
|
+
# RSASSA-PSS 4096 bit key with a SHA256 digest.
|
|
342
|
+
RSA_SIGN_PSS_4096_SHA256 = 3
|
|
343
|
+
|
|
296
344
|
# RSASSA-PSS 4096 bit key with a SHA512 digest.
|
|
297
345
|
RSA_PSS_4096_SHA512 = 4
|
|
298
346
|
|
|
347
|
+
# RSASSA-PSS 4096 bit key with a SHA512 digest.
|
|
348
|
+
RSA_SIGN_PSS_4096_SHA512 = 4
|
|
349
|
+
|
|
299
350
|
# RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
|
|
300
351
|
RSA_SIGN_PKCS1_2048_SHA256 = 5
|
|
301
352
|
|
|
@@ -325,33 +376,36 @@ module Google
|
|
|
325
376
|
|
|
326
377
|
# ECDSA on the NIST P-521 curve with a SHA512 digest.
|
|
327
378
|
EC_SIGN_P521_SHA512 = 11
|
|
379
|
+
|
|
380
|
+
# ML-DSA-65 Post-Quantum Cryptography signature algorithm.
|
|
381
|
+
ML_DSA_65 = 13
|
|
328
382
|
end
|
|
329
383
|
end
|
|
330
384
|
|
|
331
|
-
# An
|
|
332
|
-
#
|
|
385
|
+
# An [attestor public
|
|
386
|
+
# key][google.cloud.binaryauthorization.v1.AttestorPublicKey] that will be used
|
|
387
|
+
# to verify attestations signed by this attestor.
|
|
333
388
|
# @!attribute [rw] comment
|
|
334
389
|
# @return [::String]
|
|
335
390
|
# Optional. A descriptive comment. This field may be updated.
|
|
336
391
|
# @!attribute [rw] id
|
|
337
392
|
# @return [::String]
|
|
338
393
|
# The ID of this public key.
|
|
339
|
-
# Signatures verified by
|
|
340
|
-
# can be used to verify them, and that ID must match the
|
|
341
|
-
# field exactly.
|
|
342
|
-
#
|
|
343
|
-
#
|
|
344
|
-
# for details.
|
|
394
|
+
# Signatures verified by Binary Authorization must include the ID of the
|
|
395
|
+
# public key that can be used to verify them, and that ID must match the
|
|
396
|
+
# contents of this field exactly. Additional restrictions on this field can
|
|
397
|
+
# be imposed based on which public key type is encapsulated. See the
|
|
398
|
+
# documentation on `public_key` cases below for details.
|
|
345
399
|
# @!attribute [rw] ascii_armored_pgp_public_key
|
|
346
400
|
# @return [::String]
|
|
347
401
|
# ASCII-armored representation of a PGP public key, as the entire output by
|
|
348
402
|
# the command `gpg --export --armor foo@example.com` (either LF or CRLF
|
|
349
403
|
# line endings).
|
|
350
|
-
# When using this field, `id` should be left blank. The
|
|
351
|
-
# handlers will calculate the ID and fill it in
|
|
352
|
-
# computes this ID as the OpenPGP
|
|
353
|
-
# upper-case hex. If `id` is
|
|
354
|
-
# overwritten by the API-calculated ID.
|
|
404
|
+
# When using this field, `id` should be left blank. The Binary
|
|
405
|
+
# Authorization API handlers will calculate the ID and fill it in
|
|
406
|
+
# automatically. Binary Authorization computes this ID as the OpenPGP
|
|
407
|
+
# RFC4880 V4 fingerprint, represented as upper-case hex. If `id` is
|
|
408
|
+
# provided by the caller, it will be overwritten by the API-calculated ID.
|
|
355
409
|
#
|
|
356
410
|
# Note: The following fields are mutually exclusive: `ascii_armored_pgp_public_key`, `pkix_public_key`. If a field in that set is populated, all other fields in the set will automatically be cleared.
|
|
357
411
|
# @!attribute [rw] pkix_public_key
|