google-cloud-binary_authorization-v1beta1 0.3.3 → 0.4.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.yardopts +1 -1
- data/AUTHENTICATION.md +7 -25
- data/lib/google/cloud/binary_authorization/v1beta1/binauthz_management_service/client.rb +233 -129
- data/lib/google/cloud/binary_authorization/v1beta1/binauthz_management_service/paths.rb +24 -5
- data/lib/google/cloud/binary_authorization/v1beta1/system_policy/client.rb +388 -0
- data/lib/google/cloud/binary_authorization/v1beta1/system_policy/credentials.rb +51 -0
- data/lib/google/cloud/binary_authorization/v1beta1/system_policy/paths.rb +66 -0
- data/lib/google/cloud/binary_authorization/v1beta1/system_policy.rb +49 -0
- data/lib/google/cloud/binary_authorization/v1beta1/version.rb +1 -1
- data/lib/google/cloud/binary_authorization/v1beta1.rb +1 -0
- data/lib/google/cloud/binaryauthorization/v1beta1/continuous_validation_logging_pb.rb +1 -1
- data/lib/google/cloud/binaryauthorization/v1beta1/resources_pb.rb +9 -3
- data/lib/google/cloud/binaryauthorization/v1beta1/service_pb.rb +6 -2
- data/lib/google/cloud/binaryauthorization/v1beta1/service_services_pb.rb +35 -34
- data/proto_docs/google/api/resource.rb +10 -71
- data/proto_docs/google/cloud/binaryauthorization/v1beta1/resources.rb +73 -25
- data/proto_docs/google/cloud/binaryauthorization/v1beta1/service.rb +32 -37
- metadata +9 -5
@@ -1,14 +1,14 @@
|
|
1
1
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
2
|
# source: google/cloud/binaryauthorization/v1beta1/service.proto
|
3
3
|
|
4
|
-
require 'google/protobuf'
|
5
|
-
|
6
4
|
require 'google/api/annotations_pb'
|
7
5
|
require 'google/api/client_pb'
|
8
6
|
require 'google/api/field_behavior_pb'
|
9
7
|
require 'google/api/resource_pb'
|
10
8
|
require 'google/cloud/binaryauthorization/v1beta1/resources_pb'
|
11
9
|
require 'google/protobuf/empty_pb'
|
10
|
+
require 'google/protobuf'
|
11
|
+
|
12
12
|
Google::Protobuf::DescriptorPool.generated_pool.build do
|
13
13
|
add_file("google/cloud/binaryauthorization/v1beta1/service.proto", :syntax => :proto3) do
|
14
14
|
add_message "google.cloud.binaryauthorization.v1beta1.GetPolicyRequest" do
|
@@ -40,6 +40,9 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
|
|
40
40
|
add_message "google.cloud.binaryauthorization.v1beta1.DeleteAttestorRequest" do
|
41
41
|
optional :name, :string, 1
|
42
42
|
end
|
43
|
+
add_message "google.cloud.binaryauthorization.v1beta1.GetSystemPolicyRequest" do
|
44
|
+
optional :name, :string, 1
|
45
|
+
end
|
43
46
|
end
|
44
47
|
end
|
45
48
|
|
@@ -55,6 +58,7 @@ module Google
|
|
55
58
|
ListAttestorsRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.binaryauthorization.v1beta1.ListAttestorsRequest").msgclass
|
56
59
|
ListAttestorsResponse = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.binaryauthorization.v1beta1.ListAttestorsResponse").msgclass
|
57
60
|
DeleteAttestorRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.binaryauthorization.v1beta1.DeleteAttestorRequest").msgclass
|
61
|
+
GetSystemPolicyRequest = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.binaryauthorization.v1beta1.GetSystemPolicyRequest").msgclass
|
58
62
|
end
|
59
63
|
end
|
60
64
|
end
|
@@ -1,7 +1,7 @@
|
|
1
1
|
# Generated by the protocol buffer compiler. DO NOT EDIT!
|
2
2
|
# Source: google/cloud/binaryauthorization/v1beta1/service.proto for package 'Google.Cloud.BinaryAuthorization.V1beta1'
|
3
3
|
# Original file comments:
|
4
|
-
# Copyright
|
4
|
+
# Copyright 2021 Google LLC
|
5
5
|
#
|
6
6
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
7
7
|
# you may not use this file except in compliance with the License.
|
@@ -15,7 +15,6 @@
|
|
15
15
|
# See the License for the specific language governing permissions and
|
16
16
|
# limitations under the License.
|
17
17
|
#
|
18
|
-
#
|
19
18
|
|
20
19
|
require 'grpc'
|
21
20
|
require 'google/cloud/binaryauthorization/v1beta1/service_pb'
|
@@ -36,59 +35,61 @@ module Google
|
|
36
35
|
# * [Attestor][google.cloud.binaryauthorization.v1beta1.Attestor]
|
37
36
|
class Service
|
38
37
|
|
39
|
-
include GRPC::GenericService
|
38
|
+
include ::GRPC::GenericService
|
40
39
|
|
41
40
|
self.marshal_class_method = :encode
|
42
41
|
self.unmarshal_class_method = :decode
|
43
42
|
self.service_name = 'google.cloud.binaryauthorization.v1beta1.BinauthzManagementServiceV1Beta1'
|
44
43
|
|
45
|
-
# A [policy][google.cloud.binaryauthorization.v1beta1.Policy] specifies the
|
46
|
-
#
|
47
|
-
# attest to a container image, before the project is allowed to deploy that
|
44
|
+
# A [policy][google.cloud.binaryauthorization.v1beta1.Policy] specifies the [attestors][google.cloud.binaryauthorization.v1beta1.Attestor] that must attest to
|
45
|
+
# a container image, before the project is allowed to deploy that
|
48
46
|
# image. There is at most one policy per project. All image admission
|
49
47
|
# requests are permitted if a project has no policy.
|
50
48
|
#
|
51
|
-
# Gets the [policy][google.cloud.binaryauthorization.v1beta1.Policy] for this
|
52
|
-
#
|
53
|
-
# [policy][google.cloud.binaryauthorization.v1beta1.Policy] if the project
|
54
|
-
# does not have one.
|
49
|
+
# Gets the [policy][google.cloud.binaryauthorization.v1beta1.Policy] for this project. Returns a default
|
50
|
+
# [policy][google.cloud.binaryauthorization.v1beta1.Policy] if the project does not have one.
|
55
51
|
rpc :GetPolicy, ::Google::Cloud::BinaryAuthorization::V1beta1::GetPolicyRequest, ::Google::Cloud::BinaryAuthorization::V1beta1::Policy
|
56
|
-
# Creates or updates a project's
|
57
|
-
# [policy][google.cloud.binaryauthorization.v1beta1.Policy],
|
58
|
-
#
|
59
|
-
#
|
60
|
-
#
|
61
|
-
# if the project does not exist, INVALID_ARGUMENT if the request is
|
62
|
-
# malformed.
|
52
|
+
# Creates or updates a project's [policy][google.cloud.binaryauthorization.v1beta1.Policy], and returns a copy of the
|
53
|
+
# new [policy][google.cloud.binaryauthorization.v1beta1.Policy]. A policy is always updated as a whole, to avoid race
|
54
|
+
# conditions with concurrent policy enforcement (or management!)
|
55
|
+
# requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
|
56
|
+
# if the request is malformed.
|
63
57
|
rpc :UpdatePolicy, ::Google::Cloud::BinaryAuthorization::V1beta1::UpdatePolicyRequest, ::Google::Cloud::BinaryAuthorization::V1beta1::Policy
|
64
|
-
# Creates an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor],
|
65
|
-
#
|
66
|
-
#
|
67
|
-
#
|
68
|
-
# malformed, ALREADY_EXISTS if the
|
69
|
-
# [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] already
|
70
|
-
# exists.
|
58
|
+
# Creates an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor], and returns a copy of the new
|
59
|
+
# [attestor][google.cloud.binaryauthorization.v1beta1.Attestor]. Returns NOT_FOUND if the project does not exist,
|
60
|
+
# INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the
|
61
|
+
# [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] already exists.
|
71
62
|
rpc :CreateAttestor, ::Google::Cloud::BinaryAuthorization::V1beta1::CreateAttestorRequest, ::Google::Cloud::BinaryAuthorization::V1beta1::Attestor
|
72
63
|
# Gets an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor].
|
73
|
-
# Returns NOT_FOUND if the
|
74
|
-
# [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not
|
75
|
-
# exist.
|
64
|
+
# Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not exist.
|
76
65
|
rpc :GetAttestor, ::Google::Cloud::BinaryAuthorization::V1beta1::GetAttestorRequest, ::Google::Cloud::BinaryAuthorization::V1beta1::Attestor
|
77
66
|
# Updates an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor].
|
78
|
-
# Returns NOT_FOUND if the
|
79
|
-
# [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not
|
80
|
-
# exist.
|
67
|
+
# Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not exist.
|
81
68
|
rpc :UpdateAttestor, ::Google::Cloud::BinaryAuthorization::V1beta1::UpdateAttestorRequest, ::Google::Cloud::BinaryAuthorization::V1beta1::Attestor
|
82
69
|
# Lists [attestors][google.cloud.binaryauthorization.v1beta1.Attestor].
|
83
70
|
# Returns INVALID_ARGUMENT if the project does not exist.
|
84
71
|
rpc :ListAttestors, ::Google::Cloud::BinaryAuthorization::V1beta1::ListAttestorsRequest, ::Google::Cloud::BinaryAuthorization::V1beta1::ListAttestorsResponse
|
85
|
-
# Deletes an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor].
|
86
|
-
#
|
87
|
-
# [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not
|
88
|
-
# exist.
|
72
|
+
# Deletes an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor]. Returns NOT_FOUND if the
|
73
|
+
# [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not exist.
|
89
74
|
rpc :DeleteAttestor, ::Google::Cloud::BinaryAuthorization::V1beta1::DeleteAttestorRequest, ::Google::Protobuf::Empty
|
90
75
|
end
|
91
76
|
|
77
|
+
Stub = Service.rpc_stub_class
|
78
|
+
end
|
79
|
+
module SystemPolicyV1Beta1
|
80
|
+
# API for working with the system policy.
|
81
|
+
class Service
|
82
|
+
|
83
|
+
include ::GRPC::GenericService
|
84
|
+
|
85
|
+
self.marshal_class_method = :encode
|
86
|
+
self.unmarshal_class_method = :decode
|
87
|
+
self.service_name = 'google.cloud.binaryauthorization.v1beta1.SystemPolicyV1Beta1'
|
88
|
+
|
89
|
+
# Gets the current system policy in the specified location.
|
90
|
+
rpc :GetSystemPolicy, ::Google::Cloud::BinaryAuthorization::V1beta1::GetSystemPolicyRequest, ::Google::Cloud::BinaryAuthorization::V1beta1::Policy
|
91
|
+
end
|
92
|
+
|
92
93
|
Stub = Service.rpc_stub_class
|
93
94
|
end
|
94
95
|
end
|
@@ -33,11 +33,7 @@ module Google
|
|
33
33
|
# // For Kubernetes resources, the format is {api group}/{kind}.
|
34
34
|
# option (google.api.resource) = {
|
35
35
|
# type: "pubsub.googleapis.com/Topic"
|
36
|
-
#
|
37
|
-
# pattern: "projects/{project}/topics/{topic}"
|
38
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Project"
|
39
|
-
# parent_name_extractor: "projects/{project}"
|
40
|
-
# }
|
36
|
+
# pattern: "projects/{project}/topics/{topic}"
|
41
37
|
# };
|
42
38
|
# }
|
43
39
|
#
|
@@ -45,10 +41,7 @@ module Google
|
|
45
41
|
#
|
46
42
|
# resources:
|
47
43
|
# - type: "pubsub.googleapis.com/Topic"
|
48
|
-
#
|
49
|
-
# - pattern: "projects/{project}/topics/{topic}"
|
50
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Project"
|
51
|
-
# parent_name_extractor: "projects/{project}"
|
44
|
+
# pattern: "projects/{project}/topics/{topic}"
|
52
45
|
#
|
53
46
|
# Sometimes, resources have multiple patterns, typically because they can
|
54
47
|
# live under multiple parents.
|
@@ -58,26 +51,10 @@ module Google
|
|
58
51
|
# message LogEntry {
|
59
52
|
# option (google.api.resource) = {
|
60
53
|
# type: "logging.googleapis.com/LogEntry"
|
61
|
-
#
|
62
|
-
#
|
63
|
-
#
|
64
|
-
#
|
65
|
-
# }
|
66
|
-
# name_descriptor: {
|
67
|
-
# pattern: "folders/{folder}/logs/{log}"
|
68
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Folder"
|
69
|
-
# parent_name_extractor: "folders/{folder}"
|
70
|
-
# }
|
71
|
-
# name_descriptor: {
|
72
|
-
# pattern: "organizations/{organization}/logs/{log}"
|
73
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Organization"
|
74
|
-
# parent_name_extractor: "organizations/{organization}"
|
75
|
-
# }
|
76
|
-
# name_descriptor: {
|
77
|
-
# pattern: "billingAccounts/{billing_account}/logs/{log}"
|
78
|
-
# parent_type: "billing.googleapis.com/BillingAccount"
|
79
|
-
# parent_name_extractor: "billingAccounts/{billing_account}"
|
80
|
-
# }
|
54
|
+
# pattern: "projects/{project}/logs/{log}"
|
55
|
+
# pattern: "folders/{folder}/logs/{log}"
|
56
|
+
# pattern: "organizations/{organization}/logs/{log}"
|
57
|
+
# pattern: "billingAccounts/{billing_account}/logs/{log}"
|
81
58
|
# };
|
82
59
|
# }
|
83
60
|
#
|
@@ -85,48 +62,10 @@ module Google
|
|
85
62
|
#
|
86
63
|
# resources:
|
87
64
|
# - type: 'logging.googleapis.com/LogEntry'
|
88
|
-
#
|
89
|
-
#
|
90
|
-
#
|
91
|
-
#
|
92
|
-
# - pattern: "folders/{folder}/logs/{log}"
|
93
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Folder"
|
94
|
-
# parent_name_extractor: "folders/{folder}"
|
95
|
-
# - pattern: "organizations/{organization}/logs/{log}"
|
96
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Organization"
|
97
|
-
# parent_name_extractor: "organizations/{organization}"
|
98
|
-
# - pattern: "billingAccounts/{billing_account}/logs/{log}"
|
99
|
-
# parent_type: "billing.googleapis.com/BillingAccount"
|
100
|
-
# parent_name_extractor: "billingAccounts/{billing_account}"
|
101
|
-
#
|
102
|
-
# For flexible resources, the resource name doesn't contain parent names, but
|
103
|
-
# the resource itself has parents for policy evaluation.
|
104
|
-
#
|
105
|
-
# Example:
|
106
|
-
#
|
107
|
-
# message Shelf {
|
108
|
-
# option (google.api.resource) = {
|
109
|
-
# type: "library.googleapis.com/Shelf"
|
110
|
-
# name_descriptor: {
|
111
|
-
# pattern: "shelves/{shelf}"
|
112
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Project"
|
113
|
-
# }
|
114
|
-
# name_descriptor: {
|
115
|
-
# pattern: "shelves/{shelf}"
|
116
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Folder"
|
117
|
-
# }
|
118
|
-
# };
|
119
|
-
# }
|
120
|
-
#
|
121
|
-
# The ResourceDescriptor Yaml config will look like:
|
122
|
-
#
|
123
|
-
# resources:
|
124
|
-
# - type: 'library.googleapis.com/Shelf'
|
125
|
-
# name_descriptor:
|
126
|
-
# - pattern: "shelves/{shelf}"
|
127
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Project"
|
128
|
-
# - pattern: "shelves/{shelf}"
|
129
|
-
# parent_type: "cloudresourcemanager.googleapis.com/Folder"
|
65
|
+
# pattern: "projects/{project}/logs/{log}"
|
66
|
+
# pattern: "folders/{folder}/logs/{log}"
|
67
|
+
# pattern: "organizations/{organization}/logs/{log}"
|
68
|
+
# pattern: "billingAccounts/{billing_account}/logs/{log}"
|
130
69
|
# @!attribute [rw] type
|
131
70
|
# @return [::String]
|
132
71
|
# The resource type. It must be in the format of
|
@@ -21,8 +21,7 @@ module Google
|
|
21
21
|
module Cloud
|
22
22
|
module BinaryAuthorization
|
23
23
|
module V1beta1
|
24
|
-
# A {::Google::Cloud::BinaryAuthorization::V1beta1::Policy policy} for
|
25
|
-
# image binary authorization.
|
24
|
+
# A {::Google::Cloud::BinaryAuthorization::V1beta1::Policy policy} for Binary Authorization.
|
26
25
|
# @!attribute [r] name
|
27
26
|
# @return [::String]
|
28
27
|
# Output only. The resource name, in the format `projects/*/policy`. There is
|
@@ -50,6 +49,21 @@ module Google
|
|
50
49
|
# (e.g. us-central1).
|
51
50
|
# For `clusterId` syntax restrictions see
|
52
51
|
# https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
|
52
|
+
# @!attribute [rw] kubernetes_namespace_admission_rules
|
53
|
+
# @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}]
|
54
|
+
# Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format:
|
55
|
+
# `[a-z.-]+`, e.g. `some-namespace`
|
56
|
+
# @!attribute [rw] kubernetes_service_account_admission_rules
|
57
|
+
# @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}]
|
58
|
+
# Optional. Per-kubernetes-service-account admission rules. Service account
|
59
|
+
# spec format: `namespace:serviceaccount`. e.g. `test-ns:default`
|
60
|
+
# @!attribute [rw] istio_service_identity_admission_rules
|
61
|
+
# @return [::Google::Protobuf::Map{::String => ::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule}]
|
62
|
+
# Optional. Per-istio-service-identity admission rules. Istio service
|
63
|
+
# identity spec format:
|
64
|
+
# `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or
|
65
|
+
# `<domain>/ns/<namespace>/sa/<serviceaccount>`
|
66
|
+
# e.g. `spiffe://example.com/ns/test-ns/sa/default`
|
53
67
|
# @!attribute [rw] default_admission_rule
|
54
68
|
# @return [::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule]
|
55
69
|
# Required. Default admission rule for a cluster without a per-cluster, per-
|
@@ -70,6 +84,33 @@ module Google
|
|
70
84
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
71
85
|
end
|
72
86
|
|
87
|
+
# @!attribute [rw] key
|
88
|
+
# @return [::String]
|
89
|
+
# @!attribute [rw] value
|
90
|
+
# @return [::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule]
|
91
|
+
class KubernetesNamespaceAdmissionRulesEntry
|
92
|
+
include ::Google::Protobuf::MessageExts
|
93
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
94
|
+
end
|
95
|
+
|
96
|
+
# @!attribute [rw] key
|
97
|
+
# @return [::String]
|
98
|
+
# @!attribute [rw] value
|
99
|
+
# @return [::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule]
|
100
|
+
class KubernetesServiceAccountAdmissionRulesEntry
|
101
|
+
include ::Google::Protobuf::MessageExts
|
102
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
103
|
+
end
|
104
|
+
|
105
|
+
# @!attribute [rw] key
|
106
|
+
# @return [::String]
|
107
|
+
# @!attribute [rw] value
|
108
|
+
# @return [::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule]
|
109
|
+
class IstioServiceIdentityAdmissionRulesEntry
|
110
|
+
include ::Google::Protobuf::MessageExts
|
111
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
112
|
+
end
|
113
|
+
|
73
114
|
module GlobalPolicyEvaluationMode
|
74
115
|
# Not specified: DISABLE is assumed.
|
75
116
|
GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED = 0
|
@@ -82,28 +123,28 @@ module Google
|
|
82
123
|
end
|
83
124
|
end
|
84
125
|
|
85
|
-
# An
|
86
|
-
#
|
87
|
-
# exempts images from checks by [admission
|
88
|
-
# rules][google.cloud.binaryauthorization.v1beta1.AdmissionRule].
|
126
|
+
# An {::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionWhitelistPattern admission allowlist pattern} exempts images
|
127
|
+
# from checks by {::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule admission rules}.
|
89
128
|
# @!attribute [rw] name_pattern
|
90
129
|
# @return [::String]
|
91
|
-
# An image name pattern to
|
130
|
+
# An image name pattern to allowlist, in the form `registry/path/to/image`.
|
92
131
|
# This supports a trailing `*` as a wildcard, but this is allowed only in
|
93
|
-
# text after the `registry/` part.
|
132
|
+
# text after the `registry/` part. `*` wildcard does not match `/`, i.e.,
|
133
|
+
# `gcr.io/nginx*` matches `gcr.io/nginx@latest`, but it does not match
|
134
|
+
# `gcr.io/nginx/image`. This also supports a trailing `**` wildcard which
|
135
|
+
# matches subdirectories, i.e., `gcr.io/nginx**` matches
|
136
|
+
# `gcr.io/nginx/image`.
|
94
137
|
class AdmissionWhitelistPattern
|
95
138
|
include ::Google::Protobuf::MessageExts
|
96
139
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
97
140
|
end
|
98
141
|
|
99
|
-
# An {::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule admission rule}
|
100
|
-
#
|
101
|
-
#
|
102
|
-
#
|
103
|
-
# creations will be allowed, or that all pod creations will be denied.
|
142
|
+
# An {::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule admission rule} specifies either that all container images
|
143
|
+
# used in a pod creation request must be attested to by one or more
|
144
|
+
# {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestors}, that all pod creations will be allowed, or that all
|
145
|
+
# pod creations will be denied.
|
104
146
|
#
|
105
|
-
# Images matching an
|
106
|
-
# pattern][google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern]
|
147
|
+
# Images matching an {::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionWhitelistPattern admission allowlist pattern}
|
107
148
|
# are exempted from admission rules and will never block a pod creation.
|
108
149
|
# @!attribute [rw] evaluation_mode
|
109
150
|
# @return [::Google::Cloud::BinaryAuthorization::V1beta1::AdmissionRule::EvaluationMode]
|
@@ -133,7 +174,7 @@ module Google
|
|
133
174
|
ALWAYS_ALLOW = 1
|
134
175
|
|
135
176
|
# This rule allows a pod creation if all the attestors listed in
|
136
|
-
#
|
177
|
+
# `require_attestations_by` have valid attestations for all of the
|
137
178
|
# images in the pod spec.
|
138
179
|
REQUIRE_ATTESTATION = 2
|
139
180
|
|
@@ -156,9 +197,9 @@ module Google
|
|
156
197
|
end
|
157
198
|
end
|
158
199
|
|
159
|
-
# An {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestor} that attests
|
160
|
-
#
|
161
|
-
#
|
200
|
+
# An {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestor} that attests to container image
|
201
|
+
# artifacts. An existing attestor cannot be modified except where
|
202
|
+
# indicated.
|
162
203
|
# @!attribute [rw] name
|
163
204
|
# @return [::String]
|
164
205
|
# Required. The resource name, in the format:
|
@@ -178,9 +219,8 @@ module Google
|
|
178
219
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
179
220
|
end
|
180
221
|
|
181
|
-
# An
|
182
|
-
#
|
183
|
-
# references a Drydock ATTESTATION_AUTHORITY Note created by the user.
|
222
|
+
# An {::Google::Cloud::BinaryAuthorization::V1beta1::UserOwnedDrydockNote user owned drydock note} references a Drydock
|
223
|
+
# ATTESTATION_AUTHORITY Note created by the user.
|
184
224
|
# @!attribute [rw] note_reference
|
185
225
|
# @return [::String]
|
186
226
|
# Required. The Drydock resource name of a ATTESTATION_AUTHORITY Note,
|
@@ -273,17 +313,25 @@ module Google
|
|
273
313
|
# ECDSA on the NIST P-256 curve with a SHA256 digest.
|
274
314
|
ECDSA_P256_SHA256 = 9
|
275
315
|
|
316
|
+
# ECDSA on the NIST P-256 curve with a SHA256 digest.
|
317
|
+
EC_SIGN_P256_SHA256 = 9
|
318
|
+
|
276
319
|
# ECDSA on the NIST P-384 curve with a SHA384 digest.
|
277
320
|
ECDSA_P384_SHA384 = 10
|
278
321
|
|
322
|
+
# ECDSA on the NIST P-384 curve with a SHA384 digest.
|
323
|
+
EC_SIGN_P384_SHA384 = 10
|
324
|
+
|
279
325
|
# ECDSA on the NIST P-521 curve with a SHA512 digest.
|
280
326
|
ECDSA_P521_SHA512 = 11
|
327
|
+
|
328
|
+
# ECDSA on the NIST P-521 curve with a SHA512 digest.
|
329
|
+
EC_SIGN_P521_SHA512 = 11
|
281
330
|
end
|
282
331
|
end
|
283
332
|
|
284
|
-
# An
|
285
|
-
#
|
286
|
-
# used to verify attestations signed by this attestor.
|
333
|
+
# An {::Google::Cloud::BinaryAuthorization::V1beta1::AttestorPublicKey attestor public key} that will be used to verify
|
334
|
+
# attestations signed by this attestor.
|
287
335
|
# @!attribute [rw] comment
|
288
336
|
# @return [::String]
|
289
337
|
# Optional. A descriptive comment. This field may be updated.
|
@@ -24,9 +24,8 @@ module Google
|
|
24
24
|
# Request message for [BinauthzManagementService.GetPolicy][].
|
25
25
|
# @!attribute [rw] name
|
26
26
|
# @return [::String]
|
27
|
-
# Required. The resource name of the
|
28
|
-
#
|
29
|
-
# the format `projects/*/policy`.
|
27
|
+
# Required. The resource name of the {::Google::Cloud::BinaryAuthorization::V1beta1::Policy policy} to retrieve,
|
28
|
+
# in the format `projects/*/policy`.
|
30
29
|
class GetPolicyRequest
|
31
30
|
include ::Google::Protobuf::MessageExts
|
32
31
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -35,11 +34,9 @@ module Google
|
|
35
34
|
# Request message for [BinauthzManagementService.UpdatePolicy][].
|
36
35
|
# @!attribute [rw] policy
|
37
36
|
# @return [::Google::Cloud::BinaryAuthorization::V1beta1::Policy]
|
38
|
-
# Required. A new or updated
|
39
|
-
# {::Google::Cloud::BinaryAuthorization::V1beta1::Policy policy}
|
40
|
-
#
|
41
|
-
# name][google.cloud.binaryauthorization.v1beta1.Policy.name] field with the
|
42
|
-
# resource name in the request URL, in the format `projects/*/policy`.
|
37
|
+
# Required. A new or updated {::Google::Cloud::BinaryAuthorization::V1beta1::Policy policy} value. The service will
|
38
|
+
# overwrite the {::Google::Cloud::BinaryAuthorization::V1beta1::Policy#name policy name} field with the resource name in
|
39
|
+
# the request URL, in the format `projects/*/policy`.
|
43
40
|
class UpdatePolicyRequest
|
44
41
|
include ::Google::Protobuf::MessageExts
|
45
42
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -48,19 +45,15 @@ module Google
|
|
48
45
|
# Request message for [BinauthzManagementService.CreateAttestor][].
|
49
46
|
# @!attribute [rw] parent
|
50
47
|
# @return [::String]
|
51
|
-
# Required. The parent of this
|
52
|
-
# {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestor}.
|
48
|
+
# Required. The parent of this {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestor}.
|
53
49
|
# @!attribute [rw] attestor_id
|
54
50
|
# @return [::String]
|
55
|
-
# Required. The
|
56
|
-
# {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestors} ID.
|
51
|
+
# Required. The {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestors} ID.
|
57
52
|
# @!attribute [rw] attestor
|
58
53
|
# @return [::Google::Cloud::BinaryAuthorization::V1beta1::Attestor]
|
59
|
-
# Required. The initial
|
60
|
-
# {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestor}
|
61
|
-
#
|
62
|
-
# name][google.cloud.binaryauthorization.v1beta1.Attestor.name] field with
|
63
|
-
# the resource name, in the format `projects/*/attestors/*`.
|
54
|
+
# Required. The initial {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestor} value. The service will
|
55
|
+
# overwrite the {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor#name attestor name} field with the resource name,
|
56
|
+
# in the format `projects/*/attestors/*`.
|
64
57
|
class CreateAttestorRequest
|
65
58
|
include ::Google::Protobuf::MessageExts
|
66
59
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -69,9 +62,8 @@ module Google
|
|
69
62
|
# Request message for [BinauthzManagementService.GetAttestor][].
|
70
63
|
# @!attribute [rw] name
|
71
64
|
# @return [::String]
|
72
|
-
# Required. The name of the
|
73
|
-
#
|
74
|
-
# in the format `projects/*/attestors/*`.
|
65
|
+
# Required. The name of the {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestor} to retrieve, in the format
|
66
|
+
# `projects/*/attestors/*`.
|
75
67
|
class GetAttestorRequest
|
76
68
|
include ::Google::Protobuf::MessageExts
|
77
69
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -80,12 +72,9 @@ module Google
|
|
80
72
|
# Request message for [BinauthzManagementService.UpdateAttestor][].
|
81
73
|
# @!attribute [rw] attestor
|
82
74
|
# @return [::Google::Cloud::BinaryAuthorization::V1beta1::Attestor]
|
83
|
-
# Required. The updated
|
84
|
-
# {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestor}
|
85
|
-
#
|
86
|
-
# name][google.cloud.binaryauthorization.v1beta1.Attestor.name] field with
|
87
|
-
# the resource name in the request URL, in the format
|
88
|
-
# `projects/*/attestors/*`.
|
75
|
+
# Required. The updated {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestor} value. The service will
|
76
|
+
# overwrite the {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor#name attestor name} field with the resource name
|
77
|
+
# in the request URL, in the format `projects/*/attestors/*`.
|
89
78
|
class UpdateAttestorRequest
|
90
79
|
include ::Google::Protobuf::MessageExts
|
91
80
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -95,8 +84,7 @@ module Google
|
|
95
84
|
# @!attribute [rw] parent
|
96
85
|
# @return [::String]
|
97
86
|
# Required. The resource name of the project associated with the
|
98
|
-
# {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestors}, in the
|
99
|
-
# format `projects/*`.
|
87
|
+
# {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestors}, in the format `projects/*`.
|
100
88
|
# @!attribute [rw] page_size
|
101
89
|
# @return [::Integer]
|
102
90
|
# Requested page size. The server may return fewer results than requested. If
|
@@ -104,9 +92,8 @@ module Google
|
|
104
92
|
# @!attribute [rw] page_token
|
105
93
|
# @return [::String]
|
106
94
|
# A token identifying a page of results the server should return. Typically,
|
107
|
-
# this is the value of
|
108
|
-
#
|
109
|
-
# returned from the previous call to the `ListAttestors` method.
|
95
|
+
# this is the value of {::Google::Cloud::BinaryAuthorization::V1beta1::ListAttestorsResponse#next_page_token ListAttestorsResponse.next_page_token} returned
|
96
|
+
# from the previous call to the `ListAttestors` method.
|
110
97
|
class ListAttestorsRequest
|
111
98
|
include ::Google::Protobuf::MessageExts
|
112
99
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -119,9 +106,8 @@ module Google
|
|
119
106
|
# @!attribute [rw] next_page_token
|
120
107
|
# @return [::String]
|
121
108
|
# A token to retrieve the next page of results. Pass this value in the
|
122
|
-
# {::Google::Cloud::BinaryAuthorization::V1beta1::ListAttestorsRequest#page_token ListAttestorsRequest.page_token}
|
123
|
-
#
|
124
|
-
# next page of results.
|
109
|
+
# {::Google::Cloud::BinaryAuthorization::V1beta1::ListAttestorsRequest#page_token ListAttestorsRequest.page_token} field in the subsequent call to the
|
110
|
+
# `ListAttestors` method to retrieve the next page of results.
|
125
111
|
class ListAttestorsResponse
|
126
112
|
include ::Google::Protobuf::MessageExts
|
127
113
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
@@ -130,13 +116,22 @@ module Google
|
|
130
116
|
# Request message for [BinauthzManagementService.DeleteAttestor][].
|
131
117
|
# @!attribute [rw] name
|
132
118
|
# @return [::String]
|
133
|
-
# Required. The name of the
|
134
|
-
#
|
135
|
-
# in the format `projects/*/attestors/*`.
|
119
|
+
# Required. The name of the {::Google::Cloud::BinaryAuthorization::V1beta1::Attestor attestors} to delete, in the format
|
120
|
+
# `projects/*/attestors/*`.
|
136
121
|
class DeleteAttestorRequest
|
137
122
|
include ::Google::Protobuf::MessageExts
|
138
123
|
extend ::Google::Protobuf::MessageExts::ClassMethods
|
139
124
|
end
|
125
|
+
|
126
|
+
# Request to read the current system policy.
|
127
|
+
# @!attribute [rw] name
|
128
|
+
# @return [::String]
|
129
|
+
# Required. The resource name, in the format `locations/*/policy`.
|
130
|
+
# Note that the system policy is not associated with a project.
|
131
|
+
class GetSystemPolicyRequest
|
132
|
+
include ::Google::Protobuf::MessageExts
|
133
|
+
extend ::Google::Protobuf::MessageExts::ClassMethods
|
134
|
+
end
|
140
135
|
end
|
141
136
|
end
|
142
137
|
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: google-cloud-binary_authorization-v1beta1
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.4.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Google LLC
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-01-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: gapic-common
|
@@ -16,7 +16,7 @@ dependencies:
|
|
16
16
|
requirements:
|
17
17
|
- - ">="
|
18
18
|
- !ruby/object:Gem::Version
|
19
|
-
version: '0.
|
19
|
+
version: '0.7'
|
20
20
|
- - "<"
|
21
21
|
- !ruby/object:Gem::Version
|
22
22
|
version: 2.a
|
@@ -26,7 +26,7 @@ dependencies:
|
|
26
26
|
requirements:
|
27
27
|
- - ">="
|
28
28
|
- !ruby/object:Gem::Version
|
29
|
-
version: '0.
|
29
|
+
version: '0.7'
|
30
30
|
- - "<"
|
31
31
|
- !ruby/object:Gem::Version
|
32
32
|
version: 2.a
|
@@ -177,6 +177,10 @@ files:
|
|
177
177
|
- lib/google/cloud/binary_authorization/v1beta1/binauthz_management_service/client.rb
|
178
178
|
- lib/google/cloud/binary_authorization/v1beta1/binauthz_management_service/credentials.rb
|
179
179
|
- lib/google/cloud/binary_authorization/v1beta1/binauthz_management_service/paths.rb
|
180
|
+
- lib/google/cloud/binary_authorization/v1beta1/system_policy.rb
|
181
|
+
- lib/google/cloud/binary_authorization/v1beta1/system_policy/client.rb
|
182
|
+
- lib/google/cloud/binary_authorization/v1beta1/system_policy/credentials.rb
|
183
|
+
- lib/google/cloud/binary_authorization/v1beta1/system_policy/paths.rb
|
180
184
|
- lib/google/cloud/binary_authorization/v1beta1/version.rb
|
181
185
|
- lib/google/cloud/binaryauthorization/v1beta1/continuous_validation_logging_pb.rb
|
182
186
|
- lib/google/cloud/binaryauthorization/v1beta1/resources_pb.rb
|
@@ -209,7 +213,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
209
213
|
- !ruby/object:Gem::Version
|
210
214
|
version: '0'
|
211
215
|
requirements: []
|
212
|
-
rubygems_version: 3.
|
216
|
+
rubygems_version: 3.3.4
|
213
217
|
signing_key:
|
214
218
|
specification_version: 4
|
215
219
|
summary: API Client library for the Binary Authorization V1beta1 API
|