API Reference google_api_binary_authorization v0.18.0
Modules
API client metadata for GoogleApi.BinaryAuthorization.V1.
API calls for all endpoints tagged Projects.
API calls for all endpoints tagged Systempolicy.
Handle Tesla connections for GoogleApi.BinaryAuthorization.V1.
An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
An admission allowlist pattern exempts images from checks by admission rules.
Result of evaluating an image name allowlist.
An attestation authenticator that will be used to verify attestations. Typically this is just a set of public keys. Conceptually, an authenticator can be treated as always returning either "authenticated" or "not authenticated" when presented with a signed attestation (almost always assumed to be a DSSE attestation). The details of how an authenticator makes this decision are specific to the type of 'authenticator' that this message wraps.
Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for lookup (how to find this attestation if you already know the authority and artifact to be verified) and intent (which authority this attestation was intended to sign for).
Specifies the locations for fetching the provenance attestations.
An attestor that attests to container image artifacts. An existing attestor cannot be modified except where indicated.
An attestor public key that will be used to verify attestations signed by this attestor.
Associates members, or principals, with a role.
A single check to perform against a Pod. Checks are grouped into CheckSet objects, which are defined by the top-level policy.
Result of evaluating one check.
Result of evaluating one or more checks.
A conjunction of policy checks, scoped to a particular namespace or Kubernetes service account. In order for evaluation of a CheckSet to return "allowed" for a given image in a given Pod, one of the following conditions must be satisfied: the image is explicitly exempted by an entry in image_allowlist, OR ALL of the checks evaluate to "allowed".
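The evaluation rule above, together with the admission-rule and allowlist semantics described earlier on this page, as an added example in Go. This is illustrative code written for this page; it is not code from this Elixir client library or from Binary Authorization itself. It models a CheckSet (scope, image_allowlist, checks) and an attestor-based admission rule over in-memory data. The simplified allowlist pattern grammar, the "first matching scope wins" selection, the fail-closed default when no check set is in scope, and every image name, digest and attestor name are assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Check is one policy check; Allow returns true when the image passes it.
type Check struct {
	Name  string
	Allow func(image string) bool
}

// CheckSet is a conjunction of checks scoped to a namespace (and optionally a
// service account); an empty Namespace marks the default check set.
type CheckSet struct {
	Namespace, ServiceAccount string
	ImageAllowlist            []string
	Checks                    []Check
}

// matchAllowlist uses a simplified pattern grammar, an assumption of this example
// rather than the API's exact rules: exact name, "dir/*" (one more path component) or "dir/**" (any depth).
func matchAllowlist(pattern, image string) bool {
	if strings.HasSuffix(pattern, "/**") {
		return strings.HasPrefix(image, pattern[:len(pattern)-2])
	}
	if strings.HasSuffix(pattern, "/*") {
		prefix := pattern[:len(pattern)-1]
		return strings.HasPrefix(image, prefix) && !strings.Contains(image[len(prefix):], "/")
	}
	return pattern == image
}

// EvaluateImage applies the CheckSet rule: allowlisted OR every check allows.
// The second value names the matching allowlist pattern or the first denying check.
func (cs CheckSet) EvaluateImage(image string) (bool, string) {
	for _, pat := range cs.ImageAllowlist {
		if matchAllowlist(pat, image) {
			return true, "image_allowlist " + pat
		}
	}
	for _, c := range cs.Checks {
		if !c.Allow(image) {
			return false, "check " + c.Name
		}
	}
	return true, "all checks allowed"
}

// EvaluatePod uses the first CheckSet whose scope matches (this example assumes check
// sets are listed most-specific first) and allows the Pod only if every image is allowed.
// With no check set in scope it fails closed.
func EvaluatePod(policy []CheckSet, ns, sa string, images []string) bool {
	for _, cs := range policy {
		if cs.Namespace != "" && (cs.Namespace != ns || (cs.ServiceAccount != "" && cs.ServiceAccount != sa)) {
			continue
		}
		for _, img := range images {
			if ok, _ := cs.EvaluateImage(img); !ok {
				return false
			}
		}
		return true
	}
	return false
}

// AttestorCheck models an admission rule that requires an attestation from every
// listed attestor. attested is keyed "image attestor" and stands in for the
// verified attestation occurrences a real verifier would fetch.
func AttestorCheck(required []string, attested map[string]bool) Check {
	return Check{"require_attestations", func(image string) bool {
		for _, a := range required {
			if !attested[image+" "+a] {
				return false
			}
		}
		return true
	}}
}

// SamplePolicy is constructed data: kube-system is exempt; elsewhere an image
// needs both attestations unless it matches the base-image allowlist.
func SamplePolicy() []CheckSet {
	api := "us-docker.pkg.dev/example-prod/apps/api@sha256:1111"
	web := "us-docker.pkg.dev/example-prod/apps/web@sha256:2222"
	attested := map[string]bool{api + " build-attestor": true, api + " qa-attestor": true, web + " build-attestor": true}
	return []CheckSet{
		{Namespace: "kube-system"},
		{ImageAllowlist: []string{"example-registry.dev/base-images/**"},
			Checks: []Check{AttestorCheck([]string{"build-attestor", "qa-attestor"}, attested)}},
	}
}

func main() {
	policy := SamplePolicy()
	for _, img := range []string{"us-docker.pkg.dev/example-prod/apps/web@sha256:2222", "example-registry.dev/base-images/debian:12"} {
		ok, why := policy[1].EvaluateImage(img)
		fmt.Printf("%s allowed=%v (%s)\n", img, ok, why)
	}
	fmt.Println("kube-system pod allowed:", EvaluatePod(policy, "kube-system", "default", []string{"docker.io/library/nginx:latest"}))
}
```

Two points worth noticing when reading the output: an allowlist match short-circuits before any check runs, so an over-broad pattern silently disables every check for the images it covers, and a single denying check denies the image (and therefore the Pod) regardless of how many other checks passed.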
Result of evaluating one check set.
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
Request message for PlatformPolicyEvaluationService.EvaluateGkePolicy.
Response message for PlatformPolicyEvaluationService.EvaluateGkePolicy.
Result of evaluating one check.
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec.
Example (Comparison):
  title: "Summary size limit"
  description: "Determines if a summary is less than 100 chars"
  expression: "document.summary.size() < 100"
Example (Equality):
  title: "Requestor is owner"
  description: "Determines if requestor is the document owner"
  expression: "document.owner == request.auth.claims.email"
Example (Logic):
  title: "Public documents"
  description: "Determine whether the document should be publicly visible"
  expression: "document.type != 'private' && document.type != 'internal'"
Example (Data Manipulation):
  title: "Notification string"
  description: "Create a notification string with a timestamp."
  expression: "'New message received at ' + string(document.create_time)"
The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
A Binary Authorization policy for a GKE cluster. This is one type of policy that can occur as a PlatformPolicy.
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A Policy is a collection of bindings. A binding binds one or more members, or principals, to a single role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role. For some types of Google Cloud resources, a binding can also specify a condition, which is a logical expression that allows access to a resource only if the expression evaluates to true. A condition can add constraints based on attributes of the request, the resource, or both. To learn which resources support conditions in their IAM policies, see the IAM documentation.
JSON example:
  {
    "bindings": [
      {
        "role": "roles/resourcemanager.organizationAdmin",
        "members": [
          "user:mike@example.com",
          "group:admins@example.com",
          "domain:google.com",
          "serviceAccount:my-project-id@appspot.gserviceaccount.com"
        ]
      },
      {
        "role": "roles/resourcemanager.organizationViewer",
        "members": [
          "user:eve@example.com"
        ],
        "condition": {
          "title": "expirable access",
          "description": "Does not grant access after Sep 2020",
          "expression": "request.time < timestamp('2020-10-01T00:00:00.000Z')"
        }
      }
    ],
    "etag": "BwWWja0YfJA=",
    "version": 3
  }
YAML example:
  bindings:
  - members:
    - user:mike@example.com
    - group:admins@example.com
    - domain:google.com
    - serviceAccount:my-project-id@appspot.gserviceaccount.com
    role: roles/resourcemanager.organizationAdmin
  - members:
    - user:eve@example.com
    role: roles/resourcemanager.organizationViewer
    condition:
      title: expirable access
      description: Does not grant access after Sep 2020
      expression: request.time < timestamp('2020-10-01T00:00:00.000Z')
  etag: BwWWja0YfJA=
  version: 3
For a description of IAM and its features, see the IAM documentation.
Images that are exempted from normal checks based on name pattern only.
An image freshness check, which rejects images that were uploaded to the supported repositories more than the configured number of days ago.
Result of evaluating one image.
Attributes
- compactJwt (type: String.t, default: nil) - The compact serialization of a JWS, which is always three base64url-encoded strings joined by periods. For details, see: https://tools.ietf.org/html/rfc7515.html#section-3.1
Response message for BinauthzManagementServiceV1.ListAttestors.
Response message for PlatformPolicyManagementService.ListPlatformPolicies.
A public key in the PkixPublicKey format. Public keys of this type are typically textually encoded using the PEM format.
A bundle of PKIX public keys, used to authenticate attestation signatures. Generally, a signature is considered to be authenticated by a PkixPublicKeySet if any of the public keys verify it (i.e. it is an "OR" of the keys).
A Binary Authorization platform policy for deployments on various platforms.
Result of evaluating the whole GKE policy for one Pod.
A policy for container image binary authorization.
A scope specifier for CheckSet objects.
Request message for the SetIamPolicy method.
Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from public_key_id to public key material (and any required parameters, e.g. signing algorithm). In particular, verification implementations MUST NOT treat the signature public_key_id as anything more than a key lookup hint. The public_key_id DOES NOT validate or authenticate a public key; it only provides a mechanism for quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification implementations MUST reject signatures in any of the following circumstances:
- The public_key_id is not recognized by the verifier.
- The public key that public_key_id refers to does not verify the signature with respect to the payload.
The signature contents SHOULD NOT be "attached" (where the payload is included with the serialized signature bytes). Verifiers MUST ignore any "attached" payload and only verify signatures with respect to explicitly provided payload (e.g. a payload field on the proto message that holds this Signature, or the canonical serialization of the proto message that holds this signature).
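The verification rules above, together with the "OR of the keys" semantics of PkixPublicKeySet described earlier on this page, as an added example in Go. This is illustrative code written for this page, not code from this Elixir client library, from Kritis or from Binary Authorization. Ed25519 from the Go standard library stands in for whatever PKIX algorithm a real attestor key uses; the key ids, the simple-signing-shaped payloads and their digests are constructed, and the Attached field exists only to exercise the attached-payload rule.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Signature mirrors the API's Signature message: PublicKeyID is only a lookup
// hint and Signature is the detached signature bytes. Attached stands in for
// the "attached" payload some envelope formats carry; the verifier never reads it.
type Signature struct {
	PublicKeyID string
	Signature   []byte
	Attached    []byte
}

var (
	ErrUnknownKeyID = errors.New("public_key_id is not configured on this verifier")
	ErrBadSignature = errors.New("signature does not verify against the explicit payload")
)

// Verifier holds the trust anchors: keys configured through a trusted channel
// (the policy), indexed by the id that signatures use as a lookup hint.
type Verifier struct {
	keys map[string]ed25519.PublicKey
}

// Verify checks sig over the explicitly provided payload. The id selects a key
// that is ALREADY trusted; an unknown id is rejected outright, and sig.Attached
// is deliberately ignored.
func (v *Verifier) Verify(payload []byte, sig Signature) error {
	pub, ok := v.keys[sig.PublicKeyID]
	if !ok {
		return ErrUnknownKeyID
	}
	if !ed25519.Verify(pub, payload, sig.Signature) {
		return ErrBadSignature
	}
	return nil
}

// VerifyAny implements PkixPublicKeySet semantics: the signature is authenticated
// if any key in the set verifies it (an OR over the keys).
func VerifyAny(set []ed25519.PublicKey, payload, sig []byte) bool {
	for _, pub := range set {
		if ed25519.Verify(pub, payload, sig) {
			return true
		}
	}
	return false
}

// Outcome records which signatures the scenario accepted (true = accepted).
type Outcome struct {
	Genuine, UnknownKeyID, ForgedKeyID, AttachedPayload, KeySetAny, KeySetNone bool
}

// RunScenario generates keys and signs constructed payloads in memory; no real
// attestor, Grafeas note or registry is involved.
func RunScenario() (Outcome, error) {
	trustedPub, trustedPriv, err := ed25519.GenerateKey(rand.Reader) // the attestor's key
	if err != nil {
		return Outcome{}, err
	}
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key the verifier does not trust
	if err != nil {
		return Outcome{}, err
	}
	v := &Verifier{keys: map[string]ed25519.PublicKey{"attestor-key-1": trustedPub}}
	// Constructed payload in the simple signing shape; the digest is made up.
	payload := []byte(`{"critical":{"identity":{"docker-reference":"us-docker.pkg.dev/example-prod/apps/api"},"image":{"docker-manifest-digest":"sha256:1111"},"type":"atomic container signature"}}`)

	genuine := Signature{PublicKeyID: "attestor-key-1", Signature: ed25519.Sign(trustedPriv, payload)}
	// Same valid bytes, but an id the verifier was never configured with.
	unknown := Signature{PublicKeyID: "attestor-key-2", Signature: genuine.Signature}
	// Signed with an untrusted key while claiming the trusted key's id.
	forged := Signature{PublicKeyID: "attestor-key-1", Signature: ed25519.Sign(otherPriv, payload)}
	// A real attestor signature, but over a different payload that rides along "attached".
	other := []byte(`{"critical":{"image":{"docker-manifest-digest":"sha256:9999"}}}`)
	attached := Signature{PublicKeyID: "attestor-key-1", Signature: ed25519.Sign(trustedPriv, other), Attached: other}

	return Outcome{
		Genuine:         v.Verify(payload, genuine) == nil,
		UnknownKeyID:    v.Verify(payload, unknown) == nil,
		ForgedKeyID:     v.Verify(payload, forged) == nil,
		AttachedPayload: v.Verify(payload, attached) == nil,
		KeySetAny:       VerifyAny([]ed25519.PublicKey{otherPub, trustedPub}, payload, genuine.Signature),
		KeySetNone:      VerifyAny([]ed25519.PublicKey{otherPub}, payload, genuine.Signature),
	}, nil
}

func main() {
	out, err := RunScenario()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

Each negative case fails for exactly the reason the text gives: attestor-key-2 is rejected at the lookup before any cryptography runs, the forged signature fails because the id merely selected the already-trusted key rather than introducing one, and the attached case fails because only the explicit payload is ever verified. The key set check shows the OR: a rotated or retired key can stay in the set without weakening any single verification, since each key is still only ever matched against the explicit payload.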
A Sigstore authority, used to verify signatures that are created by Sigstore. An authority is analogous to an attestation authenticator, verifying that a signature is valid or invalid.
A Sigstore public key. SigstorePublicKey is the public key material used to authenticate Sigstore signatures.
A bundle of Sigstore public keys, used to verify Sigstore signatures. A signature is authenticated by a SigstorePublicKeySet if any of the keys verify it.
A Sigstore signature check, which verifies the Sigstore signature associated with an image.
Require a signed DSSE attestation with type SimpleSigning.
A SLSA provenance attestation check, which ensures that images are built by a trusted builder using source code from its trusted repositories only.
Request message for the TestIamPermissions method.
Response message for the TestIamPermissions method.
A trusted directory check, which rejects images that do not come from the set of user-configured trusted directories.
A user-owned Grafeas note references a Grafeas Attestation.Authority Note created by the user.
Request message for ValidationHelperV1.ValidateAttestationOccurrence.
Response message for ValidationHelperV1.ValidateAttestationOccurrence.
Specifies verification rules for evaluating the SLSA attestations, including which builders to trust, where to fetch the SLSA attestations generated by those builders, and other builder-specific evaluation rules such as which source repositories are trusted. An image is considered verified by the rule if any of the fetched SLSA attestations is verified.
An image vulnerability check, which rejects images that violate the configured vulnerability rules.