Namespace Google.Apis.BinaryAuthorization.v1.Data
Classes
AdmissionRule
An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied. Images matching an admission allowlist pattern are exempted from admission rules and will never block a pod creation.
AdmissionWhitelistPattern
An admission allowlist pattern exempts images from checks by admission rules.
AllowlistResult
Result of evaluating an image name allowlist.
AttestationAuthenticator
An attestation authenticator that will be used to verify attestations. Typically this is just a set of public keys. Conceptually, an authenticator can be treated as always returning either "authenticated" or "not authenticated" when presented with a signed attestation (almost always assumed to be a DSSE attestation). The details of how an authenticator makes this decision are specific to the type of 'authenticator' that this message wraps.
AttestationOccurrence
Occurrence that represents a single "attestation". The authenticity of an attestation can be verified using the attached signature. If the verifier trusts the public key of the signer, then verifying the signature is sufficient to establish trust. In this circumstance, the authority to which this attestation is attached is primarily useful for lookup (how to find this attestation if you already know the authority and artifact to be verified) and intent (for which authority this attestation was intended to sign.
AttestationSource
Specifies the locations for fetching the provenance attestations.
Attestor
An attestor that attests to container image artifacts. An existing attestor cannot be modified except where indicated.
AttestorPublicKey
An attestor public key that will be used to verify attestations signed by this attestor.
Binding
Associates members, or principals, with a role.
Check
A single check to perform against a Pod. Checks are grouped into CheckSet objects, which are defined by the
top-level policy.
CheckResult
Result of evaluating one check.
CheckResults
Result of evaluating one or more checks.
CheckSet
A conjunction of policy checks, scoped to a particular namespace or Kubernetes service account. In order for
evaluation of a CheckSet to return "allowed" for a given image in a given Pod, one of the following conditions
must be satisfied: * The image is explicitly exempted by an entry in image_allowlist, OR * ALL of the checks
evaluate to "allowed".
CheckSetResult
Result of evaluating one check set.
Empty
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); }
EvaluateGkePolicyRequest
Request message for PlatformPolicyEvaluationService.EvaluateGkePolicy.
EvaluateGkePolicyResponse
Response message for PlatformPolicyEvaluationService.EvaluateGkePolicy.
EvaluationResult
Result of evaluating one check.
Expr
Represents a textual expression in the Common Expression Language (CEL) syntax. CEL is a C-like expression language. The syntax and semantics of CEL are documented at https://github.com/google/cel-spec. Example (Comparison): title: "Summary size limit" description: "Determines if a summary is less than 100 chars" expression: "document.summary.size() < 100" Example (Equality): title: "Requestor is owner" description: "Determines if requestor is the document owner" expression: "document.owner == request.auth.claims.email" Example (Logic): title: "Public documents" description: "Determine whether the document should be publicly visible" expression: "document.type != 'private' && document.type != 'internal'" Example (Data Manipulation): title: "Notification string" description: "Create a notification string with a timestamp." expression: "'New message received at ' + string(document.create_time)" The exact variables and functions that may be referenced within an expression are determined by the service that evaluates it. See the service documentation for additional information.
GkePolicy
A Binary Authorization policy for a GKE cluster. This is one type of policy that can occur as a
PlatformPolicy.
IamPolicy
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources. A
Policy is a collection of bindings. A binding binds one or more members, or principals, to a single
role. Principals can be user accounts, service accounts, Google groups, and domains (such as G Suite). A
role is a named list of permissions; each role can be an IAM predefined role or a user-created custom role.
For some types of Google Cloud resources, a binding can also specify a condition, which is a logical
expression that allows access to a resource only if the expression evaluates to true. A condition can add
constraints based on attributes of the request, the resource, or both. To learn which resources support
conditions in their IAM policies, see the IAM
documentation. JSON example:
{
"bindings": [ { "role": "roles/resourcemanager.organizationAdmin", "members": [ "user:mike@example.com",
"group:admins@example.com", "domain:google.com", "serviceAccount:my-project-id@appspot.gserviceaccount.com" ] },
{ "role": "roles/resourcemanager.organizationViewer", "members": [ "user:eve@example.com" ], "condition": {
"title": "expirable access", "description": "Does not grant access after Sep 2020", "expression": "request.time
< timestamp('2020-10-01T00:00:00.000Z')", } } ], "etag": "BwWWja0YfJA=", "version": 3 }
YAML example:
bindings: - members: - user:mike@example.com - group:admins@example.com - domain:google.com -
serviceAccount:my-project-id@appspot.gserviceaccount.com role: roles/resourcemanager.organizationAdmin -
members: - user:eve@example.com role: roles/resourcemanager.organizationViewer condition: title: expirable
access description: Does not grant access after Sep 2020 expression: request.time <
timestamp('2020-10-01T00:00:00.000Z') etag: BwWWja0YfJA= version: 3
For a description of IAM and its features, see the IAM documentation.
ImageAllowlist
Images that are exempted from normal checks based on name pattern only.
ImageFreshnessCheck
An image freshness check, which rejects images that were uploaded before the set number of days ago to the supported repositories.
ImageResult
Result of evaluating one image.
Jwt
ListAttestorsResponse
Response message for BinauthzManagementServiceV1.ListAttestors.
ListPlatformPoliciesResponse
Response message for PlatformPolicyManagementService.ListPlatformPolicies.
PkixPublicKey
A public key in the PkixPublicKey format. Public keys of this type are typically textually encoded using the PEM format.
PkixPublicKeySet
A bundle of PKIX public keys, used to authenticate attestation signatures. Generally, a signature is considered
to be authenticated by a PkixPublicKeySet if any of the public keys verify it (i.e. it is an "OR" of the
keys).
PlatformPolicy
A Binary Authorization platform policy for deployments on various platforms.
PodResult
Result of evaluating the whole GKE policy for one Pod.
Policy
A policy for container image binary authorization.
Scope
A scope specifier for CheckSet objects.
SetIamPolicyRequest
Request message for SetIamPolicy method.
Signature
Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in
policy (e.g. a Kritis policy). Typically this means that the verifier has been configured with a map from
public_key_id to public key material (and any required parameters, e.g. signing algorithm). In particular,
verification implementations MUST NOT treat the signature public_key_id as anything more than a key lookup
hint. The public_key_id DOES NOT validate or authenticate a public key; it only provides a mechanism for
quickly selecting a public key ALREADY CONFIGURED on the verifier through a trusted channel. Verification
implementations MUST reject signatures in any of the following circumstances: * The public_key_id is not
recognized by the verifier. * The public key that public_key_id refers to does not verify the signature with
respect to the payload. The signature contents SHOULD NOT be "attached" (where the payload is included with
the serialized signature bytes). Verifiers MUST ignore any "attached" payload and only verify signatures with
respect to explicitly provided payload (e.g. a payload field on the proto message that holds this Signature,
or the canonical serialization of the proto message that holds this signature).
SigstoreAuthority
A Sigstore authority, used to verify signatures that are created by Sigstore. An authority is analogous to an attestation authenticator, verifying that a signature is valid or invalid.
SigstorePublicKey
A Sigstore public key. SigstorePublicKey is the public key material used to authenticate Sigstore signatures.
SigstorePublicKeySet
A bundle of Sigstore public keys, used to verify Sigstore signatures. A signature is authenticated by a
SigstorePublicKeySet if any of the keys verify it.
SigstoreSignatureCheck
A Sigstore signature check, which verifies the Sigstore signature associated with an image.
SimpleSigningAttestationCheck
Require a signed DSSE attestation with type SimpleSigning.
SlsaCheck
A SLSA provenance attestation check, which ensures that images are built by a trusted builder using source code from its trusted repositories only.
TestIamPermissionsRequest
Request message for TestIamPermissions method.
TestIamPermissionsResponse
Response message for TestIamPermissions method.
TrustedDirectoryCheck
A trusted directory check, which rejects images that do not come from the set of user-configured trusted directories.
UserOwnedGrafeasNote
An user owned Grafeas note references a Grafeas Attestation.Authority Note created by the user.
ValidateAttestationOccurrenceRequest
Request message for ValidationHelperV1.ValidateAttestationOccurrence.
ValidateAttestationOccurrenceResponse
Response message for ValidationHelperV1.ValidateAttestationOccurrence.
VerificationRule
Specifies verification rules for evaluating the SLSA attestations including: which builders to trust, where to fetch the SLSA attestations generated by those builders, and other builder-specific evaluation rules such as which source repositories are trusted. An image is considered verified by the rule if any of the fetched SLSA attestations is verified.
VulnerabilityCheck
An image vulnerability check, which rejects images that violate the configured vulnerability rules.