binaryauthorization

package
v0.0.0-...-51c3e5b Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 29, 2020 License: Apache-2.0 Imports: 12 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	Policy_GlobalPolicyEvaluationMode_name = map[int32]string{
		0: "GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED",
		1: "ENABLE",
		2: "DISABLE",
	}
	Policy_GlobalPolicyEvaluationMode_value = map[string]int32{
		"GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED": 0,
		"ENABLE":  1,
		"DISABLE": 2,
	}
)

Enum value maps for Policy_GlobalPolicyEvaluationMode.

View Source
var (
	AdmissionRule_EvaluationMode_name = map[int32]string{
		0: "EVALUATION_MODE_UNSPECIFIED",
		1: "ALWAYS_ALLOW",
		2: "REQUIRE_ATTESTATION",
		3: "ALWAYS_DENY",
	}
	AdmissionRule_EvaluationMode_value = map[string]int32{
		"EVALUATION_MODE_UNSPECIFIED": 0,
		"ALWAYS_ALLOW":                1,
		"REQUIRE_ATTESTATION":         2,
		"ALWAYS_DENY":                 3,
	}
)

Enum value maps for AdmissionRule_EvaluationMode.

View Source
var (
	AdmissionRule_EnforcementMode_name = map[int32]string{
		0: "ENFORCEMENT_MODE_UNSPECIFIED",
		1: "ENFORCED_BLOCK_AND_AUDIT_LOG",
		2: "DRYRUN_AUDIT_LOG_ONLY",
	}
	AdmissionRule_EnforcementMode_value = map[string]int32{
		"ENFORCEMENT_MODE_UNSPECIFIED": 0,
		"ENFORCED_BLOCK_AND_AUDIT_LOG": 1,
		"DRYRUN_AUDIT_LOG_ONLY":        2,
	}
)

Enum value maps for AdmissionRule_EnforcementMode.

View Source
var (
	PkixPublicKey_SignatureAlgorithm_name = map[int32]string{
		0:  "SIGNATURE_ALGORITHM_UNSPECIFIED",
		1:  "RSA_PSS_2048_SHA256",
		2:  "RSA_PSS_3072_SHA256",
		3:  "RSA_PSS_4096_SHA256",
		4:  "RSA_PSS_4096_SHA512",
		5:  "RSA_SIGN_PKCS1_2048_SHA256",
		6:  "RSA_SIGN_PKCS1_3072_SHA256",
		7:  "RSA_SIGN_PKCS1_4096_SHA256",
		8:  "RSA_SIGN_PKCS1_4096_SHA512",
		9:  "ECDSA_P256_SHA256",
		10: "ECDSA_P384_SHA384",
		11: "ECDSA_P521_SHA512",
	}
	PkixPublicKey_SignatureAlgorithm_value = map[string]int32{
		"SIGNATURE_ALGORITHM_UNSPECIFIED": 0,
		"RSA_PSS_2048_SHA256":             1,
		"RSA_PSS_3072_SHA256":             2,
		"RSA_PSS_4096_SHA256":             3,
		"RSA_PSS_4096_SHA512":             4,
		"RSA_SIGN_PKCS1_2048_SHA256":      5,
		"RSA_SIGN_PKCS1_3072_SHA256":      6,
		"RSA_SIGN_PKCS1_4096_SHA256":      7,
		"RSA_SIGN_PKCS1_4096_SHA512":      8,
		"ECDSA_P256_SHA256":               9,
		"ECDSA_P384_SHA384":               10,
		"ECDSA_P521_SHA512":               11,
	}
)

Enum value maps for PkixPublicKey_SignatureAlgorithm.

View Source
var File_google_cloud_binaryauthorization_v1beta1_resources_proto protoreflect.FileDescriptor
View Source
var File_google_cloud_binaryauthorization_v1beta1_service_proto protoreflect.FileDescriptor

Functions

func RegisterBinauthzManagementServiceV1Beta1Server

func RegisterBinauthzManagementServiceV1Beta1Server(s *grpc.Server, srv BinauthzManagementServiceV1Beta1Server)

Types

type AdmissionRule

type AdmissionRule struct {

	// Required. How this admission rule will be evaluated.
	EvaluationMode AdmissionRule_EvaluationMode `` /* 179-byte string literal not displayed */
	// Optional. The resource names of the attestors that must attest to
	// a container image, in the format `projects/*/attestors/*`. Each
	// attestor must exist before a policy can reference it.  To add an attestor
	// to a policy the principal issuing the policy change request must be able
	// to read the attestor resource.
	//
	// Note: this field must be non-empty when the evaluation_mode field specifies
	// REQUIRE_ATTESTATION, otherwise it must be empty.
	RequireAttestationsBy []string `` /* 126-byte string literal not displayed */
	// Required. The action when a pod creation is denied by the admission rule.
	EnforcementMode AdmissionRule_EnforcementMode `` /* 183-byte string literal not displayed */
	// contains filtered or unexported fields
}

An [admission rule][google.cloud.binaryauthorization.v1beta1.AdmissionRule] specifies either that all container images used in a pod creation request must be attested to by one or more [attestors][google.cloud.binaryauthorization.v1beta1.Attestor], that all pod creations will be allowed, or that all pod creations will be denied.

Images matching an [admission whitelist pattern][google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern] are exempted from admission rules and will never block a pod creation.

func (*AdmissionRule) Descriptor deprecated

func (*AdmissionRule) Descriptor() ([]byte, []int)

Deprecated: Use AdmissionRule.ProtoReflect.Descriptor instead.

func (*AdmissionRule) GetEnforcementMode

func (x *AdmissionRule) GetEnforcementMode() AdmissionRule_EnforcementMode

func (*AdmissionRule) GetEvaluationMode

func (x *AdmissionRule) GetEvaluationMode() AdmissionRule_EvaluationMode

func (*AdmissionRule) GetRequireAttestationsBy

func (x *AdmissionRule) GetRequireAttestationsBy() []string

func (*AdmissionRule) ProtoMessage

func (*AdmissionRule) ProtoMessage()

func (*AdmissionRule) ProtoReflect

func (x *AdmissionRule) ProtoReflect() protoreflect.Message

func (*AdmissionRule) Reset

func (x *AdmissionRule) Reset()

func (*AdmissionRule) String

func (x *AdmissionRule) String() string

type AdmissionRule_EnforcementMode

type AdmissionRule_EnforcementMode int32

Defines the possible actions when a pod creation is denied by an admission rule.

const (
	// Do not use.
	AdmissionRule_ENFORCEMENT_MODE_UNSPECIFIED AdmissionRule_EnforcementMode = 0
	// Enforce the admission rule by blocking the pod creation.
	AdmissionRule_ENFORCED_BLOCK_AND_AUDIT_LOG AdmissionRule_EnforcementMode = 1
	// Dryrun mode: Audit logging only.  This will allow the pod creation as if
	// the admission request had specified break-glass.
	AdmissionRule_DRYRUN_AUDIT_LOG_ONLY AdmissionRule_EnforcementMode = 2
)

func (AdmissionRule_EnforcementMode) Descriptor

func (AdmissionRule_EnforcementMode) Enum

func (AdmissionRule_EnforcementMode) EnumDescriptor deprecated

func (AdmissionRule_EnforcementMode) EnumDescriptor() ([]byte, []int)

Deprecated: Use AdmissionRule_EnforcementMode.Descriptor instead.

func (AdmissionRule_EnforcementMode) Number

func (AdmissionRule_EnforcementMode) String

func (AdmissionRule_EnforcementMode) Type

type AdmissionRule_EvaluationMode

type AdmissionRule_EvaluationMode int32
const (
	// Do not use.
	AdmissionRule_EVALUATION_MODE_UNSPECIFIED AdmissionRule_EvaluationMode = 0
	// This rule allows all all pod creations.
	AdmissionRule_ALWAYS_ALLOW AdmissionRule_EvaluationMode = 1
	// This rule allows a pod creation if all the attestors listed in
	// 'require_attestations_by' have valid attestations for all of the
	// images in the pod spec.
	AdmissionRule_REQUIRE_ATTESTATION AdmissionRule_EvaluationMode = 2
	// This rule denies all pod creations.
	AdmissionRule_ALWAYS_DENY AdmissionRule_EvaluationMode = 3
)

func (AdmissionRule_EvaluationMode) Descriptor

func (AdmissionRule_EvaluationMode) Enum

func (AdmissionRule_EvaluationMode) EnumDescriptor deprecated

func (AdmissionRule_EvaluationMode) EnumDescriptor() ([]byte, []int)

Deprecated: Use AdmissionRule_EvaluationMode.Descriptor instead.

func (AdmissionRule_EvaluationMode) Number

func (AdmissionRule_EvaluationMode) String

func (AdmissionRule_EvaluationMode) Type

type AdmissionWhitelistPattern

type AdmissionWhitelistPattern struct {

	// An image name pattern to whitelist, in the form `registry/path/to/image`.
	// This supports a trailing `*` as a wildcard, but this is allowed only in
	// text after the `registry/` part.
	NamePattern string `protobuf:"bytes,1,opt,name=name_pattern,json=namePattern,proto3" json:"name_pattern,omitempty"`
	// contains filtered or unexported fields
}

An [admission whitelist pattern][google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern] exempts images from checks by [admission rules][google.cloud.binaryauthorization.v1beta1.AdmissionRule].

func (*AdmissionWhitelistPattern) Descriptor deprecated

func (*AdmissionWhitelistPattern) Descriptor() ([]byte, []int)

Deprecated: Use AdmissionWhitelistPattern.ProtoReflect.Descriptor instead.

func (*AdmissionWhitelistPattern) GetNamePattern

func (x *AdmissionWhitelistPattern) GetNamePattern() string

func (*AdmissionWhitelistPattern) ProtoMessage

func (*AdmissionWhitelistPattern) ProtoMessage()

func (*AdmissionWhitelistPattern) ProtoReflect

func (*AdmissionWhitelistPattern) Reset

func (x *AdmissionWhitelistPattern) Reset()

func (*AdmissionWhitelistPattern) String

func (x *AdmissionWhitelistPattern) String() string

type Attestor

type Attestor struct {

	// Required. The resource name, in the format:
	// `projects/*/attestors/*`. This field may not be updated.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Optional. A descriptive comment.  This field may be updated.
	// The field may be displayed in chooser dialogs.
	Description string `protobuf:"bytes,6,opt,name=description,proto3" json:"description,omitempty"`
	// Required. Identifies an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] that attests to a
	// container image artifact. This determines how an attestation will
	// be stored, and how it will be used during policy
	// enforcement. Updates may not change the attestor type, but individual
	// attestor fields may be updated
	//
	// Types that are assignable to AttestorType:
	//	*Attestor_UserOwnedDrydockNote
	AttestorType isAttestor_AttestorType `protobuf_oneof:"attestor_type"`
	// Output only. Time when the attestor was last updated.
	UpdateTime *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
	// contains filtered or unexported fields
}

An [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] that attests to container image artifacts. An existing attestor cannot be modified except where indicated.

func (*Attestor) Descriptor deprecated

func (*Attestor) Descriptor() ([]byte, []int)

Deprecated: Use Attestor.ProtoReflect.Descriptor instead.

func (*Attestor) GetAttestorType

func (m *Attestor) GetAttestorType() isAttestor_AttestorType

func (*Attestor) GetDescription

func (x *Attestor) GetDescription() string

func (*Attestor) GetName

func (x *Attestor) GetName() string

func (*Attestor) GetUpdateTime

func (x *Attestor) GetUpdateTime() *timestamppb.Timestamp

func (*Attestor) GetUserOwnedDrydockNote

func (x *Attestor) GetUserOwnedDrydockNote() *UserOwnedDrydockNote

func (*Attestor) ProtoMessage

func (*Attestor) ProtoMessage()

func (*Attestor) ProtoReflect

func (x *Attestor) ProtoReflect() protoreflect.Message

func (*Attestor) Reset

func (x *Attestor) Reset()

func (*Attestor) String

func (x *Attestor) String() string

type AttestorPublicKey

type AttestorPublicKey struct {

	// Optional. A descriptive comment. This field may be updated.
	Comment string `protobuf:"bytes,1,opt,name=comment,proto3" json:"comment,omitempty"`
	// The ID of this public key.
	// Signatures verified by BinAuthz must include the ID of the public key that
	// can be used to verify them, and that ID must match the contents of this
	// field exactly.
	// Additional restrictions on this field can be imposed based on which public
	// key type is encapsulated. See the documentation on `public_key` cases below
	// for details.
	Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
	// Required. A public key reference or serialized instance. This field may be
	// updated.
	//
	// Types that are assignable to PublicKey:
	//	*AttestorPublicKey_AsciiArmoredPgpPublicKey
	//	*AttestorPublicKey_PkixPublicKey
	PublicKey isAttestorPublicKey_PublicKey `protobuf_oneof:"public_key"`
	// contains filtered or unexported fields
}

An [attestor public key][google.cloud.binaryauthorization.v1beta1.AttestorPublicKey] that will be used to verify attestations signed by this attestor.

func (*AttestorPublicKey) Descriptor deprecated

func (*AttestorPublicKey) Descriptor() ([]byte, []int)

Deprecated: Use AttestorPublicKey.ProtoReflect.Descriptor instead.

func (*AttestorPublicKey) GetAsciiArmoredPgpPublicKey

func (x *AttestorPublicKey) GetAsciiArmoredPgpPublicKey() string

func (*AttestorPublicKey) GetComment

func (x *AttestorPublicKey) GetComment() string

func (*AttestorPublicKey) GetId

func (x *AttestorPublicKey) GetId() string

func (*AttestorPublicKey) GetPkixPublicKey

func (x *AttestorPublicKey) GetPkixPublicKey() *PkixPublicKey

func (*AttestorPublicKey) GetPublicKey

func (m *AttestorPublicKey) GetPublicKey() isAttestorPublicKey_PublicKey

func (*AttestorPublicKey) ProtoMessage

func (*AttestorPublicKey) ProtoMessage()

func (*AttestorPublicKey) ProtoReflect

func (x *AttestorPublicKey) ProtoReflect() protoreflect.Message

func (*AttestorPublicKey) Reset

func (x *AttestorPublicKey) Reset()

func (*AttestorPublicKey) String

func (x *AttestorPublicKey) String() string

type AttestorPublicKey_AsciiArmoredPgpPublicKey

type AttestorPublicKey_AsciiArmoredPgpPublicKey struct {
	// ASCII-armored representation of a PGP public key, as the entire output by
	// the command `gpg --export --armor foo@example.com` (either LF or CRLF
	// line endings).
	// When using this field, `id` should be left blank.  The BinAuthz API
	// handlers will calculate the ID and fill it in automatically.  BinAuthz
	// computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
	// upper-case hex.  If `id` is provided by the caller, it will be
	// overwritten by the API-calculated ID.
	AsciiArmoredPgpPublicKey string `protobuf:"bytes,3,opt,name=ascii_armored_pgp_public_key,json=asciiArmoredPgpPublicKey,proto3,oneof"`
}

type AttestorPublicKey_PkixPublicKey

type AttestorPublicKey_PkixPublicKey struct {
	// A raw PKIX SubjectPublicKeyInfo format public key.
	//
	// NOTE: `id` may be explicitly provided by the caller when using this
	// type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
	// blank, a default one will be computed based on the digest of the DER
	// encoding of the public key.
	PkixPublicKey *PkixPublicKey `protobuf:"bytes,5,opt,name=pkix_public_key,json=pkixPublicKey,proto3,oneof"`
}

type Attestor_UserOwnedDrydockNote

type Attestor_UserOwnedDrydockNote struct {
	// A Drydock ATTESTATION_AUTHORITY Note, created by the user.
	UserOwnedDrydockNote *UserOwnedDrydockNote `protobuf:"bytes,3,opt,name=user_owned_drydock_note,json=userOwnedDrydockNote,proto3,oneof"`
}

type BinauthzManagementServiceV1Beta1Client

type BinauthzManagementServiceV1Beta1Client interface {
	// A [policy][google.cloud.binaryauthorization.v1beta1.Policy] specifies the [attestors][google.cloud.binaryauthorization.v1beta1.Attestor] that must attest to
	// a container image, before the project is allowed to deploy that
	// image. There is at most one policy per project. All image admission
	// requests are permitted if a project has no policy.
	//
	// Gets the [policy][google.cloud.binaryauthorization.v1beta1.Policy] for this project. Returns a default
	// [policy][google.cloud.binaryauthorization.v1beta1.Policy] if the project does not have one.
	GetPolicy(ctx context.Context, in *GetPolicyRequest, opts ...grpc.CallOption) (*Policy, error)
	// Creates or updates a project's [policy][google.cloud.binaryauthorization.v1beta1.Policy], and returns a copy of the
	// new [policy][google.cloud.binaryauthorization.v1beta1.Policy]. A policy is always updated as a whole, to avoid race
	// conditions with concurrent policy enforcement (or management!)
	// requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
	// if the request is malformed.
	UpdatePolicy(ctx context.Context, in *UpdatePolicyRequest, opts ...grpc.CallOption) (*Policy, error)
	// Creates an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor], and returns a copy of the new
	// [attestor][google.cloud.binaryauthorization.v1beta1.Attestor]. Returns NOT_FOUND if the project does not exist,
	// INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the
	// [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] already exists.
	CreateAttestor(ctx context.Context, in *CreateAttestorRequest, opts ...grpc.CallOption) (*Attestor, error)
	// Gets an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor].
	// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not exist.
	GetAttestor(ctx context.Context, in *GetAttestorRequest, opts ...grpc.CallOption) (*Attestor, error)
	// Updates an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor].
	// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not exist.
	UpdateAttestor(ctx context.Context, in *UpdateAttestorRequest, opts ...grpc.CallOption) (*Attestor, error)
	// Lists [attestors][google.cloud.binaryauthorization.v1beta1.Attestor].
	// Returns INVALID_ARGUMENT if the project does not exist.
	ListAttestors(ctx context.Context, in *ListAttestorsRequest, opts ...grpc.CallOption) (*ListAttestorsResponse, error)
	// Deletes an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor]. Returns NOT_FOUND if the
	// [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not exist.
	DeleteAttestor(ctx context.Context, in *DeleteAttestorRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
}

BinauthzManagementServiceV1Beta1Client is the client API for BinauthzManagementServiceV1Beta1 service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.

type BinauthzManagementServiceV1Beta1Server

type BinauthzManagementServiceV1Beta1Server interface {
	// A [policy][google.cloud.binaryauthorization.v1beta1.Policy] specifies the [attestors][google.cloud.binaryauthorization.v1beta1.Attestor] that must attest to
	// a container image, before the project is allowed to deploy that
	// image. There is at most one policy per project. All image admission
	// requests are permitted if a project has no policy.
	//
	// Gets the [policy][google.cloud.binaryauthorization.v1beta1.Policy] for this project. Returns a default
	// [policy][google.cloud.binaryauthorization.v1beta1.Policy] if the project does not have one.
	GetPolicy(context.Context, *GetPolicyRequest) (*Policy, error)
	// Creates or updates a project's [policy][google.cloud.binaryauthorization.v1beta1.Policy], and returns a copy of the
	// new [policy][google.cloud.binaryauthorization.v1beta1.Policy]. A policy is always updated as a whole, to avoid race
	// conditions with concurrent policy enforcement (or management!)
	// requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
	// if the request is malformed.
	UpdatePolicy(context.Context, *UpdatePolicyRequest) (*Policy, error)
	// Creates an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor], and returns a copy of the new
	// [attestor][google.cloud.binaryauthorization.v1beta1.Attestor]. Returns NOT_FOUND if the project does not exist,
	// INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the
	// [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] already exists.
	CreateAttestor(context.Context, *CreateAttestorRequest) (*Attestor, error)
	// Gets an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor].
	// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not exist.
	GetAttestor(context.Context, *GetAttestorRequest) (*Attestor, error)
	// Updates an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor].
	// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not exist.
	UpdateAttestor(context.Context, *UpdateAttestorRequest) (*Attestor, error)
	// Lists [attestors][google.cloud.binaryauthorization.v1beta1.Attestor].
	// Returns INVALID_ARGUMENT if the project does not exist.
	ListAttestors(context.Context, *ListAttestorsRequest) (*ListAttestorsResponse, error)
	// Deletes an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor]. Returns NOT_FOUND if the
	// [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] does not exist.
	DeleteAttestor(context.Context, *DeleteAttestorRequest) (*emptypb.Empty, error)
}

BinauthzManagementServiceV1Beta1Server is the server API for BinauthzManagementServiceV1Beta1 service.

type CreateAttestorRequest

type CreateAttestorRequest struct {

	// Required. The parent of this [attestor][google.cloud.binaryauthorization.v1beta1.Attestor].
	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
	// Required. The [attestors][google.cloud.binaryauthorization.v1beta1.Attestor] ID.
	AttestorId string `protobuf:"bytes,2,opt,name=attestor_id,json=attestorId,proto3" json:"attestor_id,omitempty"`
	// Required. The initial [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] value. The service will
	// overwrite the [attestor name][google.cloud.binaryauthorization.v1beta1.Attestor.name] field with the resource name,
	// in the format `projects/*/attestors/*`.
	Attestor *Attestor `protobuf:"bytes,3,opt,name=attestor,proto3" json:"attestor,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.CreateAttestor][].

func (*CreateAttestorRequest) Descriptor deprecated

func (*CreateAttestorRequest) Descriptor() ([]byte, []int)

Deprecated: Use CreateAttestorRequest.ProtoReflect.Descriptor instead.

func (*CreateAttestorRequest) GetAttestor

func (x *CreateAttestorRequest) GetAttestor() *Attestor

func (*CreateAttestorRequest) GetAttestorId

func (x *CreateAttestorRequest) GetAttestorId() string

func (*CreateAttestorRequest) GetParent

func (x *CreateAttestorRequest) GetParent() string

func (*CreateAttestorRequest) ProtoMessage

func (*CreateAttestorRequest) ProtoMessage()

func (*CreateAttestorRequest) ProtoReflect

func (x *CreateAttestorRequest) ProtoReflect() protoreflect.Message

func (*CreateAttestorRequest) Reset

func (x *CreateAttestorRequest) Reset()

func (*CreateAttestorRequest) String

func (x *CreateAttestorRequest) String() string

type DeleteAttestorRequest

type DeleteAttestorRequest struct {

	// Required. The name of the [attestors][google.cloud.binaryauthorization.v1beta1.Attestor] to delete, in the format
	// `projects/*/attestors/*`.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.DeleteAttestor][].

func (*DeleteAttestorRequest) Descriptor deprecated

func (*DeleteAttestorRequest) Descriptor() ([]byte, []int)

Deprecated: Use DeleteAttestorRequest.ProtoReflect.Descriptor instead.

func (*DeleteAttestorRequest) GetName

func (x *DeleteAttestorRequest) GetName() string

func (*DeleteAttestorRequest) ProtoMessage

func (*DeleteAttestorRequest) ProtoMessage()

func (*DeleteAttestorRequest) ProtoReflect

func (x *DeleteAttestorRequest) ProtoReflect() protoreflect.Message

func (*DeleteAttestorRequest) Reset

func (x *DeleteAttestorRequest) Reset()

func (*DeleteAttestorRequest) String

func (x *DeleteAttestorRequest) String() string

type GetAttestorRequest

type GetAttestorRequest struct {

	// Required. The name of the [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] to retrieve, in the format
	// `projects/*/attestors/*`.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.GetAttestor][].

func (*GetAttestorRequest) Descriptor deprecated

func (*GetAttestorRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetAttestorRequest.ProtoReflect.Descriptor instead.

func (*GetAttestorRequest) GetName

func (x *GetAttestorRequest) GetName() string

func (*GetAttestorRequest) ProtoMessage

func (*GetAttestorRequest) ProtoMessage()

func (*GetAttestorRequest) ProtoReflect

func (x *GetAttestorRequest) ProtoReflect() protoreflect.Message

func (*GetAttestorRequest) Reset

func (x *GetAttestorRequest) Reset()

func (*GetAttestorRequest) String

func (x *GetAttestorRequest) String() string

type GetPolicyRequest

type GetPolicyRequest struct {

	// Required. The resource name of the [policy][google.cloud.binaryauthorization.v1beta1.Policy] to retrieve,
	// in the format `projects/*/policy`.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.GetPolicy][].

func (*GetPolicyRequest) Descriptor deprecated

func (*GetPolicyRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetPolicyRequest.ProtoReflect.Descriptor instead.

func (*GetPolicyRequest) GetName

func (x *GetPolicyRequest) GetName() string

func (*GetPolicyRequest) ProtoMessage

func (*GetPolicyRequest) ProtoMessage()

func (*GetPolicyRequest) ProtoReflect

func (x *GetPolicyRequest) ProtoReflect() protoreflect.Message

func (*GetPolicyRequest) Reset

func (x *GetPolicyRequest) Reset()

func (*GetPolicyRequest) String

func (x *GetPolicyRequest) String() string

type ListAttestorsRequest

type ListAttestorsRequest struct {

	// Required. The resource name of the project associated with the
	// [attestors][google.cloud.binaryauthorization.v1beta1.Attestor], in the format `projects/*`.
	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
	// Requested page size. The server may return fewer results than requested. If
	// unspecified, the server will pick an appropriate default.
	PageSize int32 `protobuf:"varint,2,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"`
	// A token identifying a page of results the server should return. Typically,
	// this is the value of [ListAttestorsResponse.next_page_token][google.cloud.binaryauthorization.v1beta1.ListAttestorsResponse.next_page_token] returned
	// from the previous call to the `ListAttestors` method.
	PageToken string `protobuf:"bytes,3,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.ListAttestors][].

func (*ListAttestorsRequest) Descriptor deprecated

func (*ListAttestorsRequest) Descriptor() ([]byte, []int)

Deprecated: Use ListAttestorsRequest.ProtoReflect.Descriptor instead.

func (*ListAttestorsRequest) GetPageSize

func (x *ListAttestorsRequest) GetPageSize() int32

func (*ListAttestorsRequest) GetPageToken

func (x *ListAttestorsRequest) GetPageToken() string

func (*ListAttestorsRequest) GetParent

func (x *ListAttestorsRequest) GetParent() string

func (*ListAttestorsRequest) ProtoMessage

func (*ListAttestorsRequest) ProtoMessage()

func (*ListAttestorsRequest) ProtoReflect

func (x *ListAttestorsRequest) ProtoReflect() protoreflect.Message

func (*ListAttestorsRequest) Reset

func (x *ListAttestorsRequest) Reset()

func (*ListAttestorsRequest) String

func (x *ListAttestorsRequest) String() string

type ListAttestorsResponse

type ListAttestorsResponse struct {

	// The list of [attestors][google.cloud.binaryauthorization.v1beta1.Attestor].
	Attestors []*Attestor `protobuf:"bytes,1,rep,name=attestors,proto3" json:"attestors,omitempty"`
	// A token to retrieve the next page of results. Pass this value in the
	// [ListAttestorsRequest.page_token][google.cloud.binaryauthorization.v1beta1.ListAttestorsRequest.page_token] field in the subsequent call to the
	// `ListAttestors` method to retrieve the next page of results.
	NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"`
	// contains filtered or unexported fields
}

Response message for [BinauthzManagementService.ListAttestors][].

func (*ListAttestorsResponse) Descriptor deprecated

func (*ListAttestorsResponse) Descriptor() ([]byte, []int)

Deprecated: Use ListAttestorsResponse.ProtoReflect.Descriptor instead.

func (*ListAttestorsResponse) GetAttestors

func (x *ListAttestorsResponse) GetAttestors() []*Attestor

func (*ListAttestorsResponse) GetNextPageToken

func (x *ListAttestorsResponse) GetNextPageToken() string

func (*ListAttestorsResponse) ProtoMessage

func (*ListAttestorsResponse) ProtoMessage()

func (*ListAttestorsResponse) ProtoReflect

func (x *ListAttestorsResponse) ProtoReflect() protoreflect.Message

func (*ListAttestorsResponse) Reset

func (x *ListAttestorsResponse) Reset()

func (*ListAttestorsResponse) String

func (x *ListAttestorsResponse) String() string

type PkixPublicKey

type PkixPublicKey struct {

	// A PEM-encoded public key, as described in
	// https://tools.ietf.org/html/rfc7468#section-13
	PublicKeyPem string `protobuf:"bytes,1,opt,name=public_key_pem,json=publicKeyPem,proto3" json:"public_key_pem,omitempty"`
	// The signature algorithm used to verify a message against a signature using
	// this key.
	// These signature algorithm must match the structure and any object
	// identifiers encoded in `public_key_pem` (i.e. this algorithm must match
	// that of the public key).
	SignatureAlgorithm PkixPublicKey_SignatureAlgorithm `` /* 195-byte string literal not displayed */
	// contains filtered or unexported fields
}

A public key in the PkixPublicKey format (see https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details). Public keys of this type are typically textually encoded using the PEM format.

func (*PkixPublicKey) Descriptor deprecated

func (*PkixPublicKey) Descriptor() ([]byte, []int)

Deprecated: Use PkixPublicKey.ProtoReflect.Descriptor instead.

func (*PkixPublicKey) GetPublicKeyPem

func (x *PkixPublicKey) GetPublicKeyPem() string

func (*PkixPublicKey) GetSignatureAlgorithm

func (x *PkixPublicKey) GetSignatureAlgorithm() PkixPublicKey_SignatureAlgorithm

func (*PkixPublicKey) ProtoMessage

func (*PkixPublicKey) ProtoMessage()

func (*PkixPublicKey) ProtoReflect

func (x *PkixPublicKey) ProtoReflect() protoreflect.Message

func (*PkixPublicKey) Reset

func (x *PkixPublicKey) Reset()

func (*PkixPublicKey) String

func (x *PkixPublicKey) String() string

type PkixPublicKey_SignatureAlgorithm

type PkixPublicKey_SignatureAlgorithm int32

Represents a signature algorithm and other information necessary to verify signatures with a given public key. This is based primarily on the public key types supported by Tink's PemKeyType, which is in turn based on KMS's supported signing algorithms. See https://cloud.google.com/kms/docs/algorithms. In the future, BinAuthz might support additional public key types independently of Tink and/or KMS.

const (
	// Not specified.
	PkixPublicKey_SIGNATURE_ALGORITHM_UNSPECIFIED PkixPublicKey_SignatureAlgorithm = 0
	// RSASSA-PSS 2048 bit key with a SHA256 digest.
	PkixPublicKey_RSA_PSS_2048_SHA256 PkixPublicKey_SignatureAlgorithm = 1
	// RSASSA-PSS 3072 bit key with a SHA256 digest.
	PkixPublicKey_RSA_PSS_3072_SHA256 PkixPublicKey_SignatureAlgorithm = 2
	// RSASSA-PSS 4096 bit key with a SHA256 digest.
	PkixPublicKey_RSA_PSS_4096_SHA256 PkixPublicKey_SignatureAlgorithm = 3
	// RSASSA-PSS 4096 bit key with a SHA512 digest.
	PkixPublicKey_RSA_PSS_4096_SHA512 PkixPublicKey_SignatureAlgorithm = 4
	// RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
	PkixPublicKey_RSA_SIGN_PKCS1_2048_SHA256 PkixPublicKey_SignatureAlgorithm = 5
	// RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
	PkixPublicKey_RSA_SIGN_PKCS1_3072_SHA256 PkixPublicKey_SignatureAlgorithm = 6
	// RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
	PkixPublicKey_RSA_SIGN_PKCS1_4096_SHA256 PkixPublicKey_SignatureAlgorithm = 7
	// RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
	PkixPublicKey_RSA_SIGN_PKCS1_4096_SHA512 PkixPublicKey_SignatureAlgorithm = 8
	// ECDSA on the NIST P-256 curve with a SHA256 digest.
	PkixPublicKey_ECDSA_P256_SHA256 PkixPublicKey_SignatureAlgorithm = 9
	// ECDSA on the NIST P-384 curve with a SHA384 digest.
	PkixPublicKey_ECDSA_P384_SHA384 PkixPublicKey_SignatureAlgorithm = 10
	// ECDSA on the NIST P-521 curve with a SHA512 digest.
	PkixPublicKey_ECDSA_P521_SHA512 PkixPublicKey_SignatureAlgorithm = 11
)

func (PkixPublicKey_SignatureAlgorithm) Descriptor

func (PkixPublicKey_SignatureAlgorithm) Enum

func (PkixPublicKey_SignatureAlgorithm) EnumDescriptor deprecated

func (PkixPublicKey_SignatureAlgorithm) EnumDescriptor() ([]byte, []int)

Deprecated: Use PkixPublicKey_SignatureAlgorithm.Descriptor instead.

func (PkixPublicKey_SignatureAlgorithm) Number

func (PkixPublicKey_SignatureAlgorithm) String

func (PkixPublicKey_SignatureAlgorithm) Type

type Policy

type Policy struct {

	// Output only. The resource name, in the format `projects/*/policy`. There is
	// at most one policy per project.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Optional. A descriptive comment.
	Description string `protobuf:"bytes,6,opt,name=description,proto3" json:"description,omitempty"`
	// Optional. Controls the evaluation of a Google-maintained global admission
	// policy for common system-level images. Images not covered by the global
	// policy will be subject to the project admission policy. This setting
	// has no effect when specified inside a global admission policy.
	GlobalPolicyEvaluationMode Policy_GlobalPolicyEvaluationMode `` /* 224-byte string literal not displayed */
	// Optional. Admission policy whitelisting. A matching admission request will
	// always be permitted. This feature is typically used to exclude Google or
	// third-party infrastructure images from Binary Authorization policies.
	AdmissionWhitelistPatterns []*AdmissionWhitelistPattern `` /* 141-byte string literal not displayed */
	// Optional. Per-cluster admission rules. Cluster spec format:
	// `location.clusterId`. There can be at most one admission rule per cluster
	// spec.
	// A `location` is either a compute zone (e.g. us-central1-a) or a region
	// (e.g. us-central1).
	// For `clusterId` syntax restrictions see
	// https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
	ClusterAdmissionRules map[string]*AdmissionRule `` /* 214-byte string literal not displayed */
	// Required. Default admission rule for a cluster without a per-cluster, per-
	// kubernetes-service-account, or per-istio-service-identity admission rule.
	DefaultAdmissionRule *AdmissionRule `protobuf:"bytes,4,opt,name=default_admission_rule,json=defaultAdmissionRule,proto3" json:"default_admission_rule,omitempty"`
	// Output only. Time when the policy was last updated.
	UpdateTime *timestamppb.Timestamp `protobuf:"bytes,5,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
	// contains filtered or unexported fields
}

A [policy][google.cloud.binaryauthorization.v1beta1.Policy] for container image binary authorization.

func (*Policy) Descriptor deprecated

func (*Policy) Descriptor() ([]byte, []int)

Deprecated: Use Policy.ProtoReflect.Descriptor instead.

func (*Policy) GetAdmissionWhitelistPatterns

func (x *Policy) GetAdmissionWhitelistPatterns() []*AdmissionWhitelistPattern

func (*Policy) GetClusterAdmissionRules

func (x *Policy) GetClusterAdmissionRules() map[string]*AdmissionRule

func (*Policy) GetDefaultAdmissionRule

func (x *Policy) GetDefaultAdmissionRule() *AdmissionRule

func (*Policy) GetDescription

func (x *Policy) GetDescription() string

func (*Policy) GetGlobalPolicyEvaluationMode

func (x *Policy) GetGlobalPolicyEvaluationMode() Policy_GlobalPolicyEvaluationMode

func (*Policy) GetName

func (x *Policy) GetName() string

func (*Policy) GetUpdateTime

func (x *Policy) GetUpdateTime() *timestamppb.Timestamp

func (*Policy) ProtoMessage

func (*Policy) ProtoMessage()

func (*Policy) ProtoReflect

func (x *Policy) ProtoReflect() protoreflect.Message

func (*Policy) Reset

func (x *Policy) Reset()

func (*Policy) String

func (x *Policy) String() string

type Policy_GlobalPolicyEvaluationMode

type Policy_GlobalPolicyEvaluationMode int32
const (
	// Not specified: DISABLE is assumed.
	Policy_GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED Policy_GlobalPolicyEvaluationMode = 0
	// Enables global policy evaluation.
	Policy_ENABLE Policy_GlobalPolicyEvaluationMode = 1
	// Disables global policy evaluation.
	Policy_DISABLE Policy_GlobalPolicyEvaluationMode = 2
)

func (Policy_GlobalPolicyEvaluationMode) Descriptor

func (Policy_GlobalPolicyEvaluationMode) Enum

func (Policy_GlobalPolicyEvaluationMode) EnumDescriptor deprecated

func (Policy_GlobalPolicyEvaluationMode) EnumDescriptor() ([]byte, []int)

Deprecated: Use Policy_GlobalPolicyEvaluationMode.Descriptor instead.

func (Policy_GlobalPolicyEvaluationMode) Number

func (Policy_GlobalPolicyEvaluationMode) String

func (Policy_GlobalPolicyEvaluationMode) Type

type UnimplementedBinauthzManagementServiceV1Beta1Server

type UnimplementedBinauthzManagementServiceV1Beta1Server struct {
}

UnimplementedBinauthzManagementServiceV1Beta1Server can be embedded to have forward compatible implementations.

func (*UnimplementedBinauthzManagementServiceV1Beta1Server) CreateAttestor

func (*UnimplementedBinauthzManagementServiceV1Beta1Server) DeleteAttestor

func (*UnimplementedBinauthzManagementServiceV1Beta1Server) GetAttestor

func (*UnimplementedBinauthzManagementServiceV1Beta1Server) GetPolicy

func (*UnimplementedBinauthzManagementServiceV1Beta1Server) ListAttestors

func (*UnimplementedBinauthzManagementServiceV1Beta1Server) UpdateAttestor

func (*UnimplementedBinauthzManagementServiceV1Beta1Server) UpdatePolicy

type UpdateAttestorRequest

type UpdateAttestorRequest struct {

	// Required. The updated [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] value. The service will
	// overwrite the [attestor name][google.cloud.binaryauthorization.v1beta1.Attestor.name] field with the resource name
	// in the request URL, in the format `projects/*/attestors/*`.
	Attestor *Attestor `protobuf:"bytes,1,opt,name=attestor,proto3" json:"attestor,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.UpdateAttestor][].

func (*UpdateAttestorRequest) Descriptor deprecated

func (*UpdateAttestorRequest) Descriptor() ([]byte, []int)

Deprecated: Use UpdateAttestorRequest.ProtoReflect.Descriptor instead.

func (*UpdateAttestorRequest) GetAttestor

func (x *UpdateAttestorRequest) GetAttestor() *Attestor

func (*UpdateAttestorRequest) ProtoMessage

func (*UpdateAttestorRequest) ProtoMessage()

func (*UpdateAttestorRequest) ProtoReflect

func (x *UpdateAttestorRequest) ProtoReflect() protoreflect.Message

func (*UpdateAttestorRequest) Reset

func (x *UpdateAttestorRequest) Reset()

func (*UpdateAttestorRequest) String

func (x *UpdateAttestorRequest) String() string

type UpdatePolicyRequest

type UpdatePolicyRequest struct {

	// Required. A new or updated [policy][google.cloud.binaryauthorization.v1beta1.Policy] value. The service will
	// overwrite the [policy name][google.cloud.binaryauthorization.v1beta1.Policy.name] field with the resource name in
	// the request URL, in the format `projects/*/policy`.
	Policy *Policy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.UpdatePolicy][].

func (*UpdatePolicyRequest) Descriptor deprecated

func (*UpdatePolicyRequest) Descriptor() ([]byte, []int)

Deprecated: Use UpdatePolicyRequest.ProtoReflect.Descriptor instead.

func (*UpdatePolicyRequest) GetPolicy

func (x *UpdatePolicyRequest) GetPolicy() *Policy

func (*UpdatePolicyRequest) ProtoMessage

func (*UpdatePolicyRequest) ProtoMessage()

func (*UpdatePolicyRequest) ProtoReflect

func (x *UpdatePolicyRequest) ProtoReflect() protoreflect.Message

func (*UpdatePolicyRequest) Reset

func (x *UpdatePolicyRequest) Reset()

func (*UpdatePolicyRequest) String

func (x *UpdatePolicyRequest) String() string

type UserOwnedDrydockNote

type UserOwnedDrydockNote struct {

	// Required. The Drydock resource name of a ATTESTATION_AUTHORITY Note,
	// created by the user, in the format: `projects/*/notes/*` (or the legacy
	// `providers/*/notes/*`). This field may not be updated.
	//
	// An attestation by this attestor is stored as a Drydock
	// ATTESTATION_AUTHORITY Occurrence that names a container image and that
	// links to this Note. Drydock is an external dependency.
	NoteReference string `protobuf:"bytes,1,opt,name=note_reference,json=noteReference,proto3" json:"note_reference,omitempty"`
	// Optional. Public keys that verify attestations signed by this
	// attestor.  This field may be updated.
	//
	// If this field is non-empty, one of the specified public keys must
	// verify that an attestation was signed by this attestor for the
	// image specified in the admission request.
	//
	// If this field is empty, this attestor always returns that no
	// valid attestations exist.
	PublicKeys []*AttestorPublicKey `protobuf:"bytes,2,rep,name=public_keys,json=publicKeys,proto3" json:"public_keys,omitempty"`
	// Output only. This field will contain the service account email address
	// that this Attestor will use as the principal when querying Container
	// Analysis. Attestor administrators must grant this service account the
	// IAM role needed to read attestations from the [note_reference][Note] in
	// Container Analysis (`containeranalysis.notes.occurrences.viewer`).
	//
	// This email address is fixed for the lifetime of the Attestor, but callers
	// should not make any other assumptions about the service account email;
	// future versions may use an email based on a different naming pattern.
	DelegationServiceAccountEmail string `` /* 152-byte string literal not displayed */
	// contains filtered or unexported fields
}

An [user owned drydock note][google.cloud.binaryauthorization.v1beta1.UserOwnedDrydockNote] references a Drydock ATTESTATION_AUTHORITY Note created by the user.

func (*UserOwnedDrydockNote) Descriptor deprecated

func (*UserOwnedDrydockNote) Descriptor() ([]byte, []int)

Deprecated: Use UserOwnedDrydockNote.ProtoReflect.Descriptor instead.

func (*UserOwnedDrydockNote) GetDelegationServiceAccountEmail

func (x *UserOwnedDrydockNote) GetDelegationServiceAccountEmail() string

func (*UserOwnedDrydockNote) GetNoteReference

func (x *UserOwnedDrydockNote) GetNoteReference() string

func (*UserOwnedDrydockNote) GetPublicKeys

func (x *UserOwnedDrydockNote) GetPublicKeys() []*AttestorPublicKey

func (*UserOwnedDrydockNote) ProtoMessage

func (*UserOwnedDrydockNote) ProtoMessage()

func (*UserOwnedDrydockNote) ProtoReflect

func (x *UserOwnedDrydockNote) ProtoReflect() protoreflect.Message

func (*UserOwnedDrydockNote) Reset

func (x *UserOwnedDrydockNote) Reset()

func (*UserOwnedDrydockNote) String

func (x *UserOwnedDrydockNote) String() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL