This product is not supported for your selected
Datadog site. (
).
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
ancestors
Type: UNORDERED_LIST_STRING
description
Type: STRING
Provider name: description
Description: Optional. A description comment about the policy.
etag
Type: STRING
Provider name: etag
Description: Optional. Used to prevent updating the policy when another request has updated it since it was retrieved.
gke_policy
Type: STRUCT
Provider name: gkePolicy
Description: Optional. GKE platform-specific policy.
check_sets
Type: UNORDERED_LIST_STRUCT
Provider name: checkSets
Description: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is “always allow”). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
checks
Type: UNORDERED_LIST_STRUCT
Provider name: checks
Description: Optional. The checks to apply. The ultimate result of evaluating the check set will be “allow” if and only if every check in checks evaluates to “allow”. If checks is empty, the default behavior is “always allow”.
always_deny
Type: BOOLEAN
Provider name: alwaysDeny
Description: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn’t exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to “deny”.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
image_allowlist
Type: STRUCT
Provider name: imageAllowlist
Description: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
allow_pattern
Type: UNORDERED_LIST_STRING
Provider name: allowPattern
Description: Required. A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
image_freshness_check
Type: STRUCT
Provider name: imageFreshnessCheck
Description: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
max_upload_age_days
Type: INT32
Provider name: maxUploadAgeDays
Description: Required. The max number of days that is allowed since the image was uploaded. Must be greater than zero.
sigstore_signature_check
Type: STRUCT
Provider name: sigstoreSignatureCheck
Description: Optional. Require that an image was signed by Cosign with a trusted key. This check requires that both the image and signature are stored in Artifact Registry.
sigstore_authorities
Type: UNORDERED_LIST_STRUCT
Provider name: sigstoreAuthorities
Description: Required. The authorities required by this check to verify the signature. A signature only needs to be verified by one authority to pass the check.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Optional. A user-provided name for this SigstoreAuthority. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
public_key_set
Type: STRUCT
Provider name: publicKeySet
Description: Required. A simple set of public keys. A signature is considered valid if any keys in the set validate the signature.
public_keys
Type: UNORDERED_LIST_STRUCT
Provider name: publicKeys
Description: Required. public_keys must have at least one entry.
public_key_pem
Type: STRING
Provider name: publicKeyPem
Description: The public key material in PEM format.
simple_signing_attestation_check
Type: STRUCT
Provider name: simpleSigningAttestationCheck
Description: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
attestation_authenticators
Type: UNORDERED_LIST_STRUCT
Provider name: attestationAuthenticators
Description: Required. The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an “OR” of the authenticator results. At least one authenticator is required.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
pkix_public_key_set
Type: STRUCT
Provider name: pkixPublicKeySet
Description: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
pkix_public_keys
Type: UNORDERED_LIST_STRUCT
Provider name: pkixPublicKeys
Description: Required. pkix_public_keys must have at least one entry.
key_id
Type: STRING
Provider name: keyId
Description: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them. The ID must match exactly contents of the key_id field exactly. The ID may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either match that value exactly, or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
public_key_pem
Type: STRING
Provider name: publicKeyPem
Description: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signature_algorithm
Type: STRING
Provider name: signatureAlgorithm
Description: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
Possible values:
SIGNATURE_ALGORITHM_UNSPECIFIED - Not specified.
RSA_PSS_2048_SHA256 - RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_SIGN_PSS_2048_SHA256 - RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_PSS_3072_SHA256 - RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_SIGN_PSS_3072_SHA256 - RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_PSS_4096_SHA256 - RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_SIGN_PSS_4096_SHA256 - RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_PSS_4096_SHA512 - RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PSS_4096_SHA512 - RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PKCS1_2048_SHA256 - RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_3072_SHA256 - RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_4096_SHA256 - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RSA_SIGN_PKCS1_4096_SHA512 - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
ECDSA_P256_SHA256 - ECDSA on the NIST P-256 curve with a SHA256 digest.
EC_SIGN_P256_SHA256 - ECDSA on the NIST P-256 curve with a SHA256 digest.
ECDSA_P384_SHA384 - ECDSA on the NIST P-384 curve with a SHA384 digest.
EC_SIGN_P384_SHA384 - ECDSA on the NIST P-384 curve with a SHA384 digest.
ECDSA_P521_SHA512 - ECDSA on the NIST P-521 curve with a SHA512 digest.
EC_SIGN_P521_SHA512 - ECDSA on the NIST P-521 curve with a SHA512 digest.
container_analysis_attestation_projects
Type: UNORDERED_LIST_STRING
Provider name: containerAnalysisAttestationProjects
Description: Optional. The projects where attestations are stored as Container Analysis Occurrences, in the format projects/[PROJECT_ID]. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. A project ID must be used, not a project number. When fetching Occurrences from Container Analysis, only AttestationOccurrence kinds are considered. In the future, additional Occurrence kinds may be added to the query. Maximum number of container_analysis_attestation_projects allowed in each SimpleSigningAttestationCheck is 10.
slsa_check
Type: STRUCT
Provider name: slsaCheck
Description: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
rules
Type: UNORDERED_LIST_STRUCT
Provider name: rules
Description: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
attestation_source
Type: STRUCT
Provider name: attestationSource
Description: Specifies where to fetch the provenances attestations generated by the builder (group).
container_analysis_attestation_projects
Type: UNORDERED_LIST_STRING
Provider name: containerAnalysisAttestationProjects
Description: The IDs of the Google Cloud projects that store the SLSA attestations as Container Analysis Occurrences, in the format projects/[PROJECT_ID]. Maximum number of container_analysis_attestation_projects allowed in each AttestationSource is 10.
config_based_build_required
Type: BOOLEAN
Provider name: configBasedBuildRequired
Description: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
custom_constraints
Type: STRING
Provider name: customConstraints
Description: Optional. A CEL expression for specifying custom constraints on the provenance payload. This can be used when users want to specify expectations on provenance fields that are not covered by the general check. For example, users can use this field to require that certain parameters should never be used during the build process.
trusted_builder
Type: STRING
Provider name: trustedBuilder
Description: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don’t need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
Possible values:
BUILDER_UNSPECIFIED - Should never happen.
GOOGLE_CLOUD_BUILD - The whole Google Cloud Build (GCB) builder group, including all GCB builder types.
trusted_source_repo_patterns
Type: UNORDERED_LIST_STRING
Provider name: trustedSourceRepoPatterns
Description: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it’s not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
trusted_directory_check
Type: STRUCT
Provider name: trustedDirectoryCheck
Description: Optional. Require that an image lives in a trusted directory.
trusted_dir_patterns
Type: UNORDERED_LIST_STRING
Provider name: trustedDirPatterns
Description: Required. List of trusted directory patterns. A pattern is in the form “registry/path/to/directory”. The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match “/” as well. For example: – gcr.io/my-project/my-repo is valid to match a single directory – *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes – gcr.io/my-project/* will match all direct directories in my-project – gcr.io/my-project/** would match all directories in my-project – gcr.i* is not allowed since the registry is not completely specified – sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. – *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain – **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
vulnerability_check
Type: STRUCT
Provider name: vulnerabilityCheck
Description: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
allowed_cves
Type: UNORDERED_LIST_STRING
Provider name: allowedCves
Description: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
blocked_cves
Type: UNORDERED_LIST_STRING
Provider name: blockedCves
Description: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
container_analysis_vulnerability_projects
Type: UNORDERED_LIST_STRING
Provider name: containerAnalysisVulnerabilityProjects
Description: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check. Maximum number of container_analysis_vulnerability_projects allowed in each VulnerabilityCheck is 10.
maximum_fixable_severity
Type: STRING
Provider name: maximumFixableSeverity
Description: Required. The threshold for severity for which a fix is currently available. This field is required and must be set.
Possible values:
MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
BLOCK_ALL - Block any vulnerability.
MINIMAL - Allow only minimal severity.
LOW - Allow only low severity and lower.
MEDIUM - Allow medium severity and lower.
HIGH - Allow high severity and lower.
CRITICAL - Allow critical severity and lower.
ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
maximum_unfixable_severity
Type: STRING
Provider name: maximumUnfixableSeverity
Description: Required. The threshold for severity for which a fix isn’t currently available. This field is required and must be set.
Possible values:
MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
BLOCK_ALL - Block any vulnerability.
MINIMAL - Allow only minimal severity.
LOW - Allow only low severity and lower.
MEDIUM - Allow medium severity and lower.
HIGH - Allow high severity and lower.
CRITICAL - Allow critical severity and lower.
ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
gcp_display_name
Type: STRING
Provider name: displayName
Description: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
image_allowlist
Type: STRUCT
Provider name: imageAllowlist
Description: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
allow_pattern
Type: UNORDERED_LIST_STRING
Provider name: allowPattern
Description: Required. A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
scope
Type: STRUCT
Provider name: scope
Description: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
kubernetes_namespace
Type: STRING
Provider name: kubernetesNamespace
Description: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
kubernetes_service_account
Type: STRING
Provider name: kubernetesServiceAccount
Description: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
image_allowlist
Type: STRUCT
Provider name: imageAllowlist
Description: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
allow_pattern
Type: UNORDERED_LIST_STRING
Provider name: allowPattern
Description: Required. A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
labels
Type: UNORDERED_LIST_STRING
name
Type: STRING
Provider name: name
Description: Output only. The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
organization_id
Type: STRING
parent
Type: STRING
project_id
Type: STRING
project_number
Type: STRING
resource_name
Type: STRING
Type: UNORDERED_LIST_STRING
update_time
Type: TIMESTAMP
Provider name: updateTime
Description: Output only. Time when the policy was last updated.
