---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog
---

# gcp_binaryauthorization_platform_policy{% #gcp_binaryauthorization_platform_policy %}

## `ancestors`{% #ancestors %}

**Type**: `UNORDERED_LIST_STRING`

## `description`{% #description %}

**Type**: `STRING`
**Provider name**: `description`
**Description**: Optional. A description comment about the policy.

## `etag`{% #etag %}

**Type**: `STRING`
**Provider name**: `etag`
**Description**: Optional. Used to prevent updating the policy when another request has updated it since it was retrieved.

## `gke_policy`{% #gke_policy %}

**Type**: `STRUCT`
**Provider name**: `gkePolicy`
**Description**: Optional. GKE platform-specific policy.

- `check_sets`
  **Type**: `UNORDERED_LIST_STRUCT`
  **Provider name**: `checkSets`
  **Description**: Optional. The `CheckSet` objects to apply, scoped by namespace or namespace and service account. Exactly one `CheckSet` will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple `CheckSet` objects have scopes that match the namespace and service account of the Pod being evaluated, only the `CheckSet` with the MOST SPECIFIC scope will match. `CheckSet` objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a `CheckSet` with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one `CheckSet` matches a given Pod, the `CheckSet` that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If `check_sets` is empty, the default behavior is to allow all images. If `check_sets` is non-empty, the last `check_sets` entry must always be a `CheckSet` with no scope set, i.e. a catchall to handle any situation not caught by the preceding `CheckSet` objects.
  - `checks`
    **Type**: `UNORDERED_LIST_STRUCT`
    **Provider name**: `checks`
    **Description**: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in `checks` evaluates to "allow". If `checks` is empty, the default behavior is "always allow".
    - `always_deny`
      **Type**: `BOOLEAN`
      **Provider name**: `alwaysDeny`
      **Description**: Optional. A special-case check that always denies. Note that this still only applies when the scope of the `CheckSet` applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    - `gcp_display_name`
      **Type**: `STRING`
      **Provider name**: `displayName`
      **Description**: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    - `image_allowlist`
      **Type**: `STRUCT`
      **Provider name**: `imageAllowlist`
      **Description**: Optional. Images exempted from this check. If any of the patterns match the image URL, the check will not be evaluated.
      - `allow_pattern`
        **Type**: `UNORDERED_LIST_STRING`
        **Provider name**: `allowPattern`
        **Description**: Required. A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    - `image_freshness_check`
      **Type**: `STRUCT`
      **Provider name**: `imageFreshnessCheck`
      **Description**: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
      - `max_upload_age_days`
        **Type**: `INT32`
        **Provider name**: `maxUploadAgeDays`
        **Description**: Required. The maximum number of days allowed since the image was uploaded. Must be greater than zero.
    - `sigstore_signature_check`
      **Type**: `STRUCT`
      **Provider name**: `sigstoreSignatureCheck`
      **Description**: Optional. Require that an image was signed by Cosign with a trusted key. This check requires that both the image and signature are stored in Artifact Registry.
      - `sigstore_authorities`
        **Type**: `UNORDERED_LIST_STRUCT`
        **Provider name**: `sigstoreAuthorities`
        **Description**: Required. The authorities required by this check to verify the signature. A signature only needs to be verified by one authority to pass the check.
        - `gcp_display_name`
          **Type**: `STRING`
          **Provider name**: `displayName`
          **Description**: Optional. A user-provided name for this `SigstoreAuthority`. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
        - `public_key_set`
          **Type**: `STRUCT`
          **Provider name**: `publicKeySet`
          **Description**: Required. A simple set of public keys. A signature is considered valid if any key in the set validates the signature.
          - `public_keys`
            **Type**: `UNORDERED_LIST_STRUCT`
            **Provider name**: `publicKeys`
            **Description**: Required. `public_keys` must have at least one entry.
            - `public_key_pem`
              **Type**: `STRING`
              **Provider name**: `publicKeyPem`
              **Description**: The public key material in PEM format.
    - `simple_signing_attestation_check`
      **Type**: `STRUCT`
      **Provider name**: `simpleSigningAttestationCheck`
      **Description**: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
      - `attestation_authenticators`
        **Type**: `UNORDERED_LIST_STRUCT`
        **Provider name**: `attestationAuthenticators`
        **Description**: Required. The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for the attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
        - `gcp_display_name`
          **Type**: `STRING`
          **Provider name**: `displayName`
          **Description**: Optional. A user-provided name for this `AttestationAuthenticator`. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
        - `pkix_public_key_set`
          **Type**: `STRUCT`
          **Provider name**: `pkixPublicKeySet`
          **Description**: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
          - `pkix_public_keys`
            **Type**: `UNORDERED_LIST_STRUCT`
            **Provider name**: `pkixPublicKeys`
            **Description**: Required. `pkix_public_keys` must have at least one entry.
            - `key_id`
              **Type**: `STRING`
              **Provider name**: `keyId`
              **Description**: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them. The ID must exactly match the contents of the `key_id` field. The ID may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If `key_id` is left blank and this `PkixPublicKey` is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this `PkixPublicKey` is used in the context of a wrapper that has its own notion of key ID (e.g. `AttestorPublicKey`), then this field can either match that value exactly, or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
            - `public_key_pem`
              **Type**: `STRING`
              **Provider name**: `publicKeyPem`
              **Description**: A PEM-encoded public key, as described in [https://tools.ietf.org/html/rfc7468#section-13](https://tools.ietf.org/html/rfc7468#section-13)
            - `signature_algorithm`
              **Type**: `STRING`
              **Provider name**: `signatureAlgorithm`
              **Description**: The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in `public_key_pem` (i.e. this algorithm must match that of the public key).
              **Possible values**:
              - `SIGNATURE_ALGORITHM_UNSPECIFIED` - Not specified.
              - `RSA_PSS_2048_SHA256` - RSASSA-PSS 2048 bit key with a SHA256 digest.
              - `RSA_SIGN_PSS_2048_SHA256` - RSASSA-PSS 2048 bit key with a SHA256 digest.
              - `RSA_PSS_3072_SHA256` - RSASSA-PSS 3072 bit key with a SHA256 digest.
              - `RSA_SIGN_PSS_3072_SHA256` - RSASSA-PSS 3072 bit key with a SHA256 digest.
              - `RSA_PSS_4096_SHA256` - RSASSA-PSS 4096 bit key with a SHA256 digest.
              - `RSA_SIGN_PSS_4096_SHA256` - RSASSA-PSS 4096 bit key with a SHA256 digest.
              - `RSA_PSS_4096_SHA512` - RSASSA-PSS 4096 bit key with a SHA512 digest.
              - `RSA_SIGN_PSS_4096_SHA512` - RSASSA-PSS 4096 bit key with a SHA512 digest.
              - `RSA_SIGN_PKCS1_2048_SHA256` - RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
              - `RSA_SIGN_PKCS1_3072_SHA256` - RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
              - `RSA_SIGN_PKCS1_4096_SHA256` - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
              - `RSA_SIGN_PKCS1_4096_SHA512` - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
              - `ECDSA_P256_SHA256` - ECDSA on the NIST P-256 curve with a SHA256 digest.
              - `EC_SIGN_P256_SHA256` - ECDSA on the NIST P-256 curve with a SHA256 digest.
              - `ECDSA_P384_SHA384` - ECDSA on the NIST P-384 curve with a SHA384 digest.
              - `EC_SIGN_P384_SHA384` - ECDSA on the NIST P-384 curve with a SHA384 digest.
              - `ECDSA_P521_SHA512` - ECDSA on the NIST P-521 curve with a SHA512 digest.
              - `EC_SIGN_P521_SHA512` - ECDSA on the NIST P-521 curve with a SHA512 digest.
      - `container_analysis_attestation_projects`
        **Type**: `UNORDERED_LIST_STRING`
        **Provider name**: `containerAnalysisAttestationProjects`
        **Description**: Optional. The projects where attestations are stored as Container Analysis Occurrences, in the format `projects/[PROJECT_ID]`. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of `container_analysis_attestation_projects` is sufficient for the check to pass. A project ID must be used, not a project number. When fetching Occurrences from Container Analysis, only `AttestationOccurrence` kinds are considered. In the future, additional Occurrence kinds may be added to the query. Maximum number of `container_analysis_attestation_projects` allowed in each `SimpleSigningAttestationCheck` is 10.
    - `slsa_check`
      **Type**: `STRUCT`
      **Provider name**: `slsaCheck`
      **Description**: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply-chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
      - `rules`
        **Type**: `UNORDERED_LIST_STRUCT`
        **Provider name**: `rules`
        **Description**: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the `SlsaCheck` if any of the rules are satisfied.
        - `attestation_source`
          **Type**: `STRUCT`
          **Provider name**: `attestationSource`
          **Description**: Specifies where to fetch the provenance attestations generated by the builder (group).
          - `container_analysis_attestation_projects`
            **Type**: `UNORDERED_LIST_STRING`
            **Provider name**: `containerAnalysisAttestationProjects`
            **Description**: The IDs of the Google Cloud projects that store the SLSA attestations as Container Analysis Occurrences, in the format `projects/[PROJECT_ID]`. Maximum number of `container_analysis_attestation_projects` allowed in each `AttestationSource` is 10.
        - `config_based_build_required`
          **Type**: `BOOLEAN`
          **Provider name**: `configBasedBuildRequired`
          **Description**: If true, require the image to be built from a top-level configuration. `trusted_source_repo_patterns` specifies the repositories containing this configuration.
        - `custom_constraints`
          **Type**: `STRING`
          **Provider name**: `customConstraints`
          **Description**: Optional. A CEL expression for specifying custom constraints on the provenance payload. This can be used when users want to specify expectations on provenance fields that are not covered by the general check. For example, users can use this field to require that certain parameters should never be used during the build process.
        - `trusted_builder`
          **Type**: `STRING`
          **Provider name**: `trustedBuilder`
          **Description**: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
          **Possible values**:
          - `BUILDER_UNSPECIFIED` - Should never happen.
          - `GOOGLE_CLOUD_BUILD` - The whole Google Cloud Build (GCB) builder group, including all GCB builder types.
        - `trusted_source_repo_patterns`
          **Type**: `UNORDERED_LIST_STRING`
          **Provider name**: `trustedSourceRepoPatterns`
          **Description**: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. `https://`). The patterns must not include schemes. For example, the pattern `source.cloud.google.com/my-project/my-repo-name` matches the following URLs:
          - `source.cloud.google.com/my-project/my-repo-name`
          - `git+ssh://source.cloud.google.com/my-project/my-repo-name`
          - `https://source.cloud.google.com/my-project/my-repo-name`

          A pattern matches a URL either exactly or with `*` wildcards. `*` can be used in only two ways:
          1. trailing `*` after hosturi/ to match varying endings;
          2. trailing `**` after hosturi/ to match `/` as well.

          `*` and `**` can only be used as wildcards and can only occur at the end of the pattern after a `/`. (So it's not possible to match a URL that contains a literal `*`.) For example:
          - `github.com/my-project/my-repo` is valid to match a single repo
          - `github.com/my-project/*` will match all direct repos in `my-project`
          - `github.com/**` matches all repos in GitHub
    - `trusted_directory_check`
      **Type**: `STRUCT`
      **Provider name**: `trustedDirectoryCheck`
      **Description**: Optional. Require that an image lives in a trusted directory.
      - `trusted_dir_patterns`
        **Type**: `UNORDERED_LIST_STRING`
        **Provider name**: `trustedDirPatterns`
        **Description**: Required. List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., `us.pkg.dev`, or `gcr.io`. Additionally, `*` can be used in three ways as wildcards:
        1. leading `*` to match varying prefixes in the registry subdomain (useful for location prefixes);
        2. trailing `*` after registry/ to match varying endings;
        3. trailing `**` after registry/ to match "/" as well.

        For example:
        - `gcr.io/my-project/my-repo` is valid to match a single directory
        - `*-docker.pkg.dev/my-project/my-repo` or `*.gcr.io/my-project` are valid to match varying prefixes
        - `gcr.io/my-project/*` will match all direct directories in `my-project`
        - `gcr.io/my-project/**` would match all directories in `my-project`
        - `gcr.i*` is not allowed since the registry is not completely specified
        - `sub*domain.gcr.io/nginx` is not valid because only a leading `*` or a trailing `*` is allowed
        - `*pkg.dev/my-project/my-repo` is not valid because a leading `*` can only match a subdomain
        - `**-docker.pkg.dev` is not valid because only one leading `*` is allowed, and it cannot match `/`
    - `vulnerability_check`
      **Type**: `STRUCT`
      **Provider name**: `vulnerabilityCheck`
      **Description**: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as rules based on severity levels.
      - `allowed_cves`
        **Type**: `UNORDERED_LIST_STRING`
        **Provider name**: `allowedCves`
        **Description**: Optional. A list of specific CVEs to ignore even if the vulnerability level violates `maximumUnfixableSeverity` or `maximumFixableSeverity`. CVEs are listed in the format of the Container Analysis note ID. For example:
        - `CVE-2021-20305`
        - `CVE-2020-10543`

        The CVEs are applicable regardless of note provider project, e.g., an entry of `CVE-2021-20305` will allow vulnerabilities with a note name of either `projects/goog-vulnz/notes/CVE-2021-20305` or `projects/CUSTOM-PROJECT/notes/CVE-2021-20305`.
      - `blocked_cves`
        **Type**: `UNORDERED_LIST_STRING`
        **Provider name**: `blockedCves`
        **Description**: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets `maximumUnfixableSeverity` or `maximumFixableSeverity`. CVEs are listed in the format of the Container Analysis note ID. For example:
        - `CVE-2021-20305`
        - `CVE-2020-10543`

        The CVEs are applicable regardless of note provider project, e.g., an entry of `CVE-2021-20305` will block vulnerabilities with a note name of either `projects/goog-vulnz/notes/CVE-2021-20305` or `projects/CUSTOM-PROJECT/notes/CVE-2021-20305`.
      - `container_analysis_vulnerability_projects`
        **Type**: `UNORDERED_LIST_STRING`
        **Provider name**: `containerAnalysisVulnerabilityProjects`
        **Description**: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of `projects/[PROJECT_ID]`, e.g., `projects/my-gcp-project`. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in any of the projects configured here, an error will be returned for the check. Maximum number of `container_analysis_vulnerability_projects` allowed in each `VulnerabilityCheck` is 10.
      - `maximum_fixable_severity`
        **Type**: `STRING`
        **Provider name**: `maximumFixableSeverity`
        **Description**: Required. The severity threshold for vulnerabilities for which a fix is currently available. This field is required and must be set.
        **Possible values**:
        - `MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED` - Not specified.
        - `BLOCK_ALL` - Block any vulnerability.
        - `MINIMAL` - Allow only minimal severity.
        - `LOW` - Allow only low severity and lower.
        - `MEDIUM` - Allow medium severity and lower.
        - `HIGH` - Allow high severity and lower.
        - `CRITICAL` - Allow critical severity and lower.
        - `ALLOW_ALL` - Allow all severities, even vulnerabilities with unspecified severity.
      - `maximum_unfixable_severity`
        **Type**: `STRING`
        **Provider name**: `maximumUnfixableSeverity`
        **Description**: Required. The severity threshold for vulnerabilities for which a fix isn't currently available. This field is required and must be set.
        **Possible values**:
        - `MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED` - Not specified.
        - `BLOCK_ALL` - Block any vulnerability.
        - `MINIMAL` - Allow only minimal severity.
        - `LOW` - Allow only low severity and lower.
        - `MEDIUM` - Allow medium severity and lower.
        - `HIGH` - Allow high severity and lower.
        - `CRITICAL` - Allow critical severity and lower.
        - `ALLOW_ALL` - Allow all severities, even vulnerabilities with unspecified severity.
  - `gcp_display_name`
    **Type**: `STRING`
    **Provider name**: `displayName`
    **Description**: Optional. A user-provided name for this `CheckSet`. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
  - `image_allowlist`
    **Type**: `STRUCT`
    **Provider name**: `imageAllowlist`
    **Description**: Optional. Images exempted from this `CheckSet`. If any of the patterns match the image being evaluated, no checks in the `CheckSet` will be evaluated.
    - `allow_pattern`
      **Type**: `UNORDERED_LIST_STRING`
      **Provider name**: `allowPattern`
      **Description**: Required. A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
  - `scope`
    **Type**: `STRUCT`
    **Provider name**: `scope`
    **Description**: Optional. The scope to which this `CheckSet` applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the `Scope` message documentation for details on scoping rules.
    - `kubernetes_namespace`
      **Type**: `STRING`
      **Provider name**: `kubernetesNamespace`
      **Description**: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific `kubernetes_service_account` scope already matched.
    - `kubernetes_service_account`
      **Type**: `STRING`
      **Provider name**: `kubernetesServiceAccount`
      **Description**: Optional. Matches a single Kubernetes service account, e.g. `my-namespace:my-service-account`. A `kubernetes_service_account` scope is always more specific than a `kubernetes_namespace` scope for the same namespace.
- `image_allowlist`
  **Type**: `STRUCT`
  **Provider name**: `imageAllowlist`
  **Description**: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
  - `allow_pattern`
    **Type**: `UNORDERED_LIST_STRING`
    **Provider name**: `allowPattern`
    **Description**: Required. A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
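
How `check_sets` scoping, ordering and the "exactly one `CheckSet` per Pod" rule play out, as an added example that is not part of this page or of Google's Binary Authorization code: `validate_check_sets` reports the ordering violations that server-side validation would reject, `select_check_set` returns the single `CheckSet` evaluated for a Pod, and `evaluate_check_set` models only the empty-`checks` and `always_deny` cases. The dict keys mirror the field names on this page; the `CHECK_SETS` policy is a constructed sample.

```python
from typing import Optional


def scope_specificity(scope: Optional[dict]) -> int:
    """2 = kubernetes_service_account scope, 1 = kubernetes_namespace scope, 0 = catchall."""
    if scope and scope.get("kubernetes_service_account"):
        return 2
    if scope and scope.get("kubernetes_namespace"):
        return 1
    return 0


def scope_matches(scope: Optional[dict], namespace: str, service_account: str) -> bool:
    """A service-account scope uses the `namespace:service-account` form, a namespace scope
    matches every service account in that namespace, and a catchall matches everything."""
    level = scope_specificity(scope)
    if level == 2:
        return scope["kubernetes_service_account"] == f"{namespace}:{service_account}"
    if level == 1:
        return scope["kubernetes_namespace"] == namespace
    return True


def validate_check_sets(check_sets: list) -> list:
    """Ordering problems server-side validation would reject (empty list means valid): specificity
    must never increase down the list, and a non-empty list must end with a catchall CheckSet."""
    levels = [scope_specificity(cs.get("scope")) for cs in check_sets]
    problems = [f"check_sets[{i}] is more specific than check_sets[{i - 1}]"
                for i in range(1, len(levels)) if levels[i] > levels[i - 1]]
    if levels and levels[-1] != 0:
        problems.append("last check_sets entry must be a CheckSet with no scope (catchall)")
    return problems


def select_check_set(check_sets: list, namespace: str, service_account: str) -> Optional[dict]:
    """Exactly one CheckSet is evaluated per Pod: because the list is ordered by decreasing
    specificity, the first scope that matches is also the most specific one."""
    problems = validate_check_sets(check_sets)
    if problems:
        raise ValueError("; ".join(problems))
    for cs in check_sets:
        if scope_matches(cs.get("scope"), namespace, service_account):
            return cs
    return None  # only reachable when check_sets is empty: the policy is "always allow"


def evaluate_check_set(check_set: Optional[dict]) -> str:
    """'allow' with no CheckSet or no checks, 'deny' for always_deny. Other check kinds need
    external data (signatures, attestations, scans) and are deliberately not modelled here."""
    if check_set is None or not check_set.get("checks"):
        return "allow"
    if any(c.get("always_deny") for c in check_set["checks"]):
        return "deny"
    raise NotImplementedError("only always_deny is modelled in this example")


# Constructed sample policy, listed in decreasing specificity as the page requires:
# a trusted CI service account is allowed, everything else in the cluster is denied.
CHECK_SETS = [
    {"gcp_display_name": "ci-runner", "checks": [],
     "scope": {"kubernetes_service_account": "build:ci-runner"}},
    {"gcp_display_name": "build-namespace", "checks": [{"always_deny": True}],
     "scope": {"kubernetes_namespace": "build"}},
    {"gcp_display_name": "default-deny", "checks": [{"always_deny": True}], "scope": {}},
]

if __name__ == "__main__":
    for ns, sa in (("build", "ci-runner"), ("build", "other"), ("prod", "web")):
        chosen = select_check_set(CHECK_SETS, ns, sa)
        print(f"{ns}:{sa} -> {chosen['gcp_display_name']} -> {evaluate_check_set(chosen)}")
```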
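
An added example (not from this page or from Google's Binary Authorization implementation) that applies the `trusted_dir_patterns` rules from the `trusted_directory_check` section above: `validate_trusted_dir_pattern` encodes the wildcard restrictions, `trusted_dir_matches` decides whether an image's directory is covered, and `evaluate_trusted_directory_check` combines them. Two details are this example's interpretation rather than something the page states: a leading `*` must be followed by at least two complete registry labels (so it only ever stands in for a subdomain), and `**` matches one or more further path segments.

```python
import re

_LABEL = re.compile(r"^[A-Za-z0-9-]+$")  # one dot-separated word of the registry domain


def validate_trusted_dir_pattern(pattern: str) -> bool:
    """Apply the trusted_dir_patterns wildcard rules (this example's interpretation)."""
    registry, _, path = pattern.partition("/")
    leading_star = registry.startswith("*")
    body = registry[1:] if leading_star else registry
    if "*" in body:  # rejects gcr.i*, sub*domain.gcr.io and **-docker.pkg.dev
        return False
    labels = body.split(".")
    if leading_star:
        # The '*' may only stand in for (part of) a subdomain, so at least two complete
        # labels must follow it: *-docker.pkg.dev and *.gcr.io pass, *pkg.dev does not.
        if len(labels) < 3 or not all(_LABEL.match(lab) for lab in labels[1:]):
            return False
        if labels[0] and not _LABEL.match(labels[0]):
            return False
    elif len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        return False
    # Path: non-empty segments, and '*' / '**' only as the whole final segment after a '/'.
    segments = path.split("/")
    if not path or "" in segments or any("*" in s for s in segments[:-1]):
        return False
    return segments[-1] in ("*", "**") or "*" not in segments[-1]


def image_directory(image_ref: str) -> str:
    """registry/path/to/directory of an image reference, dropping digest, tag and image name."""
    name = image_ref.split("@", 1)[0]        # strip an @sha256:... digest
    directory, _, _ = name.rpartition("/")   # the last component (name:tag) is not a directory
    return directory


def trusted_dir_matches(pattern: str, directory: str) -> bool:
    """True if `directory` is covered by an already validated trusted directory pattern."""
    p_reg, _, p_path = pattern.partition("/")
    d_reg, _, d_path = directory.partition("/")
    if p_reg.startswith("*"):
        if not d_reg.endswith(p_reg[1:]):    # *-docker.pkg.dev covers us-docker.pkg.dev
            return False
    elif d_reg != p_reg:
        return False
    p_segs = p_path.split("/")
    d_segs = d_path.split("/") if d_path else []
    if p_segs[-1] == "**":                   # one or more segments below the prefix
        prefix = p_segs[:-1]
        return len(d_segs) > len(prefix) and d_segs[: len(prefix)] == prefix
    if p_segs[-1] == "*":                    # exactly one direct child directory
        return len(d_segs) == len(p_segs) and d_segs[:-1] == p_segs[:-1]
    return d_segs == p_segs                  # no wildcard: a single directory


def evaluate_trusted_directory_check(trusted_dir_patterns: list, image_ref: str) -> bool:
    """The check passes when the image's directory matches any pattern; invalid patterns are
    rejected up front, as server-side policy validation would do."""
    invalid = [p for p in trusted_dir_patterns if not validate_trusted_dir_pattern(p)]
    if invalid:
        raise ValueError(f"invalid trusted_dir_patterns: {invalid}")
    directory = image_directory(image_ref)
    return any(trusted_dir_matches(p, directory) for p in trusted_dir_patterns)


if __name__ == "__main__":
    # Constructed sample: trust one Artifact Registry repository in any location.
    policy = ["*-docker.pkg.dev/my-project/my-repo"]
    for ref in ("us-docker.pkg.dev/my-project/my-repo/nginx:1.25", "docker.io/library/nginx:latest"):
        print(ref, "->", "allow" if evaluate_trusted_directory_check(policy, ref) else "deny")
```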

## `labels`{% #labels %}

**Type**: `UNORDERED_LIST_STRING`

## `name`{% #name %}

**Type**: `STRING`
**Provider name**: `name`
**Description**: Output only. The relative resource name of the Binary Authorization platform policy, in the form of `projects/*/platforms/*/policies/*`.

## `organization_id`{% #organization_id %}

**Type**: `STRING`

## `parent`{% #parent %}

**Type**: `STRING`

## `project_id`{% #project_id %}

**Type**: `STRING`

## `project_number`{% #project_number %}

**Type**: `STRING`

## `region_id`{% #region_id %}

**Type**: `STRING`

## `resource_name`{% #resource_name %}

**Type**: `STRING`

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `update_time`{% #update_time %}

**Type**: `TIMESTAMP`
**Provider name**: `updateTime`
**Description**: Output only. Time when the policy was last updated.

## `zone_id`{% #zone_id %}

**Type**: `STRING`
