This product is not supported for your selected Datadog site. ().
이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

gcp_binaryauthorization_platform_policy

ancestors

Type: UNORDERED_LIST_STRING

description

Type: STRING
Provider name: description
Description: Optional. A description comment about the policy.

etag

Type: STRING
Provider name: etag
Description: Optional. Used to prevent updating the policy when another request has updated it since it was retrieved.

gke_policy

Type: STRUCT
Provider name: gkePolicy
Description: Optional. GKE platform-specific policy.

  • check_sets
    Type: UNORDERED_LIST_STRUCT
    Provider name: checkSets
    Description: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is “always allow”). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    • checks
      Type: UNORDERED_LIST_STRUCT
      Provider name: checks
      Description: Optional. The checks to apply. The ultimate result of evaluating the check set will be “allow” if and only if every check in checks evaluates to “allow”. If checks is empty, the default behavior is “always allow”.
      • always_deny
        Type: BOOLEAN
        Provider name: alwaysDeny
        Description: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn’t exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to “deny”.
      • gcp_display_name
        Type: STRING
        Provider name: displayName
        Description: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
      • image_allowlist
        Type: STRUCT
        Provider name: imageAllowlist
        Description: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
        • allow_pattern
          Type: UNORDERED_LIST_STRING
          Provider name: allowPattern
          Description: Required. A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
      • image_freshness_check
        Type: STRUCT
        Provider name: imageFreshnessCheck
        Description: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
        • max_upload_age_days
          Type: INT32
          Provider name: maxUploadAgeDays
          Description: Required. The max number of days that is allowed since the image was uploaded. Must be greater than zero.
      • sigstore_signature_check
        Type: STRUCT
        Provider name: sigstoreSignatureCheck
        Description: Optional. Require that an image was signed by Cosign with a trusted key. This check requires that both the image and signature are stored in Artifact Registry.
        • sigstore_authorities
          Type: UNORDERED_LIST_STRUCT
          Provider name: sigstoreAuthorities
          Description: Required. The authorities required by this check to verify the signature. A signature only needs to be verified by one authority to pass the check.
          • gcp_display_name
            Type: STRING
            Provider name: displayName
            Description: Optional. A user-provided name for this SigstoreAuthority. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
          • public_key_set
            Type: STRUCT
            Provider name: publicKeySet
            Description: Required. A simple set of public keys. A signature is considered valid if any keys in the set validate the signature.
            • public_keys
              Type: UNORDERED_LIST_STRUCT
              Provider name: publicKeys
              Description: Required. public_keys must have at least one entry.
              • public_key_pem
                Type: STRING
                Provider name: publicKeyPem
                Description: The public key material in PEM format.
      • simple_signing_attestation_check
        Type: STRUCT
        Provider name: simpleSigningAttestationCheck
        Description: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
        • attestation_authenticators
          Type: UNORDERED_LIST_STRUCT
          Provider name: attestationAuthenticators
          Description: Required. The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an “OR” of the authenticator results. At least one authenticator is required.
          • gcp_display_name
            Type: STRING
            Provider name: displayName
            Description: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
          • pkix_public_key_set
            Type: STRUCT
            Provider name: pkixPublicKeySet
            Description: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
            • pkix_public_keys
              Type: UNORDERED_LIST_STRUCT
              Provider name: pkixPublicKeys
              Description: Required. pkix_public_keys must have at least one entry.
              • key_id
                Type: STRING
                Provider name: keyId
                Description: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them. The ID must match exactly contents of the key_id field exactly. The ID may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either match that value exactly, or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
              • public_key_pem
                Type: STRING
                Provider name: publicKeyPem
                Description: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
              • signature_algorithm
                Type: STRING
                Provider name: signatureAlgorithm
                Description: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
                Possible values:
                • SIGNATURE_ALGORITHM_UNSPECIFIED - Not specified.
                • RSA_PSS_2048_SHA256 - RSASSA-PSS 2048 bit key with a SHA256 digest.
                • RSA_SIGN_PSS_2048_SHA256 - RSASSA-PSS 2048 bit key with a SHA256 digest.
                • RSA_PSS_3072_SHA256 - RSASSA-PSS 3072 bit key with a SHA256 digest.
                • RSA_SIGN_PSS_3072_SHA256 - RSASSA-PSS 3072 bit key with a SHA256 digest.
                • RSA_PSS_4096_SHA256 - RSASSA-PSS 4096 bit key with a SHA256 digest.
                • RSA_SIGN_PSS_4096_SHA256 - RSASSA-PSS 4096 bit key with a SHA256 digest.
                • RSA_PSS_4096_SHA512 - RSASSA-PSS 4096 bit key with a SHA512 digest.
                • RSA_SIGN_PSS_4096_SHA512 - RSASSA-PSS 4096 bit key with a SHA512 digest.
                • RSA_SIGN_PKCS1_2048_SHA256 - RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
                • RSA_SIGN_PKCS1_3072_SHA256 - RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
                • RSA_SIGN_PKCS1_4096_SHA256 - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
                • RSA_SIGN_PKCS1_4096_SHA512 - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
                • ECDSA_P256_SHA256 - ECDSA on the NIST P-256 curve with a SHA256 digest.
                • EC_SIGN_P256_SHA256 - ECDSA on the NIST P-256 curve with a SHA256 digest.
                • ECDSA_P384_SHA384 - ECDSA on the NIST P-384 curve with a SHA384 digest.
                • EC_SIGN_P384_SHA384 - ECDSA on the NIST P-384 curve with a SHA384 digest.
                • ECDSA_P521_SHA512 - ECDSA on the NIST P-521 curve with a SHA512 digest.
                • EC_SIGN_P521_SHA512 - ECDSA on the NIST P-521 curve with a SHA512 digest.
        • container_analysis_attestation_projects
          Type: UNORDERED_LIST_STRING
          Provider name: containerAnalysisAttestationProjects
          Description: Optional. The projects where attestations are stored as Container Analysis Occurrences, in the format projects/[PROJECT_ID]. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. A project ID must be used, not a project number. When fetching Occurrences from Container Analysis, only AttestationOccurrence kinds are considered. In the future, additional Occurrence kinds may be added to the query. Maximum number of container_analysis_attestation_projects allowed in each SimpleSigningAttestationCheck is 10.
      • slsa_check
        Type: STRUCT
        Provider name: slsaCheck
        Description: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
        • rules
          Type: UNORDERED_LIST_STRUCT
          Provider name: rules
          Description: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
          • attestation_source
            Type: STRUCT
            Provider name: attestationSource
            Description: Specifies where to fetch the provenances attestations generated by the builder (group).
            • container_analysis_attestation_projects
              Type: UNORDERED_LIST_STRING
              Provider name: containerAnalysisAttestationProjects
              Description: The IDs of the Google Cloud projects that store the SLSA attestations as Container Analysis Occurrences, in the format projects/[PROJECT_ID]. Maximum number of container_analysis_attestation_projects allowed in each AttestationSource is 10.
          • config_based_build_required
            Type: BOOLEAN
            Provider name: configBasedBuildRequired
            Description: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
          • custom_constraints
            Type: STRING
            Provider name: customConstraints
            Description: Optional. A CEL expression for specifying custom constraints on the provenance payload. This can be used when users want to specify expectations on provenance fields that are not covered by the general check. For example, users can use this field to require that certain parameters should never be used during the build process.
          • trusted_builder
            Type: STRING
            Provider name: trustedBuilder
            Description: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don’t need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
            Possible values:
            • BUILDER_UNSPECIFIED - Should never happen.
            • GOOGLE_CLOUD_BUILD - The whole Google Cloud Build (GCB) builder group, including all GCB builder types.
          • trusted_source_repo_patterns
            Type: UNORDERED_LIST_STRING
            Provider name: trustedSourceRepoPatterns
            Description: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it’s not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
      • trusted_directory_check
        Type: STRUCT
        Provider name: trustedDirectoryCheck
        Description: Optional. Require that an image lives in a trusted directory.
        • trusted_dir_patterns
          Type: UNORDERED_LIST_STRING
          Provider name: trustedDirPatterns
          Description: Required. List of trusted directory patterns. A pattern is in the form “registry/path/to/directory”. The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match “/” as well. For example: – gcr.io/my-project/my-repo is valid to match a single directory – *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes – gcr.io/my-project/* will match all direct directories in my-projectgcr.io/my-project/** would match all directories in my-projectgcr.i* is not allowed since the registry is not completely specified – sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. – *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain – **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
      • vulnerability_check
        Type: STRUCT
        Provider name: vulnerabilityCheck
        Description: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
        • allowed_cves
          Type: UNORDERED_LIST_STRING
          Provider name: allowedCves
          Description: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
        • blocked_cves
          Type: UNORDERED_LIST_STRING
          Provider name: blockedCves
          Description: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
        • container_analysis_vulnerability_projects
          Type: UNORDERED_LIST_STRING
          Provider name: containerAnalysisVulnerabilityProjects
          Description: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check. Maximum number of container_analysis_vulnerability_projects allowed in each VulnerabilityCheck is 10.
        • maximum_fixable_severity
          Type: STRING
          Provider name: maximumFixableSeverity
          Description: Required. The threshold for severity for which a fix is currently available. This field is required and must be set.
          Possible values:
          • MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
          • BLOCK_ALL - Block any vulnerability.
          • MINIMAL - Allow only minimal severity.
          • LOW - Allow only low severity and lower.
          • MEDIUM - Allow medium severity and lower.
          • HIGH - Allow high severity and lower.
          • CRITICAL - Allow critical severity and lower.
          • ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
        • maximum_unfixable_severity
          Type: STRING
          Provider name: maximumUnfixableSeverity
          Description: Required. The threshold for severity for which a fix isn’t currently available. This field is required and must be set.
          Possible values:
          • MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
          • BLOCK_ALL - Block any vulnerability.
          • MINIMAL - Allow only minimal severity.
          • LOW - Allow only low severity and lower.
          • MEDIUM - Allow medium severity and lower.
          • HIGH - Allow high severity and lower.
          • CRITICAL - Allow critical severity and lower.
          • ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
    • gcp_display_name
      Type: STRING
      Provider name: displayName
      Description: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    • image_allowlist
      Type: STRUCT
      Provider name: imageAllowlist
      Description: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
      • allow_pattern
        Type: UNORDERED_LIST_STRING
        Provider name: allowPattern
        Description: Required. A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    • scope
      Type: STRUCT
      Provider name: scope
      Description: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
      • kubernetes_namespace
        Type: STRING
        Provider name: kubernetesNamespace
        Description: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
      • kubernetes_service_account
        Type: STRING
        Provider name: kubernetesServiceAccount
        Description: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
  • image_allowlist
    Type: STRUCT
    Provider name: imageAllowlist
    Description: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    • allow_pattern
      Type: UNORDERED_LIST_STRING
      Provider name: allowPattern
      Description: Required. A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

labels

Type: UNORDERED_LIST_STRING

name

Type: STRING
Provider name: name
Description: Output only. The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.

organization_id

Type: STRING

parent

Type: STRING

project_id

Type: STRING

project_number

Type: STRING

resource_name

Type: STRING

tags

Type: UNORDERED_LIST_STRING

update_time

Type: TIMESTAMP
Provider name: updateTime
Description: Output only. Time when the policy was last updated.