Package cloud.google.com/go/binaryauthorization/apiv1/binaryauthorizationpb (v1.10.0)

Constants

BinauthzManagementServiceV1_GetPolicy_FullMethodName, BinauthzManagementServiceV1_UpdatePolicy_FullMethodName, BinauthzManagementServiceV1_CreateAttestor_FullMethodName, BinauthzManagementServiceV1_GetAttestor_FullMethodName, BinauthzManagementServiceV1_UpdateAttestor_FullMethodName, BinauthzManagementServiceV1_ListAttestors_FullMethodName, BinauthzManagementServiceV1_DeleteAttestor_FullMethodName

// Full gRPC method names of the BinauthzManagementServiceV1 service.
// Each value is "/" + ServiceName + "/" + MethodName as registered in
// BinauthzManagementServiceV1_ServiceDesc. Interceptors and authorization or
// audit middleware can match on these strings instead of re-deriving them.
const (
	BinauthzManagementServiceV1_GetPolicy_FullMethodName      = "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/GetPolicy"
	BinauthzManagementServiceV1_UpdatePolicy_FullMethodName   = "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/UpdatePolicy"
	BinauthzManagementServiceV1_CreateAttestor_FullMethodName = "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/CreateAttestor"
	BinauthzManagementServiceV1_GetAttestor_FullMethodName    = "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/GetAttestor"
	BinauthzManagementServiceV1_UpdateAttestor_FullMethodName = "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/UpdateAttestor"
	BinauthzManagementServiceV1_ListAttestors_FullMethodName  = "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/ListAttestors"
	BinauthzManagementServiceV1_DeleteAttestor_FullMethodName = "/google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1/DeleteAttestor"
)

SystemPolicyV1_GetSystemPolicy_FullMethodName

// Full gRPC method name of the single SystemPolicyV1 RPC, matching the
// ServiceName/MethodName pair registered in SystemPolicyV1_ServiceDesc.
const (
	SystemPolicyV1_GetSystemPolicy_FullMethodName = "/google.cloud.binaryauthorization.v1.SystemPolicyV1/GetSystemPolicy"
)

ValidationHelperV1_ValidateAttestationOccurrence_FullMethodName

// Full gRPC method name of the single ValidationHelperV1 RPC, matching the
// ServiceName/MethodName pair registered in ValidationHelperV1_ServiceDesc.
const (
	ValidationHelperV1_ValidateAttestationOccurrence_FullMethodName = "/google.cloud.binaryauthorization.v1.ValidationHelperV1/ValidateAttestationOccurrence"
)

Variables

Policy_GlobalPolicyEvaluationMode_name, Policy_GlobalPolicyEvaluationMode_value

// Enum value maps for Policy_GlobalPolicyEvaluationMode: wire number to name
// and name to wire number. Number 0 is the UNSPECIFIED value, which is also
// the Go zero value of the enum, so an unset field reads as unspecified
// rather than as ENABLE or DISABLE.
var (
	Policy_GlobalPolicyEvaluationMode_name = map[int32]string{
		0: "GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED",
		1: "ENABLE",
		2: "DISABLE",
	}
	Policy_GlobalPolicyEvaluationMode_value = map[string]int32{
		"GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED": 0,
		"ENABLE":  1,
		"DISABLE": 2,
	}
)

Enum value maps for Policy_GlobalPolicyEvaluationMode.

AdmissionRule_EvaluationMode_name, AdmissionRule_EvaluationMode_value

// Enum value maps for AdmissionRule_EvaluationMode: wire number to name and
// name to wire number. The numbers correspond to the AdmissionRule_EvaluationMode
// constants (ALWAYS_ALLOW = 1, REQUIRE_ATTESTATION = 2, ALWAYS_DENY = 3);
// 0 is the UNSPECIFIED zero value.
var (
	AdmissionRule_EvaluationMode_name = map[int32]string{
		0: "EVALUATION_MODE_UNSPECIFIED",
		1: "ALWAYS_ALLOW",
		2: "REQUIRE_ATTESTATION",
		3: "ALWAYS_DENY",
	}
	AdmissionRule_EvaluationMode_value = map[string]int32{
		"EVALUATION_MODE_UNSPECIFIED": 0,
		"ALWAYS_ALLOW":                1,
		"REQUIRE_ATTESTATION":         2,
		"ALWAYS_DENY":                 3,
	}
)

Enum value maps for AdmissionRule_EvaluationMode.

AdmissionRule_EnforcementMode_name, AdmissionRule_EnforcementMode_value

// Enum value maps for AdmissionRule_EnforcementMode: wire number to name and
// name to wire number. Per the AdmissionRule_EnforcementMode constants, only
// ENFORCED_BLOCK_AND_AUDIT_LOG (1) blocks pod creation; DRYRUN_AUDIT_LOG_ONLY
// (2) audit-logs and allows it. 0 is the UNSPECIFIED zero value.
var (
	AdmissionRule_EnforcementMode_name = map[int32]string{
		0: "ENFORCEMENT_MODE_UNSPECIFIED",
		1: "ENFORCED_BLOCK_AND_AUDIT_LOG",
		2: "DRYRUN_AUDIT_LOG_ONLY",
	}
	AdmissionRule_EnforcementMode_value = map[string]int32{
		"ENFORCEMENT_MODE_UNSPECIFIED": 0,
		"ENFORCED_BLOCK_AND_AUDIT_LOG": 1,
		"DRYRUN_AUDIT_LOG_ONLY":        2,
	}
)

Enum value maps for AdmissionRule_EnforcementMode.

PkixPublicKey_SignatureAlgorithm_name, PkixPublicKey_SignatureAlgorithm_value

// Enum value maps for PkixPublicKey_SignatureAlgorithm: wire number to name
// and name to wire number.
//
// The name->value map accepts the legacy spellings EC_SIGN_P256_SHA256,
// EC_SIGN_P384_SHA384 and EC_SIGN_P521_SHA512 as aliases for 9, 10 and 11,
// but the value->name map only ever produces the ECDSA_* spellings. A
// round trip through both maps therefore canonicalizes an EC_SIGN_* name to
// its ECDSA_* form; code that compares algorithm names as strings should use
// the numeric value or the ECDSA_* name, not the alias.
var (
	PkixPublicKey_SignatureAlgorithm_name = map[int32]string{
		0: "SIGNATURE_ALGORITHM_UNSPECIFIED",
		1: "RSA_PSS_2048_SHA256",
		2: "RSA_PSS_3072_SHA256",
		3: "RSA_PSS_4096_SHA256",
		4: "RSA_PSS_4096_SHA512",
		5: "RSA_SIGN_PKCS1_2048_SHA256",
		6: "RSA_SIGN_PKCS1_3072_SHA256",
		7: "RSA_SIGN_PKCS1_4096_SHA256",
		8: "RSA_SIGN_PKCS1_4096_SHA512",
		9: "ECDSA_P256_SHA256",

		10: "ECDSA_P384_SHA384",

		11: "ECDSA_P521_SHA512",
	}
	PkixPublicKey_SignatureAlgorithm_value = map[string]int32{
		"SIGNATURE_ALGORITHM_UNSPECIFIED": 0,
		"RSA_PSS_2048_SHA256":             1,
		"RSA_PSS_3072_SHA256":             2,
		"RSA_PSS_4096_SHA256":             3,
		"RSA_PSS_4096_SHA512":             4,
		"RSA_SIGN_PKCS1_2048_SHA256":      5,
		"RSA_SIGN_PKCS1_3072_SHA256":      6,
		"RSA_SIGN_PKCS1_4096_SHA256":      7,
		"RSA_SIGN_PKCS1_4096_SHA512":      8,
		"ECDSA_P256_SHA256":               9,
		"EC_SIGN_P256_SHA256":             9,
		"ECDSA_P384_SHA384":               10,
		"EC_SIGN_P384_SHA384":             10,
		"ECDSA_P521_SHA512":               11,
		"EC_SIGN_P521_SHA512":             11,
	}
)

Enum value maps for PkixPublicKey_SignatureAlgorithm.

ValidateAttestationOccurrenceResponse_Result_name, ValidateAttestationOccurrenceResponse_Result_value

// Enum value maps for ValidateAttestationOccurrenceResponse_Result: wire
// number to name and name to wire number. Judging by the names, only
// VERIFIED (1) denotes a successfully verified attestation; RESULT_UNSPECIFIED
// (0) is the zero value and should be treated as "not verified" by callers,
// not as success.
var (
	ValidateAttestationOccurrenceResponse_Result_name = map[int32]string{
		0: "RESULT_UNSPECIFIED",
		1: "VERIFIED",
		2: "ATTESTATION_NOT_VERIFIABLE",
	}
	ValidateAttestationOccurrenceResponse_Result_value = map[string]int32{
		"RESULT_UNSPECIFIED":         0,
		"VERIFIED":                   1,
		"ATTESTATION_NOT_VERIFIABLE": 2,
	}
)

Enum value maps for ValidateAttestationOccurrenceResponse_Result.

BinauthzManagementServiceV1_ServiceDesc

// BinauthzManagementServiceV1_ServiceDesc is the grpc.ServiceDesc for the
// BinauthzManagementServiceV1 service. It is only intended for direct use
// with grpc.RegisterService and must not be introspected or modified (even
// as a copy). The seven unary methods correspond one-to-one to the
// BinauthzManagementServiceV1_*_FullMethodName constants; the service defines
// no streaming RPCs. The unexported _BinauthzManagementServiceV1_*_Handler
// functions are generated alongside this descriptor and are not shown here.
var BinauthzManagementServiceV1_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "google.cloud.binaryauthorization.v1.BinauthzManagementServiceV1",
	HandlerType: (*BinauthzManagementServiceV1Server)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "GetPolicy",
			Handler:    _BinauthzManagementServiceV1_GetPolicy_Handler,
		},
		{
			MethodName: "UpdatePolicy",
			Handler:    _BinauthzManagementServiceV1_UpdatePolicy_Handler,
		},
		{
			MethodName: "CreateAttestor",
			Handler:    _BinauthzManagementServiceV1_CreateAttestor_Handler,
		},
		{
			MethodName: "GetAttestor",
			Handler:    _BinauthzManagementServiceV1_GetAttestor_Handler,
		},
		{
			MethodName: "UpdateAttestor",
			Handler:    _BinauthzManagementServiceV1_UpdateAttestor_Handler,
		},
		{
			MethodName: "ListAttestors",
			Handler:    _BinauthzManagementServiceV1_ListAttestors_Handler,
		},
		{
			MethodName: "DeleteAttestor",
			Handler:    _BinauthzManagementServiceV1_DeleteAttestor_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "google/cloud/binaryauthorization/v1/service.proto",
}

BinauthzManagementServiceV1_ServiceDesc is the grpc.ServiceDesc for the BinauthzManagementServiceV1 service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

File_google_cloud_binaryauthorization_v1_resources_proto

// File_google_cloud_binaryauthorization_v1_resources_proto is the
// protoreflect.FileDescriptor for the resources .proto file of this package
// (presumably google/cloud/binaryauthorization/v1/resources.proto, following
// the File_<path>_proto naming of the sibling service descriptor below).
var File_google_cloud_binaryauthorization_v1_resources_proto protoreflect.FileDescriptor

File_google_cloud_binaryauthorization_v1_service_proto

// File_google_cloud_binaryauthorization_v1_service_proto is the
// protoreflect.FileDescriptor for google/cloud/binaryauthorization/v1/service.proto,
// the file named in the Metadata field of the three *_ServiceDesc values.
var File_google_cloud_binaryauthorization_v1_service_proto protoreflect.FileDescriptor

SystemPolicyV1_ServiceDesc

// SystemPolicyV1_ServiceDesc is the grpc.ServiceDesc for the SystemPolicyV1
// service. It is only intended for direct use with grpc.RegisterService and
// must not be introspected or modified (even as a copy). The single unary
// method corresponds to SystemPolicyV1_GetSystemPolicy_FullMethodName; the
// unexported handler is generated alongside this descriptor.
var SystemPolicyV1_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "google.cloud.binaryauthorization.v1.SystemPolicyV1",
	HandlerType: (*SystemPolicyV1Server)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "GetSystemPolicy",
			Handler:    _SystemPolicyV1_GetSystemPolicy_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "google/cloud/binaryauthorization/v1/service.proto",
}

SystemPolicyV1_ServiceDesc is the grpc.ServiceDesc for the SystemPolicyV1 service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

ValidationHelperV1_ServiceDesc

// ValidationHelperV1_ServiceDesc is the grpc.ServiceDesc for the
// ValidationHelperV1 service. It is only intended for direct use with
// grpc.RegisterService and must not be introspected or modified (even as a
// copy). The single unary method corresponds to
// ValidationHelperV1_ValidateAttestationOccurrence_FullMethodName; the
// unexported handler is generated alongside this descriptor.
var ValidationHelperV1_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "google.cloud.binaryauthorization.v1.ValidationHelperV1",
	HandlerType: (*ValidationHelperV1Server)(nil),
	Methods: []grpc.MethodDesc{
		{
			MethodName: "ValidateAttestationOccurrence",
			Handler:    _ValidationHelperV1_ValidateAttestationOccurrence_Handler,
		},
	},
	Streams:  []grpc.StreamDesc{},
	Metadata: "google/cloud/binaryauthorization/v1/service.proto",
}

ValidationHelperV1_ServiceDesc is the grpc.ServiceDesc for the ValidationHelperV1 service. It's only intended for direct use with grpc.RegisterService, and not to be introspected or modified (even as a copy).

Functions

func RegisterBinauthzManagementServiceV1Server

func RegisterBinauthzManagementServiceV1Server(s grpc.ServiceRegistrar, srv BinauthzManagementServiceV1Server)

func RegisterSystemPolicyV1Server

func RegisterSystemPolicyV1Server(s grpc.ServiceRegistrar, srv SystemPolicyV1Server)

func RegisterValidationHelperV1Server

func RegisterValidationHelperV1Server(s grpc.ServiceRegistrar, srv ValidationHelperV1Server)

AdmissionRule

// AdmissionRule specifies either that all container images used in a pod
// creation request must be attested to by one or more attestors, that all
// pod creations will be allowed, or that all pod creations will be denied.
//
// Images matching an AdmissionWhitelistPattern are exempted from admission
// rules and will never block a pod creation.
//
// NOTE(review): the invariants stated on the fields (non-empty
// RequireAttestationsBy iff EvaluationMode is REQUIRE_ATTESTATION) are
// documented here but not enforced by this generated struct; confirm the
// service rejects inconsistent rules before relying on it.
type AdmissionRule struct {

	// Required. How this admission rule will be evaluated.
	// See the AdmissionRule_EvaluationMode constants for the defined values.
	EvaluationMode AdmissionRule_EvaluationMode `protobuf:"varint,1,opt,name=evaluation_mode,json=evaluationMode,proto3,enum=google.cloud.binaryauthorization.v1.AdmissionRule_EvaluationMode" json:"evaluation_mode,omitempty"`
	// Optional. The resource names of the attestors that must attest to
	// a container image, in the format `projects/*/attestors/*`. Each
	// attestor must exist before a policy can reference it.  To add an attestor
	// to a policy the principal issuing the policy change request must be able
	// to read the attestor resource.
	//
	// Note: this field must be non-empty when the evaluation_mode field specifies
	// REQUIRE_ATTESTATION, otherwise it must be empty.
	RequireAttestationsBy []string `protobuf:"bytes,2,rep,name=require_attestations_by,json=requireAttestationsBy,proto3" json:"require_attestations_by,omitempty"`
	// Required. The action when a pod creation is denied by the admission rule.
	// Only AdmissionRule_ENFORCED_BLOCK_AND_AUDIT_LOG blocks the creation;
	// AdmissionRule_DRYRUN_AUDIT_LOG_ONLY audit-logs and lets it proceed.
	EnforcementMode AdmissionRule_EnforcementMode `protobuf:"varint,3,opt,name=enforcement_mode,json=enforcementMode,proto3,enum=google.cloud.binaryauthorization.v1.AdmissionRule_EnforcementMode" json:"enforcement_mode,omitempty"`
	// contains filtered or unexported fields
}

An [admission rule][google.cloud.binaryauthorization.v1.AdmissionRule] specifies either that all container images used in a pod creation request must be attested to by one or more [attestors][google.cloud.binaryauthorization.v1.Attestor], that all pod creations will be allowed, or that all pod creations will be denied.

Images matching an [admission allowlist pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern] are exempted from admission rules and will never block a pod creation.

func (*AdmissionRule) Descriptor

func (*AdmissionRule) Descriptor() ([]byte, []int)

Deprecated: Use AdmissionRule.ProtoReflect.Descriptor instead.

func (*AdmissionRule) GetEnforcementMode

func (x *AdmissionRule) GetEnforcementMode() AdmissionRule_EnforcementMode

func (*AdmissionRule) GetEvaluationMode

func (x *AdmissionRule) GetEvaluationMode() AdmissionRule_EvaluationMode

func (*AdmissionRule) GetRequireAttestationsBy

func (x *AdmissionRule) GetRequireAttestationsBy() []string

func (*AdmissionRule) ProtoMessage

func (*AdmissionRule) ProtoMessage()

func (*AdmissionRule) ProtoReflect

func (x *AdmissionRule) ProtoReflect() protoreflect.Message

func (*AdmissionRule) Reset

func (x *AdmissionRule) Reset()

func (*AdmissionRule) String

func (x *AdmissionRule) String() string

AdmissionRule_EnforcementMode

// AdmissionRule_EnforcementMode defines the possible actions when a pod
// creation is denied by an admission rule. Its defined values are the
// AdmissionRule_ENFORCEMENT_MODE_UNSPECIFIED, AdmissionRule_ENFORCED_BLOCK_AND_AUDIT_LOG
// and AdmissionRule_DRYRUN_AUDIT_LOG_ONLY constants; the zero value is UNSPECIFIED.
type AdmissionRule_EnforcementMode int32

Defines the possible actions when a pod creation is denied by an admission rule.

AdmissionRule_ENFORCEMENT_MODE_UNSPECIFIED, AdmissionRule_ENFORCED_BLOCK_AND_AUDIT_LOG, AdmissionRule_DRYRUN_AUDIT_LOG_ONLY

// Values of AdmissionRule_EnforcementMode. Note that only
// ENFORCED_BLOCK_AND_AUDIT_LOG actually blocks a denied pod creation;
// DRYRUN_AUDIT_LOG_ONLY produces an audit log entry and allows the creation.
const (
	// Do not use.
	AdmissionRule_ENFORCEMENT_MODE_UNSPECIFIED AdmissionRule_EnforcementMode = 0
	// Enforce the admission rule by blocking the pod creation.
	AdmissionRule_ENFORCED_BLOCK_AND_AUDIT_LOG AdmissionRule_EnforcementMode = 1
	// Dryrun mode: Audit logging only.  This will allow the pod creation as if
	// the admission request had specified break-glass.
	AdmissionRule_DRYRUN_AUDIT_LOG_ONLY AdmissionRule_EnforcementMode = 2
)

func (AdmissionRule_EnforcementMode) Descriptor

func (AdmissionRule_EnforcementMode) Enum

func (AdmissionRule_EnforcementMode) EnumDescriptor

func (AdmissionRule_EnforcementMode) EnumDescriptor() ([]byte, []int)

Deprecated: Use AdmissionRule_EnforcementMode.Descriptor instead.

func (AdmissionRule_EnforcementMode) Number

func (AdmissionRule_EnforcementMode) String

func (AdmissionRule_EnforcementMode) Type

AdmissionRule_EvaluationMode

// AdmissionRule_EvaluationMode specifies how an AdmissionRule is evaluated.
// Its defined values are the AdmissionRule_EVALUATION_MODE_UNSPECIFIED,
// AdmissionRule_ALWAYS_ALLOW, AdmissionRule_REQUIRE_ATTESTATION and
// AdmissionRule_ALWAYS_DENY constants; the zero value is UNSPECIFIED.
type AdmissionRule_EvaluationMode int32

AdmissionRule_EVALUATION_MODE_UNSPECIFIED, AdmissionRule_ALWAYS_ALLOW, AdmissionRule_REQUIRE_ATTESTATION, AdmissionRule_ALWAYS_DENY

// Values of AdmissionRule_EvaluationMode.
const (
	// Do not use.
	AdmissionRule_EVALUATION_MODE_UNSPECIFIED AdmissionRule_EvaluationMode = 0
	// This rule allows all pod creations.
	AdmissionRule_ALWAYS_ALLOW AdmissionRule_EvaluationMode = 1
	// This rule allows a pod creation if all the attestors listed in
	// 'require_attestations_by' have valid attestations for all of the
	// images in the pod spec.
	AdmissionRule_REQUIRE_ATTESTATION AdmissionRule_EvaluationMode = 2
	// This rule denies all pod creations.
	AdmissionRule_ALWAYS_DENY AdmissionRule_EvaluationMode = 3
)

func (AdmissionRule_EvaluationMode) Descriptor

func (AdmissionRule_EvaluationMode) Enum

func (AdmissionRule_EvaluationMode) EnumDescriptor

func (AdmissionRule_EvaluationMode) EnumDescriptor() ([]byte, []int)

Deprecated: Use AdmissionRule_EvaluationMode.Descriptor instead.

func (AdmissionRule_EvaluationMode) Number

func (AdmissionRule_EvaluationMode) String

func (AdmissionRule_EvaluationMode) Type

AdmissionWhitelistPattern

// AdmissionWhitelistPattern (an admission allowlist pattern) exempts images
// from checks by admission rules. Because a matching image is never blocked,
// the breadth of NamePattern, especially with the `*` and `**` wildcards,
// directly determines how much of the policy is bypassed.
type AdmissionWhitelistPattern struct {

	// An image name pattern to allowlist, in the form `registry/path/to/image`.
	// This supports a trailing `*` wildcard, but this is allowed only in
	// text after the `registry/` part. This also supports a trailing `**`
	// wildcard which matches subdirectories of a given entry.
	NamePattern string `protobuf:"bytes,1,opt,name=name_pattern,json=namePattern,proto3" json:"name_pattern,omitempty"`
	// contains filtered or unexported fields
}

An [admission allowlist pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern] exempts matching images from checks by [admission rules][google.cloud.binaryauthorization.v1.AdmissionRule].

func (*AdmissionWhitelistPattern) Descriptor

func (*AdmissionWhitelistPattern) Descriptor() ([]byte, []int)

Deprecated: Use AdmissionWhitelistPattern.ProtoReflect.Descriptor instead.

func (*AdmissionWhitelistPattern) GetNamePattern

func (x *AdmissionWhitelistPattern) GetNamePattern() string

func (*AdmissionWhitelistPattern) ProtoMessage

func (*AdmissionWhitelistPattern) ProtoMessage()

func (*AdmissionWhitelistPattern) ProtoReflect

func (*AdmissionWhitelistPattern) Reset

func (x *AdmissionWhitelistPattern) Reset()

func (*AdmissionWhitelistPattern) String

func (x *AdmissionWhitelistPattern) String() string

Attestor

// Attestor is an attestor that attests to container image artifacts. An
// existing attestor cannot be modified except where indicated on the fields.
// The attestor's verification material is carried in the AttestorType oneof,
// whose only assignable case is *Attestor_UserOwnedGrafeasNote.
type Attestor struct {

	// Required. The resource name, in the format:
	// `projects/*/attestors/*`. This field may not be updated.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Optional. A descriptive comment.  This field may be updated.
	// The field may be displayed in chooser dialogs.
	Description string `protobuf:"bytes,6,opt,name=description,proto3" json:"description,omitempty"`
	// Types that are assignable to AttestorType:
	//
	//	*Attestor_UserOwnedGrafeasNote
	AttestorType isAttestor_AttestorType `protobuf_oneof:"attestor_type"`
	// Output only. Time when the attestor was last updated.
	// Set by the service; values supplied by the caller are not meaningful.
	UpdateTime *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=update_time,json=updateTime,proto3" json:"update_time,omitempty"`
	// contains filtered or unexported fields
}

An [attestor][google.cloud.binaryauthorization.v1.Attestor] that attests to container image artifacts. An existing attestor cannot be modified except where indicated.

func (*Attestor) Descriptor

func (*Attestor) Descriptor() ([]byte, []int)

Deprecated: Use Attestor.ProtoReflect.Descriptor instead.

func (*Attestor) GetAttestorType

func (m *Attestor) GetAttestorType() isAttestor_AttestorType

func (*Attestor) GetDescription

func (x *Attestor) GetDescription() string

func (*Attestor) GetName

func (x *Attestor) GetName() string

func (*Attestor) GetUpdateTime

func (x *Attestor) GetUpdateTime() *timestamppb.Timestamp

func (*Attestor) GetUserOwnedGrafeasNote

func (x *Attestor) GetUserOwnedGrafeasNote() *UserOwnedGrafeasNote

func (*Attestor) ProtoMessage

func (*Attestor) ProtoMessage()

func (*Attestor) ProtoReflect

func (x *Attestor) ProtoReflect() protoreflect.Message

func (*Attestor) Reset

func (x *Attestor) Reset()

func (*Attestor) String

func (x *Attestor) String() string

AttestorPublicKey

// AttestorPublicKey is an attestor public key that will be used to verify
// attestations signed by this attestor. The key material lives in the
// PublicKey oneof, which is either an ASCII-armored PGP key
// (*AttestorPublicKey_AsciiArmoredPgpPublicKey) or a PKIX key
// (*AttestorPublicKey_PkixPublicKey); how Id is derived or validated depends
// on which case is set, as documented on those wrapper types.
type AttestorPublicKey struct {

	// Optional. A descriptive comment. This field may be updated.
	Comment string `protobuf:"bytes,1,opt,name=comment,proto3" json:"comment,omitempty"`
	// The ID of this public key.
	// Signatures verified by BinAuthz must include the ID of the public key that
	// can be used to verify them, and that ID must match the contents of this
	// field exactly.
	// Additional restrictions on this field can be imposed based on which public
	// key type is encapsulated. See the documentation on `public_key` cases below
	// for details.
	Id string `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
	// Types that are assignable to PublicKey:
	//
	//	*AttestorPublicKey_AsciiArmoredPgpPublicKey
	//	*AttestorPublicKey_PkixPublicKey
	PublicKey isAttestorPublicKey_PublicKey `protobuf_oneof:"public_key"`
	// contains filtered or unexported fields
}

An [attestor public key][google.cloud.binaryauthorization.v1.AttestorPublicKey] that will be used to verify attestations signed by this attestor.

func (*AttestorPublicKey) Descriptor

func (*AttestorPublicKey) Descriptor() ([]byte, []int)

Deprecated: Use AttestorPublicKey.ProtoReflect.Descriptor instead.

func (*AttestorPublicKey) GetAsciiArmoredPgpPublicKey

func (x *AttestorPublicKey) GetAsciiArmoredPgpPublicKey() string

func (*AttestorPublicKey) GetComment

func (x *AttestorPublicKey) GetComment() string

func (*AttestorPublicKey) GetId

func (x *AttestorPublicKey) GetId() string

func (*AttestorPublicKey) GetPkixPublicKey

func (x *AttestorPublicKey) GetPkixPublicKey() *PkixPublicKey

func (*AttestorPublicKey) GetPublicKey

func (m *AttestorPublicKey) GetPublicKey() isAttestorPublicKey_PublicKey

func (*AttestorPublicKey) ProtoMessage

func (*AttestorPublicKey) ProtoMessage()

func (*AttestorPublicKey) ProtoReflect

func (x *AttestorPublicKey) ProtoReflect() protoreflect.Message

func (*AttestorPublicKey) Reset

func (x *AttestorPublicKey) Reset()

func (*AttestorPublicKey) String

func (x *AttestorPublicKey) String() string

AttestorPublicKey_AsciiArmoredPgpPublicKey

// AttestorPublicKey_AsciiArmoredPgpPublicKey is the PublicKey oneof case of
// AttestorPublicKey that carries an ASCII-armored PGP public key. For this
// case the key ID is computed by the service (the OpenPGP V4 fingerprint)
// and any caller-supplied `id` is overwritten, so the ID cannot be chosen
// by the caller.
type AttestorPublicKey_AsciiArmoredPgpPublicKey struct {
	// ASCII-armored representation of a PGP public key, as the entire output by
	// the command `gpg --export --armor foo@example.com` (either LF or CRLF
	// line endings).
	// When using this field, `id` should be left blank.  The BinAuthz API
	// handlers will calculate the ID and fill it in automatically.  BinAuthz
	// computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
	// upper-case hex.  If `id` is provided by the caller, it will be
	// overwritten by the API-calculated ID.
	AsciiArmoredPgpPublicKey string `protobuf:"bytes,3,opt,name=ascii_armored_pgp_public_key,json=asciiArmoredPgpPublicKey,proto3,oneof"`
}

AttestorPublicKey_PkixPublicKey

// AttestorPublicKey_PkixPublicKey is the PublicKey oneof case of
// AttestorPublicKey that carries a raw PKIX SubjectPublicKeyInfo key. Unlike
// the PGP case, the caller may choose the key `id` here (it must be a valid
// RFC 3986 URI); only when it is blank does the service derive one from the
// DER digest.
type AttestorPublicKey_PkixPublicKey struct {
	// A raw PKIX SubjectPublicKeyInfo format public key.
	//
	// NOTE: `id` may be explicitly provided by the caller when using this
	// type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
	// blank, a default one will be computed based on the digest of the DER
	// encoding of the public key.
	PkixPublicKey *PkixPublicKey `protobuf:"bytes,5,opt,name=pkix_public_key,json=pkixPublicKey,proto3,oneof"`
}

Attestor_UserOwnedGrafeasNote

// Attestor_UserOwnedGrafeasNote is the only AttestorType oneof case of
// Attestor. The wrapped UserOwnedGrafeasNote type is defined elsewhere in
// this package and is not shown here.
type Attestor_UserOwnedGrafeasNote struct {
	// This specifies how an attestation will be read, and how it will be used
	// during policy enforcement.
	UserOwnedGrafeasNote *UserOwnedGrafeasNote `protobuf:"bytes,3,opt,name=user_owned_grafeas_note,json=userOwnedGrafeasNote,proto3,oneof"`
}

BinauthzManagementServiceV1Client

// BinauthzManagementServiceV1Client is the client API for the
// BinauthzManagementServiceV1 service. Obtain an implementation with
// NewBinauthzManagementServiceV1Client. All seven RPCs are unary; the
// gRPC status codes each one may return are noted on the methods.
//
// For semantics around ctx use and closing/ending streaming RPCs, please
// refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
type BinauthzManagementServiceV1Client interface {
	// A [policy][google.cloud.binaryauthorization.v1.Policy] specifies the [attestors][google.cloud.binaryauthorization.v1.Attestor] that must attest to
	// a container image, before the project is allowed to deploy that
	// image. There is at most one policy per project. All image admission
	// requests are permitted if a project has no policy.
	//
	// Gets the [policy][google.cloud.binaryauthorization.v1.Policy] for this project. Returns a default
	// [policy][google.cloud.binaryauthorization.v1.Policy] if the project does not have one.
	GetPolicy(ctx context.Context, in *GetPolicyRequest, opts ...grpc.CallOption) (*Policy, error)
	// Creates or updates a project's [policy][google.cloud.binaryauthorization.v1.Policy], and returns a copy of the
	// new [policy][google.cloud.binaryauthorization.v1.Policy]. A policy is always updated as a whole, to avoid race
	// conditions with concurrent policy enforcement (or management!)
	// requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
	// if the request is malformed.
	UpdatePolicy(ctx context.Context, in *UpdatePolicyRequest, opts ...grpc.CallOption) (*Policy, error)
	// Creates an [attestor][google.cloud.binaryauthorization.v1.Attestor], and returns a copy of the new
	// [attestor][google.cloud.binaryauthorization.v1.Attestor]. Returns NOT_FOUND if the project does not exist,
	// INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the
	// [attestor][google.cloud.binaryauthorization.v1.Attestor] already exists.
	CreateAttestor(ctx context.Context, in *CreateAttestorRequest, opts ...grpc.CallOption) (*Attestor, error)
	// Gets an [attestor][google.cloud.binaryauthorization.v1.Attestor].
	// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
	GetAttestor(ctx context.Context, in *GetAttestorRequest, opts ...grpc.CallOption) (*Attestor, error)
	// Updates an [attestor][google.cloud.binaryauthorization.v1.Attestor].
	// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
	UpdateAttestor(ctx context.Context, in *UpdateAttestorRequest, opts ...grpc.CallOption) (*Attestor, error)
	// Lists [attestors][google.cloud.binaryauthorization.v1.Attestor].
	// Returns INVALID_ARGUMENT if the project does not exist.
	ListAttestors(ctx context.Context, in *ListAttestorsRequest, opts ...grpc.CallOption) (*ListAttestorsResponse, error)
	// Deletes an [attestor][google.cloud.binaryauthorization.v1.Attestor]. Returns NOT_FOUND if the
	// [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
	DeleteAttestor(ctx context.Context, in *DeleteAttestorRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
}

BinauthzManagementServiceV1Client is the client API for BinauthzManagementServiceV1 service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

func NewBinauthzManagementServiceV1Client

func NewBinauthzManagementServiceV1Client(cc grpc.ClientConnInterface) BinauthzManagementServiceV1Client

BinauthzManagementServiceV1Server

// BinauthzManagementServiceV1Server is the server API for the
// BinauthzManagementServiceV1 service. All implementations should embed
// UnimplementedBinauthzManagementServiceV1Server for forward compatibility,
// and are registered with RegisterBinauthzManagementServiceV1Server. The
// method set mirrors BinauthzManagementServiceV1Client without the
// grpc.CallOption parameters.
type BinauthzManagementServiceV1Server interface {
	// A [policy][google.cloud.binaryauthorization.v1.Policy] specifies the [attestors][google.cloud.binaryauthorization.v1.Attestor] that must attest to
	// a container image, before the project is allowed to deploy that
	// image. There is at most one policy per project. All image admission
	// requests are permitted if a project has no policy.
	//
	// Gets the [policy][google.cloud.binaryauthorization.v1.Policy] for this project. Returns a default
	// [policy][google.cloud.binaryauthorization.v1.Policy] if the project does not have one.
	GetPolicy(context.Context, *GetPolicyRequest) (*Policy, error)
	// Creates or updates a project's [policy][google.cloud.binaryauthorization.v1.Policy], and returns a copy of the
	// new [policy][google.cloud.binaryauthorization.v1.Policy]. A policy is always updated as a whole, to avoid race
	// conditions with concurrent policy enforcement (or management!)
	// requests. Returns NOT_FOUND if the project does not exist, INVALID_ARGUMENT
	// if the request is malformed.
	UpdatePolicy(context.Context, *UpdatePolicyRequest) (*Policy, error)
	// Creates an [attestor][google.cloud.binaryauthorization.v1.Attestor], and returns a copy of the new
	// [attestor][google.cloud.binaryauthorization.v1.Attestor]. Returns NOT_FOUND if the project does not exist,
	// INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the
	// [attestor][google.cloud.binaryauthorization.v1.Attestor] already exists.
	CreateAttestor(context.Context, *CreateAttestorRequest) (*Attestor, error)
	// Gets an [attestor][google.cloud.binaryauthorization.v1.Attestor].
	// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
	GetAttestor(context.Context, *GetAttestorRequest) (*Attestor, error)
	// Updates an [attestor][google.cloud.binaryauthorization.v1.Attestor].
	// Returns NOT_FOUND if the [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
	UpdateAttestor(context.Context, *UpdateAttestorRequest) (*Attestor, error)
	// Lists [attestors][google.cloud.binaryauthorization.v1.Attestor].
	// Returns INVALID_ARGUMENT if the project does not exist.
	ListAttestors(context.Context, *ListAttestorsRequest) (*ListAttestorsResponse, error)
	// Deletes an [attestor][google.cloud.binaryauthorization.v1.Attestor]. Returns NOT_FOUND if the
	// [attestor][google.cloud.binaryauthorization.v1.Attestor] does not exist.
	DeleteAttestor(context.Context, *DeleteAttestorRequest) (*emptypb.Empty, error)
}

BinauthzManagementServiceV1Server is the server API for the BinauthzManagementServiceV1 service. All implementations should embed UnimplementedBinauthzManagementServiceV1Server for forward compatibility.

CreateAttestorRequest

// CreateAttestorRequest is the request message for
// BinauthzManagementServiceV1.CreateAttestor. The resource name of the new
// attestor is assigned by the service from Parent and AttestorId; any
// Attestor.Name supplied by the caller is overwritten.
type CreateAttestorRequest struct {

	// Required. The parent of this [attestor][google.cloud.binaryauthorization.v1.Attestor].
	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
	// Required. The [attestors][google.cloud.binaryauthorization.v1.Attestor] ID.
	AttestorId string `protobuf:"bytes,2,opt,name=attestor_id,json=attestorId,proto3" json:"attestor_id,omitempty"`
	// Required. The initial [attestor][google.cloud.binaryauthorization.v1.Attestor] value. The service will
	// overwrite the [attestor name][google.cloud.binaryauthorization.v1.Attestor.name] field with the resource name,
	// in the format `projects/*/attestors/*`.
	Attestor *Attestor `protobuf:"bytes,3,opt,name=attestor,proto3" json:"attestor,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.CreateAttestor][].

func (*CreateAttestorRequest) Descriptor

func (*CreateAttestorRequest) Descriptor() ([]byte, []int)

Deprecated: Use CreateAttestorRequest.ProtoReflect.Descriptor instead.

func (*CreateAttestorRequest) GetAttestor

func (x *CreateAttestorRequest) GetAttestor() *Attestor

func (*CreateAttestorRequest) GetAttestorId

func (x *CreateAttestorRequest) GetAttestorId() string

func (*CreateAttestorRequest) GetParent

func (x *CreateAttestorRequest) GetParent() string

func (*CreateAttestorRequest) ProtoMessage

func (*CreateAttestorRequest) ProtoMessage()

func (*CreateAttestorRequest) ProtoReflect

func (x *CreateAttestorRequest) ProtoReflect() protoreflect.Message

func (*CreateAttestorRequest) Reset

func (x *CreateAttestorRequest) Reset()

func (*CreateAttestorRequest) String

func (x *CreateAttestorRequest) String() string

DeleteAttestorRequest

// DeleteAttestorRequest is the request message for
// BinauthzManagementServiceV1.DeleteAttestor, which returns NOT_FOUND when
// the named attestor does not exist.
type DeleteAttestorRequest struct {

	// Required. The name of the [attestors][google.cloud.binaryauthorization.v1.Attestor] to delete, in the format
	// `projects/*/attestors/*`.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.DeleteAttestor][].

func (*DeleteAttestorRequest) Descriptor

func (*DeleteAttestorRequest) Descriptor() ([]byte, []int)

Deprecated: Use DeleteAttestorRequest.ProtoReflect.Descriptor instead.

func (*DeleteAttestorRequest) GetName

func (x *DeleteAttestorRequest) GetName() string

func (*DeleteAttestorRequest) ProtoMessage

func (*DeleteAttestorRequest) ProtoMessage()

func (*DeleteAttestorRequest) ProtoReflect

func (x *DeleteAttestorRequest) ProtoReflect() protoreflect.Message

func (*DeleteAttestorRequest) Reset

func (x *DeleteAttestorRequest) Reset()

func (*DeleteAttestorRequest) String

func (x *DeleteAttestorRequest) String() string

GetAttestorRequest

// GetAttestorRequest is the request message for
// BinauthzManagementServiceV1.GetAttestor, which returns NOT_FOUND when the
// named attestor does not exist.
type GetAttestorRequest struct {

	// Required. The name of the [attestor][google.cloud.binaryauthorization.v1.Attestor] to retrieve, in the format
	// `projects/*/attestors/*`.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.GetAttestor][].

func (*GetAttestorRequest) Descriptor

func (*GetAttestorRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetAttestorRequest.ProtoReflect.Descriptor instead.

func (*GetAttestorRequest) GetName

func (x *GetAttestorRequest) GetName() string

func (*GetAttestorRequest) ProtoMessage

func (*GetAttestorRequest) ProtoMessage()

func (*GetAttestorRequest) ProtoReflect

func (x *GetAttestorRequest) ProtoReflect() protoreflect.Message

func (*GetAttestorRequest) Reset

func (x *GetAttestorRequest) Reset()

func (*GetAttestorRequest) String

func (x *GetAttestorRequest) String() string

GetPolicyRequest

// GetPolicyRequest is the request message for
// BinauthzManagementServiceV1.GetPolicy. Note that GetPolicy returns a
// default policy, not an error, when the project has none.
type GetPolicyRequest struct {

	// Required. The resource name of the [policy][google.cloud.binaryauthorization.v1.Policy] to retrieve,
	// in the format `projects/*/policy`.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.GetPolicy][].

func (*GetPolicyRequest) Descriptor

func (*GetPolicyRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetPolicyRequest.ProtoReflect.Descriptor instead.

func (*GetPolicyRequest) GetName

func (x *GetPolicyRequest) GetName() string

func (*GetPolicyRequest) ProtoMessage

func (*GetPolicyRequest) ProtoMessage()

func (*GetPolicyRequest) ProtoReflect

func (x *GetPolicyRequest) ProtoReflect() protoreflect.Message

func (*GetPolicyRequest) Reset

func (x *GetPolicyRequest) Reset()

func (*GetPolicyRequest) String

func (x *GetPolicyRequest) String() string

GetSystemPolicyRequest

// GetSystemPolicyRequest is the request to read the current system policy
// (presumably the input of the SystemPolicyV1 GetSystemPolicy RPC registered
// in SystemPolicyV1_ServiceDesc; the SystemPolicyV1 client/server interfaces
// are not shown here). Unlike GetPolicyRequest, the name is location-scoped
// rather than project-scoped.
type GetSystemPolicyRequest struct {

	// Required. The resource name, in the format `locations/*/policy`.
	// Note that the system policy is not associated with a project.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// contains filtered or unexported fields
}

Request to read the current system policy.

func (*GetSystemPolicyRequest) Descriptor

func (*GetSystemPolicyRequest) Descriptor() ([]byte, []int)

Deprecated: Use GetSystemPolicyRequest.ProtoReflect.Descriptor instead.

func (*GetSystemPolicyRequest) GetName

func (x *GetSystemPolicyRequest) GetName() string

func (*GetSystemPolicyRequest) ProtoMessage

func (*GetSystemPolicyRequest) ProtoMessage()

func (*GetSystemPolicyRequest) ProtoReflect

func (x *GetSystemPolicyRequest) ProtoReflect() protoreflect.Message

func (*GetSystemPolicyRequest) Reset

func (x *GetSystemPolicyRequest) Reset()

func (*GetSystemPolicyRequest) String

func (x *GetSystemPolicyRequest) String() string

ListAttestorsRequest

// ListAttestorsRequest is the request message for
// BinauthzManagementService.ListAttestors. Results are paginated: PageSize
// bounds one page and PageToken continues from a previous response's
// NextPageToken.
type ListAttestorsRequest struct {

	// Required. The resource name of the project associated with the
	// [attestors][google.cloud.binaryauthorization.v1.Attestor], in the format `projects/*`.
	Parent string `protobuf:"bytes,1,opt,name=parent,proto3" json:"parent,omitempty"`
	// Requested page size. The server may return fewer results than requested. If
	// unspecified, the server will pick an appropriate default.
	PageSize int32 `protobuf:"varint,2,opt,name=page_size,json=pageSize,proto3" json:"page_size,omitempty"`
	// A token identifying a page of results the server should return. Typically,
	// this is the value of [ListAttestorsResponse.next_page_token][google.cloud.binaryauthorization.v1.ListAttestorsResponse.next_page_token] returned
	// from the previous call to the `ListAttestors` method.
	PageToken string `protobuf:"bytes,3,opt,name=page_token,json=pageToken,proto3" json:"page_token,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.ListAttestors][].

func (*ListAttestorsRequest) Descriptor

func (*ListAttestorsRequest) Descriptor() ([]byte, []int)

Deprecated: Use ListAttestorsRequest.ProtoReflect.Descriptor instead.

func (*ListAttestorsRequest) GetPageSize

func (x *ListAttestorsRequest) GetPageSize() int32

func (*ListAttestorsRequest) GetPageToken

func (x *ListAttestorsRequest) GetPageToken() string

func (*ListAttestorsRequest) GetParent

func (x *ListAttestorsRequest) GetParent() string

func (*ListAttestorsRequest) ProtoMessage

func (*ListAttestorsRequest) ProtoMessage()

func (*ListAttestorsRequest) ProtoReflect

func (x *ListAttestorsRequest) ProtoReflect() protoreflect.Message

func (*ListAttestorsRequest) Reset

func (x *ListAttestorsRequest) Reset()

func (*ListAttestorsRequest) String

func (x *ListAttestorsRequest) String() string

ListAttestorsResponse

// ListAttestorsResponse is the response message for
// BinauthzManagementService.ListAttestors: one page of attestors plus the
// token for the next page.
type ListAttestorsResponse struct {

	// The list of [attestors][google.cloud.binaryauthorization.v1.Attestor].
	Attestors []*Attestor `protobuf:"bytes,1,rep,name=attestors,proto3" json:"attestors,omitempty"`
	// A token to retrieve the next page of results. Pass this value in the
	// [ListAttestorsRequest.page_token][google.cloud.binaryauthorization.v1.ListAttestorsRequest.page_token] field in the subsequent call to the
	// `ListAttestors` method to retrieve the next page of results.
	NextPageToken string `protobuf:"bytes,2,opt,name=next_page_token,json=nextPageToken,proto3" json:"next_page_token,omitempty"`
	// contains filtered or unexported fields
}

Response message for [BinauthzManagementService.ListAttestors][].

func (*ListAttestorsResponse) Descriptor

func (*ListAttestorsResponse) Descriptor() ([]byte, []int)

Deprecated: Use ListAttestorsResponse.ProtoReflect.Descriptor instead.

func (*ListAttestorsResponse) GetAttestors

func (x *ListAttestorsResponse) GetAttestors() []*Attestor

func (*ListAttestorsResponse) GetNextPageToken

func (x *ListAttestorsResponse) GetNextPageToken() string

func (*ListAttestorsResponse) ProtoMessage

func (*ListAttestorsResponse) ProtoMessage()

func (*ListAttestorsResponse) ProtoReflect

func (x *ListAttestorsResponse) ProtoReflect() protoreflect.Message

func (*ListAttestorsResponse) Reset

func (x *ListAttestorsResponse) Reset()

func (*ListAttestorsResponse) String

func (x *ListAttestorsResponse) String() string

PkixPublicKey

// PkixPublicKey is a public key in the PKIX format (RFC 5280 section
// 4.1.2.7), textually encoded as PEM. The key material and the signature
// algorithm travel together so a verifier knows how to use the key.
type PkixPublicKey struct {

	// A PEM-encoded public key, as described in
	// https://tools.ietf.org/html/rfc7468#section-13
	PublicKeyPem string `protobuf:"bytes,1,opt,name=public_key_pem,json=publicKeyPem,proto3" json:"public_key_pem,omitempty"`
	// The signature algorithm used to verify a message against a signature using
	// this key.
	// This signature algorithm must match the structure and any object
	// identifiers encoded in `public_key_pem` (i.e. this algorithm must match
	// that of the public key).
	// NOTE(review): the consistency check between this field and the key in
	// PublicKeyPem is not visible in this package; presumably enforced
	// server-side — confirm before relying on it.
	SignatureAlgorithm PkixPublicKey_SignatureAlgorithm `protobuf:"varint,2,opt,name=signature_algorithm,json=signatureAlgorithm,proto3,enum=google.cloud.binaryauthorization.v1.PkixPublicKey_SignatureAlgorithm" json:"signature_algorithm,omitempty"`
	// contains filtered or unexported fields
}

A public key in the PkixPublicKey format (see https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details). Public keys of this type are typically textually encoded using the PEM format.

func (*PkixPublicKey) Descriptor

func (*PkixPublicKey) Descriptor() ([]byte, []int)

Deprecated: Use PkixPublicKey.ProtoReflect.Descriptor instead.

func (*PkixPublicKey) GetPublicKeyPem

func (x *PkixPublicKey) GetPublicKeyPem() string

func (*PkixPublicKey) GetSignatureAlgorithm

func (x *PkixPublicKey) GetSignatureAlgorithm() PkixPublicKey_SignatureAlgorithm

func (*PkixPublicKey) ProtoMessage

func (*PkixPublicKey) ProtoMessage()

func (*PkixPublicKey) ProtoReflect

func (x *PkixPublicKey) ProtoReflect() protoreflect.Message

func (*PkixPublicKey) Reset

func (x *PkixPublicKey) Reset()

func (*PkixPublicKey) String

func (x *PkixPublicKey) String() string

PkixPublicKey_SignatureAlgorithm

// PkixPublicKey_SignatureAlgorithm identifies the signature algorithm (key
// type, key size and digest) used to verify signatures with a PkixPublicKey.
type PkixPublicKey_SignatureAlgorithm int32

Represents a signature algorithm and other information necessary to verify signatures with a given public key. This is based primarily on the public key types supported by Tink's PemKeyType, which is in turn based on KMS's supported signing algorithms. See https://cloud.google.com/kms/docs/algorithms. In the future, BinAuthz might support additional public key types independently of Tink and/or KMS.

PkixPublicKey_SIGNATURE_ALGORITHM_UNSPECIFIED, PkixPublicKey_RSA_PSS_2048_SHA256, PkixPublicKey_RSA_PSS_3072_SHA256, PkixPublicKey_RSA_PSS_4096_SHA256, PkixPublicKey_RSA_PSS_4096_SHA512, PkixPublicKey_RSA_SIGN_PKCS1_2048_SHA256, PkixPublicKey_RSA_SIGN_PKCS1_3072_SHA256, PkixPublicKey_RSA_SIGN_PKCS1_4096_SHA256, PkixPublicKey_RSA_SIGN_PKCS1_4096_SHA512, PkixPublicKey_ECDSA_P256_SHA256, PkixPublicKey_EC_SIGN_P256_SHA256, PkixPublicKey_ECDSA_P384_SHA384, PkixPublicKey_EC_SIGN_P384_SHA384, PkixPublicKey_ECDSA_P521_SHA512, PkixPublicKey_EC_SIGN_P521_SHA512

// Values of PkixPublicKey_SignatureAlgorithm. The ECDSA_* and EC_SIGN_*
// names below come in pairs that share one numeric value (9, 10 and 11), so
// each pair is a single enum value under two names.
const (
	// Not specified.
	PkixPublicKey_SIGNATURE_ALGORITHM_UNSPECIFIED PkixPublicKey_SignatureAlgorithm = 0
	// RSASSA-PSS 2048 bit key with a SHA256 digest.
	PkixPublicKey_RSA_PSS_2048_SHA256 PkixPublicKey_SignatureAlgorithm = 1
	// RSASSA-PSS 3072 bit key with a SHA256 digest.
	PkixPublicKey_RSA_PSS_3072_SHA256 PkixPublicKey_SignatureAlgorithm = 2
	// RSASSA-PSS 4096 bit key with a SHA256 digest.
	PkixPublicKey_RSA_PSS_4096_SHA256 PkixPublicKey_SignatureAlgorithm = 3
	// RSASSA-PSS 4096 bit key with a SHA512 digest.
	PkixPublicKey_RSA_PSS_4096_SHA512 PkixPublicKey_SignatureAlgorithm = 4
	// RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
	PkixPublicKey_RSA_SIGN_PKCS1_2048_SHA256 PkixPublicKey_SignatureAlgorithm = 5
	// RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
	PkixPublicKey_RSA_SIGN_PKCS1_3072_SHA256 PkixPublicKey_SignatureAlgorithm = 6
	// RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
	PkixPublicKey_RSA_SIGN_PKCS1_4096_SHA256 PkixPublicKey_SignatureAlgorithm = 7
	// RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
	PkixPublicKey_RSA_SIGN_PKCS1_4096_SHA512 PkixPublicKey_SignatureAlgorithm = 8
	// ECDSA on the NIST P-256 curve with a SHA256 digest.
	PkixPublicKey_ECDSA_P256_SHA256 PkixPublicKey_SignatureAlgorithm = 9
	// ECDSA on the NIST P-256 curve with a SHA256 digest.
	// Alias of PkixPublicKey_ECDSA_P256_SHA256 (same value, 9).
	PkixPublicKey_EC_SIGN_P256_SHA256 PkixPublicKey_SignatureAlgorithm = 9
	// ECDSA on the NIST P-384 curve with a SHA384 digest.
	PkixPublicKey_ECDSA_P384_SHA384 PkixPublicKey_SignatureAlgorithm = 10
	// ECDSA on the NIST P-384 curve with a SHA384 digest.
	// Alias of PkixPublicKey_ECDSA_P384_SHA384 (same value, 10).
	PkixPublicKey_EC_SIGN_P384_SHA384 PkixPublicKey_SignatureAlgorithm = 10
	// ECDSA on the NIST P-521 curve with a SHA512 digest.
	PkixPublicKey_ECDSA_P521_SHA512 PkixPublicKey_SignatureAlgorithm = 11
	// ECDSA on the NIST P-521 curve with a SHA512 digest.
	// Alias of PkixPublicKey_ECDSA_P521_SHA512 (same value, 11).
	PkixPublicKey_EC_SIGN_P521_SHA512 PkixPublicKey_SignatureAlgorithm = 11
)

func (PkixPublicKey_SignatureAlgorithm) Descriptor

func (PkixPublicKey_SignatureAlgorithm) Enum

func (PkixPublicKey_SignatureAlgorithm) EnumDescriptor

func (PkixPublicKey_SignatureAlgorithm) EnumDescriptor() ([]byte, []int)

Deprecated: Use PkixPublicKey_SignatureAlgorithm.Descriptor instead.

func (PkixPublicKey_SignatureAlgorithm) Number

func (PkixPublicKey_SignatureAlgorithm) String

func (PkixPublicKey_SignatureAlgorithm) Type

Policy

type Policy struct {

	// Output only. The resource name, in the format `projects/*/policy`. There is
	// at most one policy per project.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Optional. A descriptive comment.
	Description string `protobuf:"bytes,6,opt,name=description,proto3" json:"description,omitempty"`
	// Optional. Controls the evaluation of a Google-maintained global admission
	// policy for common system-level images. Images not covered by the global
	// policy will be subject to the project admission policy. This setting
	// has no effect when specified inside a global admission policy.
	GlobalPolicyEvaluationMode Policy_GlobalPolicyEvaluationMode `protobuf:"varint,7,opt,name=global_policy_evaluation_mode,json=globalPolicyEvaluationMode,proto3,enum=google.cloud.binaryauthorization.v1.Policy_GlobalPolicyEvaluationMode" json:"global_policy_evaluation_mode,omitempty"`
	// Optional. Admission policy allowlisting. A matching admission request will
	// always be permitted. This feature is typically used to exclude Google or
	// third-party infrastructure images from Binary Authorization policies.
	AdmissionWhitelistPatterns []*AdmissionWhitelistPattern `protobuf:"bytes,2,rep,name=admission_whitelist_patterns,json=admissionWhitelistPatterns,proto3" json:"admission_whitelist_patterns,omitempty"`
	// Optional. Per-cluster admission rules. Cluster spec format:
	// `location.clusterId`. There can be at most one admission rule per cluster
	// spec.
	// A `location` is either a compute zone (e.g. us-central1-a) or a region
	// (e.g. us-central1).
	// For `clusterId` syntax restrictions see
	// https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
	ClusterAdmissionRules map[string]*AdmissionRule `protobuf:"bytes,3,rep,name=cluster_admission_rules,json=clusterAdmissionRules,proto3" json:"cluster_admission_rules,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	// Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format:
	// [a-z.-]+, e.g. 'some-namespace'
	KubernetesNamespaceAdmissionRules map[string]*AdmissionRule `protobuf:"bytes,10,rep,name=kubernetes_namespace_admission_rules,json=kubernetesNamespaceAdmissionRules,proto3" json:"kubernetes_namespace_admission_rules,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	// Optional. Per-kubernetes-service-account admission rules. Service account
	// spec format: `namespace:serviceaccount`. e.g. 'test-ns:default'
	KubernetesServiceAccountAdmissionRules map[string]*AdmissionRule `protobuf:"bytes,8,rep,name=kubernetes_service_account_admission_rules,json=kubernetesServiceAccountAdmissionRules,proto3" json:"kubernetes_service_account_admission_rules,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
	// Optional. Per-istio-service-identity admission rules. Istio service
	// identity spec format:
	// spiffe://

A [policy][google.cloud.binaryauthorization.v1.Policy] for container image binary authorization.

func (*Policy) Descriptor

func (*Policy) Descriptor() ([]byte, []int)

Deprecated: Use Policy.ProtoReflect.Descriptor instead.

func (*Policy) GetAdmissionWhitelistPatterns

func (x *Policy) GetAdmissionWhitelistPatterns() []*AdmissionWhitelistPattern

func (*Policy) GetClusterAdmissionRules

func (x *Policy) GetClusterAdmissionRules() map[string]*AdmissionRule

func (*Policy) GetDefaultAdmissionRule

func (x *Policy) GetDefaultAdmissionRule() *AdmissionRule

func (*Policy) GetDescription

func (x *Policy) GetDescription() string

func (*Policy) GetGlobalPolicyEvaluationMode

func (x *Policy) GetGlobalPolicyEvaluationMode() Policy_GlobalPolicyEvaluationMode

func (*Policy) GetIstioServiceIdentityAdmissionRules

func (x *Policy) GetIstioServiceIdentityAdmissionRules() map[string]*AdmissionRule

func (*Policy) GetKubernetesNamespaceAdmissionRules

func (x *Policy) GetKubernetesNamespaceAdmissionRules() map[string]*AdmissionRule

func (*Policy) GetKubernetesServiceAccountAdmissionRules

func (x *Policy) GetKubernetesServiceAccountAdmissionRules() map[string]*AdmissionRule

func (*Policy) GetName

func (x *Policy) GetName() string

func (*Policy) GetUpdateTime

func (x *Policy) GetUpdateTime() *timestamppb.Timestamp

func (*Policy) ProtoMessage

func (*Policy) ProtoMessage()

func (*Policy) ProtoReflect

func (x *Policy) ProtoReflect() protoreflect.Message

func (*Policy) Reset

func (x *Policy) Reset()

func (*Policy) String

func (x *Policy) String() string

Policy_GlobalPolicyEvaluationMode

// Policy_GlobalPolicyEvaluationMode controls whether the Google-maintained
// global admission policy for common system-level images is evaluated
// alongside a project policy (see Policy.GlobalPolicyEvaluationMode).
type Policy_GlobalPolicyEvaluationMode int32

Policy_GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED, Policy_ENABLE, Policy_DISABLE

// Values of Policy_GlobalPolicyEvaluationMode. Leaving the mode at its zero
// value behaves like DISABLE, as stated on the UNSPECIFIED constant below,
// so a policy that wants global evaluation must set ENABLE explicitly.
const (
	// Not specified: DISABLE is assumed.
	Policy_GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED Policy_GlobalPolicyEvaluationMode = 0
	// Enables system policy evaluation.
	Policy_ENABLE Policy_GlobalPolicyEvaluationMode = 1
	// Disables system policy evaluation.
	Policy_DISABLE Policy_GlobalPolicyEvaluationMode = 2
)

func (Policy_GlobalPolicyEvaluationMode) Descriptor

func (Policy_GlobalPolicyEvaluationMode) Enum

func (Policy_GlobalPolicyEvaluationMode) EnumDescriptor

func (Policy_GlobalPolicyEvaluationMode) EnumDescriptor() ([]byte, []int)

Deprecated: Use Policy_GlobalPolicyEvaluationMode.Descriptor instead.

func (Policy_GlobalPolicyEvaluationMode) Number

func (Policy_GlobalPolicyEvaluationMode) String

func (Policy_GlobalPolicyEvaluationMode) Type

SystemPolicyV1Client

// SystemPolicyV1Client is the client API for the SystemPolicyV1 service.
// Obtain one with NewSystemPolicyV1Client over a grpc.ClientConnInterface.
type SystemPolicyV1Client interface {
	// Gets the current system policy in the specified location.
	GetSystemPolicy(ctx context.Context, in *GetSystemPolicyRequest, opts ...grpc.CallOption) (*Policy, error)
}

SystemPolicyV1Client is the client API for SystemPolicyV1 service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

func NewSystemPolicyV1Client

func NewSystemPolicyV1Client(cc grpc.ClientConnInterface) SystemPolicyV1Client

SystemPolicyV1Server

// SystemPolicyV1Server is the server API for the SystemPolicyV1 service.
// Implementations should embed UnimplementedSystemPolicyV1Server so that
// methods added to this interface later do not break them.
type SystemPolicyV1Server interface {
	// Gets the current system policy in the specified location.
	GetSystemPolicy(context.Context, *GetSystemPolicyRequest) (*Policy, error)
}

SystemPolicyV1Server is the server API for SystemPolicyV1 service. All implementations should embed UnimplementedSystemPolicyV1Server for forward compatibility.

UnimplementedBinauthzManagementServiceV1Server

// UnimplementedBinauthzManagementServiceV1Server should be embedded by
// BinauthzManagementServiceV1Server implementations to stay forward
// compatible when methods are added to the service.
type UnimplementedBinauthzManagementServiceV1Server struct {
}

UnimplementedBinauthzManagementServiceV1Server should be embedded to have forward compatible implementations.

func (UnimplementedBinauthzManagementServiceV1Server) CreateAttestor

func (UnimplementedBinauthzManagementServiceV1Server) DeleteAttestor

func (UnimplementedBinauthzManagementServiceV1Server) GetAttestor

func (UnimplementedBinauthzManagementServiceV1Server) GetPolicy

func (UnimplementedBinauthzManagementServiceV1Server) ListAttestors

func (UnimplementedBinauthzManagementServiceV1Server) UpdateAttestor

func (UnimplementedBinauthzManagementServiceV1Server) UpdatePolicy

UnimplementedSystemPolicyV1Server

// UnimplementedSystemPolicyV1Server should be embedded by
// SystemPolicyV1Server implementations to stay forward compatible when
// methods are added to the service.
type UnimplementedSystemPolicyV1Server struct {
}

UnimplementedSystemPolicyV1Server should be embedded to have forward compatible implementations.

func (UnimplementedSystemPolicyV1Server) GetSystemPolicy

UnimplementedValidationHelperV1Server

// UnimplementedValidationHelperV1Server should be embedded by
// ValidationHelperV1Server implementations to stay forward compatible when
// methods are added to the service.
type UnimplementedValidationHelperV1Server struct {
}

UnimplementedValidationHelperV1Server should be embedded to have forward compatible implementations.

func (UnimplementedValidationHelperV1Server) ValidateAttestationOccurrence

UnsafeBinauthzManagementServiceV1Server

// UnsafeBinauthzManagementServiceV1Server may be embedded to opt out of
// forward compatibility for this service. Not recommended: methods added to
// BinauthzManagementServiceV1Server will then cause compilation errors.
type UnsafeBinauthzManagementServiceV1Server interface {
	// contains filtered or unexported methods
}

UnsafeBinauthzManagementServiceV1Server may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods later added to BinauthzManagementServiceV1Server will result in compilation errors.

UnsafeSystemPolicyV1Server

// UnsafeSystemPolicyV1Server may be embedded to opt out of forward
// compatibility for this service. Not recommended: methods added to
// SystemPolicyV1Server will then cause compilation errors.
type UnsafeSystemPolicyV1Server interface {
	// contains filtered or unexported methods
}

UnsafeSystemPolicyV1Server may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods later added to SystemPolicyV1Server will result in compilation errors.

UnsafeValidationHelperV1Server

// UnsafeValidationHelperV1Server may be embedded to opt out of forward
// compatibility for this service. Not recommended: methods added to
// ValidationHelperV1Server will then cause compilation errors.
type UnsafeValidationHelperV1Server interface {
	// contains filtered or unexported methods
}

UnsafeValidationHelperV1Server may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods later added to ValidationHelperV1Server will result in compilation errors.

UpdateAttestorRequest

// UpdateAttestorRequest is the request message for
// BinauthzManagementService.UpdateAttestor. The attestor's name field is
// not authoritative here: the service overwrites it with the resource name
// taken from the request URL.
type UpdateAttestorRequest struct {

	// Required. The updated [attestor][google.cloud.binaryauthorization.v1.Attestor] value. The service will
	// overwrite the [attestor name][google.cloud.binaryauthorization.v1.Attestor.name] field with the resource name
	// in the request URL, in the format `projects/*/attestors/*`.
	Attestor *Attestor `protobuf:"bytes,1,opt,name=attestor,proto3" json:"attestor,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.UpdateAttestor][].

func (*UpdateAttestorRequest) Descriptor

func (*UpdateAttestorRequest) Descriptor() ([]byte, []int)

Deprecated: Use UpdateAttestorRequest.ProtoReflect.Descriptor instead.

func (*UpdateAttestorRequest) GetAttestor

func (x *UpdateAttestorRequest) GetAttestor() *Attestor

func (*UpdateAttestorRequest) ProtoMessage

func (*UpdateAttestorRequest) ProtoMessage()

func (*UpdateAttestorRequest) ProtoReflect

func (x *UpdateAttestorRequest) ProtoReflect() protoreflect.Message

func (*UpdateAttestorRequest) Reset

func (x *UpdateAttestorRequest) Reset()

func (*UpdateAttestorRequest) String

func (x *UpdateAttestorRequest) String() string

UpdatePolicyRequest

// UpdatePolicyRequest is the request message for
// BinauthzManagementService.UpdatePolicy. The policy's name field is not
// authoritative here: the service overwrites it with the resource name
// taken from the request URL.
type UpdatePolicyRequest struct {

	// Required. A new or updated [policy][google.cloud.binaryauthorization.v1.Policy] value. The service will
	// overwrite the [policy name][google.cloud.binaryauthorization.v1.Policy.name] field with the resource name in
	// the request URL, in the format `projects/*/policy`.
	Policy *Policy `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"`
	// contains filtered or unexported fields
}

Request message for [BinauthzManagementService.UpdatePolicy][].

func (*UpdatePolicyRequest) Descriptor

func (*UpdatePolicyRequest) Descriptor() ([]byte, []int)

Deprecated: Use UpdatePolicyRequest.ProtoReflect.Descriptor instead.

func (*UpdatePolicyRequest) GetPolicy

func (x *UpdatePolicyRequest) GetPolicy() *Policy

func (*UpdatePolicyRequest) ProtoMessage

func (*UpdatePolicyRequest) ProtoMessage()

func (*UpdatePolicyRequest) ProtoReflect

func (x *UpdatePolicyRequest) ProtoReflect() protoreflect.Message

func (*UpdatePolicyRequest) Reset

func (x *UpdatePolicyRequest) Reset()

func (*UpdatePolicyRequest) String

func (x *UpdatePolicyRequest) String() string

UserOwnedGrafeasNote

// UserOwnedGrafeasNote references a Grafeas Attestation.Authority Note
// created by the user, together with the public keys that verify
// attestations stored as occurrences under that note.
type UserOwnedGrafeasNote struct {

	// Required. The Grafeas resource name of a Attestation.Authority Note,
	// created by the user, in the format: `projects/*/notes/*`. This field may
	// not be updated.
	//
	// An attestation by this attestor is stored as a Grafeas
	// Attestation.Authority Occurrence that names a container image and that
	// links to this Note. Grafeas is an external dependency.
	NoteReference string `protobuf:"bytes,1,opt,name=note_reference,json=noteReference,proto3" json:"note_reference,omitempty"`
	// Optional. Public keys that verify attestations signed by this
	// attestor.  This field may be updated.
	//
	// If this field is non-empty, one of the specified public keys must
	// verify that an attestation was signed by this attestor for the
	// image specified in the admission request.
	//
	// If this field is empty, this attestor always returns that no
	// valid attestations exist. In other words, an attestor with no keys
	// never admits an image; it does not fall back to trusting the note.
	PublicKeys []*AttestorPublicKey `protobuf:"bytes,2,rep,name=public_keys,json=publicKeys,proto3" json:"public_keys,omitempty"`
	// Output only. This field will contain the service account email address
	// that this Attestor will use as the principal when querying Container
	// Analysis. Attestor administrators must grant this service account the
	// IAM role needed to read attestations from the [note_reference][Note] in
	// Container Analysis (`containeranalysis.notes.occurrences.viewer`).
	//
	// This email address is fixed for the lifetime of the Attestor, but callers
	// should not make any other assumptions about the service account email;
	// future versions may use an email based on a different naming pattern.
	DelegationServiceAccountEmail string `protobuf:"bytes,3,opt,name=delegation_service_account_email,json=delegationServiceAccountEmail,proto3" json:"delegation_service_account_email,omitempty"`
	// contains filtered or unexported fields
}

A [user owned Grafeas note][google.cloud.binaryauthorization.v1.UserOwnedGrafeasNote] references a Grafeas Attestation.Authority Note created by the user.

func (*UserOwnedGrafeasNote) Descriptor

func (*UserOwnedGrafeasNote) Descriptor() ([]byte, []int)

Deprecated: Use UserOwnedGrafeasNote.ProtoReflect.Descriptor instead.

func (*UserOwnedGrafeasNote) GetDelegationServiceAccountEmail

func (x *UserOwnedGrafeasNote) GetDelegationServiceAccountEmail() string

func (*UserOwnedGrafeasNote) GetNoteReference

func (x *UserOwnedGrafeasNote) GetNoteReference() string

func (*UserOwnedGrafeasNote) GetPublicKeys

func (x *UserOwnedGrafeasNote) GetPublicKeys() []*AttestorPublicKey

func (*UserOwnedGrafeasNote) ProtoMessage

func (*UserOwnedGrafeasNote) ProtoMessage()

func (*UserOwnedGrafeasNote) ProtoReflect

func (x *UserOwnedGrafeasNote) ProtoReflect() protoreflect.Message

func (*UserOwnedGrafeasNote) Reset

func (x *UserOwnedGrafeasNote) Reset()

func (*UserOwnedGrafeasNote) String

func (x *UserOwnedGrafeasNote) String() string

ValidateAttestationOccurrenceRequest

// ValidateAttestationOccurrenceRequest is the request message for
// ValidationHelperV1.ValidateAttestationOccurrence. It asks whether the
// supplied attestation occurrence, for the named note and artifact URI, can
// be verified by the named attestor.
type ValidateAttestationOccurrenceRequest struct {

	// Required. The resource name of the [Attestor][google.cloud.binaryauthorization.v1.Attestor] of the
	// [occurrence][grafeas.v1.Occurrence], in the format
	// `projects/*/attestors/*`.
	Attestor string `protobuf:"bytes,1,opt,name=attestor,proto3" json:"attestor,omitempty"`
	// Required. An [AttestationOccurrence][grafeas.v1.AttestationOccurrence] to
	// be checked that it can be verified by the Attestor. It does not have to be
	// an existing entity in Container Analysis. It must otherwise be a valid
	// AttestationOccurrence.
	// NOTE(review): `v1` here appears to be the Grafeas v1 package, per the
	// reference above — confirm against the file's imports.
	Attestation *v1.AttestationOccurrence `protobuf:"bytes,2,opt,name=attestation,proto3" json:"attestation,omitempty"`
	// Required. The resource name of the [Note][grafeas.v1.Note] to which the
	// containing [Occurrence][grafeas.v1.Occurrence] is associated.
	OccurrenceNote string `protobuf:"bytes,3,opt,name=occurrence_note,json=occurrenceNote,proto3" json:"occurrence_note,omitempty"`
	// Required. The URI of the artifact (e.g. container image) that is the
	// subject of the containing [Occurrence][grafeas.v1.Occurrence].
	OccurrenceResourceUri string `protobuf:"bytes,4,opt,name=occurrence_resource_uri,json=occurrenceResourceUri,proto3" json:"occurrence_resource_uri,omitempty"`
	// contains filtered or unexported fields
}

Request message for [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence].

func (*ValidateAttestationOccurrenceRequest) Descriptor

func (*ValidateAttestationOccurrenceRequest) Descriptor() ([]byte, []int)

Deprecated: Use ValidateAttestationOccurrenceRequest.ProtoReflect.Descriptor instead.

func (*ValidateAttestationOccurrenceRequest) GetAttestation

func (*ValidateAttestationOccurrenceRequest) GetAttestor

func (*ValidateAttestationOccurrenceRequest) GetOccurrenceNote

func (x *ValidateAttestationOccurrenceRequest) GetOccurrenceNote() string

func (*ValidateAttestationOccurrenceRequest) GetOccurrenceResourceUri

func (x *ValidateAttestationOccurrenceRequest) GetOccurrenceResourceUri() string

func (*ValidateAttestationOccurrenceRequest) ProtoMessage

func (*ValidateAttestationOccurrenceRequest) ProtoMessage()

func (*ValidateAttestationOccurrenceRequest) ProtoReflect

func (*ValidateAttestationOccurrenceRequest) Reset

func (*ValidateAttestationOccurrenceRequest) String

ValidateAttestationOccurrenceResponse

// ValidateAttestationOccurrenceResponse is the response message for
// ValidationHelperV1.ValidateAttestationOccurrence: the verification
// outcome and, when validation failed, a human-readable reason.
type ValidateAttestationOccurrenceResponse struct {

	// The result of the Attestation validation.
	Result ValidateAttestationOccurrenceResponse_Result `protobuf:"varint,1,opt,name=result,proto3,enum=google.cloud.binaryauthorization.v1.ValidateAttestationOccurrenceResponse_Result" json:"result,omitempty"`
	// The reason for denial if the Attestation couldn't be validated.
	DenialReason string `protobuf:"bytes,2,opt,name=denial_reason,json=denialReason,proto3" json:"denial_reason,omitempty"`
	// contains filtered or unexported fields
}

Response message for [ValidationHelperV1.ValidateAttestationOccurrence][google.cloud.binaryauthorization.v1.ValidationHelperV1.ValidateAttestationOccurrence].

func (*ValidateAttestationOccurrenceResponse) Descriptor

func (*ValidateAttestationOccurrenceResponse) Descriptor() ([]byte, []int)

Deprecated: Use ValidateAttestationOccurrenceResponse.ProtoReflect.Descriptor instead.

func (*ValidateAttestationOccurrenceResponse) GetDenialReason

func (x *ValidateAttestationOccurrenceResponse) GetDenialReason() string

func (*ValidateAttestationOccurrenceResponse) GetResult

func (*ValidateAttestationOccurrenceResponse) ProtoMessage

func (*ValidateAttestationOccurrenceResponse) ProtoMessage()

func (*ValidateAttestationOccurrenceResponse) ProtoReflect

func (*ValidateAttestationOccurrenceResponse) Reset

func (*ValidateAttestationOccurrenceResponse) String

ValidateAttestationOccurrenceResponse_Result

// ValidateAttestationOccurrenceResponse_Result is the enum returned in the
// "result" field of ValidateAttestationOccurrenceResponse.
type ValidateAttestationOccurrenceResponse_Result int32

The enum returned in the "result" field.

ValidateAttestationOccurrenceResponse_RESULT_UNSPECIFIED, ValidateAttestationOccurrenceResponse_VERIFIED, ValidateAttestationOccurrenceResponse_ATTESTATION_NOT_VERIFIABLE

// Values of ValidateAttestationOccurrenceResponse_Result. Only VERIFIED
// denotes a successful check; the zero value carries no verification
// outcome and should not be read as success.
const (
	// Unspecified.
	ValidateAttestationOccurrenceResponse_RESULT_UNSPECIFIED ValidateAttestationOccurrenceResponse_Result = 0
	// The Attestation was able to be verified by the Attestor.
	ValidateAttestationOccurrenceResponse_VERIFIED ValidateAttestationOccurrenceResponse_Result = 1
	// The Attestation was not able to be verified by the Attestor.
	ValidateAttestationOccurrenceResponse_ATTESTATION_NOT_VERIFIABLE ValidateAttestationOccurrenceResponse_Result = 2
)

func (ValidateAttestationOccurrenceResponse_Result) Descriptor

func (ValidateAttestationOccurrenceResponse_Result) Enum

func (ValidateAttestationOccurrenceResponse_Result) EnumDescriptor

func (ValidateAttestationOccurrenceResponse_Result) EnumDescriptor() ([]byte, []int)

Deprecated: Use ValidateAttestationOccurrenceResponse_Result.Descriptor instead.

func (ValidateAttestationOccurrenceResponse_Result) Number

func (ValidateAttestationOccurrenceResponse_Result) String

func (ValidateAttestationOccurrenceResponse_Result) Type

ValidationHelperV1Client

// ValidationHelperV1Client is the client API for the ValidationHelperV1
// service. Obtain one with NewValidationHelperV1Client over a
// grpc.ClientConnInterface.
type ValidationHelperV1Client interface {
	// Returns whether the given Attestation for the given image URI
	// was signed by the given Attestor.
	ValidateAttestationOccurrence(ctx context.Context, in *ValidateAttestationOccurrenceRequest, opts ...grpc.CallOption) (*ValidateAttestationOccurrenceResponse, error)
}

ValidationHelperV1Client is the client API for ValidationHelperV1 service.

For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.

func NewValidationHelperV1Client

func NewValidationHelperV1Client(cc grpc.ClientConnInterface) ValidationHelperV1Client

ValidationHelperV1Server

// ValidationHelperV1Server is the server API for the ValidationHelperV1
// service. Implementations should embed UnimplementedValidationHelperV1Server
// so that methods added to this interface later do not break them.
type ValidationHelperV1Server interface {
	// Returns whether the given Attestation for the given image URI
	// was signed by the given Attestor.
	ValidateAttestationOccurrence(context.Context, *ValidateAttestationOccurrenceRequest) (*ValidateAttestationOccurrenceResponse, error)
}

ValidationHelperV1Server is the server API for ValidationHelperV1 service. All implementations should embed UnimplementedValidationHelperV1Server for forward compatibility.