Google Cloud Native is in preview. Google Cloud Classic is fully supported.
google-native.binaryauthorization/v1.Policy
Creates a platform policy, and returns a copy of it. Returns NOT_FOUND if the project or platform doesn't exist, INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the policy already exists, and INVALID_ARGUMENT if the policy contains a platform-specific policy that does not match the platform value specified in the URL.
Auto-naming is currently not supported for this resource.
Create Policy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
@overload
def Policy(resource_name: str,
           args: PolicyArgs,
           opts: Optional[ResourceOptions] = None)
@overload
def Policy(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           platform_id: Optional[str] = None,
           policy_id: Optional[str] = None,
           description: Optional[str] = None,
           gke_policy: Optional[GkePolicyArgs] = None,
           project: Optional[str] = None)
func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
public Policy(String name, PolicyArgs args)
public Policy(String name, PolicyArgs args, CustomResourceOptions options)
type: google-native:binaryauthorization/v1:Policy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var policyResource = new GoogleNative.BinaryAuthorization.V1.Policy("policyResource", new()
{
PlatformId = "string",
PolicyId = "string",
Description = "string",
GkePolicy = new GoogleNative.BinaryAuthorization.V1.Inputs.GkePolicyArgs
{
CheckSets = new[]
{
new GoogleNative.BinaryAuthorization.V1.Inputs.CheckSetArgs
{
Checks = new[]
{
new GoogleNative.BinaryAuthorization.V1.Inputs.CheckArgs
{
AlwaysDeny = false,
DisplayName = "string",
ImageAllowlist = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistArgs
{
AllowPattern = new[]
{
"string",
},
},
ImageFreshnessCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageFreshnessCheckArgs
{
MaxUploadAgeDays = 0,
},
SimpleSigningAttestationCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.SimpleSigningAttestationCheckArgs
{
AttestationAuthenticators = new[]
{
new GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticatorArgs
{
DisplayName = "string",
PkixPublicKeySet = new GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySetArgs
{
PkixPublicKeys = new[]
{
new GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeyArgs
{
KeyId = "string",
PublicKeyPem = "string",
SignatureAlgorithm = GoogleNative.BinaryAuthorization.V1.PkixPublicKeySignatureAlgorithm.SignatureAlgorithmUnspecified,
},
},
},
},
},
ContainerAnalysisAttestationProjects = new[]
{
"string",
},
},
SlsaCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.SlsaCheckArgs
{
Rules = new[]
{
new GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRuleArgs
{
AttestationSource = new GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSourceArgs
{
ContainerAnalysisAttestationProjects = new[]
{
"string",
},
},
ConfigBasedBuildRequired = false,
TrustedBuilder = GoogleNative.BinaryAuthorization.V1.VerificationRuleTrustedBuilder.BuilderUnspecified,
TrustedSourceRepoPatterns = new[]
{
"string",
},
},
},
},
TrustedDirectoryCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.TrustedDirectoryCheckArgs
{
TrustedDirPatterns = new[]
{
"string",
},
},
VulnerabilityCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.VulnerabilityCheckArgs
{
MaximumFixableSeverity = GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumFixableSeverity.MaximumAllowedSeverityUnspecified,
MaximumUnfixableSeverity = GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumUnfixableSeverity.MaximumAllowedSeverityUnspecified,
AllowedCves = new[]
{
"string",
},
BlockedCves = new[]
{
"string",
},
ContainerAnalysisVulnerabilityProjects = new[]
{
"string",
},
},
},
},
DisplayName = "string",
ImageAllowlist = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistArgs
{
AllowPattern = new[]
{
"string",
},
},
Scope = new GoogleNative.BinaryAuthorization.V1.Inputs.ScopeArgs
{
KubernetesNamespace = "string",
KubernetesServiceAccount = "string",
},
},
},
ImageAllowlist = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistArgs
{
AllowPattern = new[]
{
"string",
},
},
},
Project = "string",
});
example, err := binaryauthorization.NewPolicy(ctx, "policyResource", &binaryauthorization.PolicyArgs{
PlatformId: pulumi.String("string"),
PolicyId: pulumi.String("string"),
Description: pulumi.String("string"),
GkePolicy: &binaryauthorization.GkePolicyArgs{
CheckSets: binaryauthorization.CheckSetArray{
&binaryauthorization.CheckSetArgs{
Checks: binaryauthorization.CheckArray{
&binaryauthorization.CheckArgs{
AlwaysDeny: pulumi.Bool(false),
DisplayName: pulumi.String("string"),
ImageAllowlist: &binaryauthorization.ImageAllowlistArgs{
AllowPattern: pulumi.StringArray{
pulumi.String("string"),
},
},
ImageFreshnessCheck: &binaryauthorization.ImageFreshnessCheckArgs{
MaxUploadAgeDays: pulumi.Int(0),
},
SimpleSigningAttestationCheck: &binaryauthorization.SimpleSigningAttestationCheckArgs{
AttestationAuthenticators: binaryauthorization.AttestationAuthenticatorArray{
&binaryauthorization.AttestationAuthenticatorArgs{
DisplayName: pulumi.String("string"),
PkixPublicKeySet: &binaryauthorization.PkixPublicKeySetArgs{
PkixPublicKeys: binaryauthorization.PkixPublicKeyArray{
&binaryauthorization.PkixPublicKeyArgs{
KeyId: pulumi.String("string"),
PublicKeyPem: pulumi.String("string"),
SignatureAlgorithm: binaryauthorization.PkixPublicKeySignatureAlgorithmSignatureAlgorithmUnspecified,
},
},
},
},
},
ContainerAnalysisAttestationProjects: pulumi.StringArray{
pulumi.String("string"),
},
},
SlsaCheck: &binaryauthorization.SlsaCheckArgs{
Rules: binaryauthorization.VerificationRuleArray{
&binaryauthorization.VerificationRuleArgs{
AttestationSource: &binaryauthorization.AttestationSourceArgs{
ContainerAnalysisAttestationProjects: pulumi.StringArray{
pulumi.String("string"),
},
},
ConfigBasedBuildRequired: pulumi.Bool(false),
TrustedBuilder: binaryauthorization.VerificationRuleTrustedBuilderBuilderUnspecified,
TrustedSourceRepoPatterns: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
TrustedDirectoryCheck: &binaryauthorization.TrustedDirectoryCheckArgs{
TrustedDirPatterns: pulumi.StringArray{
pulumi.String("string"),
},
},
VulnerabilityCheck: &binaryauthorization.VulnerabilityCheckArgs{
MaximumFixableSeverity: binaryauthorization.VulnerabilityCheckMaximumFixableSeverityMaximumAllowedSeverityUnspecified,
MaximumUnfixableSeverity: binaryauthorization.VulnerabilityCheckMaximumUnfixableSeverityMaximumAllowedSeverityUnspecified,
AllowedCves: pulumi.StringArray{
pulumi.String("string"),
},
BlockedCves: pulumi.StringArray{
pulumi.String("string"),
},
ContainerAnalysisVulnerabilityProjects: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
DisplayName: pulumi.String("string"),
ImageAllowlist: &binaryauthorization.ImageAllowlistArgs{
AllowPattern: pulumi.StringArray{
pulumi.String("string"),
},
},
Scope: &binaryauthorization.ScopeArgs{
KubernetesNamespace: pulumi.String("string"),
KubernetesServiceAccount: pulumi.String("string"),
},
},
},
ImageAllowlist: &binaryauthorization.ImageAllowlistArgs{
AllowPattern: pulumi.StringArray{
pulumi.String("string"),
},
},
},
Project: pulumi.String("string"),
})
var policyResource = new Policy("policyResource", PolicyArgs.builder()
.platformId("string")
.policyId("string")
.description("string")
.gkePolicy(GkePolicyArgs.builder()
.checkSets(CheckSetArgs.builder()
.checks(CheckArgs.builder()
.alwaysDeny(false)
.displayName("string")
.imageAllowlist(ImageAllowlistArgs.builder()
.allowPattern("string")
.build())
.imageFreshnessCheck(ImageFreshnessCheckArgs.builder()
.maxUploadAgeDays(0)
.build())
.simpleSigningAttestationCheck(SimpleSigningAttestationCheckArgs.builder()
.attestationAuthenticators(AttestationAuthenticatorArgs.builder()
.displayName("string")
.pkixPublicKeySet(PkixPublicKeySetArgs.builder()
.pkixPublicKeys(PkixPublicKeyArgs.builder()
.keyId("string")
.publicKeyPem("string")
.signatureAlgorithm("SIGNATURE_ALGORITHM_UNSPECIFIED")
.build())
.build())
.build())
.containerAnalysisAttestationProjects("string")
.build())
.slsaCheck(SlsaCheckArgs.builder()
.rules(VerificationRuleArgs.builder()
.attestationSource(AttestationSourceArgs.builder()
.containerAnalysisAttestationProjects("string")
.build())
.configBasedBuildRequired(false)
.trustedBuilder("BUILDER_UNSPECIFIED")
.trustedSourceRepoPatterns("string")
.build())
.build())
.trustedDirectoryCheck(TrustedDirectoryCheckArgs.builder()
.trustedDirPatterns("string")
.build())
.vulnerabilityCheck(VulnerabilityCheckArgs.builder()
.maximumFixableSeverity("MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED")
.maximumUnfixableSeverity("MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED")
.allowedCves("string")
.blockedCves("string")
.containerAnalysisVulnerabilityProjects("string")
.build())
.build())
.displayName("string")
.imageAllowlist(ImageAllowlistArgs.builder()
.allowPattern("string")
.build())
.scope(ScopeArgs.builder()
.kubernetesNamespace("string")
.kubernetesServiceAccount("string")
.build())
.build())
.imageAllowlist(ImageAllowlistArgs.builder()
.allowPattern("string")
.build())
.build())
.project("string")
.build());
policy_resource = google_native.binaryauthorization.v1.Policy("policyResource",
platform_id="string",
policy_id="string",
description="string",
gke_policy={
"check_sets": [{
"checks": [{
"always_deny": False,
"display_name": "string",
"image_allowlist": {
"allow_pattern": ["string"],
},
"image_freshness_check": {
"max_upload_age_days": 0,
},
"simple_signing_attestation_check": {
"attestation_authenticators": [{
"display_name": "string",
"pkix_public_key_set": {
"pkix_public_keys": [{
"key_id": "string",
"public_key_pem": "string",
"signature_algorithm": google_native.binaryauthorization.v1.PkixPublicKeySignatureAlgorithm.SIGNATURE_ALGORITHM_UNSPECIFIED,
}],
},
}],
"container_analysis_attestation_projects": ["string"],
},
"slsa_check": {
"rules": [{
"attestation_source": {
"container_analysis_attestation_projects": ["string"],
},
"config_based_build_required": False,
"trusted_builder": google_native.binaryauthorization.v1.VerificationRuleTrustedBuilder.BUILDER_UNSPECIFIED,
"trusted_source_repo_patterns": ["string"],
}],
},
"trusted_directory_check": {
"trusted_dir_patterns": ["string"],
},
"vulnerability_check": {
"maximum_fixable_severity": google_native.binaryauthorization.v1.VulnerabilityCheckMaximumFixableSeverity.MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED,
"maximum_unfixable_severity": google_native.binaryauthorization.v1.VulnerabilityCheckMaximumUnfixableSeverity.MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED,
"allowed_cves": ["string"],
"blocked_cves": ["string"],
"container_analysis_vulnerability_projects": ["string"],
},
}],
"display_name": "string",
"image_allowlist": {
"allow_pattern": ["string"],
},
"scope": {
"kubernetes_namespace": "string",
"kubernetes_service_account": "string",
},
}],
"image_allowlist": {
"allow_pattern": ["string"],
},
},
project="string")
const policyResource = new google_native.binaryauthorization.v1.Policy("policyResource", {
platformId: "string",
policyId: "string",
description: "string",
gkePolicy: {
checkSets: [{
checks: [{
alwaysDeny: false,
displayName: "string",
imageAllowlist: {
allowPattern: ["string"],
},
imageFreshnessCheck: {
maxUploadAgeDays: 0,
},
simpleSigningAttestationCheck: {
attestationAuthenticators: [{
displayName: "string",
pkixPublicKeySet: {
pkixPublicKeys: [{
keyId: "string",
publicKeyPem: "string",
signatureAlgorithm: google_native.binaryauthorization.v1.PkixPublicKeySignatureAlgorithm.SignatureAlgorithmUnspecified,
}],
},
}],
containerAnalysisAttestationProjects: ["string"],
},
slsaCheck: {
rules: [{
attestationSource: {
containerAnalysisAttestationProjects: ["string"],
},
configBasedBuildRequired: false,
trustedBuilder: google_native.binaryauthorization.v1.VerificationRuleTrustedBuilder.BuilderUnspecified,
trustedSourceRepoPatterns: ["string"],
}],
},
trustedDirectoryCheck: {
trustedDirPatterns: ["string"],
},
vulnerabilityCheck: {
maximumFixableSeverity: google_native.binaryauthorization.v1.VulnerabilityCheckMaximumFixableSeverity.MaximumAllowedSeverityUnspecified,
maximumUnfixableSeverity: google_native.binaryauthorization.v1.VulnerabilityCheckMaximumUnfixableSeverity.MaximumAllowedSeverityUnspecified,
allowedCves: ["string"],
blockedCves: ["string"],
containerAnalysisVulnerabilityProjects: ["string"],
},
}],
displayName: "string",
imageAllowlist: {
allowPattern: ["string"],
},
scope: {
kubernetesNamespace: "string",
kubernetesServiceAccount: "string",
},
}],
imageAllowlist: {
allowPattern: ["string"],
},
},
project: "string",
});
type: google-native:binaryauthorization/v1:Policy
properties:
    description: string
    gkePolicy:
        checkSets:
            - checks:
                  - alwaysDeny: false
                    displayName: string
                    imageAllowlist:
                        allowPattern:
                            - string
                    imageFreshnessCheck:
                        maxUploadAgeDays: 0
                    simpleSigningAttestationCheck:
                        attestationAuthenticators:
                            - displayName: string
                              pkixPublicKeySet:
                                  pkixPublicKeys:
                                      - keyId: string
                                        publicKeyPem: string
                                        signatureAlgorithm: SIGNATURE_ALGORITHM_UNSPECIFIED
                        containerAnalysisAttestationProjects:
                            - string
                    slsaCheck:
                        rules:
                            - attestationSource:
                                  containerAnalysisAttestationProjects:
                                      - string
                              configBasedBuildRequired: false
                              trustedBuilder: BUILDER_UNSPECIFIED
                              trustedSourceRepoPatterns:
                                  - string
                    trustedDirectoryCheck:
                        trustedDirPatterns:
                            - string
                    vulnerabilityCheck:
                        allowedCves:
                            - string
                        blockedCves:
                            - string
                        containerAnalysisVulnerabilityProjects:
                            - string
                        maximumFixableSeverity: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED
                        maximumUnfixableSeverity: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED
              displayName: string
              imageAllowlist:
                  allowPattern:
                      - string
              scope:
                  kubernetesNamespace: string
                  kubernetesServiceAccount: string
        imageAllowlist:
            allowPattern:
                - string
    platformId: string
    policyId: string
    project: string
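The reference example above only uses placeholder values. The following is an added example, not code from the Pulumi docs or the provider: it fills in a realistic gke_policy as a Python dictionary literal (the shape the Python SDK accepts) and runs a small model of the evaluation rules the Check and CheckSet descriptions under Supporting Types give (scope must match, an image allowlist exempts an image from a check, always_deny denies the rest). Assumptions not stated on this page: the first CheckSet whose scope matches is used, every check in it must pass, '*' in a pattern does not cross '/', and a pod matched by no CheckSet is allowed (implied by the always_deny description); key ids, PEM, project ids and image names are constructed placeholders.

```python
"""Simplified model of GKE platform-policy evaluation; see the lead-in for assumptions."""
import re
from typing import Optional

# Constructed placeholder, not a real key.
SIGNER_PEM = "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----\n"


def build_gke_policy(deny_unmatched: bool = True) -> dict:
    """gke_policy for Policy(...): signed and scanned images in 'prod', deny elsewhere."""
    check_sets = [{
        "display_name": "prod-signed-and-scanned",
        "scope": {"kubernetes_namespace": "prod"},
        # Exempts only the pause image from every check in this set.
        "image_allowlist": {"allow_pattern": ["gcr.io/google-containers/pause:*"]},
        "checks": [
            {
                "display_name": "require-release-signature",
                "simple_signing_attestation_check": {
                    "attestation_authenticators": [{
                        "display_name": "release-signer",
                        "pkix_public_key_set": {"pkix_public_keys": [{
                            "key_id": "release-key-1",          # constructed
                            "public_key_pem": SIGNER_PEM,        # constructed
                            "signature_algorithm": "ECDSA_P256_SHA256",
                        }]},
                    }],
                    "container_analysis_attestation_projects": ["projects/example-attest"],
                },
            },
            {
                "display_name": "no-fixable-highs",
                "vulnerability_check": {
                    "maximum_fixable_severity": "MEDIUM",
                    "maximum_unfixable_severity": "HIGH",
                    "container_analysis_vulnerability_projects": ["projects/example-scans"],
                },
            },
        ],
    }]
    if deny_unmatched:
        # Catch-all with no scope: matches every namespace not handled above.
        check_sets.append({
            "display_name": "deny-unmatched",
            "checks": [{"display_name": "default-deny", "always_deny": True}],
        })
    return {"check_sets": check_sets}


def _pattern_regex(pattern: str) -> str:
    """Model assumption: '**' matches across '/', '*' stays within one path segment."""
    parts = re.split(r"(\*\*|\*)", pattern)
    return "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p) for p in parts)


def allowlisted(image: str, allowlist: Optional[dict]) -> bool:
    """True if any allow_pattern matches the image reference."""
    patterns = (allowlist or {}).get("allow_pattern", [])
    return any(re.fullmatch(_pattern_regex(p), image) for p in patterns)


def scope_matches(scope: Optional[dict], namespace: str, service_account: str) -> bool:
    """No scope matches everything; each field that is set must equal the pod's value."""
    if not scope:
        return True
    ns, sa = scope.get("kubernetes_namespace"), scope.get("kubernetes_service_account")
    return (ns is None or ns == namespace) and (sa is None or sa == service_account)


def evaluate(gke_policy: dict, image: str, namespace: str, service_account: str,
             verifier_results: dict) -> tuple:
    """Returns (verdict, reason). verifier_results maps a check's display_name to the
    pass/fail outcome the real service would compute; it is a constructed stand-in."""
    if allowlisted(image, gke_policy.get("image_allowlist")):
        return "ALLOW", "policy-level image allowlist"
    for check_set in gke_policy.get("check_sets", []):
        cs_name = check_set.get("display_name", "?")
        if not scope_matches(check_set.get("scope"), namespace, service_account):
            continue  # first CheckSet in scope is used (model assumption)
        if allowlisted(image, check_set.get("image_allowlist")):
            return "ALLOW", f"{cs_name}: image allowlist"
        for check in check_set.get("checks", []):
            name = check.get("display_name", "?")
            if allowlisted(image, check.get("image_allowlist")):
                continue  # exempted: this check is not evaluated for the image
            if check.get("always_deny"):
                return "DENY", f"{name}: always_deny"
            if not verifier_results.get(name, False):
                return "DENY", f"{name}: failed"
        return "ALLOW", f"{cs_name}: all checks passed"
    return "ALLOW", "no CheckSet in scope"  # model assumption (see lead-in)
```

Run with build_gke_policy(deny_unmatched=False) to see why the catch-all always_deny set matters: without it, a pod in a namespace no CheckSet covers is not denied by this model.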
Policy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Policy resource accepts the following input properties:
- PlatformId string
- PolicyId string - Required. The platform policy ID.
- Description string - Optional. A description comment about the policy.
- GkePolicy Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.GkePolicy - Optional. GKE platform-specific policy.
- Project string
- PlatformId string
- PolicyId string - Required. The platform policy ID.
- Description string - Optional. A description comment about the policy.
- GkePolicy GkePolicyArgs - Optional. GKE platform-specific policy.
- Project string
- platformId String
- policyId String - Required. The platform policy ID.
- description String - Optional. A description comment about the policy.
- gkePolicy GkePolicy - Optional. GKE platform-specific policy.
- project String
- platformId string
- policyId string - Required. The platform policy ID.
- description string - Optional. A description comment about the policy.
- gkePolicy GkePolicy - Optional. GKE platform-specific policy.
- project string
- platform_id str
- policy_id str - Required. The platform policy ID.
- description str - Optional. A description comment about the policy.
- gke_policy GkePolicyArgs - Optional. GKE platform-specific policy.
- project str
- platformId String
- policyId String - Required. The platform policy ID.
- description String - Optional. A description comment about the policy.
- gkePolicy Property Map - Optional. GKE platform-specific policy.
- project String
Outputs
All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:
- Id string - The provider-assigned unique ID for this managed resource.
- Name string - The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
- UpdateTime string - Time when the policy was last updated.
- Id string - The provider-assigned unique ID for this managed resource.
- Name string - The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
- UpdateTime string - Time when the policy was last updated.
- id String - The provider-assigned unique ID for this managed resource.
- name String - The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
- updateTime String - Time when the policy was last updated.
- id string - The provider-assigned unique ID for this managed resource.
- name string - The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
- updateTime string - Time when the policy was last updated.
- id str - The provider-assigned unique ID for this managed resource.
- name str - The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
- update_time str - Time when the policy was last updated.
- id String - The provider-assigned unique ID for this managed resource.
- name String - The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
- updateTime String - Time when the policy was last updated.
Supporting Types
AttestationAuthenticator, AttestationAuthenticatorArgs
- DisplayName string - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- PkixPublicKeySet Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySet - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- DisplayName string - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- PkixPublicKeySet PkixPublicKeySet - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- displayName String - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- pkixPublicKeySet PkixPublicKeySet - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- displayName string - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- pkixPublicKeySet PkixPublicKeySet - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- display_name str - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- pkix_public_key_set PkixPublicKeySet - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- displayName String - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- pkixPublicKeySet Property Map - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
AttestationAuthenticatorResponse, AttestationAuthenticatorResponseArgs
- DisplayName string - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- PkixPublicKeySet Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySetResponse - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- DisplayName string - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- PkixPublicKeySet PkixPublicKeySetResponse - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- displayName String - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- pkixPublicKeySet PkixPublicKeySetResponse - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- displayName string - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- pkixPublicKeySet PkixPublicKeySetResponse - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- display_name str - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- pkix_public_key_set PkixPublicKeySetResponse - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
- displayName String - Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- pkixPublicKeySet Property Map - Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
AttestationSource, AttestationSourceArgs
- ContainerAnalysisAttestationProjects List<string> - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- ContainerAnalysisAttestationProjects []string - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- containerAnalysisAttestationProjects List<String> - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- containerAnalysisAttestationProjects string[] - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- container_analysis_attestation_projects Sequence[str] - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- containerAnalysisAttestationProjects List<String> - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
AttestationSourceResponse, AttestationSourceResponseArgs
- ContainerAnalysisAttestationProjects List<string> - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- ContainerAnalysisAttestationProjects []string - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- containerAnalysisAttestationProjects List<String> - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- containerAnalysisAttestationProjects string[] - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- container_analysis_attestation_projects Sequence[str] - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
- containerAnalysisAttestationProjects List<String> - The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
Check, CheckArgs
- Always
Deny bool - Optional. A special-case check that always denies. Note that this still only applies when the scope of the
CheckSet
applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny". - Display
Name string - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- Image
Allowlist Pulumi.Google Native. Binary Authorization. V1. Inputs. Image Allowlist - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- Image
Freshness Pulumi.Check Google Native. Binary Authorization. V1. Inputs. Image Freshness Check - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- Simple
Signing Pulumi.Attestation Check Google Native. Binary Authorization. V1. Inputs. Simple Signing Attestation Check - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- Slsa
Check Pulumi.Google Native. Binary Authorization. V1. Inputs. Slsa Check - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
- Trusted
Directory Pulumi.Check Google Native. Binary Authorization. V1. Inputs. Trusted Directory Check - Optional. Require that an image lives in a trusted directory.
- Vulnerability
Check Pulumi.Google Native. Binary Authorization. V1. Inputs. Vulnerability Check - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- Always
Deny bool - Optional. A special-case check that always denies. Note that this still only applies when the scope of the
CheckSet
applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny". - Display
Name string - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- Image
Allowlist ImageAllowlist - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- Image
Freshness ImageCheck Freshness Check - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- Simple
Signing SimpleAttestation Check Signing Attestation Check - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- Slsa
Check SlsaCheck - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
- Trusted
Directory TrustedCheck Directory Check - Optional. Require that an image lives in a trusted directory.
- Vulnerability
Check VulnerabilityCheck - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- always
Deny Boolean - Optional. A special-case check that always denies. Note that this still only applies when the scope of the
CheckSet
applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny". - display
Name String - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- image
Allowlist ImageAllowlist - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- image
Freshness ImageCheck Freshness Check - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- simple
Signing SimpleAttestation Check Signing Attestation Check - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- slsa
Check SlsaCheck - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
- trusted
Directory TrustedCheck Directory Check - Optional. Require that an image lives in a trusted directory.
- vulnerability
Check VulnerabilityCheck - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- alwaysDeny boolean - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
- displayName string - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist ImageAllowlist - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- imageFreshnessCheck ImageFreshnessCheck - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- simpleSigningAttestationCheck SimpleSigningAttestationCheck - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- slsaCheck SlsaCheck - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
- trustedDirectoryCheck TrustedDirectoryCheck - Optional. Require that an image lives in a trusted directory.
- vulnerabilityCheck VulnerabilityCheck - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- always_deny bool - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
- display_name str - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- image_allowlist ImageAllowlist - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- image_freshness_check ImageFreshnessCheck - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- simple_signing_attestation_check SimpleSigningAttestationCheck - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- slsa_check SlsaCheck - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
- trusted_directory_check TrustedDirectoryCheck - Optional. Require that an image lives in a trusted directory.
- vulnerability_check VulnerabilityCheck - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- alwaysDeny Boolean - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
- displayName String - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist Property Map - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- imageFreshnessCheck Property Map - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- simpleSigningAttestationCheck Property Map - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- slsaCheck Property Map - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
- trustedDirectoryCheck Property Map - Optional. Require that an image lives in a trusted directory.
- vulnerabilityCheck Property Map - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
CheckResponse, CheckResponseArgs
- AlwaysDeny bool - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
- DisplayName string - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- ImageFreshnessCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageFreshnessCheckResponse - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- SimpleSigningAttestationCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SimpleSigningAttestationCheckResponse - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- SlsaCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SlsaCheckResponse - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
- TrustedDirectoryCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.TrustedDirectoryCheckResponse - Optional. Require that an image lives in a trusted directory.
- VulnerabilityCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VulnerabilityCheckResponse - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- AlwaysDeny bool - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
- DisplayName string - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- ImageAllowlist ImageAllowlistResponse - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- ImageFreshnessCheck ImageFreshnessCheckResponse - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- SimpleSigningAttestationCheck SimpleSigningAttestationCheckResponse - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- SlsaCheck SlsaCheckResponse - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
- TrustedDirectoryCheck TrustedDirectoryCheckResponse - Optional. Require that an image lives in a trusted directory.
- VulnerabilityCheck VulnerabilityCheckResponse - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- alwaysDeny Boolean - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
- displayName String - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist ImageAllowlistResponse - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- imageFreshnessCheck ImageFreshnessCheckResponse - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- simpleSigningAttestationCheck SimpleSigningAttestationCheckResponse - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- slsaCheck SlsaCheckResponse - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
- trustedDirectoryCheck TrustedDirectoryCheckResponse - Optional. Require that an image lives in a trusted directory.
- vulnerabilityCheck VulnerabilityCheckResponse - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- alwaysDeny boolean - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
- displayName string - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist ImageAllowlistResponse - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- imageFreshnessCheck ImageFreshnessCheckResponse - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- simpleSigningAttestationCheck SimpleSigningAttestationCheckResponse - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- slsaCheck SlsaCheckResponse - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
- trustedDirectoryCheck TrustedDirectoryCheckResponse - Optional. Require that an image lives in a trusted directory.
- vulnerabilityCheck VulnerabilityCheckResponse - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- always_deny bool - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
- display_name str - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- image_allowlist ImageAllowlistResponse - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- image_freshness_check ImageFreshnessCheckResponse - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- simple_signing_attestation_check SimpleSigningAttestationCheckResponse - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- slsa_check SlsaCheckResponse - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
- trusted_directory_check TrustedDirectoryCheckResponse - Optional. Require that an image lives in a trusted directory.
- vulnerability_check VulnerabilityCheckResponse - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
- alwaysDeny Boolean - Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
- displayName String - Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist Property Map - Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
- imageFreshnessCheck Property Map - Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
- simpleSigningAttestationCheck Property Map - Optional. Require a SimpleSigning-type attestation for every image in the deployment.
- slsaCheck Property Map - Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repository.
- trustedDirectoryCheck Property Map - Optional. Require that an image lives in a trusted directory.
- vulnerabilityCheck Property Map - Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
CheckSet, CheckSetArgs
- Checks List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.Check> - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- DisplayName string - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlist - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- Scope Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.Scope - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- Checks []Check - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- DisplayName string - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- ImageAllowlist ImageAllowlist - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- Scope Scope - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- checks List<Check> - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- displayName String - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist ImageAllowlist - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- scope Scope - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- checks Check[] - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- displayName string - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist ImageAllowlist - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- scope Scope - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- checks Sequence[Check] - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- display_name str - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- image_allowlist ImageAllowlist - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- scope Scope - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- checks List<Property Map> - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- displayName String - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist Property Map - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- scope Property Map - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
CheckSetResponse, CheckSetResponseArgs
- Checks List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckResponse> - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- DisplayName string - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- Scope Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ScopeResponse - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- Checks []CheckResponse - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- DisplayName string - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- ImageAllowlist ImageAllowlistResponse - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- Scope ScopeResponse - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- checks List<CheckResponse> - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- displayName String - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist ImageAllowlistResponse - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- scope ScopeResponse - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- checks CheckResponse[] - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- displayName string - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist ImageAllowlistResponse - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- scope ScopeResponse - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- checks Sequence[CheckResponse] - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- display_name str - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- image_allowlist ImageAllowlistResponse - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- scope ScopeResponse - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
- checks List<Property Map> - Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
- displayName String - Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
- imageAllowlist Property Map - Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
- scope Property Map - Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
GkePolicy, GkePolicyArgs
- CheckSets List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckSet> - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlist - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- CheckSets []CheckSet - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- ImageAllowlist ImageAllowlist - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- checkSets List<CheckSet> - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- imageAllowlist ImageAllowlist - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- checkSets CheckSet[] - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- imageAllowlist ImageAllowlist - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- check_sets Sequence[CheckSet] - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- image_allowlist ImageAllowlist - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- checkSets List<Property Map> - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- imageAllowlist Property Map - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
GkePolicyResponse, GkePolicyResponseArgs
- CheckSets List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckSetResponse> - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- CheckSets []CheckSetResponse - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- ImageAllowlist ImageAllowlistResponse - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- checkSets List<CheckSetResponse> - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- imageAllowlist ImageAllowlistResponse - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- checkSets CheckSetResponse[] - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- imageAllowlist ImageAllowlistResponse - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- check_sets Sequence[CheckSetResponse] - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- image_allowlist ImageAllowlistResponse - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
- checkSets List<Property Map> - Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
- imageAllowlist Property Map - Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
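The check_sets ordering and selection rules above (most specific first, a scopeless catchall last, first match wins) modelled as a small client-side checker. This is an added example, not code from the Pulumi provider or the Binary Authorization service; the Scope field names and the "namespace:serviceaccount" form of a service-account scope are assumptions, since the CheckSet and Scope types are not shown in this section.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Scope:
    """Scope of a CheckSet. Field names are assumed from the Binary
    Authorization Scope type (not shown in this section). A service-account
    scope is assumed to be written "namespace:serviceaccount", which is why
    it always implies the namespace and is the more specific scope."""
    kubernetes_namespace: Optional[str] = None
    kubernetes_service_account: Optional[str] = None

    def specificity(self) -> int:
        # 2 = service account (most specific), 1 = namespace only, 0 = no scope
        if self.kubernetes_service_account:
            return 2
        if self.kubernetes_namespace:
            return 1
        return 0

    def matches(self, namespace: str, service_account: str) -> bool:
        if self.kubernetes_service_account:
            return self.kubernetes_service_account == f"{namespace}:{service_account}"
        if self.kubernetes_namespace:
            return self.kubernetes_namespace == namespace
        return True  # no scope set: the catchall matches every Pod


@dataclass
class CheckSet:
    display_name: str
    scope: Scope = field(default_factory=Scope)


def check_set_ordering_errors(check_sets: List[CheckSet]) -> List[str]:
    """Client-side mirror of the server-side validation described for
    check_sets: entries in decreasing specificity, scopeless catchall last."""
    errors: List[str] = []
    if not check_sets:
        return errors  # empty list means "always allow"; nothing to validate
    for prev, cur in zip(check_sets, check_sets[1:]):
        if cur.scope.specificity() > prev.scope.specificity():
            errors.append(
                f"{cur.display_name!r} is more specific than the preceding "
                f"{prev.display_name!r}; entries must be in decreasing specificity"
            )
    if check_sets[-1].scope.specificity() != 0:
        errors.append(
            f"last entry {check_sets[-1].display_name!r} must have no scope (catchall)"
        )
    return errors


def select_check_set(check_sets: List[CheckSet], namespace: str,
                     service_account: str) -> Optional[CheckSet]:
    """Return the single CheckSet that would be evaluated for a Pod, or None
    when the list is empty (the documented default of allowing all images).
    Because a valid list is ordered most-specific first, the first match is
    also the most specific match, exactly as the docs require."""
    errors = check_set_ordering_errors(check_sets)
    if errors:
        raise ValueError("; ".join(errors))
    for cs in check_sets:
        if cs.scope.matches(namespace, service_account):
            return cs
    return None  # only reached for an empty list; a valid list ends in a catchall


# Constructed sample: service-account scope, then namespace scope, then catchall.
SAMPLE_CHECK_SETS = [
    CheckSet("prod-payments", Scope(kubernetes_service_account="prod:payments-sa")),
    CheckSet("prod-namespace", Scope(kubernetes_namespace="prod")),
    CheckSet("catchall"),
]


if __name__ == "__main__":
    for ns, sa in [("prod", "payments-sa"), ("prod", "web-sa"), ("dev", "payments-sa")]:
        chosen = select_check_set(SAMPLE_CHECK_SETS, ns, sa)
        print(f"{ns}/{sa} -> {chosen.display_name}")
    # Reversing the same entries trips every rule the server would enforce.
    print(check_set_ordering_errors(list(reversed(SAMPLE_CHECK_SETS))))
```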
ImageAllowlist, ImageAllowlistArgs
- AllowPattern List<string> - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- AllowPattern []string - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- allowPattern List<String> - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- allowPattern string[] - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- allow_pattern Sequence[str] - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- allowPattern List<String> - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
ImageAllowlistResponse, ImageAllowlistResponseArgs
- AllowPattern List<string> - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- AllowPattern []string - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- allowPattern List<String> - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- allowPattern string[] - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- allow_pattern Sequence[str] - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
- allowPattern List<String> - A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
ImageFreshnessCheck, ImageFreshnessCheckArgs
- MaxUploadAgeDays int - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- MaxUploadAgeDays int - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- maxUploadAgeDays Integer - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- maxUploadAgeDays number - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- max_upload_age_days int - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- maxUploadAgeDays Number - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
ImageFreshnessCheckResponse, ImageFreshnessCheckResponseArgs
- MaxUploadAgeDays int - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- MaxUploadAgeDays int - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- maxUploadAgeDays Integer - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- maxUploadAgeDays number - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- max_upload_age_days int - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
- maxUploadAgeDays Number - The max number of days that is allowed since the image was uploaded. Must be greater than zero.
PkixPublicKey, PkixPublicKeyArgs
- KeyId string - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- PublicKeyPem string - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- SignatureAlgorithm Pulumi.GoogleNative.BinaryAuthorization.V1.PkixPublicKeySignatureAlgorithm - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- KeyId string - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- PublicKeyPem string - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- SignatureAlgorithm PkixPublicKeySignatureAlgorithm - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- keyId String - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- publicKeyPem String - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- signatureAlgorithm PkixPublicKeySignatureAlgorithm - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- keyId string - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- publicKeyPem string - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- signatureAlgorithm PkixPublicKeySignatureAlgorithm - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- key_id str - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- public_key_pem str - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- signature_algorithm PkixPublicKeySignatureAlgorithm - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- keyId String - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- publicKeyPem String - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- signatureAlgorithm "SIGNATURE_ALGORITHM_UNSPECIFIED" | "RSA_PSS_2048_SHA256" | "RSA_SIGN_PSS_2048_SHA256" | "RSA_PSS_3072_SHA256" | "RSA_SIGN_PSS_3072_SHA256" | "RSA_PSS_4096_SHA256" | "RSA_SIGN_PSS_4096_SHA256" | "RSA_PSS_4096_SHA512" | "RSA_SIGN_PSS_4096_SHA512" | "RSA_SIGN_PKCS1_2048_SHA256" | "RSA_SIGN_PKCS1_3072_SHA256" | "RSA_SIGN_PKCS1_4096_SHA256" | "RSA_SIGN_PKCS1_4096_SHA512" | "ECDSA_P256_SHA256" | "EC_SIGN_P256_SHA256" | "ECDSA_P384_SHA384" | "EC_SIGN_P384_SHA384" | "ECDSA_P521_SHA512" | "EC_SIGN_P521_SHA512" - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
PkixPublicKeyResponse, PkixPublicKeyResponseArgs
- KeyId string - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- PublicKeyPem string - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- SignatureAlgorithm string - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- KeyId string - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- PublicKeyPem string - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- SignatureAlgorithm string - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- keyId String - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- publicKeyPem String - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- signatureAlgorithm String - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- keyId string - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- publicKeyPem string - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- signatureAlgorithm string - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- key_id str - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- public_key_pem str - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- signature_algorithm str - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
- keyId String - Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
- publicKeyPem String - A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
- signatureAlgorithm String - The signature algorithm used to verify a message against a signature using this key. This signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
PkixPublicKeySet, PkixPublicKeySetArgs
- PkixPublicKeys List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKey> - pkix_public_keys must have at least one entry.
- PkixPublicKeys []PkixPublicKey - pkix_public_keys must have at least one entry.
- pkixPublicKeys List<PkixPublicKey> - pkix_public_keys must have at least one entry.
- pkixPublicKeys PkixPublicKey[] - pkix_public_keys must have at least one entry.
- pkix_public_keys Sequence[PkixPublicKey] - pkix_public_keys must have at least one entry.
- pkixPublicKeys List<Property Map> - pkix_public_keys must have at least one entry.
PkixPublicKeySetResponse, PkixPublicKeySetResponseArgs
- PkixPublicKeys List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeyResponse> - pkix_public_keys must have at least one entry.
- PkixPublicKeys []PkixPublicKeyResponse - pkix_public_keys must have at least one entry.
- pkixPublicKeys List<PkixPublicKeyResponse> - pkix_public_keys must have at least one entry.
- pkixPublicKeys PkixPublicKeyResponse[] - pkix_public_keys must have at least one entry.
- pkix_public_keys Sequence[PkixPublicKeyResponse] - pkix_public_keys must have at least one entry.
- pkixPublicKeys List<Property Map> - pkix_public_keys must have at least one entry.
PkixPublicKeySignatureAlgorithm, PkixPublicKeySignatureAlgorithmArgs
- SignatureAlgorithmUnspecified - SIGNATURE_ALGORITHM_UNSPECIFIED - Not specified.
- RsaPss2048Sha256 - RSA_PSS_2048_SHA256 - RSASSA-PSS 2048 bit key with a SHA256 digest.
- RsaSignPss2048Sha256 - RSA_SIGN_PSS_2048_SHA256 - RSASSA-PSS 2048 bit key with a SHA256 digest.
- RsaPss3072Sha256 - RSA_PSS_3072_SHA256 - RSASSA-PSS 3072 bit key with a SHA256 digest.
- RsaSignPss3072Sha256 - RSA_SIGN_PSS_3072_SHA256 - RSASSA-PSS 3072 bit key with a SHA256 digest.
- RsaPss4096Sha256 - RSA_PSS_4096_SHA256 - RSASSA-PSS 4096 bit key with a SHA256 digest.
- RsaSignPss4096Sha256 - RSA_SIGN_PSS_4096_SHA256 - RSASSA-PSS 4096 bit key with a SHA256 digest.
- RsaPss4096Sha512 - RSA_PSS_4096_SHA512 - RSASSA-PSS 4096 bit key with a SHA512 digest.
- RsaSignPss4096Sha512 - RSA_SIGN_PSS_4096_SHA512 - RSASSA-PSS 4096 bit key with a SHA512 digest.
- RsaSignPkcs12048Sha256 - RSA_SIGN_PKCS1_2048_SHA256 - RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
- RsaSignPkcs13072Sha256 - RSA_SIGN_PKCS1_3072_SHA256 - RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
- RsaSignPkcs14096Sha256 - RSA_SIGN_PKCS1_4096_SHA256 - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
- RsaSignPkcs14096Sha512 - RSA_SIGN_PKCS1_4096_SHA512 - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
- EcdsaP256Sha256 - ECDSA_P256_SHA256 - ECDSA on the NIST P-256 curve with a SHA256 digest.
- EcSignP256Sha256 - EC_SIGN_P256_SHA256 - ECDSA on the NIST P-256 curve with a SHA256 digest.
- EcdsaP384Sha384 - ECDSA_P384_SHA384 - ECDSA on the NIST P-384 curve with a SHA384 digest.
- EcSignP384Sha384 - EC_SIGN_P384_SHA384 - ECDSA on the NIST P-384 curve with a SHA384 digest.
- EcdsaP521Sha512 - ECDSA_P521_SHA512 - ECDSA on the NIST P-521 curve with a SHA512 digest.
- EcSignP521Sha512 - EC_SIGN_P521_SHA512 - ECDSA on the NIST P-521 curve with a SHA512 digest.
- PkixPublicKeySignatureAlgorithmSignatureAlgorithmUnspecified - SIGNATURE_ALGORITHM_UNSPECIFIED - Not specified.
- PkixPublicKeySignatureAlgorithmRsaPss2048Sha256 - RSA_PSS_2048_SHA256 - RSASSA-PSS 2048 bit key with a SHA256 digest.
- PkixPublicKeySignatureAlgorithmRsaSignPss2048Sha256 - RSA_SIGN_PSS_2048_SHA256 - RSASSA-PSS 2048 bit key with a SHA256 digest.
- PkixPublicKeySignatureAlgorithmRsaPss3072Sha256 - RSA_PSS_3072_SHA256 - RSASSA-PSS 3072 bit key with a SHA256 digest.
- PkixPublicKeySignatureAlgorithmRsaSignPss3072Sha256 - RSA_SIGN_PSS_3072_SHA256 - RSASSA-PSS 3072 bit key with a SHA256 digest.
- PkixPublicKeySignatureAlgorithmRsaPss4096Sha256 - RSA_PSS_4096_SHA256 - RSASSA-PSS 4096 bit key with a SHA256 digest.
- PkixPublicKeySignatureAlgorithmRsaSignPss4096Sha256 - RSA_SIGN_PSS_4096_SHA256 - RSASSA-PSS 4096 bit key with a SHA256 digest.
- PkixPublicKeySignatureAlgorithmRsaPss4096Sha512 - RSA_PSS_4096_SHA512 - RSASSA-PSS 4096 bit key with a SHA512 digest.
- PkixPublicKeySignatureAlgorithmRsaSignPss4096Sha512 - RSA_SIGN_PSS_4096_SHA512 - RSASSA-PSS 4096 bit key with a SHA512 digest.
- PkixPublicKeySignatureAlgorithmRsaSignPkcs12048Sha256 - RSA_SIGN_PKCS1_2048_SHA256 - RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
- PkixPublicKeySignatureAlgorithmRsaSignPkcs13072Sha256 - RSA_SIGN_PKCS1_3072_SHA256 - RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
- PkixPublicKeySignatureAlgorithmRsaSignPkcs14096Sha256 - RSA_SIGN_PKCS1_4096_SHA256 - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
- PkixPublicKeySignatureAlgorithmRsaSignPkcs14096Sha512 - RSA_SIGN_PKCS1_4096_SHA512 - RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
- PkixPublicKeySignatureAlgorithmEcdsaP256Sha256 - ECDSA_P256_SHA256 - ECDSA on the NIST P-256 curve with a SHA256 digest.
- PkixPublicKeySignatureAlgorithmEcSignP256Sha256 - EC_SIGN_P256_SHA256 - ECDSA on the NIST P-256 curve with a SHA256 digest.
- PkixPublicKeySignatureAlgorithmEcdsaP384Sha384 - ECDSA_P384_SHA384 - ECDSA on the NIST P-384 curve with a SHA384 digest.
- PkixPublicKeySignatureAlgorithmEcSignP384Sha384 - EC_SIGN_P384_SHA384 - ECDSA on the NIST P-384 curve with a SHA384 digest.
- PkixPublicKeySignatureAlgorithmEcdsaP521Sha512 - ECDSA_P521_SHA512 - ECDSA on the NIST P-521 curve with a SHA512 digest.
- PkixPublicKeySignatureAlgorithmEcSignP521Sha512 - EC_SIGN_P521_SHA512 - ECDSA on the NIST P-521 curve with a SHA512 digest.
- SignatureAlgorithmUnspecified - SIGNATURE_ALGORITHM_UNSPECIFIED: Not specified.
- RsaPss2048Sha256 - RSA_PSS_2048_SHA256: RSASSA-PSS 2048-bit key with a SHA256 digest.
- RsaSignPss2048Sha256 - RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048-bit key with a SHA256 digest.
- RsaPss3072Sha256 - RSA_PSS_3072_SHA256: RSASSA-PSS 3072-bit key with a SHA256 digest.
- RsaSignPss3072Sha256 - RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072-bit key with a SHA256 digest.
- RsaPss4096Sha256 - RSA_PSS_4096_SHA256: RSASSA-PSS 4096-bit key with a SHA256 digest.
- RsaSignPss4096Sha256 - RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096-bit key with a SHA256 digest.
- RsaPss4096Sha512 - RSA_PSS_4096_SHA512: RSASSA-PSS 4096-bit key with a SHA512 digest.
- RsaSignPss4096Sha512 - RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096-bit key with a SHA512 digest.
- RsaSignPkcs12048Sha256 - RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048-bit key and a SHA256 digest.
- RsaSignPkcs13072Sha256 - RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072-bit key and a SHA256 digest.
- RsaSignPkcs14096Sha256 - RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096-bit key and a SHA256 digest.
- RsaSignPkcs14096Sha512 - RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096-bit key and a SHA512 digest.
- EcdsaP256Sha256 - ECDSA_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
- EcSignP256Sha256 - EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
- EcdsaP384Sha384 - ECDSA_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
- EcSignP384Sha384 - EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
- EcdsaP521Sha512 - ECDSA_P521_SHA512: ECDSA on the NIST P-521 curve with a SHA512 digest.
- EcSignP521Sha512 - EC_SIGN_P521_SHA512: ECDSA on the NIST P-521 curve with a SHA512 digest.
- SignatureAlgorithmUnspecified - SIGNATURE_ALGORITHM_UNSPECIFIED: Not specified.
- RsaPss2048Sha256 - RSA_PSS_2048_SHA256: RSASSA-PSS 2048-bit key with a SHA256 digest.
- RsaSignPss2048Sha256 - RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048-bit key with a SHA256 digest.
- RsaPss3072Sha256 - RSA_PSS_3072_SHA256: RSASSA-PSS 3072-bit key with a SHA256 digest.
- RsaSignPss3072Sha256 - RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072-bit key with a SHA256 digest.
- RsaPss4096Sha256 - RSA_PSS_4096_SHA256: RSASSA-PSS 4096-bit key with a SHA256 digest.
- RsaSignPss4096Sha256 - RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096-bit key with a SHA256 digest.
- RsaPss4096Sha512 - RSA_PSS_4096_SHA512: RSASSA-PSS 4096-bit key with a SHA512 digest.
- RsaSignPss4096Sha512 - RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096-bit key with a SHA512 digest.
- RsaSignPkcs12048Sha256 - RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048-bit key and a SHA256 digest.
- RsaSignPkcs13072Sha256 - RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072-bit key and a SHA256 digest.
- RsaSignPkcs14096Sha256 - RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096-bit key and a SHA256 digest.
- RsaSignPkcs14096Sha512 - RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096-bit key and a SHA512 digest.
- EcdsaP256Sha256 - ECDSA_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
- EcSignP256Sha256 - EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
- EcdsaP384Sha384 - ECDSA_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
- EcSignP384Sha384 - EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
- EcdsaP521Sha512 - ECDSA_P521_SHA512: ECDSA on the NIST P-521 curve with a SHA512 digest.
- EcSignP521Sha512 - EC_SIGN_P521_SHA512: ECDSA on the NIST P-521 curve with a SHA512 digest.
- SIGNATURE_ALGORITHM_UNSPECIFIED - SIGNATURE_ALGORITHM_UNSPECIFIED: Not specified.
- RSA_PSS2048_SHA256 - RSA_PSS_2048_SHA256: RSASSA-PSS 2048-bit key with a SHA256 digest.
- RSA_SIGN_PSS2048_SHA256 - RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048-bit key with a SHA256 digest.
- RSA_PSS3072_SHA256 - RSA_PSS_3072_SHA256: RSASSA-PSS 3072-bit key with a SHA256 digest.
- RSA_SIGN_PSS3072_SHA256 - RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072-bit key with a SHA256 digest.
- RSA_PSS4096_SHA256 - RSA_PSS_4096_SHA256: RSASSA-PSS 4096-bit key with a SHA256 digest.
- RSA_SIGN_PSS4096_SHA256 - RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096-bit key with a SHA256 digest.
- RSA_PSS4096_SHA512 - RSA_PSS_4096_SHA512: RSASSA-PSS 4096-bit key with a SHA512 digest.
- RSA_SIGN_PSS4096_SHA512 - RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096-bit key with a SHA512 digest.
- RSA_SIGN_PKCS12048_SHA256 - RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048-bit key and a SHA256 digest.
- RSA_SIGN_PKCS13072_SHA256 - RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072-bit key and a SHA256 digest.
- RSA_SIGN_PKCS14096_SHA256 - RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096-bit key and a SHA256 digest.
- RSA_SIGN_PKCS14096_SHA512 - RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096-bit key and a SHA512 digest.
- ECDSA_P256_SHA256 - ECDSA_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
- EC_SIGN_P256_SHA256 - EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
- ECDSA_P384_SHA384 - ECDSA_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
- EC_SIGN_P384_SHA384 - EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
- ECDSA_P521_SHA512 - ECDSA_P521_SHA512: ECDSA on the NIST P-521 curve with a SHA512 digest.
- EC_SIGN_P521_SHA512 - EC_SIGN_P521_SHA512: ECDSA on the NIST P-521 curve with a SHA512 digest.
- "SIGNATURE_ALGORITHM_UNSPECIFIED" - SIGNATURE_ALGORITHM_UNSPECIFIED: Not specified.
- "RSA_PSS_2048_SHA256" - RSA_PSS_2048_SHA256: RSASSA-PSS 2048-bit key with a SHA256 digest.
- "RSA_SIGN_PSS_2048_SHA256" - RSA_SIGN_PSS_2048_SHA256: RSASSA-PSS 2048-bit key with a SHA256 digest.
- "RSA_PSS_3072_SHA256" - RSA_PSS_3072_SHA256: RSASSA-PSS 3072-bit key with a SHA256 digest.
- "RSA_SIGN_PSS_3072_SHA256" - RSA_SIGN_PSS_3072_SHA256: RSASSA-PSS 3072-bit key with a SHA256 digest.
- "RSA_PSS_4096_SHA256" - RSA_PSS_4096_SHA256: RSASSA-PSS 4096-bit key with a SHA256 digest.
- "RSA_SIGN_PSS_4096_SHA256" - RSA_SIGN_PSS_4096_SHA256: RSASSA-PSS 4096-bit key with a SHA256 digest.
- "RSA_PSS_4096_SHA512" - RSA_PSS_4096_SHA512: RSASSA-PSS 4096-bit key with a SHA512 digest.
- "RSA_SIGN_PSS_4096_SHA512" - RSA_SIGN_PSS_4096_SHA512: RSASSA-PSS 4096-bit key with a SHA512 digest.
- "RSA_SIGN_PKCS1_2048_SHA256" - RSA_SIGN_PKCS1_2048_SHA256: RSASSA-PKCS1-v1_5 with a 2048-bit key and a SHA256 digest.
- "RSA_SIGN_PKCS1_3072_SHA256" - RSA_SIGN_PKCS1_3072_SHA256: RSASSA-PKCS1-v1_5 with a 3072-bit key and a SHA256 digest.
- "RSA_SIGN_PKCS1_4096_SHA256" - RSA_SIGN_PKCS1_4096_SHA256: RSASSA-PKCS1-v1_5 with a 4096-bit key and a SHA256 digest.
- "RSA_SIGN_PKCS1_4096_SHA512" - RSA_SIGN_PKCS1_4096_SHA512: RSASSA-PKCS1-v1_5 with a 4096-bit key and a SHA512 digest.
- "ECDSA_P256_SHA256" - ECDSA_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
- "EC_SIGN_P256_SHA256" - EC_SIGN_P256_SHA256: ECDSA on the NIST P-256 curve with a SHA256 digest.
- "ECDSA_P384_SHA384" - ECDSA_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
- "EC_SIGN_P384_SHA384" - EC_SIGN_P384_SHA384: ECDSA on the NIST P-384 curve with a SHA384 digest.
- "ECDSA_P521_SHA512" - ECDSA_P521_SHA512: ECDSA on the NIST P-521 curve with a SHA512 digest.
- "EC_SIGN_P521_SHA512" - EC_SIGN_P521_SHA512: ECDSA on the NIST P-521 curve with a SHA512 digest.
Scope, ScopeArgs
- KubernetesNamespace string - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- KubernetesServiceAccount string - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- KubernetesNamespace string - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- KubernetesServiceAccount string - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- kubernetesNamespace String - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- kubernetesServiceAccount String - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- kubernetesNamespace string - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- kubernetesServiceAccount string - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- kubernetes_namespace str - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- kubernetes_service_account str - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- kubernetesNamespace String - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- kubernetesServiceAccount String - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
ScopeResponse, ScopeResponseArgs
- KubernetesNamespace string - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- KubernetesServiceAccount string - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- KubernetesNamespace string - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- KubernetesServiceAccount string - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- kubernetesNamespace String - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- kubernetesServiceAccount String - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- kubernetesNamespace string - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- kubernetesServiceAccount string - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- kubernetes_namespace str - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- kubernetes_service_account str - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
- kubernetesNamespace String - Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
- kubernetesServiceAccount String - Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. The kubernetes_service_account scope is always more specific than the kubernetes_namespace scope for the same namespace.
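The precedence rule stated for Scope (a kubernetes_service_account scope beats a kubernetes_namespace scope for the same namespace) is easy to get wrong when several scopes match one Pod. The following is an added example, not Pulumi's or Binary Authorization's own code: it models only the two Scope fields documented here and picks the most specific matching scope for a Pod. Treating a Scope with neither field set as a catch-all default, and rejecting a kubernetes_service_account value that is not of the form my-namespace:my-service-account, are assumptions of this example.

```python
"""Pick the most specific Scope for a Pod (added example, not Pulumi code)."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Scope:
    # The two optional fields documented for Scope / ScopeResponse.
    kubernetes_namespace: Optional[str] = None
    kubernetes_service_account: Optional[str] = None  # "my-namespace:my-service-account"


def parse_service_account_ref(value: str) -> Optional[Tuple[str, str]]:
    """Split 'namespace:name' into its parts; None if the value is malformed."""
    namespace, sep, name = value.partition(":")
    if not sep or not namespace or not name or ":" in name:
        return None
    return namespace, name


def specificity(scope: Scope) -> int:
    """2 = service-account scope, 1 = namespace scope, 0 = unscoped default (assumption)."""
    if scope.kubernetes_service_account is not None:
        return 2
    if scope.kubernetes_namespace is not None:
        return 1
    return 0


def scope_matches(scope: Scope, namespace: str, service_account: str) -> bool:
    """True if `scope` covers a Pod running as namespace:service_account."""
    if scope.kubernetes_service_account is not None:
        parsed = parse_service_account_ref(scope.kubernetes_service_account)
        if parsed is None:
            raise ValueError(f"malformed kubernetes_service_account: {scope.kubernetes_service_account!r}")
        sa_namespace, sa_name = parsed
        if scope.kubernetes_namespace is not None and scope.kubernetes_namespace != sa_namespace:
            raise ValueError("kubernetes_namespace disagrees with the service account's namespace")
        return sa_namespace == namespace and sa_name == service_account
    if scope.kubernetes_namespace is not None:
        return scope.kubernetes_namespace == namespace
    return True  # assumption of this example: an empty Scope is the default and matches everything


def select_scope(scopes: Sequence[Scope], namespace: str, service_account: str) -> Optional[int]:
    """Index of the most specific matching Scope (first one wins on ties), or None."""
    best: Optional[int] = None
    for index, scope in enumerate(scopes):
        if not scope_matches(scope, namespace, service_account):
            continue
        if best is None or specificity(scope) > specificity(scopes[best]):
            best = index
    return best


if __name__ == "__main__":
    # Constructed sample scopes: a namespace-wide rule, a tighter per-SA rule, and a default.
    sample = [Scope(kubernetes_namespace="prod"),
              Scope(kubernetes_service_account="prod:deployer"),
              Scope()]
    print(select_scope(sample, "prod", "deployer"))  # the per-service-account scope wins
    print(select_scope(sample, "prod", "web"))       # falls back to the namespace scope
```

Because the most specific scope wins regardless of list position, a namespace-wide scope never silently shadows a per-service-account one; a deployment that needs stricter checks for a single service account can rely on that scope being the one evaluated.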
SimpleSigningAttestationCheck, SimpleSigningAttestationCheckArgs
- AttestationAuthenticators List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticator> - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- ContainerAnalysisAttestationProjects List<string> - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- AttestationAuthenticators []AttestationAuthenticator - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- ContainerAnalysisAttestationProjects []string - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- attestationAuthenticators List<AttestationAuthenticator> - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- containerAnalysisAttestationProjects List<String> - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- attestationAuthenticators AttestationAuthenticator[] - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- containerAnalysisAttestationProjects string[] - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- attestation_authenticators Sequence[AttestationAuthenticator] - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- container_analysis_attestation_projects Sequence[str] - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- attestationAuthenticators List<Property Map> - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- containerAnalysisAttestationProjects List<String> - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
SimpleSigningAttestationCheckResponse, SimpleSigningAttestationCheckResponseArgs
- AttestationAuthenticators List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticatorResponse> - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- ContainerAnalysisAttestationProjects List<string> - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- AttestationAuthenticators []AttestationAuthenticatorResponse - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- ContainerAnalysisAttestationProjects []string - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- attestationAuthenticators List<AttestationAuthenticatorResponse> - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- containerAnalysisAttestationProjects List<String> - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- attestationAuthenticators AttestationAuthenticatorResponse[] - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- containerAnalysisAttestationProjects string[] - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- attestation_authenticators Sequence[AttestationAuthenticatorResponse] - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- container_analysis_attestation_projects Sequence[str] - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
- attestationAuthenticators List<Property Map> - The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In other words, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
- containerAnalysisAttestationProjects List<String> - Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
SlsaCheck, SlsaCheckArgs
- Rules List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRule> - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- Rules []VerificationRule - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- rules List<VerificationRule> - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- rules VerificationRule[] - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- rules Sequence[VerificationRule] - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- rules List<Property Map> - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
SlsaCheckResponse, SlsaCheckResponseArgs
- Rules List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRuleResponse> - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- Rules []VerificationRuleResponse - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- rules List<VerificationRuleResponse> - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- rules VerificationRuleResponse[] - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- rules Sequence[VerificationRuleResponse] - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
- rules List<Property Map> - Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
TrustedDirectoryCheck, TrustedDirectoryCheckArgs
- TrustedDirPatterns List<string> - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed
  - *pkg.dev/my-project/my-repo is not valid because leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because one leading * is allowed, and it cannot match /
- TrustedDirPatterns []string - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed
  - *pkg.dev/my-project/my-repo is not valid because leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because one leading * is allowed, and it cannot match /
- trustedDirPatterns List<String> - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed
  - *pkg.dev/my-project/my-repo is not valid because leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because one leading * is allowed, and it cannot match /
- trustedDirPatterns string[] - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed
  - *pkg.dev/my-project/my-repo is not valid because leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because one leading * is allowed, and it cannot match /
- trusted_
dir_ Sequence[str]patterns - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g.,
us.pkg.dev
, orgcr.io
. Additionally,*
can be used in three ways as wildcards: 1. leading*
to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing*
after registry/ to match varying endings; 3. trailing**
after registry/ to match "/" as well. For example: --gcr.io/my-project/my-repo
is valid to match a single directory --*-docker.pkg.dev/my-project/my-repo
or*.gcr.io/my-project
are valid to match varying prefixes --gcr.io/my-project/*
will match all direct directories inmy-project
--gcr.io/my-project/**
would match all directories inmy-project
--gcr.i*
is not allowed since the registry is not completely specified --sub*domain.gcr.io/nginx
is not valid because only leading*
or trailing*
are allowed. --*pkg.dev/my-project/my-repo
is not valid because leading*
can only match subdomain --**-docker.pkg.dev
is not valid because one leading*
is allowed, and that it cannot match/
- trusted
Dir List<String>Patterns - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g.,
us.pkg.dev
, orgcr.io
. Additionally,*
can be used in three ways as wildcards: 1. leading*
to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing*
after registry/ to match varying endings; 3. trailing**
after registry/ to match "/" as well. For example: --gcr.io/my-project/my-repo
is valid to match a single directory --*-docker.pkg.dev/my-project/my-repo
or*.gcr.io/my-project
are valid to match varying prefixes --gcr.io/my-project/*
will match all direct directories inmy-project
--gcr.io/my-project/**
would match all directories inmy-project
--gcr.i*
is not allowed since the registry is not completely specified --sub*domain.gcr.io/nginx
is not valid because only leading*
or trailing*
are allowed. --*pkg.dev/my-project/my-repo
is not valid because leading*
can only match subdomain --**-docker.pkg.dev
is not valid because one leading*
is allowed, and that it cannot match/
TrustedDirectoryCheckResponse, TrustedDirectoryCheckResponseArgs
- TrustedDirPatterns List<string> - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev or gcr.io. Additionally, * can be used in three ways as wildcards: 1. a leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. a trailing * after registry/ to match varying endings; 3. a trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only a leading * or a trailing * is allowed
  - *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
- TrustedDirPatterns []string - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev or gcr.io. Additionally, * can be used in three ways as wildcards: 1. a leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. a trailing * after registry/ to match varying endings; 3. a trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only a leading * or a trailing * is allowed
  - *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
- trustedDirPatterns List<String> - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev or gcr.io. Additionally, * can be used in three ways as wildcards: 1. a leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. a trailing * after registry/ to match varying endings; 3. a trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only a leading * or a trailing * is allowed
  - *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
- trustedDirPatterns string[] - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev or gcr.io. Additionally, * can be used in three ways as wildcards: 1. a leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. a trailing * after registry/ to match varying endings; 3. a trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only a leading * or a trailing * is allowed
  - *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
- trusted_dir_patterns Sequence[str] - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev or gcr.io. Additionally, * can be used in three ways as wildcards: 1. a leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. a trailing * after registry/ to match varying endings; 3. a trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only a leading * or a trailing * is allowed
  - *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
- trustedDirPatterns List<String> - List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev or gcr.io. Additionally, * can be used in three ways as wildcards: 1. a leading * to match varying prefixes in the registry subdomain (useful for location prefixes); 2. a trailing * after registry/ to match varying endings; 3. a trailing ** after registry/ to match "/" as well. For example:
  - gcr.io/my-project/my-repo is valid to match a single directory
  - *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes
  - gcr.io/my-project/* will match all direct directories in my-project
  - gcr.io/my-project/** would match all directories in my-project
  - gcr.i* is not allowed since the registry is not completely specified
  - sub*domain.gcr.io/nginx is not valid because only a leading * or a trailing * is allowed
  - *pkg.dev/my-project/my-repo is not valid because a leading * can only match a subdomain
  - **-docker.pkg.dev is not valid because only one leading * is allowed, and it cannot match /
VerificationRule, VerificationRuleArgs
- AttestationSource Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSource - Specifies where to fetch the provenance attestations generated by the builder (group).
- ConfigBasedBuildRequired bool - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- TrustedBuilder Pulumi.GoogleNative.BinaryAuthorization.V1.VerificationRuleTrustedBuilder - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- TrustedSourceRepoPatterns List<string> - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- AttestationSource AttestationSource - Specifies where to fetch the provenance attestations generated by the builder (group).
- ConfigBasedBuildRequired bool - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- TrustedBuilder VerificationRuleTrustedBuilder - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- TrustedSourceRepoPatterns []string - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- attestationSource AttestationSource - Specifies where to fetch the provenance attestations generated by the builder (group).
- configBasedBuildRequired Boolean - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- trustedBuilder VerificationRuleTrustedBuilder - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- trustedSourceRepoPatterns List<String> - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- attestationSource AttestationSource - Specifies where to fetch the provenance attestations generated by the builder (group).
- configBasedBuildRequired boolean - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- trustedBuilder VerificationRuleTrustedBuilder - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- trustedSourceRepoPatterns string[] - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- attestation_source AttestationSource - Specifies where to fetch the provenance attestations generated by the builder (group).
- config_based_build_required bool - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- trusted_builder VerificationRuleTrustedBuilder - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- trusted_source_repo_patterns Sequence[str] - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- attestationSource Property Map - Specifies where to fetch the provenance attestations generated by the builder (group).
- configBasedBuildRequired Boolean - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- trustedBuilder "BUILDER_UNSPECIFIED" | "GOOGLE_CLOUD_BUILD" - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- trustedSourceRepoPatterns List<String> - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
VerificationRuleResponse, VerificationRuleResponseArgs
- AttestationSource Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSourceResponse - Specifies where to fetch the provenance attestations generated by the builder (group).
- ConfigBasedBuildRequired bool - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- TrustedBuilder string - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- TrustedSourceRepoPatterns List<string> - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- AttestationSource AttestationSourceResponse - Specifies where to fetch the provenance attestations generated by the builder (group).
- ConfigBasedBuildRequired bool - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- TrustedBuilder string - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- TrustedSourceRepoPatterns []string - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- attestationSource AttestationSourceResponse - Specifies where to fetch the provenance attestations generated by the builder (group).
- configBasedBuildRequired Boolean - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- trustedBuilder String - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- trustedSourceRepoPatterns List<String> - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- attestationSource AttestationSourceResponse - Specifies where to fetch the provenance attestations generated by the builder (group).
- configBasedBuildRequired boolean - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- trustedBuilder string - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- trustedSourceRepoPatterns string[] - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- attestation_source AttestationSourceResponse - Specifies where to fetch the provenance attestations generated by the builder (group).
- config_based_build_required bool - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- trusted_builder str - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- trusted_source_repo_patterns Sequence[str] - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
- attestationSource Property Map - Specifies where to fetch the provenance attestations generated by the builder (group).
- configBasedBuildRequired Boolean - If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
- trustedBuilder String - Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
- trustedSourceRepoPatterns List<String> - List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs:
  - source.cloud.google.com/my-project/my-repo-name
  - git+ssh://source.cloud.google.com/my-project/my-repo-name
  - https://source.cloud.google.com/my-project/my-repo-name
  A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. a trailing * after hosturi/ to match varying endings; 2. a trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains a literal *.) For example:
  - github.com/my-project/my-repo is valid to match a single repo
  - github.com/my-project/* will match all direct repos in my-project
  - github.com/** matches all repos in GitHub
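The wildcard rules for trustedDirPatterns and trustedSourceRepoPatterns above, as an added example that is not Pulumi's or Google's code: a validator and matcher for both pattern kinds. Where the text leaves the matching semantics open (how far a leading * reaches, whether /** needs at least one further segment, what counts as "one leading * can only match a subdomain"), the choices are assumptions noted in the comments, and all function names are my own.

```python
import re
from typing import Callable, Iterable, Optional

# Added example, not Pulumi's or Google's code. Assumptions where the docs are
# open: a leading '*' stands in for a prefix of ONE subdomain label and never
# crosses a '.', a trailing '/*' matches exactly one more path segment, and a
# trailing '/**' matches one or more further segments.

_WORD = re.compile(r"^[A-Za-z0-9-]+$")                # one dot-separated registry word
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")  # https://, git+ssh://, ...


def _check_trailing_wildcard(path: str) -> Optional[str]:
    """Rule shared by both pattern kinds: '*' may only occur as a trailing '/*'
    or '/**'. `path` carries its leading '/'. Returns a rejection reason or None."""
    if "*" not in path:
        return None
    if path.endswith("/**"):
        head = path[:-3]
    elif path.endswith("/*"):
        head = path[:-2]
    else:
        return "'*' may only occur as a trailing '/*' or '/**'"
    if "*" in head:
        return "only one wildcard is allowed, at the end of the pattern"
    return None


def _path_regex(path: str) -> str:
    """Regex for an already validated path part (without its leading '/')."""
    if path == "**" or path.endswith("/**"):
        return re.escape(path[:-2]) + r".+"      # one or more further segments
    if path == "*" or path.endswith("/*"):
        return re.escape(path[:-1]) + r"[^/]+"   # exactly one further segment
    return re.escape(path)


def validate_dir_pattern(pattern: str) -> Optional[str]:
    """trustedDirPatterns rules. Returns None when valid, else the reason."""
    registry, sep, path = pattern.partition("/")
    if registry.startswith("**"):
        return "only one leading '*' is allowed in the registry"
    if "*" in registry[1:]:
        return "registry is not completely specified: '*' may only be leading"
    labels = registry.split(".")
    if registry.startswith("*"):
        partial, words = labels[0][1:], labels[1:]   # the '*' completes the first label
        if partial and not _WORD.match(partial):
            return "invalid characters after the leading '*'"
    else:
        words = labels
    if len(words) < 2 or not all(_WORD.match(w) for w in words):
        return "a leading '*' may only replace a subdomain; two or more full words must follow"
    if not sep or not path:
        return "pattern must have the form registry/path/to/directory"
    return _check_trailing_wildcard("/" + path)


def matches_dir_pattern(pattern: str, image_dir: str) -> bool:
    """True when `image_dir` (registry/path, no tag or digest) is covered by `pattern`."""
    reason = validate_dir_pattern(pattern)
    if reason is not None:
        raise ValueError(f"{pattern}: {reason}")
    registry, _, path = pattern.partition("/")
    if registry.startswith("*"):
        # [^./]* cannot cross a dot: *.gcr.io covers eu.gcr.io but never
        # eu.gcr.io.example.net or any other registry.
        reg = r"[^./]*" + re.escape(registry[1:])
    else:
        reg = re.escape(registry)
    return re.match("^" + reg + "/" + _path_regex(path) + "$", image_dir) is not None


def validate_repo_pattern(pattern: str) -> Optional[str]:
    """trustedSourceRepoPatterns rules: no scheme, wildcards only at the very end."""
    if _SCHEME.match(pattern):
        return "pattern must not include a scheme"
    host, sep, path = pattern.partition("/")
    if "*" in host:
        return "'*' may only occur at the end of the pattern after a '/'"
    return _check_trailing_wildcard("/" + path) if sep else None


def matches_repo_pattern(pattern: str, url: str) -> bool:
    """True when `url` (scheme optional) is covered by `pattern`."""
    reason = validate_repo_pattern(pattern)
    if reason is not None:
        raise ValueError(f"{pattern}: {reason}")
    host, sep, path = pattern.partition("/")
    regex = "^" + re.escape(host) + ("/" + _path_regex(path) if sep else "") + "$"
    return re.match(regex, _SCHEME.sub("", url, count=1)) is not None


def is_trusted(patterns: Iterable[str], subject: str,
               matcher: Callable[[str, str], bool]) -> bool:
    """A subject is trusted when any pattern in the list covers it; every pattern
    is validated on the way, so a malformed policy entry fails loudly."""
    return any(matcher(p, subject) for p in patterns)
```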
VerificationRuleTrustedBuilder, VerificationRuleTrustedBuilderArgs
- BuilderUnspecified - BUILDER_UNSPECIFIED - Should never happen.
- GoogleCloudBuild - GOOGLE_CLOUD_BUILD - The whole Google Cloud Build (GCB) builder group, including all GCB builder types.
- VerificationRuleTrustedBuilderBuilderUnspecified - BUILDER_UNSPECIFIED - Should never happen.
- VerificationRuleTrustedBuilderGoogleCloudBuild - GOOGLE_CLOUD_BUILD - The whole Google Cloud Build (GCB) builder group, including all GCB builder types.
- BuilderUnspecified - BUILDER_UNSPECIFIED - Should never happen.
- GoogleCloudBuild - GOOGLE_CLOUD_BUILD - The whole Google Cloud Build (GCB) builder group, including all GCB builder types.
- BuilderUnspecified - BUILDER_UNSPECIFIED - Should never happen.
- GoogleCloudBuild - GOOGLE_CLOUD_BUILD - The whole Google Cloud Build (GCB) builder group, including all GCB builder types.
- BUILDER_UNSPECIFIED - BUILDER_UNSPECIFIED - Should never happen.
- GOOGLE_CLOUD_BUILD - GOOGLE_CLOUD_BUILD - The whole Google Cloud Build (GCB) builder group, including all GCB builder types.
- "BUILDER_UNSPECIFIED" - BUILDER_UNSPECIFIED - Should never happen.
- "GOOGLE_CLOUD_BUILD" - GOOGLE_CLOUD_BUILD - The whole Google Cloud Build (GCB) builder group, including all GCB builder types.
VulnerabilityCheck, VulnerabilityCheckArgs
- MaximumFixableSeverity Pulumi.GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumFixableSeverity - The threshold for severity for which a fix is currently available. This field is required and must be set.
- MaximumUnfixableSeverity Pulumi.GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumUnfixableSeverity - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- AllowedCves List<string> - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- BlockedCves List<string> - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- ContainerAnalysisVulnerabilityProjects List<string> - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- MaximumFixableSeverity VulnerabilityCheckMaximumFixableSeverity - The threshold for severity for which a fix is currently available. This field is required and must be set.
- MaximumUnfixableSeverity VulnerabilityCheckMaximumUnfixableSeverity - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- AllowedCves []string - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- BlockedCves []string - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- ContainerAnalysisVulnerabilityProjects []string - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- maximumFixableSeverity VulnerabilityCheckMaximumFixableSeverity - The threshold for severity for which a fix is currently available. This field is required and must be set.
- maximumUnfixableSeverity VulnerabilityCheckMaximumUnfixableSeverity - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- allowedCves List<String> - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- blockedCves List<String> - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- containerAnalysisVulnerabilityProjects List<String> - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- maximumFixableSeverity VulnerabilityCheckMaximumFixableSeverity - The threshold for severity for which a fix is currently available. This field is required and must be set.
- maximumUnfixableSeverity VulnerabilityCheckMaximumUnfixableSeverity - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- allowedCves string[] - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- blockedCves string[] - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- containerAnalysisVulnerabilityProjects string[] - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- maximum_fixable_severity VulnerabilityCheckMaximumFixableSeverity - The threshold for severity for which a fix is currently available. This field is required and must be set.
- maximum_unfixable_severity VulnerabilityCheckMaximumUnfixableSeverity - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- allowed_cves Sequence[str] - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- blocked_cves Sequence[str] - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- container_analysis_vulnerability_projects Sequence[str] - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- maximumFixableSeverity "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" | "BLOCK_ALL" | "MINIMAL" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" | "ALLOW_ALL" - The threshold for severity for which a fix is currently available. This field is required and must be set.
- maximumUnfixableSeverity "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" | "BLOCK_ALL" | "MINIMAL" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" | "ALLOW_ALL" - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- allowedCves List<String> - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- blockedCves List<String> - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- containerAnalysisVulnerabilityProjects List<String> - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
VulnerabilityCheckMaximumFixableSeverity, VulnerabilityCheckMaximumFixableSeverityArgs
- MaximumAllowedSeverityUnspecified - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- BlockAll - BLOCK_ALL - Block any vulnerability.
- Minimal - MINIMAL - Allow only minimal severity.
- Low - LOW - Allow only low severity and lower.
- Medium - MEDIUM - Allow medium severity and lower.
- High - HIGH - Allow high severity and lower.
- Critical - CRITICAL - Allow critical severity and lower.
- AllowAll - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- VulnerabilityCheckMaximumFixableSeverityMaximumAllowedSeverityUnspecified - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- VulnerabilityCheckMaximumFixableSeverityBlockAll - BLOCK_ALL - Block any vulnerability.
- VulnerabilityCheckMaximumFixableSeverityMinimal - MINIMAL - Allow only minimal severity.
- VulnerabilityCheckMaximumFixableSeverityLow - LOW - Allow only low severity and lower.
- VulnerabilityCheckMaximumFixableSeverityMedium - MEDIUM - Allow medium severity and lower.
- VulnerabilityCheckMaximumFixableSeverityHigh - HIGH - Allow high severity and lower.
- VulnerabilityCheckMaximumFixableSeverityCritical - CRITICAL - Allow critical severity and lower.
- VulnerabilityCheckMaximumFixableSeverityAllowAll - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- MaximumAllowedSeverityUnspecified - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- BlockAll - BLOCK_ALL - Block any vulnerability.
- Minimal - MINIMAL - Allow only minimal severity.
- Low - LOW - Allow only low severity and lower.
- Medium - MEDIUM - Allow medium severity and lower.
- High - HIGH - Allow high severity and lower.
- Critical - CRITICAL - Allow critical severity and lower.
- AllowAll - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- MaximumAllowedSeverityUnspecified - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- BlockAll - BLOCK_ALL - Block any vulnerability.
- Minimal - MINIMAL - Allow only minimal severity.
- Low - LOW - Allow only low severity and lower.
- Medium - MEDIUM - Allow medium severity and lower.
- High - HIGH - Allow high severity and lower.
- Critical - CRITICAL - Allow critical severity and lower.
- AllowAll - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- BLOCK_ALL - BLOCK_ALL - Block any vulnerability.
- MINIMAL - MINIMAL - Allow only minimal severity.
- LOW - LOW - Allow only low severity and lower.
- MEDIUM - MEDIUM - Allow medium severity and lower.
- HIGH - HIGH - Allow high severity and lower.
- CRITICAL - CRITICAL - Allow critical severity and lower.
- ALLOW_ALL - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- "BLOCK_ALL" - BLOCK_ALL - Block any vulnerability.
- "MINIMAL" - MINIMAL - Allow only minimal severity.
- "LOW" - LOW - Allow only low severity and lower.
- "MEDIUM" - MEDIUM - Allow medium severity and lower.
- "HIGH" - HIGH - Allow high severity and lower.
- "CRITICAL" - CRITICAL - Allow critical severity and lower.
- "ALLOW_ALL" - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
VulnerabilityCheckMaximumUnfixableSeverity, VulnerabilityCheckMaximumUnfixableSeverityArgs
- MaximumAllowedSeverityUnspecified - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- BlockAll - BLOCK_ALL - Block any vulnerability.
- Minimal - MINIMAL - Allow only minimal severity.
- Low - LOW - Allow only low severity and lower.
- Medium - MEDIUM - Allow medium severity and lower.
- High - HIGH - Allow high severity and lower.
- Critical - CRITICAL - Allow critical severity and lower.
- AllowAll - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- VulnerabilityCheckMaximumUnfixableSeverityMaximumAllowedSeverityUnspecified - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- VulnerabilityCheckMaximumUnfixableSeverityBlockAll - BLOCK_ALL - Block any vulnerability.
- VulnerabilityCheckMaximumUnfixableSeverityMinimal - MINIMAL - Allow only minimal severity.
- VulnerabilityCheckMaximumUnfixableSeverityLow - LOW - Allow only low severity and lower.
- VulnerabilityCheckMaximumUnfixableSeverityMedium - MEDIUM - Allow medium severity and lower.
- VulnerabilityCheckMaximumUnfixableSeverityHigh - HIGH - Allow high severity and lower.
- VulnerabilityCheckMaximumUnfixableSeverityCritical - CRITICAL - Allow critical severity and lower.
- VulnerabilityCheckMaximumUnfixableSeverityAllowAll - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- MaximumAllowedSeverityUnspecified - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- BlockAll - BLOCK_ALL - Block any vulnerability.
- Minimal - MINIMAL - Allow only minimal severity.
- Low - LOW - Allow only low severity and lower.
- Medium - MEDIUM - Allow medium severity and lower.
- High - HIGH - Allow high severity and lower.
- Critical - CRITICAL - Allow critical severity and lower.
- AllowAll - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- MaximumAllowedSeverityUnspecified - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- BlockAll - BLOCK_ALL - Block any vulnerability.
- Minimal - MINIMAL - Allow only minimal severity.
- Low - LOW - Allow only low severity and lower.
- Medium - MEDIUM - Allow medium severity and lower.
- High - HIGH - Allow high severity and lower.
- Critical - CRITICAL - Allow critical severity and lower.
- AllowAll - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- BLOCK_ALL - BLOCK_ALL - Block any vulnerability.
- MINIMAL - MINIMAL - Allow only minimal severity.
- LOW - LOW - Allow only low severity and lower.
- MEDIUM - MEDIUM - Allow medium severity and lower.
- HIGH - HIGH - Allow high severity and lower.
- CRITICAL - CRITICAL - Allow critical severity and lower.
- ALLOW_ALL - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
- "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" - MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED - Not specified.
- "BLOCK_ALL" - BLOCK_ALL - Block any vulnerability.
- "MINIMAL" - MINIMAL - Allow only minimal severity.
- "LOW" - LOW - Allow only low severity and lower.
- "MEDIUM" - MEDIUM - Allow medium severity and lower.
- "HIGH" - HIGH - Allow high severity and lower.
- "CRITICAL" - CRITICAL - Allow critical severity and lower.
- "ALLOW_ALL" - ALLOW_ALL - Allow all severity, even vulnerability with unspecified severity.
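The VulnerabilityCheck fields and the two severity enums above describe a small decision procedure: pick the threshold by whether a fix exists, let blockedCves and allowedCves override it by CVE id regardless of the note's provider project, treat BLOCK_ALL and ALLOW_ALL as the two ends of the scale (only ALLOW_ALL admits an unspecified severity), and fail the check outright when none of the configured Container Analysis projects has a valid scan. The evaluator below is an added example that models those rules over a constructed scan result so a proposed threshold can be dry-run against a known set of findings; it is not Binary Authorization's own evaluation code or part of the Pulumi provider, the Occurrence shape is a simplification, the CVE-0000-* ids are placeholders, and the function names are this example's own.

```python
from dataclasses import dataclass, field

# Vulnerability severities in increasing order. BLOCK_ALL and ALLOW_ALL are
# policy-only sentinels that sit below and above the whole scale.
_SEVERITY_RANK = {"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}
_THRESHOLD_RANK = {"BLOCK_ALL": 0, **_SEVERITY_RANK, "ALLOW_ALL": 6}


@dataclass
class Occurrence:
    """One Container Analysis vulnerability occurrence (constructed, simplified shape)."""
    note_name: str      # e.g. projects/goog-vulnz/notes/CVE-2021-20305
    severity: str       # MINIMAL, LOW, MEDIUM, HIGH, CRITICAL or SEVERITY_UNSPECIFIED
    fix_available: bool


@dataclass
class VulnerabilityCheck:
    """Mirror of the VulnerabilityCheck fields documented above."""
    maximum_fixable_severity: str
    maximum_unfixable_severity: str
    allowed_cves: list = field(default_factory=list)
    blocked_cves: list = field(default_factory=list)
    container_analysis_vulnerability_projects: list = field(default_factory=list)


def cve_id(note_name: str) -> str:
    """The CVE id is the last path segment of the note name, whatever the provider project."""
    return note_name.rsplit("/", 1)[-1]


def threshold_rank(value: str) -> int:
    if value not in _THRESHOLD_RANK:
        # Also rejects MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED: the field is required.
        raise ValueError(f"severity threshold is required and must be set, got {value!r}")
    return _THRESHOLD_RANK[value]


def occurrence_violates(check: VulnerabilityCheck, occ: Occurrence) -> bool:
    cve = cve_id(occ.note_name)
    if cve in check.blocked_cves:   # always raised, whatever the severity
        return True
    if cve in check.allowed_cves:   # always ignored, whatever the severity
        return False
    threshold = check.maximum_fixable_severity if occ.fix_available else check.maximum_unfixable_severity
    limit = threshold_rank(threshold)
    if limit == _THRESHOLD_RANK["ALLOW_ALL"]:
        return False                # ALLOW_ALL admits even unspecified severity
    rank = _SEVERITY_RANK.get(occ.severity)
    if rank is None:
        return True                 # unspecified severity passes only under ALLOW_ALL
    return rank > limit             # BLOCK_ALL (limit 0) blocks every ranked severity


def evaluate(check: VulnerabilityCheck, scans: dict) -> list:
    """Return the CVE ids that violate the check.

    scans maps a project resource name (projects/[PROJECT_ID]) to its list of
    occurrences, or to None when that project holds no valid scan of the image.
    """
    found_scan, violations = False, []
    for project in check.container_analysis_vulnerability_projects:
        occurrences = scans.get(project)
        if occurrences is None:
            continue
        found_scan = True
        violations.extend(cve_id(o.note_name) for o in occurrences if occurrence_violates(check, o))
    if not found_scan:
        raise LookupError("no valid scan found in any configured Container Analysis project")
    return violations


# Constructed sample policy and scan; CVE-0000-* ids are placeholders, not real CVEs.
SAMPLE_CHECK = VulnerabilityCheck(
    maximum_fixable_severity="HIGH",
    maximum_unfixable_severity="LOW",
    allowed_cves=["CVE-2020-10543"],
    blocked_cves=["CVE-2021-20305"],
    container_analysis_vulnerability_projects=["projects/my-gcp-project"],
)
SAMPLE_SCANS = {
    "projects/my-gcp-project": [
        Occurrence("projects/goog-vulnz/notes/CVE-2021-20305", "MINIMAL", True),        # blocked by name
        Occurrence("projects/CUSTOM-PROJECT/notes/CVE-2020-10543", "CRITICAL", False), # allowed by name
        Occurrence("projects/goog-vulnz/notes/CVE-0000-0001", "HIGH", True),           # fixable HIGH <= HIGH
        Occurrence("projects/goog-vulnz/notes/CVE-0000-0002", "MEDIUM", False),        # unfixable MEDIUM > LOW
        Occurrence("projects/goog-vulnz/notes/CVE-0000-0003", "SEVERITY_UNSPECIFIED", True),
    ],
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_CHECK, SAMPLE_SCANS))
```

Two of the outcomes in the sample are the ones worth a second look when reviewing a real policy: an unfixable finding is held to the stricter maximumUnfixableSeverity even when the fixable threshold is lax, and a finding with no severity is a violation under every threshold except ALLOW_ALL.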
VulnerabilityCheckResponse, VulnerabilityCheckResponseArgs
- AllowedCves List<string> - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- BlockedCves List<string> - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- ContainerAnalysisVulnerabilityProjects List<string> - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- MaximumFixableSeverity string - The threshold for severity for which a fix is currently available. This field is required and must be set.
- MaximumUnfixableSeverity string - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- AllowedCves []string - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- BlockedCves []string - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- ContainerAnalysisVulnerabilityProjects []string - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- MaximumFixableSeverity string - The threshold for severity for which a fix is currently available. This field is required and must be set.
- MaximumUnfixableSeverity string - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- allowedCves List<String> - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- blockedCves List<String> - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- containerAnalysisVulnerabilityProjects List<String> - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- maximumFixableSeverity String - The threshold for severity for which a fix is currently available. This field is required and must be set.
- maximumUnfixableSeverity String - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- allowedCves string[] - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- blockedCves string[] - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- containerAnalysisVulnerabilityProjects string[] - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- maximumFixableSeverity string - The threshold for severity for which a fix is currently available. This field is required and must be set.
- maximumUnfixableSeverity string - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- allowed_cves Sequence[str] - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- blocked_cves Sequence[str] - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- container_analysis_vulnerability_projects Sequence[str] - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- maximum_fixable_severity str - The threshold for severity for which a fix is currently available. This field is required and must be set.
- maximum_unfixable_severity str - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
- allowedCves List<String> - Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- blockedCves List<String> - Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: CVE-2021-20305, CVE-2020-10543. The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
- containerAnalysisVulnerabilityProjects List<String> - Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
- maximumFixableSeverity String - The threshold for severity for which a fix is currently available. This field is required and must be set.
- maximumUnfixableSeverity String - The threshold for severity for which a fix isn't currently available. This field is required and must be set.
Package Details
- Repository
- Google Cloud Native pulumi/pulumi-google-native
- License
- Apache-2.0