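// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.binaryauthorization.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option cc_enable_arenas = true;
option csharp_namespace = "Google.Cloud.BinaryAuthorization.V1";
option go_package = "cloud.google.com/go/binaryauthorization/apiv1/binaryauthorizationpb;binaryauthorizationpb";
option java_multiple_files = false;
option java_package = "com.google.protos.google.cloud.binaryauthorization.v1";
option php_namespace = "Google\\Cloud\\BinaryAuthorization\\V1";
option ruby_package = "Google::Cloud::BinaryAuthorization::V1";

// A [policy][google.cloud.binaryauthorization.v1.Policy] for container image
// binary authorization.
//
// Admission requests are matched against the allowlist first (a match is
// always permitted), then against the per-cluster / per-namespace /
// per-service-account / per-identity rule maps, and otherwise fall back to
// `default_admission_rule`.
message Policy {
  option (google.api.resource) = {
    type: "binaryauthorization.googleapis.com/Policy"
    pattern: "projects/{project}/policy"
    pattern: "locations/{location}/policy"
  };

  // Whether the Google-maintained global admission policy for common
  // system-level images is evaluated in addition to this policy.
  //
  // NOTE: the `ENABLE` / `DISABLE` value names carry no type prefix. They are
  // part of the published API and must not be renamed.
  enum GlobalPolicyEvaluationMode {
    // Not specified: DISABLE is assumed.
    GLOBAL_POLICY_EVALUATION_MODE_UNSPECIFIED = 0;

    // Enables system policy evaluation.
    ENABLE = 1;

    // Disables system policy evaluation.
    DISABLE = 2;
  }

  // Output only. The resource name, in the format `projects/*/policy`. There is
  // at most one policy per project.
  // (The resource option above also declares a `locations/{location}/policy`
  // pattern.)
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. A descriptive comment.
  string description = 6 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Controls the evaluation of a Google-maintained global admission
  // policy for common system-level images. Images not covered by the global
  // policy will be subject to the project admission policy. This setting
  // has no effect when specified inside a global admission policy.
  GlobalPolicyEvaluationMode global_policy_evaluation_mode = 7 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Admission policy allowlisting. A matching admission request will
  // always be permitted. This feature is typically used to exclude Google or
  // third-party infrastructure images from Binary Authorization policies.
  //
  // A matching pattern bypasses every admission rule in this policy,
  // including `default_admission_rule`, so patterns should be kept as narrow
  // as the wildcard syntax in `AdmissionWhitelistPattern` allows.
  repeated AdmissionWhitelistPattern admission_whitelist_patterns = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Per-cluster admission rules. Cluster spec format:
  // `location.clusterId`. There can be at most one admission rule per cluster
  // spec.
  // A `location` is either a compute zone (e.g. us-central1-a) or a region
  // (e.g. us-central1).
  // For `clusterId` syntax restrictions see
  // https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
  map<string, AdmissionRule> cluster_admission_rules = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Per-kubernetes-namespace admission rules. K8s namespace spec
  // format: [a-z.-]+, e.g. 'some-namespace'
  map<string, AdmissionRule> kubernetes_namespace_admission_rules = 10 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Per-kubernetes-service-account admission rules. Service account
  // spec format: `namespace:serviceaccount`. e.g. 'test-ns:default'
  map<string, AdmissionRule> kubernetes_service_account_admission_rules = 8 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Per-istio-service-identity admission rules. Istio service
  // identity spec format:
  // spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> or
  // <domain>/ns/<namespace>/sa/<serviceaccount>
  // e.g. spiffe://example.com/ns/test-ns/sa/default
  map<string, AdmissionRule> istio_service_identity_admission_rules = 9 [(google.api.field_behavior) = OPTIONAL];

  // Required. Default admission rule for a cluster without a per-cluster, per-
  // kubernetes-service-account, or per-istio-service-identity admission rule.
  //
  // NOTE(review): `kubernetes_namespace_admission_rules` is not listed above;
  // presumably a matching per-namespace rule also takes precedence over this
  // default — confirm against the evaluation order.
  AdmissionRule default_admission_rule = 4 [(google.api.field_behavior) = REQUIRED];

  // Output only. Time when the policy was last updated.
  google.protobuf.Timestamp update_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// An [admission allowlist pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern]
// exempts images from checks by
// [admission rules][google.cloud.binaryauthorization.v1.AdmissionRule].
message AdmissionWhitelistPattern {
  // An image name pattern to allowlist, in the form `registry/path/to/image`.
  // This supports a trailing `*` wildcard, but this is allowed only in
  // text after the `registry/` part. This also supports a trailing `**`
  // wildcard which matches subdirectories of a given entry.
  string name_pattern = 1;
}

// An [admission rule][google.cloud.binaryauthorization.v1.AdmissionRule]
// specifies either that all container images used in a pod creation request
// must be attested to by one or more
// [attestors][google.cloud.binaryauthorization.v1.Attestor], that all pod
// creations will be allowed, or that all pod creations will be denied.
//
// Images matching an [admission allowlist pattern][google.cloud.binaryauthorization.v1.AdmissionWhitelistPattern]
// are exempted from admission rules and will never block a pod creation.
message AdmissionRule {
  // How an admission rule decides whether a pod creation is allowed.
  enum EvaluationMode {
    // Do not use.
    EVALUATION_MODE_UNSPECIFIED = 0;

    // This rule allows all pod creations.
    ALWAYS_ALLOW = 1;

    // This rule allows a pod creation if all the attestors listed in
    // 'require_attestations_by' have valid attestations for all of the
    // images in the pod spec.
    REQUIRE_ATTESTATION = 2;

    // This rule denies all pod creations.
    ALWAYS_DENY = 3;
  }

  // Defines the possible actions when a pod creation is denied by an admission
  // rule.
  enum EnforcementMode {
    // Do not use.
    ENFORCEMENT_MODE_UNSPECIFIED = 0;

    // Enforce the admission rule by blocking the pod creation.
    ENFORCED_BLOCK_AND_AUDIT_LOG = 1;

    // Dryrun mode: Audit logging only. This will allow the pod creation as if
    // the admission request had specified break-glass.
    //
    // In this mode a denied pod still runs; only the audit log records the
    // denial, so it is a monitoring setting rather than a preventive control.
    DRYRUN_AUDIT_LOG_ONLY = 2;
  }

  // Required. How this admission rule will be evaluated.
  EvaluationMode evaluation_mode = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. The resource names of the attestors that must attest to
  // a container image, in the format `projects/*/attestors/*`. Each
  // attestor must exist before a policy can reference it. To add an attestor
  // to a policy the principal issuing the policy change request must be able
  // to read the attestor resource.
  //
  // Note: this field must be non-empty when the evaluation_mode field specifies
  // REQUIRE_ATTESTATION, otherwise it must be empty.
  repeated string require_attestations_by = 2 [(google.api.field_behavior) = OPTIONAL];

  // Required. The action when a pod creation is denied by the admission rule.
  EnforcementMode enforcement_mode = 3 [(google.api.field_behavior) = REQUIRED];
}

// An [attestor][google.cloud.binaryauthorization.v1.Attestor] that attests to
// container image artifacts. An existing attestor cannot be modified except
// where indicated.
message Attestor {
  option (google.api.resource) = {
    type: "binaryauthorization.googleapis.com/Attestor"
    pattern: "projects/{project}/attestors/{attestor}"
  };

  // Required. The resource name, in the format:
  // `projects/*/attestors/*`. This field may not be updated.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. A descriptive comment. This field may be updated.
  // The field may be displayed in chooser dialogs.
  string description = 6 [(google.api.field_behavior) = OPTIONAL];

  // The kind of attestor. Currently only Grafeas-note-backed attestors exist.
  // (Field numbers 2 and 5 are unassigned in this message; if they were used
  // previously they should be declared `reserved` so they are not reused.)
  oneof attestor_type {
    // This specifies how an attestation will be read, and how it will be used
    // during policy enforcement.
    UserOwnedGrafeasNote user_owned_grafeas_note = 3;
  }

  // Output only. Time when the attestor was last updated.
  google.protobuf.Timestamp update_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A [user-owned Grafeas note][google.cloud.binaryauthorization.v1.UserOwnedGrafeasNote]
// references a Grafeas Attestation.Authority Note created by the user.
message UserOwnedGrafeasNote {
  // Required. The Grafeas resource name of an Attestation.Authority Note,
  // created by the user, in the format: `projects/*/notes/*`. This field may
  // not be updated.
  //
  // An attestation by this attestor is stored as a Grafeas
  // Attestation.Authority Occurrence that names a container image and that
  // links to this Note. Grafeas is an external dependency.
  string note_reference = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. Public keys that verify attestations signed by this
  // attestor. This field may be updated.
  //
  // If this field is non-empty, one of the specified public keys must
  // verify that an attestation was signed by this attestor for the
  // image specified in the admission request.
  //
  // If this field is empty, this attestor always returns that no
  // valid attestations exist. A REQUIRE_ATTESTATION rule that lists such an
  // attestor therefore effectively denies every image.
  repeated AttestorPublicKey public_keys = 2 [(google.api.field_behavior) = OPTIONAL];

  // Output only. This field will contain the service account email address
  // that this Attestor will use as the principal when querying Container
  // Analysis. Attestor administrators must grant this service account the
  // IAM role needed to read attestations from the [note_reference][Note] in
  // Container Analysis (`containeranalysis.notes.occurrences.viewer`).
  //
  // This email address is fixed for the lifetime of the Attestor, but callers
  // should not make any other assumptions about the service account email;
  // future versions may use an email based on a different naming pattern.
  string delegation_service_account_email = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// A public key in the PkixPublicKey format (see
// https://tools.ietf.org/html/rfc5280#section-4.1.2.7 for details).
// Public keys of this type are typically textually encoded using the PEM
// format.
message PkixPublicKey {
  // Represents a signature algorithm and other information necessary to verify
  // signatures with a given public key.
  // This is based primarily on the public key types supported by Tink's
  // PemKeyType, which is in turn based on KMS's supported signing algorithms.
  // See https://cloud.google.com/kms/docs/algorithms. In the future, BinAuthz
  // might support additional public key types independently of Tink and/or KMS.
  //
  // `allow_alias` is set because each `EC_SIGN_*` name shares its wire value
  // with the corresponding `ECDSA_*` name; the two spellings are equivalent.
  enum SignatureAlgorithm {
    option allow_alias = true;

    // Not specified.
    SIGNATURE_ALGORITHM_UNSPECIFIED = 0;

    // RSASSA-PSS 2048 bit key with a SHA256 digest.
    RSA_PSS_2048_SHA256 = 1;

    // RSASSA-PSS 3072 bit key with a SHA256 digest.
    RSA_PSS_3072_SHA256 = 2;

    // RSASSA-PSS 4096 bit key with a SHA256 digest.
    RSA_PSS_4096_SHA256 = 3;

    // RSASSA-PSS 4096 bit key with a SHA512 digest.
    RSA_PSS_4096_SHA512 = 4;

    // RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_2048_SHA256 = 5;

    // RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_3072_SHA256 = 6;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RSA_SIGN_PKCS1_4096_SHA256 = 7;

    // RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    RSA_SIGN_PKCS1_4096_SHA512 = 8;

    // ECDSA on the NIST P-256 curve with a SHA256 digest.
    ECDSA_P256_SHA256 = 9;

    // ECDSA on the NIST P-256 curve with a SHA256 digest.
    // Alias of ECDSA_P256_SHA256.
    EC_SIGN_P256_SHA256 = 9;

    // ECDSA on the NIST P-384 curve with a SHA384 digest.
    ECDSA_P384_SHA384 = 10;

    // ECDSA on the NIST P-384 curve with a SHA384 digest.
    // Alias of ECDSA_P384_SHA384.
    EC_SIGN_P384_SHA384 = 10;

    // ECDSA on the NIST P-521 curve with a SHA512 digest.
    ECDSA_P521_SHA512 = 11;

    // ECDSA on the NIST P-521 curve with a SHA512 digest.
    // Alias of ECDSA_P521_SHA512.
    EC_SIGN_P521_SHA512 = 11;
  }

  // A PEM-encoded public key, as described in
  // https://tools.ietf.org/html/rfc7468#section-13
  string public_key_pem = 1;

  // The signature algorithm used to verify a message against a signature using
  // this key.
  // This signature algorithm must match the structure and any object
  // identifiers encoded in `public_key_pem` (i.e. this algorithm must match
  // that of the public key).
  SignatureAlgorithm signature_algorithm = 2;
}

// An [attestor public key][google.cloud.binaryauthorization.v1.AttestorPublicKey]
// that will be used to verify attestations signed by this attestor.
message AttestorPublicKey {
  // Optional. A descriptive comment. This field may be updated.
  string comment = 1 [(google.api.field_behavior) = OPTIONAL];

  // The ID of this public key.
  // Signatures verified by BinAuthz must include the ID of the public key that
  // can be used to verify them, and that ID must match the contents of this
  // field exactly.
  // Additional restrictions on this field can be imposed based on which public
  // key type is encapsulated. See the documentation on `public_key` cases below
  // for details.
  string id = 2;

  // The key material. Exactly one case is set.
  // (Field number 4 is unassigned in this oneof; if it was used previously it
  // should be declared `reserved` so it is not reused.)
  oneof public_key {
    // ASCII-armored representation of a PGP public key, as the entire output by
    // the command `gpg --export --armor <email>` (either LF or CRLF
    // line endings).
    // When using this field, `id` should be left blank. The BinAuthz API
    // handlers will calculate the ID and fill it in automatically. BinAuthz
    // computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as
    // upper-case hex. If `id` is provided by the caller, it will be
    // overwritten by the API-calculated ID.
    string ascii_armored_pgp_public_key = 3;

    // A raw PKIX SubjectPublicKeyInfo format public key.
    //
    // NOTE: `id` may be explicitly provided by the caller when using this
    // type of public key, but it MUST be a valid RFC3986 URI. If `id` is left
    // blank, a default one will be computed based on the digest of the DER
    // encoding of the public key.
    PkixPublicKey pkix_public_key = 5;
  }
}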