-
Notifications
You must be signed in to change notification settings - Fork 217
/
binaryauthorization_v1beta1_binaryauthorizationattestor.yaml
280 lines (277 loc) · 13.5 KB
/
binaryauthorization_v1beta1_binaryauthorizationattestor.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cnrm.cloud.google.com/version: 1.111.0
creationTimestamp: null
labels:
cnrm.cloud.google.com/dcl2crd: "true"
cnrm.cloud.google.com/managed-by-kcc: "true"
cnrm.cloud.google.com/stability-level: stable
cnrm.cloud.google.com/system: "true"
name: binaryauthorizationattestors.binaryauthorization.cnrm.cloud.google.com
spec:
group: binaryauthorization.cnrm.cloud.google.com
names:
categories:
- gcp
kind: BinaryAuthorizationAttestor
plural: binaryauthorizationattestors
shortNames:
- gcpbinaryauthorizationattestor
- gcpbinaryauthorizationattestors
singular: binaryauthorizationattestor
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: When 'True', the most recent reconcile of the resource succeeded
jsonPath: .status.conditions[?(@.type=='Ready')].status
name: Ready
type: string
- description: The reason for the value in 'Ready'
jsonPath: .status.conditions[?(@.type=='Ready')].reason
name: Status
type: string
- description: The last transition time for the value in 'Status'
jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
name: Status Age
type: date
name: v1beta1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'apiVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
type: string
kind:
description: 'kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
description:
description: Optional. A descriptive comment. This field may be updated.
The field may be displayed in chooser dialogs.
type: string
projectRef:
description: Immutable. The Project that this resource belongs to.
oneOf:
- not:
required:
- external
required:
- name
- not:
anyOf:
- required:
- name
- required:
- namespace
required:
- external
properties:
external:
description: |-
The project for the resource
Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
type: object
resourceID:
description: Immutable. Optional. The name of the resource. Used for
creation and acquisition. When unset, the value of `metadata.name`
is used as the default.
type: string
userOwnedDrydockNote:
description: This specifies how an attestation will be read, and how
it will be used during policy enforcement.
properties:
noteRef:
description: Immutable.
oneOf:
- not:
required:
- external
required:
- name
- not:
anyOf:
- required:
- name
- required:
- namespace
required:
- external
properties:
external:
description: |-
Required. The Drydock resource name of a Attestation. Authority Note, created by the user, in the format: `projects/*/notes/*`. This field may not be updated. An attestation by this attestor is stored as a Grafeas Attestation. Authority Occurrence that names a container image and that links to this Note. Grafeas is an external dependency.
Allowed value: The Google Cloud resource name of a `ContainerAnalysisNote` resource (format: `projects/{{project}}/notes/{{name}}`).
type: string
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
type: string
namespace:
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
type: string
type: object
publicKeys:
description: Optional. Public keys that verify attestations signed
by this attestor. This field may be updated. If this field is
non-empty, one of the specified public keys must verify that
an attestation was signed by this attestor for the image specified
in the admission request. If this field is empty, this attestor
always returns that no valid attestations exist.
items:
properties:
asciiArmoredPgpPublicKey:
description: ASCII-armored representation of a PGP public
key, as the entire output by the command `gpg --export
--armor foo@example.com` (either LF or CRLF line endings).
When using this field, `id` should be left blank. The
BinAuthz API handlers will calculate the ID and fill it
in automatically. BinAuthz computes this ID as the OpenPGP
RFC4880 V4 fingerprint, represented as upper-case hex.
If `id` is provided by the caller, it will be overwritten
by the API-calculated ID.
type: string
comment:
description: Optional. A descriptive comment. This field
may be updated.
type: string
id:
description: The ID of this public key. Signatures verified
by BinAuthz must include the ID of the public key that
can be used to verify them, and that ID must match the
contents of this field exactly. Additional restrictions
on this field can be imposed based on which public key
type is encapsulated. See the documentation on `public_key`
cases below for details.
type: string
pkixPublicKey:
description: 'A raw PKIX SubjectPublicKeyInfo format public
key. NOTE: `id` may be explicitly provided by the caller
when using this type of public key, but it MUST be a valid
RFC3986 URI. If `id` is left blank, a default one will
be computed based on the digest of the DER encoding of
the public key.'
properties:
publicKeyPem:
description: A PEM-encoded public key, as described
in https://tools.ietf.org/html/rfc7468#section-13
type: string
signatureAlgorithm:
description: 'The signature algorithm used to verify
a message against a signature using this key. These
signature algorithm must match the structure and any
object identifiers encoded in `public_key_pem` (i.e.
this algorithm must match that of the public key).
Possible values: SIGNATURE_ALGORITHM_UNSPECIFIED,
RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256,
RSA_PSS_4096_SHA512, RSA_SIGN_PKCS1_2048_SHA256, RSA_SIGN_PKCS1_3072_SHA256,
RSA_SIGN_PKCS1_4096_SHA256, RSA_SIGN_PKCS1_4096_SHA512,
ECDSA_P256_SHA256, EC_SIGN_P256_SHA256, ECDSA_P384_SHA384,
EC_SIGN_P384_SHA384, ECDSA_P521_SHA512, EC_SIGN_P521_SHA512'
type: string
type: object
type: object
type: array
required:
- noteRef
type: object
required:
- projectRef
type: object
status:
properties:
conditions:
description: Conditions represent the latest available observation
of the resource's current state.
items:
properties:
lastTransitionTime:
description: Last time the condition transitioned from one status
to another.
type: string
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, one-word, CamelCase reason for the condition's
last transition.
type: string
status:
description: Status is the status of the condition. Can be True,
False, Unknown.
type: string
type:
description: Type is the type of the condition.
type: string
type: object
type: array
observedGeneration:
description: ObservedGeneration is the generation of the resource
that was most recently observed by the Config Connector controller.
If this is equal to metadata.generation, then that means that the
current reported status reflects the most recent desired state of
the resource.
type: integer
updateTime:
description: Output only. Time when the attestor was last updated.
format: date-time
type: string
userOwnedDrydockNote:
properties:
delegationServiceAccountEmail:
description: Output only. This field will contain the service
account email address that this Attestor will use as the principal
when querying Container Analysis. Attestor administrators must
grant this service account the IAM role needed to read attestations
from the in Container Analysis (`containeranalysis.notes.occurrences.viewer`).
This email address is fixed for the lifetime of the Attestor,
but callers should not make any other assumptions about the
service account email; future versions may use an email based
on a different naming pattern.
type: string
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []