Google Cloud Native v0.32.0, Nov 29 23

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

google-native.binaryauthorization/v1.Policy

Explore with Pulumi AI

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

Creates a platform policy, and returns a copy of it. Returns NOT_FOUND if the project or platform doesn’t exist, INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the policy already exists, and INVALID_ARGUMENT if the policy contains a platform-specific policy that does not match the platform value specified in the URL. Auto-naming is currently not supported for this resource.

Create Policy Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);

@overload
def Policy(resource_name: str,
           args: PolicyArgs,
           opts: Optional[ResourceOptions] = None)

@overload
def Policy(resource_name: str,
           opts: Optional[ResourceOptions] = None,
           platform_id: Optional[str] = None,
           policy_id: Optional[str] = None,
           description: Optional[str] = None,
           gke_policy: Optional[GkePolicyArgs] = None,
           project: Optional[str] = None)

func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)

public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)

public Policy(String name, PolicyArgs args)
public Policy(String name, PolicyArgs args, CustomResourceOptions options)

type: google-native:binaryauthorization/v1:Policy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args PolicyArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

TypeScript
Python
Go
C#
Java
YAML

var policyResource = new GoogleNative.BinaryAuthorization.V1.Policy("policyResource", new()
{
    PlatformId = "string",
    PolicyId = "string",
    Description = "string",
    GkePolicy = new GoogleNative.BinaryAuthorization.V1.Inputs.GkePolicyArgs
    {
        CheckSets = new[]
        {
            new GoogleNative.BinaryAuthorization.V1.Inputs.CheckSetArgs
            {
                Checks = new[]
                {
                    new GoogleNative.BinaryAuthorization.V1.Inputs.CheckArgs
                    {
                        AlwaysDeny = false,
                        DisplayName = "string",
                        ImageAllowlist = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistArgs
                        {
                            AllowPattern = new[]
                            {
                                "string",
                            },
                        },
                        ImageFreshnessCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageFreshnessCheckArgs
                        {
                            MaxUploadAgeDays = 0,
                        },
                        SimpleSigningAttestationCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.SimpleSigningAttestationCheckArgs
                        {
                            AttestationAuthenticators = new[]
                            {
                                new GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticatorArgs
                                {
                                    DisplayName = "string",
                                    PkixPublicKeySet = new GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySetArgs
                                    {
                                        PkixPublicKeys = new[]
                                        {
                                            new GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeyArgs
                                            {
                                                KeyId = "string",
                                                PublicKeyPem = "string",
                                                SignatureAlgorithm = GoogleNative.BinaryAuthorization.V1.PkixPublicKeySignatureAlgorithm.SignatureAlgorithmUnspecified,
                                            },
                                        },
                                    },
                                },
                            },
                            ContainerAnalysisAttestationProjects = new[]
                            {
                                "string",
                            },
                        },
                        SlsaCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.SlsaCheckArgs
                        {
                            Rules = new[]
                            {
                                new GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRuleArgs
                                {
                                    AttestationSource = new GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSourceArgs
                                    {
                                        ContainerAnalysisAttestationProjects = new[]
                                        {
                                            "string",
                                        },
                                    },
                                    ConfigBasedBuildRequired = false,
                                    TrustedBuilder = GoogleNative.BinaryAuthorization.V1.VerificationRuleTrustedBuilder.BuilderUnspecified,
                                    TrustedSourceRepoPatterns = new[]
                                    {
                                        "string",
                                    },
                                },
                            },
                        },
                        TrustedDirectoryCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.TrustedDirectoryCheckArgs
                        {
                            TrustedDirPatterns = new[]
                            {
                                "string",
                            },
                        },
                        VulnerabilityCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.VulnerabilityCheckArgs
                        {
                            MaximumFixableSeverity = GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumFixableSeverity.MaximumAllowedSeverityUnspecified,
                            MaximumUnfixableSeverity = GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumUnfixableSeverity.MaximumAllowedSeverityUnspecified,
                            AllowedCves = new[]
                            {
                                "string",
                            },
                            BlockedCves = new[]
                            {
                                "string",
                            },
                            ContainerAnalysisVulnerabilityProjects = new[]
                            {
                                "string",
                            },
                        },
                    },
                },
                DisplayName = "string",
                ImageAllowlist = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistArgs
                {
                    AllowPattern = new[]
                    {
                        "string",
                    },
                },
                Scope = new GoogleNative.BinaryAuthorization.V1.Inputs.ScopeArgs
                {
                    KubernetesNamespace = "string",
                    KubernetesServiceAccount = "string",
                },
            },
        },
        ImageAllowlist = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistArgs
        {
            AllowPattern = new[]
            {
                "string",
            },
        },
    },
    Project = "string",
});

example, err := binaryauthorization.NewPolicy(ctx, "policyResource", &binaryauthorization.PolicyArgs{
	PlatformId:  pulumi.String("string"),
	PolicyId:    pulumi.String("string"),
	Description: pulumi.String("string"),
	GkePolicy: &binaryauthorization.GkePolicyArgs{
		CheckSets: binaryauthorization.CheckSetArray{
			&binaryauthorization.CheckSetArgs{
				Checks: binaryauthorization.CheckArray{
					&binaryauthorization.CheckArgs{
						AlwaysDeny:  pulumi.Bool(false),
						DisplayName: pulumi.String("string"),
						ImageAllowlist: &binaryauthorization.ImageAllowlistArgs{
							AllowPattern: pulumi.StringArray{
								pulumi.String("string"),
							},
						},
						ImageFreshnessCheck: &binaryauthorization.ImageFreshnessCheckArgs{
							MaxUploadAgeDays: pulumi.Int(0),
						},
						SimpleSigningAttestationCheck: &binaryauthorization.SimpleSigningAttestationCheckArgs{
							AttestationAuthenticators: binaryauthorization.AttestationAuthenticatorArray{
								&binaryauthorization.AttestationAuthenticatorArgs{
									DisplayName: pulumi.String("string"),
									PkixPublicKeySet: &binaryauthorization.PkixPublicKeySetArgs{
										PkixPublicKeys: binaryauthorization.PkixPublicKeyArray{
											&binaryauthorization.PkixPublicKeyArgs{
												KeyId:              pulumi.String("string"),
												PublicKeyPem:       pulumi.String("string"),
												SignatureAlgorithm: binaryauthorization.PkixPublicKeySignatureAlgorithmSignatureAlgorithmUnspecified,
											},
										},
									},
								},
							},
							ContainerAnalysisAttestationProjects: pulumi.StringArray{
								pulumi.String("string"),
							},
						},
						SlsaCheck: &binaryauthorization.SlsaCheckArgs{
							Rules: binaryauthorization.VerificationRuleArray{
								&binaryauthorization.VerificationRuleArgs{
									AttestationSource: &binaryauthorization.AttestationSourceArgs{
										ContainerAnalysisAttestationProjects: pulumi.StringArray{
											pulumi.String("string"),
										},
									},
									ConfigBasedBuildRequired: pulumi.Bool(false),
									TrustedBuilder:           binaryauthorization.VerificationRuleTrustedBuilderBuilderUnspecified,
									TrustedSourceRepoPatterns: pulumi.StringArray{
										pulumi.String("string"),
									},
								},
							},
						},
						TrustedDirectoryCheck: &binaryauthorization.TrustedDirectoryCheckArgs{
							TrustedDirPatterns: pulumi.StringArray{
								pulumi.String("string"),
							},
						},
						VulnerabilityCheck: &binaryauthorization.VulnerabilityCheckArgs{
							MaximumFixableSeverity:   binaryauthorization.VulnerabilityCheckMaximumFixableSeverityMaximumAllowedSeverityUnspecified,
							MaximumUnfixableSeverity: binaryauthorization.VulnerabilityCheckMaximumUnfixableSeverityMaximumAllowedSeverityUnspecified,
							AllowedCves: pulumi.StringArray{
								pulumi.String("string"),
							},
							BlockedCves: pulumi.StringArray{
								pulumi.String("string"),
							},
							ContainerAnalysisVulnerabilityProjects: pulumi.StringArray{
								pulumi.String("string"),
							},
						},
					},
				},
				DisplayName: pulumi.String("string"),
				ImageAllowlist: &binaryauthorization.ImageAllowlistArgs{
					AllowPattern: pulumi.StringArray{
						pulumi.String("string"),
					},
				},
				Scope: &binaryauthorization.ScopeArgs{
					KubernetesNamespace:      pulumi.String("string"),
					KubernetesServiceAccount: pulumi.String("string"),
				},
			},
		},
		ImageAllowlist: &binaryauthorization.ImageAllowlistArgs{
			AllowPattern: pulumi.StringArray{
				pulumi.String("string"),
			},
		},
	},
	Project: pulumi.String("string"),
})

var policyResource = new Policy("policyResource", PolicyArgs.builder()
    .platformId("string")
    .policyId("string")
    .description("string")
    .gkePolicy(GkePolicyArgs.builder()
        .checkSets(CheckSetArgs.builder()
            .checks(CheckArgs.builder()
                .alwaysDeny(false)
                .displayName("string")
                .imageAllowlist(ImageAllowlistArgs.builder()
                    .allowPattern("string")
                    .build())
                .imageFreshnessCheck(ImageFreshnessCheckArgs.builder()
                    .maxUploadAgeDays(0)
                    .build())
                .simpleSigningAttestationCheck(SimpleSigningAttestationCheckArgs.builder()
                    .attestationAuthenticators(AttestationAuthenticatorArgs.builder()
                        .displayName("string")
                        .pkixPublicKeySet(PkixPublicKeySetArgs.builder()
                            .pkixPublicKeys(PkixPublicKeyArgs.builder()
                                .keyId("string")
                                .publicKeyPem("string")
                                .signatureAlgorithm("SIGNATURE_ALGORITHM_UNSPECIFIED")
                                .build())
                            .build())
                        .build())
                    .containerAnalysisAttestationProjects("string")
                    .build())
                .slsaCheck(SlsaCheckArgs.builder()
                    .rules(VerificationRuleArgs.builder()
                        .attestationSource(AttestationSourceArgs.builder()
                            .containerAnalysisAttestationProjects("string")
                            .build())
                        .configBasedBuildRequired(false)
                        .trustedBuilder("BUILDER_UNSPECIFIED")
                        .trustedSourceRepoPatterns("string")
                        .build())
                    .build())
                .trustedDirectoryCheck(TrustedDirectoryCheckArgs.builder()
                    .trustedDirPatterns("string")
                    .build())
                .vulnerabilityCheck(VulnerabilityCheckArgs.builder()
                    .maximumFixableSeverity("MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED")
                    .maximumUnfixableSeverity("MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED")
                    .allowedCves("string")
                    .blockedCves("string")
                    .containerAnalysisVulnerabilityProjects("string")
                    .build())
                .build())
            .displayName("string")
            .imageAllowlist(ImageAllowlistArgs.builder()
                .allowPattern("string")
                .build())
            .scope(ScopeArgs.builder()
                .kubernetesNamespace("string")
                .kubernetesServiceAccount("string")
                .build())
            .build())
        .imageAllowlist(ImageAllowlistArgs.builder()
            .allowPattern("string")
            .build())
        .build())
    .project("string")
    .build());

policy_resource = google_native.binaryauthorization.v1.Policy("policyResource",
    platform_id="string",
    policy_id="string",
    description="string",
    gke_policy={
        "check_sets": [{
            "checks": [{
                "always_deny": False,
                "display_name": "string",
                "image_allowlist": {
                    "allow_pattern": ["string"],
                },
                "image_freshness_check": {
                    "max_upload_age_days": 0,
                },
                "simple_signing_attestation_check": {
                    "attestation_authenticators": [{
                        "display_name": "string",
                        "pkix_public_key_set": {
                            "pkix_public_keys": [{
                                "key_id": "string",
                                "public_key_pem": "string",
                                "signature_algorithm": google_native.binaryauthorization.v1.PkixPublicKeySignatureAlgorithm.SIGNATURE_ALGORITHM_UNSPECIFIED,
                            }],
                        },
                    }],
                    "container_analysis_attestation_projects": ["string"],
                },
                "slsa_check": {
                    "rules": [{
                        "attestation_source": {
                            "container_analysis_attestation_projects": ["string"],
                        },
                        "config_based_build_required": False,
                        "trusted_builder": google_native.binaryauthorization.v1.VerificationRuleTrustedBuilder.BUILDER_UNSPECIFIED,
                        "trusted_source_repo_patterns": ["string"],
                    }],
                },
                "trusted_directory_check": {
                    "trusted_dir_patterns": ["string"],
                },
                "vulnerability_check": {
                    "maximum_fixable_severity": google_native.binaryauthorization.v1.VulnerabilityCheckMaximumFixableSeverity.MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED,
                    "maximum_unfixable_severity": google_native.binaryauthorization.v1.VulnerabilityCheckMaximumUnfixableSeverity.MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED,
                    "allowed_cves": ["string"],
                    "blocked_cves": ["string"],
                    "container_analysis_vulnerability_projects": ["string"],
                },
            }],
            "display_name": "string",
            "image_allowlist": {
                "allow_pattern": ["string"],
            },
            "scope": {
                "kubernetes_namespace": "string",
                "kubernetes_service_account": "string",
            },
        }],
        "image_allowlist": {
            "allow_pattern": ["string"],
        },
    },
    project="string")

const policyResource = new google_native.binaryauthorization.v1.Policy("policyResource", {
    platformId: "string",
    policyId: "string",
    description: "string",
    gkePolicy: {
        checkSets: [{
            checks: [{
                alwaysDeny: false,
                displayName: "string",
                imageAllowlist: {
                    allowPattern: ["string"],
                },
                imageFreshnessCheck: {
                    maxUploadAgeDays: 0,
                },
                simpleSigningAttestationCheck: {
                    attestationAuthenticators: [{
                        displayName: "string",
                        pkixPublicKeySet: {
                            pkixPublicKeys: [{
                                keyId: "string",
                                publicKeyPem: "string",
                                signatureAlgorithm: google_native.binaryauthorization.v1.PkixPublicKeySignatureAlgorithm.SignatureAlgorithmUnspecified,
                            }],
                        },
                    }],
                    containerAnalysisAttestationProjects: ["string"],
                },
                slsaCheck: {
                    rules: [{
                        attestationSource: {
                            containerAnalysisAttestationProjects: ["string"],
                        },
                        configBasedBuildRequired: false,
                        trustedBuilder: google_native.binaryauthorization.v1.VerificationRuleTrustedBuilder.BuilderUnspecified,
                        trustedSourceRepoPatterns: ["string"],
                    }],
                },
                trustedDirectoryCheck: {
                    trustedDirPatterns: ["string"],
                },
                vulnerabilityCheck: {
                    maximumFixableSeverity: google_native.binaryauthorization.v1.VulnerabilityCheckMaximumFixableSeverity.MaximumAllowedSeverityUnspecified,
                    maximumUnfixableSeverity: google_native.binaryauthorization.v1.VulnerabilityCheckMaximumUnfixableSeverity.MaximumAllowedSeverityUnspecified,
                    allowedCves: ["string"],
                    blockedCves: ["string"],
                    containerAnalysisVulnerabilityProjects: ["string"],
                },
            }],
            displayName: "string",
            imageAllowlist: {
                allowPattern: ["string"],
            },
            scope: {
                kubernetesNamespace: "string",
                kubernetesServiceAccount: "string",
            },
        }],
        imageAllowlist: {
            allowPattern: ["string"],
        },
    },
    project: "string",
});

type: google-native:binaryauthorization/v1:Policy
properties:
    description: string
    gkePolicy:
        checkSets:
            - checks:
                - alwaysDeny: false
                  displayName: string
                  imageAllowlist:
                    allowPattern:
                        - string
                  imageFreshnessCheck:
                    maxUploadAgeDays: 0
                  simpleSigningAttestationCheck:
                    attestationAuthenticators:
                        - displayName: string
                          pkixPublicKeySet:
                            pkixPublicKeys:
                                - keyId: string
                                  publicKeyPem: string
                                  signatureAlgorithm: SIGNATURE_ALGORITHM_UNSPECIFIED
                    containerAnalysisAttestationProjects:
                        - string
                  slsaCheck:
                    rules:
                        - attestationSource:
                            containerAnalysisAttestationProjects:
                                - string
                          configBasedBuildRequired: false
                          trustedBuilder: BUILDER_UNSPECIFIED
                          trustedSourceRepoPatterns:
                            - string
                  trustedDirectoryCheck:
                    trustedDirPatterns:
                        - string
                  vulnerabilityCheck:
                    allowedCves:
                        - string
                    blockedCves:
                        - string
                    containerAnalysisVulnerabilityProjects:
                        - string
                    maximumFixableSeverity: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED
                    maximumUnfixableSeverity: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED
              displayName: string
              imageAllowlist:
                allowPattern:
                    - string
              scope:
                kubernetesNamespace: string
                kubernetesServiceAccount: string
        imageAllowlist:
            allowPattern:
                - string
    platformId: string
    policyId: string
    project: string

Policy Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Policy resource accepts the following input properties:

PlatformId string
PolicyId string: Required. The platform policy ID.
Description string: Optional. A description comment about the policy.
GkePolicy Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.GkePolicy: Optional. GKE platform-specific policy.
Project string

PlatformId string
PolicyId string: Required. The platform policy ID.
Description string: Optional. A description comment about the policy.
GkePolicy GkePolicyArgs: Optional. GKE platform-specific policy.
Project string

platformId String
policyId String: Required. The platform policy ID.
description String: Optional. A description comment about the policy.
gkePolicy GkePolicy: Optional. GKE platform-specific policy.
project String

platformId string
policyId string: Required. The platform policy ID.
description string: Optional. A description comment about the policy.
gkePolicy GkePolicy: Optional. GKE platform-specific policy.
project string

platform_id str
policy_id str: Required. The platform policy ID.
description str: Optional. A description comment about the policy.
gke_policy GkePolicyArgs: Optional. GKE platform-specific policy.
project str

platformId String
policyId String: Required. The platform policy ID.
description String: Optional. A description comment about the policy.
gkePolicy Property Map: Optional. GKE platform-specific policy.
project String

Outputs

All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

Id string: The provider-assigned unique ID for this managed resource.
Name string: The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
UpdateTime string: Time when the policy was last updated.

Id string: The provider-assigned unique ID for this managed resource.
Name string: The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
UpdateTime string: Time when the policy was last updated.

id String: The provider-assigned unique ID for this managed resource.
name String: The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
updateTime String: Time when the policy was last updated.

id string: The provider-assigned unique ID for this managed resource.
name string: The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
updateTime string: Time when the policy was last updated.

id str: The provider-assigned unique ID for this managed resource.
name str: The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
update_time str: Time when the policy was last updated.

id String: The provider-assigned unique ID for this managed resource.
name String: The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
updateTime String: Time when the policy was last updated.

Supporting Types

AttestationAuthenticator
, AttestationAuthenticatorArgs

DisplayName string: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
PkixPublicKeySet Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySet: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

DisplayName string: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
PkixPublicKeySet PkixPublicKeySet: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

displayName String: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
pkixPublicKeySet PkixPublicKeySet: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

displayName string: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
pkixPublicKeySet PkixPublicKeySet: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

display_name str: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
pkix_public_key_set PkixPublicKeySet: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

displayName String: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
pkixPublicKeySet Property Map: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

AttestationAuthenticatorResponse
, AttestationAuthenticatorResponseArgs

DisplayName string: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
PkixPublicKeySet Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySetResponse: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

DisplayName string: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
PkixPublicKeySet PkixPublicKeySetResponse: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

displayName String: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
pkixPublicKeySet PkixPublicKeySetResponse: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

displayName string: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
pkixPublicKeySet PkixPublicKeySetResponse: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

display_name str: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
pkix_public_key_set PkixPublicKeySetResponse: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

displayName String: Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
pkixPublicKeySet Property Map: Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

AttestationSource
, AttestationSourceArgs

ContainerAnalysisAttestationProjects List<string>: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

ContainerAnalysisAttestationProjects []string: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

containerAnalysisAttestationProjects List<String>: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

containerAnalysisAttestationProjects string[]: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

container_analysis_attestation_projects Sequence[str]: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

containerAnalysisAttestationProjects List<String>: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

AttestationSourceResponse
, AttestationSourceResponseArgs

ContainerAnalysisAttestationProjects List<string>: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

ContainerAnalysisAttestationProjects []string: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

containerAnalysisAttestationProjects List<String>: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

containerAnalysisAttestationProjects string[]: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

container_analysis_attestation_projects Sequence[str]: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

containerAnalysisAttestationProjects List<String>: The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

Check
, CheckArgs

AlwaysDeny bool: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
DisplayName string: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlist: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
ImageFreshnessCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageFreshnessCheck: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
SimpleSigningAttestationCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SimpleSigningAttestationCheck: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
SlsaCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SlsaCheck: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
TrustedDirectoryCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.TrustedDirectoryCheck: Optional. Require that an image lives in a trusted directory.
VulnerabilityCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VulnerabilityCheck: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

AlwaysDeny bool: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
DisplayName string: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
ImageAllowlist ImageAllowlist: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
ImageFreshnessCheck ImageFreshnessCheck: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
SimpleSigningAttestationCheck SimpleSigningAttestationCheck: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
SlsaCheck SlsaCheck: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
TrustedDirectoryCheck TrustedDirectoryCheck: Optional. Require that an image lives in a trusted directory.
VulnerabilityCheck VulnerabilityCheck: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

alwaysDeny Boolean: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
displayName String: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist ImageAllowlist: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
imageFreshnessCheck ImageFreshnessCheck: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
simpleSigningAttestationCheck SimpleSigningAttestationCheck: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
slsaCheck SlsaCheck: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
trustedDirectoryCheck TrustedDirectoryCheck: Optional. Require that an image lives in a trusted directory.
vulnerabilityCheck VulnerabilityCheck: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

alwaysDeny boolean: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
displayName string: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist ImageAllowlist: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
imageFreshnessCheck ImageFreshnessCheck: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
simpleSigningAttestationCheck SimpleSigningAttestationCheck: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
slsaCheck SlsaCheck: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
trustedDirectoryCheck TrustedDirectoryCheck: Optional. Require that an image lives in a trusted directory.
vulnerabilityCheck VulnerabilityCheck: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

always_deny bool: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
display_name str: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
image_allowlist ImageAllowlist: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
image_freshness_check ImageFreshnessCheck: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
simple_signing_attestation_check SimpleSigningAttestationCheck: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
slsa_check SlsaCheck: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
trusted_directory_check TrustedDirectoryCheck: Optional. Require that an image lives in a trusted directory.
vulnerability_check VulnerabilityCheck: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

alwaysDeny Boolean: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
displayName String: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist Property Map: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
imageFreshnessCheck Property Map: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
simpleSigningAttestationCheck Property Map: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
slsaCheck Property Map: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
trustedDirectoryCheck Property Map: Optional. Require that an image lives in a trusted directory.
vulnerabilityCheck Property Map: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

CheckResponse
, CheckResponseArgs

AlwaysDeny bool: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
DisplayName string: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
ImageFreshnessCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageFreshnessCheckResponse: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
SimpleSigningAttestationCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SimpleSigningAttestationCheckResponse: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
SlsaCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SlsaCheckResponse: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
TrustedDirectoryCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.TrustedDirectoryCheckResponse: Optional. Require that an image lives in a trusted directory.
VulnerabilityCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VulnerabilityCheckResponse: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

AlwaysDeny bool: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
DisplayName string: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
ImageAllowlist ImageAllowlistResponse: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
ImageFreshnessCheck ImageFreshnessCheckResponse: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
SimpleSigningAttestationCheck SimpleSigningAttestationCheckResponse: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
SlsaCheck SlsaCheckResponse: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
TrustedDirectoryCheck TrustedDirectoryCheckResponse: Optional. Require that an image lives in a trusted directory.
VulnerabilityCheck VulnerabilityCheckResponse: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

alwaysDeny Boolean: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
displayName String: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist ImageAllowlistResponse: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
imageFreshnessCheck ImageFreshnessCheckResponse: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
simpleSigningAttestationCheck SimpleSigningAttestationCheckResponse: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
slsaCheck SlsaCheckResponse: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
trustedDirectoryCheck TrustedDirectoryCheckResponse: Optional. Require that an image lives in a trusted directory.
vulnerabilityCheck VulnerabilityCheckResponse: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

alwaysDeny boolean: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
displayName string: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist ImageAllowlistResponse: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
imageFreshnessCheck ImageFreshnessCheckResponse: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
simpleSigningAttestationCheck SimpleSigningAttestationCheckResponse: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
slsaCheck SlsaCheckResponse: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
trustedDirectoryCheck TrustedDirectoryCheckResponse: Optional. Require that an image lives in a trusted directory.
vulnerabilityCheck VulnerabilityCheckResponse: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

always_deny bool: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
display_name str: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
image_allowlist ImageAllowlistResponse: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
image_freshness_check ImageFreshnessCheckResponse: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
simple_signing_attestation_check SimpleSigningAttestationCheckResponse: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
slsa_check SlsaCheckResponse: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
trusted_directory_check TrustedDirectoryCheckResponse: Optional. Require that an image lives in a trusted directory.
vulnerability_check VulnerabilityCheckResponse: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

alwaysDeny Boolean: Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
displayName String: Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist Property Map: Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
imageFreshnessCheck Property Map: Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
simpleSigningAttestationCheck Property Map: Optional. Require a SimpleSigning-type attestation for every image in the deployment.
slsaCheck Property Map: Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
trustedDirectoryCheck Property Map: Optional. Require that an image lives in a trusted directory.
vulnerabilityCheck Property Map: Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

CheckSet
, CheckSetArgs

Checks List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.Check>: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
DisplayName string: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlist: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
Scope Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.Scope: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

Checks []Check: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
DisplayName string: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
ImageAllowlist ImageAllowlist: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
Scope Scope: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

checks List<Check>: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
displayName String: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist ImageAllowlist: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
scope Scope: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

checks Check[]: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
displayName string: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist ImageAllowlist: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
scope Scope: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

checks Sequence[Check]: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
display_name str: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
image_allowlist ImageAllowlist: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
scope Scope: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

checks List<Property Map>: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
displayName String: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist Property Map: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
scope Property Map: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

CheckSetResponse
, CheckSetResponseArgs

Checks List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckResponse>: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
DisplayName string: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
Scope Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ScopeResponse: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

Checks []CheckResponse: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
DisplayName string: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
ImageAllowlist ImageAllowlistResponse: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
Scope ScopeResponse: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

checks List<CheckResponse>: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
displayName String: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist ImageAllowlistResponse: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
scope ScopeResponse: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

checks CheckResponse[]: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
displayName string: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist ImageAllowlistResponse: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
scope ScopeResponse: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

checks Sequence[CheckResponse]: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
display_name str: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
image_allowlist ImageAllowlistResponse: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
scope ScopeResponse: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

checks List<Property Map>: Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
displayName String: Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
imageAllowlist Property Map: Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
scope Property Map: Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

GkePolicy
, GkePolicyArgs

CheckSets List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckSet>: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlist: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

CheckSets []CheckSet: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
ImageAllowlist ImageAllowlist: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

checkSets List<CheckSet>: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
imageAllowlist ImageAllowlist: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

checkSets CheckSet[]: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
imageAllowlist ImageAllowlist: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

check_sets Sequence[CheckSet]: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
image_allowlist ImageAllowlist: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

checkSets List<Property Map>: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
imageAllowlist Property Map: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

GkePolicyResponse
, GkePolicyResponseArgs

CheckSets List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckSetResponse>: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

CheckSets []CheckSetResponse: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
ImageAllowlist ImageAllowlistResponse: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

checkSets List<CheckSetResponse>: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
imageAllowlist ImageAllowlistResponse: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

checkSets CheckSetResponse[]: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
imageAllowlist ImageAllowlistResponse: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

check_sets Sequence[CheckSetResponse]: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
image_allowlist ImageAllowlistResponse: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

checkSets List<Property Map>: Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
imageAllowlist Property Map: Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

ImageAllowlist
, ImageAllowlistArgs

AllowPattern List<string>: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

AllowPattern []string: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

allowPattern List<String>: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

allowPattern string[]: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

allow_pattern Sequence[str]: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

allowPattern List<String>: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

ImageAllowlistResponse
, ImageAllowlistResponseArgs

AllowPattern List<string>: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

AllowPattern []string: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

allowPattern List<String>: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

allowPattern string[]: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

allow_pattern Sequence[str]: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

allowPattern List<String>: A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

ImageFreshnessCheck
, ImageFreshnessCheckArgs

MaxUploadAgeDays int: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

MaxUploadAgeDays int: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

maxUploadAgeDays Integer: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

maxUploadAgeDays number: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

max_upload_age_days int: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

maxUploadAgeDays Number: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

ImageFreshnessCheckResponse
, ImageFreshnessCheckResponseArgs

MaxUploadAgeDays int: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

MaxUploadAgeDays int: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

maxUploadAgeDays Integer: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

maxUploadAgeDays number: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

max_upload_age_days int: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

maxUploadAgeDays Number: The max number of days that is allowed since the image was uploaded. Must be greater than zero.

PkixPublicKey
, PkixPublicKeyArgs

KeyId string: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
PublicKeyPem string: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
SignatureAlgorithm Pulumi.GoogleNative.BinaryAuthorization.V1.PkixPublicKeySignatureAlgorithm: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

KeyId string: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
PublicKeyPem string: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
SignatureAlgorithm PkixPublicKeySignatureAlgorithm: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

keyId String: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
publicKeyPem String: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signatureAlgorithm PkixPublicKeySignatureAlgorithm: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

keyId string: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
publicKeyPem string: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signatureAlgorithm PkixPublicKeySignatureAlgorithm: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

key_id str: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
public_key_pem str: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signature_algorithm PkixPublicKeySignatureAlgorithm: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

keyId String: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
publicKeyPem String: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signatureAlgorithm "SIGNATURE_ALGORITHM_UNSPECIFIED" | "RSA_PSS_2048_SHA256" | "RSA_SIGN_PSS_2048_SHA256" | "RSA_PSS_3072_SHA256" | "RSA_SIGN_PSS_3072_SHA256" | "RSA_PSS_4096_SHA256" | "RSA_SIGN_PSS_4096_SHA256" | "RSA_PSS_4096_SHA512" | "RSA_SIGN_PSS_4096_SHA512" | "RSA_SIGN_PKCS1_2048_SHA256" | "RSA_SIGN_PKCS1_3072_SHA256" | "RSA_SIGN_PKCS1_4096_SHA256" | "RSA_SIGN_PKCS1_4096_SHA512" | "ECDSA_P256_SHA256" | "EC_SIGN_P256_SHA256" | "ECDSA_P384_SHA384" | "EC_SIGN_P384_SHA384" | "ECDSA_P521_SHA512" | "EC_SIGN_P521_SHA512": The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

PkixPublicKeyResponse
, PkixPublicKeyResponseArgs

KeyId string: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
PublicKeyPem string: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
SignatureAlgorithm string: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

KeyId string: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
PublicKeyPem string: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
SignatureAlgorithm string: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

keyId String: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
publicKeyPem String: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signatureAlgorithm String: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

keyId string: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
publicKeyPem string: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signatureAlgorithm string: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

key_id str: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
public_key_pem str: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signature_algorithm str: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

keyId String: Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
publicKeyPem String: A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
signatureAlgorithm String: The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

PkixPublicKeySet
, PkixPublicKeySetArgs

PkixPublicKeys List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKey>: pkix_public_keys must have at least one entry.

PkixPublicKeys []PkixPublicKey: pkix_public_keys must have at least one entry.

pkixPublicKeys List<PkixPublicKey>: pkix_public_keys must have at least one entry.

pkixPublicKeys PkixPublicKey[]: pkix_public_keys must have at least one entry.

pkix_public_keys Sequence[PkixPublicKey]: pkix_public_keys must have at least one entry.

pkixPublicKeys List<Property Map>: pkix_public_keys must have at least one entry.

PkixPublicKeySetResponse
, PkixPublicKeySetResponseArgs

PkixPublicKeys List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeyResponse>: pkix_public_keys must have at least one entry.

PkixPublicKeys []PkixPublicKeyResponse: pkix_public_keys must have at least one entry.

pkixPublicKeys List<PkixPublicKeyResponse>: pkix_public_keys must have at least one entry.

pkixPublicKeys PkixPublicKeyResponse[]: pkix_public_keys must have at least one entry.

pkix_public_keys Sequence[PkixPublicKeyResponse]: pkix_public_keys must have at least one entry.

pkixPublicKeys List<Property Map>: pkix_public_keys must have at least one entry.

PkixPublicKeySignatureAlgorithm
, PkixPublicKeySignatureAlgorithmArgs

SignatureAlgorithmUnspecified: SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
RsaPss2048Sha256: RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RsaSignPss2048Sha256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RsaPss3072Sha256: RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RsaSignPss3072Sha256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RsaPss4096Sha256: RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RsaSignPss4096Sha256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RsaPss4096Sha512: RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RsaSignPss4096Sha512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RsaSignPkcs12048Sha256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RsaSignPkcs13072Sha256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RsaSignPkcs14096Sha256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RsaSignPkcs14096Sha512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
EcdsaP256Sha256: ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
EcSignP256Sha256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
EcdsaP384Sha384: ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
EcSignP384Sha384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
EcdsaP521Sha512: ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
EcSignP521Sha512: EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.

PkixPublicKeySignatureAlgorithmSignatureAlgorithmUnspecified: SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
PkixPublicKeySignatureAlgorithmRsaPss2048Sha256: RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
PkixPublicKeySignatureAlgorithmRsaSignPss2048Sha256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
PkixPublicKeySignatureAlgorithmRsaPss3072Sha256: RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
PkixPublicKeySignatureAlgorithmRsaSignPss3072Sha256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
PkixPublicKeySignatureAlgorithmRsaPss4096Sha256: RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
PkixPublicKeySignatureAlgorithmRsaSignPss4096Sha256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
PkixPublicKeySignatureAlgorithmRsaPss4096Sha512: RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
PkixPublicKeySignatureAlgorithmRsaSignPss4096Sha512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
PkixPublicKeySignatureAlgorithmRsaSignPkcs12048Sha256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
PkixPublicKeySignatureAlgorithmRsaSignPkcs13072Sha256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
PkixPublicKeySignatureAlgorithmRsaSignPkcs14096Sha256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
PkixPublicKeySignatureAlgorithmRsaSignPkcs14096Sha512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
PkixPublicKeySignatureAlgorithmEcdsaP256Sha256: ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
PkixPublicKeySignatureAlgorithmEcSignP256Sha256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
PkixPublicKeySignatureAlgorithmEcdsaP384Sha384: ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
PkixPublicKeySignatureAlgorithmEcSignP384Sha384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
PkixPublicKeySignatureAlgorithmEcdsaP521Sha512: ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
PkixPublicKeySignatureAlgorithmEcSignP521Sha512: EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.

SignatureAlgorithmUnspecified: SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
RsaPss2048Sha256: RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RsaSignPss2048Sha256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RsaPss3072Sha256: RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RsaSignPss3072Sha256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RsaPss4096Sha256: RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RsaSignPss4096Sha256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RsaPss4096Sha512: RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RsaSignPss4096Sha512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RsaSignPkcs12048Sha256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RsaSignPkcs13072Sha256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RsaSignPkcs14096Sha256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RsaSignPkcs14096Sha512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
EcdsaP256Sha256: ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
EcSignP256Sha256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
EcdsaP384Sha384: ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
EcSignP384Sha384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
EcdsaP521Sha512: ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
EcSignP521Sha512: EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.

SignatureAlgorithmUnspecified: SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
RsaPss2048Sha256: RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RsaSignPss2048Sha256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RsaPss3072Sha256: RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RsaSignPss3072Sha256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RsaPss4096Sha256: RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RsaSignPss4096Sha256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RsaPss4096Sha512: RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RsaSignPss4096Sha512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RsaSignPkcs12048Sha256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RsaSignPkcs13072Sha256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RsaSignPkcs14096Sha256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RsaSignPkcs14096Sha512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
EcdsaP256Sha256: ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
EcSignP256Sha256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
EcdsaP384Sha384: ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
EcSignP384Sha384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
EcdsaP521Sha512: ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
EcSignP521Sha512: EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.

SIGNATURE_ALGORITHM_UNSPECIFIED: SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
RSA_PSS2048_SHA256: RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_SIGN_PSS2048_SHA256: RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
RSA_PSS3072_SHA256: RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_SIGN_PSS3072_SHA256: RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
RSA_PSS4096_SHA256: RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_SIGN_PSS4096_SHA256: RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
RSA_PSS4096_SHA512: RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PSS4096_SHA512: RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
RSA_SIGN_PKCS12048_SHA256: RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
RSA_SIGN_PKCS13072_SHA256: RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
RSA_SIGN_PKCS14096_SHA256: RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
RSA_SIGN_PKCS14096_SHA512: RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
ECDSA_P256_SHA256: ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
EC_SIGN_P256_SHA256: EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
ECDSA_P384_SHA384: ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
EC_SIGN_P384_SHA384: EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
ECDSA_P521_SHA512: ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
EC_SIGN_P521_SHA512: EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.

"SIGNATURE_ALGORITHM_UNSPECIFIED": SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
"RSA_PSS_2048_SHA256": RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
"RSA_SIGN_PSS_2048_SHA256": RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
"RSA_PSS_3072_SHA256": RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
"RSA_SIGN_PSS_3072_SHA256": RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
"RSA_PSS_4096_SHA256": RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
"RSA_SIGN_PSS_4096_SHA256": RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
"RSA_PSS_4096_SHA512": RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
"RSA_SIGN_PSS_4096_SHA512": RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
"RSA_SIGN_PKCS1_2048_SHA256": RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
"RSA_SIGN_PKCS1_3072_SHA256": RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
"RSA_SIGN_PKCS1_4096_SHA256": RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
"RSA_SIGN_PKCS1_4096_SHA512": RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
"ECDSA_P256_SHA256": ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
"EC_SIGN_P256_SHA256": EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
"ECDSA_P384_SHA384": ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
"EC_SIGN_P384_SHA384": EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
"ECDSA_P521_SHA512": ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
"EC_SIGN_P521_SHA512": EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.

Scope
, ScopeArgs

KubernetesNamespace string: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
KubernetesServiceAccount string: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

KubernetesNamespace string: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
KubernetesServiceAccount string: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

kubernetesNamespace String: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
kubernetesServiceAccount String: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

kubernetesNamespace string: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
kubernetesServiceAccount string: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

kubernetes_namespace str: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
kubernetes_service_account str: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

kubernetesNamespace String: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
kubernetesServiceAccount String: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

ScopeResponse
, ScopeResponseArgs

KubernetesNamespace string: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
KubernetesServiceAccount string: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

KubernetesNamespace string: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
KubernetesServiceAccount string: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

kubernetesNamespace String: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
kubernetesServiceAccount String: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

kubernetesNamespace string: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
kubernetesServiceAccount string: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

kubernetes_namespace str: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
kubernetes_service_account str: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

kubernetesNamespace String: Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
kubernetesServiceAccount String: Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

SimpleSigningAttestationCheck
, SimpleSigningAttestationCheckArgs

AttestationAuthenticators List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticator>: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
ContainerAnalysisAttestationProjects List<string>: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

AttestationAuthenticators []AttestationAuthenticator: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
ContainerAnalysisAttestationProjects []string: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

attestationAuthenticators List<AttestationAuthenticator>: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
containerAnalysisAttestationProjects List<String>: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

attestationAuthenticators AttestationAuthenticator[]: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
containerAnalysisAttestationProjects string[]: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

attestation_authenticators Sequence[AttestationAuthenticator]: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
container_analysis_attestation_projects Sequence[str]: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

attestationAuthenticators List<Property Map>: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
containerAnalysisAttestationProjects List<String>: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

SimpleSigningAttestationCheckResponse
, SimpleSigningAttestationCheckResponseArgs

AttestationAuthenticators List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticatorResponse>: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
ContainerAnalysisAttestationProjects List<string>: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

AttestationAuthenticators []AttestationAuthenticatorResponse: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
ContainerAnalysisAttestationProjects []string: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

attestationAuthenticators List<AttestationAuthenticatorResponse>: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
containerAnalysisAttestationProjects List<String>: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

attestationAuthenticators AttestationAuthenticatorResponse[]: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
containerAnalysisAttestationProjects string[]: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

attestation_authenticators Sequence[AttestationAuthenticatorResponse]: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
container_analysis_attestation_projects Sequence[str]: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

attestationAuthenticators List<Property Map>: The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
containerAnalysisAttestationProjects List<String>: Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

SlsaCheck
, SlsaCheckArgs

Rules List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRule>: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

Rules []VerificationRule: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

rules List<VerificationRule>: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

rules VerificationRule[]: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

rules Sequence[VerificationRule]: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

rules List<Property Map>: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

SlsaCheckResponse
, SlsaCheckResponseArgs

Rules List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRuleResponse>: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

Rules []VerificationRuleResponse: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

rules List<VerificationRuleResponse>: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

rules VerificationRuleResponse[]: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

rules Sequence[VerificationRuleResponse]: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

rules List<Property Map>: Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

TrustedDirectoryCheck
, TrustedDirectoryCheckArgs

TrustedDirPatterns List<string>: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

TrustedDirPatterns []string: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

trustedDirPatterns List<String>: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

trustedDirPatterns string[]: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

trusted_dir_patterns Sequence[str]: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

trustedDirPatterns List<String>: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

TrustedDirectoryCheckResponse
, TrustedDirectoryCheckResponseArgs

TrustedDirPatterns List<string>: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

TrustedDirPatterns []string: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

trustedDirPatterns List<String>: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

trustedDirPatterns string[]: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

trusted_dir_patterns Sequence[str]: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

trustedDirPatterns List<String>: List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

VerificationRule
, VerificationRuleArgs

AttestationSource Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSource: Specifies where to fetch the provenances attestations generated by the builder (group).
ConfigBasedBuildRequired bool: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
TrustedBuilder Pulumi.GoogleNative.BinaryAuthorization.V1.VerificationRuleTrustedBuilder: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
TrustedSourceRepoPatterns List<string>: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

AttestationSource AttestationSource: Specifies where to fetch the provenances attestations generated by the builder (group).
ConfigBasedBuildRequired bool: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
TrustedBuilder VerificationRuleTrustedBuilder: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
TrustedSourceRepoPatterns []string: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

attestationSource AttestationSource: Specifies where to fetch the provenances attestations generated by the builder (group).
configBasedBuildRequired Boolean: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
trustedBuilder VerificationRuleTrustedBuilder: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
trustedSourceRepoPatterns List<String>: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

attestationSource AttestationSource: Specifies where to fetch the provenances attestations generated by the builder (group).
configBasedBuildRequired boolean: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
trustedBuilder VerificationRuleTrustedBuilder: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
trustedSourceRepoPatterns string[]: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

attestation_source AttestationSource: Specifies where to fetch the provenances attestations generated by the builder (group).
config_based_build_required bool: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
trusted_builder VerificationRuleTrustedBuilder: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
trusted_source_repo_patterns Sequence[str]: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

attestationSource Property Map: Specifies where to fetch the provenances attestations generated by the builder (group).
configBasedBuildRequired Boolean: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
trustedBuilder "BUILDER_UNSPECIFIED" | "GOOGLE_CLOUD_BUILD": Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
trustedSourceRepoPatterns List<String>: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

VerificationRuleResponse
, VerificationRuleResponseArgs

AttestationSource Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSourceResponse: Specifies where to fetch the provenances attestations generated by the builder (group).
ConfigBasedBuildRequired bool: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
TrustedBuilder string: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
TrustedSourceRepoPatterns List<string>: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

AttestationSource AttestationSourceResponse: Specifies where to fetch the provenances attestations generated by the builder (group).
ConfigBasedBuildRequired bool: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
TrustedBuilder string: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
TrustedSourceRepoPatterns []string: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

attestationSource AttestationSourceResponse: Specifies where to fetch the provenances attestations generated by the builder (group).
configBasedBuildRequired Boolean: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
trustedBuilder String: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
trustedSourceRepoPatterns List<String>: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

attestationSource AttestationSourceResponse: Specifies where to fetch the provenances attestations generated by the builder (group).
configBasedBuildRequired boolean: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
trustedBuilder string: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
trustedSourceRepoPatterns string[]: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

attestation_source AttestationSourceResponse: Specifies where to fetch the provenances attestations generated by the builder (group).
config_based_build_required bool: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
trusted_builder str: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
trusted_source_repo_patterns Sequence[str]: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

attestationSource Property Map: Specifies where to fetch the provenances attestations generated by the builder (group).
configBasedBuildRequired Boolean: If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
trustedBuilder String: Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
trustedSourceRepoPatterns List<String>: List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

VerificationRuleTrustedBuilder
, VerificationRuleTrustedBuilderArgs

BuilderUnspecified: BUILDER_UNSPECIFIEDShould never happen.
GoogleCloudBuild: GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.

VerificationRuleTrustedBuilderBuilderUnspecified: BUILDER_UNSPECIFIEDShould never happen.
VerificationRuleTrustedBuilderGoogleCloudBuild: GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.

BuilderUnspecified: BUILDER_UNSPECIFIEDShould never happen.
GoogleCloudBuild: GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.

BuilderUnspecified: BUILDER_UNSPECIFIEDShould never happen.
GoogleCloudBuild: GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.

BUILDER_UNSPECIFIED: BUILDER_UNSPECIFIEDShould never happen.
GOOGLE_CLOUD_BUILD: GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.

"BUILDER_UNSPECIFIED": BUILDER_UNSPECIFIEDShould never happen.
"GOOGLE_CLOUD_BUILD": GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.

VulnerabilityCheck
, VulnerabilityCheckArgs

MaximumFixableSeverity Pulumi.GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumFixableSeverity: The threshold for severity for which a fix is currently available. This field is required and must be set.
MaximumUnfixableSeverity Pulumi.GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumUnfixableSeverity: The threshold for severity for which a fix isn't currently available. This field is required and must be set.
AllowedCves List<string>: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
BlockedCves List<string>: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
ContainerAnalysisVulnerabilityProjects List<string>: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.

MaximumFixableSeverity VulnerabilityCheckMaximumFixableSeverity: The threshold for severity for which a fix is currently available. This field is required and must be set.
MaximumUnfixableSeverity VulnerabilityCheckMaximumUnfixableSeverity: The threshold for severity for which a fix isn't currently available. This field is required and must be set.
AllowedCves []string: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
BlockedCves []string: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
ContainerAnalysisVulnerabilityProjects []string: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.

maximumFixableSeverity VulnerabilityCheckMaximumFixableSeverity: The threshold for severity for which a fix is currently available. This field is required and must be set.
maximumUnfixableSeverity VulnerabilityCheckMaximumUnfixableSeverity: The threshold for severity for which a fix isn't currently available. This field is required and must be set.
allowedCves List<String>: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
blockedCves List<String>: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
containerAnalysisVulnerabilityProjects List<String>: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.

maximumFixableSeverity VulnerabilityCheckMaximumFixableSeverity: The threshold for severity for which a fix is currently available. This field is required and must be set.
maximumUnfixableSeverity VulnerabilityCheckMaximumUnfixableSeverity: The threshold for severity for which a fix isn't currently available. This field is required and must be set.
allowedCves string[]: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
blockedCves string[]: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
containerAnalysisVulnerabilityProjects string[]: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.

maximum_fixable_severity VulnerabilityCheckMaximumFixableSeverity: The threshold for severity for which a fix is currently available. This field is required and must be set.
maximum_unfixable_severity VulnerabilityCheckMaximumUnfixableSeverity: The threshold for severity for which a fix isn't currently available. This field is required and must be set.
allowed_cves Sequence[str]: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
blocked_cves Sequence[str]: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
container_analysis_vulnerability_projects Sequence[str]: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.

maximumFixableSeverity "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" | "BLOCK_ALL" | "MINIMAL" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" | "ALLOW_ALL": The threshold for severity for which a fix is currently available. This field is required and must be set.
maximumUnfixableSeverity "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" | "BLOCK_ALL" | "MINIMAL" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" | "ALLOW_ALL": The threshold for severity for which a fix isn't currently available. This field is required and must be set.
allowedCves List<String>: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
blockedCves List<String>: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
containerAnalysisVulnerabilityProjects List<String>: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.

VulnerabilityCheckMaximumFixableSeverity
, VulnerabilityCheckMaximumFixableSeverityArgs

MaximumAllowedSeverityUnspecified: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
BlockAll: BLOCK_ALLBlock any vulnerability.
Minimal: MINIMALAllow only minimal severity.
Low: LOWAllow only low severity and lower.
Medium: MEDIUMAllow medium severity and lower.
High: HIGHAllow high severity and lower.
Critical: CRITICALAllow critical severity and lower.
AllowAll: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

VulnerabilityCheckMaximumFixableSeverityMaximumAllowedSeverityUnspecified: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
VulnerabilityCheckMaximumFixableSeverityBlockAll: BLOCK_ALLBlock any vulnerability.
VulnerabilityCheckMaximumFixableSeverityMinimal: MINIMALAllow only minimal severity.
VulnerabilityCheckMaximumFixableSeverityLow: LOWAllow only low severity and lower.
VulnerabilityCheckMaximumFixableSeverityMedium: MEDIUMAllow medium severity and lower.
VulnerabilityCheckMaximumFixableSeverityHigh: HIGHAllow high severity and lower.
VulnerabilityCheckMaximumFixableSeverityCritical: CRITICALAllow critical severity and lower.
VulnerabilityCheckMaximumFixableSeverityAllowAll: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

MaximumAllowedSeverityUnspecified: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
BlockAll: BLOCK_ALLBlock any vulnerability.
Minimal: MINIMALAllow only minimal severity.
Low: LOWAllow only low severity and lower.
Medium: MEDIUMAllow medium severity and lower.
High: HIGHAllow high severity and lower.
Critical: CRITICALAllow critical severity and lower.
AllowAll: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

MaximumAllowedSeverityUnspecified: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
BlockAll: BLOCK_ALLBlock any vulnerability.
Minimal: MINIMALAllow only minimal severity.
Low: LOWAllow only low severity and lower.
Medium: MEDIUMAllow medium severity and lower.
High: HIGHAllow high severity and lower.
Critical: CRITICALAllow critical severity and lower.
AllowAll: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
BLOCK_ALL: BLOCK_ALLBlock any vulnerability.
MINIMAL: MINIMALAllow only minimal severity.
LOW: LOWAllow only low severity and lower.
MEDIUM: MEDIUMAllow medium severity and lower.
HIGH: HIGHAllow high severity and lower.
CRITICAL: CRITICALAllow critical severity and lower.
ALLOW_ALL: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

"MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED": MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
"BLOCK_ALL": BLOCK_ALLBlock any vulnerability.
"MINIMAL": MINIMALAllow only minimal severity.
"LOW": LOWAllow only low severity and lower.
"MEDIUM": MEDIUMAllow medium severity and lower.
"HIGH": HIGHAllow high severity and lower.
"CRITICAL": CRITICALAllow critical severity and lower.
"ALLOW_ALL": ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

VulnerabilityCheckMaximumUnfixableSeverity
, VulnerabilityCheckMaximumUnfixableSeverityArgs

MaximumAllowedSeverityUnspecified: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
BlockAll: BLOCK_ALLBlock any vulnerability.
Minimal: MINIMALAllow only minimal severity.
Low: LOWAllow only low severity and lower.
Medium: MEDIUMAllow medium severity and lower.
High: HIGHAllow high severity and lower.
Critical: CRITICALAllow critical severity and lower.
AllowAll: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

VulnerabilityCheckMaximumUnfixableSeverityMaximumAllowedSeverityUnspecified: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
VulnerabilityCheckMaximumUnfixableSeverityBlockAll: BLOCK_ALLBlock any vulnerability.
VulnerabilityCheckMaximumUnfixableSeverityMinimal: MINIMALAllow only minimal severity.
VulnerabilityCheckMaximumUnfixableSeverityLow: LOWAllow only low severity and lower.
VulnerabilityCheckMaximumUnfixableSeverityMedium: MEDIUMAllow medium severity and lower.
VulnerabilityCheckMaximumUnfixableSeverityHigh: HIGHAllow high severity and lower.
VulnerabilityCheckMaximumUnfixableSeverityCritical: CRITICALAllow critical severity and lower.
VulnerabilityCheckMaximumUnfixableSeverityAllowAll: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

MaximumAllowedSeverityUnspecified: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
BlockAll: BLOCK_ALLBlock any vulnerability.
Minimal: MINIMALAllow only minimal severity.
Low: LOWAllow only low severity and lower.
Medium: MEDIUMAllow medium severity and lower.
High: HIGHAllow high severity and lower.
Critical: CRITICALAllow critical severity and lower.
AllowAll: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

MaximumAllowedSeverityUnspecified: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
BlockAll: BLOCK_ALLBlock any vulnerability.
Minimal: MINIMALAllow only minimal severity.
Low: LOWAllow only low severity and lower.
Medium: MEDIUMAllow medium severity and lower.
High: HIGHAllow high severity and lower.
Critical: CRITICALAllow critical severity and lower.
AllowAll: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
BLOCK_ALL: BLOCK_ALLBlock any vulnerability.
MINIMAL: MINIMALAllow only minimal severity.
LOW: LOWAllow only low severity and lower.
MEDIUM: MEDIUMAllow medium severity and lower.
HIGH: HIGHAllow high severity and lower.
CRITICAL: CRITICALAllow critical severity and lower.
ALLOW_ALL: ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

"MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED": MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
"BLOCK_ALL": BLOCK_ALLBlock any vulnerability.
"MINIMAL": MINIMALAllow only minimal severity.
"LOW": LOWAllow only low severity and lower.
"MEDIUM": MEDIUMAllow medium severity and lower.
"HIGH": HIGHAllow high severity and lower.
"CRITICAL": CRITICALAllow critical severity and lower.
"ALLOW_ALL": ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

VulnerabilityCheckResponse
, VulnerabilityCheckResponseArgs

AllowedCves List<string>: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
BlockedCves List<string>: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
ContainerAnalysisVulnerabilityProjects List<string>: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
MaximumFixableSeverity string: The threshold for severity for which a fix is currently available. This field is required and must be set.
MaximumUnfixableSeverity string: The threshold for severity for which a fix isn't currently available. This field is required and must be set.

AllowedCves []string: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
BlockedCves []string: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
ContainerAnalysisVulnerabilityProjects []string: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
MaximumFixableSeverity string: The threshold for severity for which a fix is currently available. This field is required and must be set.
MaximumUnfixableSeverity string: The threshold for severity for which a fix isn't currently available. This field is required and must be set.

allowedCves List<String>: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
blockedCves List<String>: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
containerAnalysisVulnerabilityProjects List<String>: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
maximumFixableSeverity String: The threshold for severity for which a fix is currently available. This field is required and must be set.
maximumUnfixableSeverity String: The threshold for severity for which a fix isn't currently available. This field is required and must be set.

allowedCves string[]: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
blockedCves string[]: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
containerAnalysisVulnerabilityProjects string[]: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
maximumFixableSeverity string: The threshold for severity for which a fix is currently available. This field is required and must be set.
maximumUnfixableSeverity string: The threshold for severity for which a fix isn't currently available. This field is required and must be set.

allowed_cves Sequence[str]: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
blocked_cves Sequence[str]: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
container_analysis_vulnerability_projects Sequence[str]: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
maximum_fixable_severity str: The threshold for severity for which a fix is currently available. This field is required and must be set.
maximum_unfixable_severity str: The threshold for severity for which a fix isn't currently available. This field is required and must be set.

allowedCves List<String>: Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
blockedCves List<String>: Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
containerAnalysisVulnerabilityProjects List<String>: Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
maximumFixableSeverity String: The threshold for severity for which a fix is currently available. This field is required and must be set.
maximumUnfixableSeverity String: The threshold for severity for which a fix isn't currently available. This field is required and must be set.

Package Details

Repository: Google Cloud Native pulumi/pulumi-google-native
License: Apache-2.0

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

pulumi/pulumi-google-native

google-native.binaryauthorization/v1.Policy

On this page

On this page

Create Policy Resource

Constructor syntax

Parameters

Constructor example

Policy Resource Properties

Inputs

Outputs

Supporting Types

AttestationAuthenticator, AttestationAuthenticatorArgs

AttestationAuthenticatorResponse, AttestationAuthenticatorResponseArgs

AttestationSource, AttestationSourceArgs

AttestationSourceResponse, AttestationSourceResponseArgs

Check, CheckArgs

CheckResponse, CheckResponseArgs

CheckSet, CheckSetArgs

CheckSetResponse, CheckSetResponseArgs

GkePolicy, GkePolicyArgs

GkePolicyResponse, GkePolicyResponseArgs

ImageAllowlist, ImageAllowlistArgs

ImageAllowlistResponse, ImageAllowlistResponseArgs

ImageFreshnessCheck, ImageFreshnessCheckArgs

ImageFreshnessCheckResponse, ImageFreshnessCheckResponseArgs

PkixPublicKey, PkixPublicKeyArgs

PkixPublicKeyResponse, PkixPublicKeyResponseArgs

PkixPublicKeySet, PkixPublicKeySetArgs

PkixPublicKeySetResponse, PkixPublicKeySetResponseArgs

PkixPublicKeySignatureAlgorithm, PkixPublicKeySignatureAlgorithmArgs

Scope, ScopeArgs

ScopeResponse, ScopeResponseArgs

SimpleSigningAttestationCheck, SimpleSigningAttestationCheckArgs

SimpleSigningAttestationCheckResponse, SimpleSigningAttestationCheckResponseArgs

SlsaCheck, SlsaCheckArgs

SlsaCheckResponse, SlsaCheckResponseArgs

TrustedDirectoryCheck, TrustedDirectoryCheckArgs

TrustedDirectoryCheckResponse, TrustedDirectoryCheckResponseArgs

VerificationRule, VerificationRuleArgs

VerificationRuleResponse, VerificationRuleResponseArgs

VerificationRuleTrustedBuilder, VerificationRuleTrustedBuilderArgs

VulnerabilityCheck, VulnerabilityCheckArgs

VulnerabilityCheckMaximumFixableSeverity, VulnerabilityCheckMaximumFixableSeverityArgs

VulnerabilityCheckMaximumUnfixableSeverity, VulnerabilityCheckMaximumUnfixableSeverityArgs

VulnerabilityCheckResponse, VulnerabilityCheckResponseArgs

Package Details

On this page

On this page

AttestationAuthenticator
, AttestationAuthenticatorArgs

AttestationAuthenticatorResponse
, AttestationAuthenticatorResponseArgs

AttestationSource
, AttestationSourceArgs

AttestationSourceResponse
, AttestationSourceResponseArgs

Check
, CheckArgs

CheckResponse
, CheckResponseArgs

CheckSet
, CheckSetArgs

CheckSetResponse
, CheckSetResponseArgs

GkePolicy
, GkePolicyArgs

GkePolicyResponse
, GkePolicyResponseArgs

ImageAllowlist
, ImageAllowlistArgs

ImageAllowlistResponse
, ImageAllowlistResponseArgs

ImageFreshnessCheck
, ImageFreshnessCheckArgs

ImageFreshnessCheckResponse
, ImageFreshnessCheckResponseArgs

PkixPublicKey
, PkixPublicKeyArgs

PkixPublicKeyResponse
, PkixPublicKeyResponseArgs

PkixPublicKeySet
, PkixPublicKeySetArgs

PkixPublicKeySetResponse
, PkixPublicKeySetResponseArgs

PkixPublicKeySignatureAlgorithm
, PkixPublicKeySignatureAlgorithmArgs

Scope
, ScopeArgs

ScopeResponse
, ScopeResponseArgs

SimpleSigningAttestationCheck
, SimpleSigningAttestationCheckArgs

SimpleSigningAttestationCheckResponse
, SimpleSigningAttestationCheckResponseArgs

SlsaCheck
, SlsaCheckArgs

SlsaCheckResponse
, SlsaCheckResponseArgs

TrustedDirectoryCheck
, TrustedDirectoryCheckArgs

TrustedDirectoryCheckResponse
, TrustedDirectoryCheckResponseArgs

VerificationRule
, VerificationRuleArgs

VerificationRuleResponse
, VerificationRuleResponseArgs

VerificationRuleTrustedBuilder
, VerificationRuleTrustedBuilderArgs

VulnerabilityCheck
, VulnerabilityCheckArgs

VulnerabilityCheckMaximumFixableSeverity
, VulnerabilityCheckMaximumFixableSeverityArgs

VulnerabilityCheckMaximumUnfixableSeverity
, VulnerabilityCheckMaximumUnfixableSeverityArgs

VulnerabilityCheckResponse
, VulnerabilityCheckResponseArgs