BinaryAuthorizationAttestor


Property Value
Google Cloud Service Name Binary Authorization
Google Cloud Service Documentation /binary-authorization/docs/
Google Cloud REST Resource Name binaryauthorization/v1/projects.attestors
Google Cloud REST Resource Documentation /binary-authorization/docs/reference/rest/v1/projects.attestors
Config Connector Resource Short Names gcpbinaryauthorizationattestor
gcpbinaryauthorizationattestors
binaryauthorizationattestor
Config Connector Service Name binaryauthorization.googleapis.com
Config Connector Resource Fully Qualified Name binaryauthorizationattestors.binaryauthorization.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No
Config Connector Default Average Reconcile Interval In Seconds 600

Custom Resource Definition Properties

Spec

Schema

description: string
projectRef:
  external: string
  name: string
  namespace: string
resourceID: string
userOwnedDrydockNote:
  noteRef:
    external: string
    name: string
    namespace: string
  publicKeys:
  - asciiArmoredPgpPublicKey: string
    comment: string
    id: string
    pkixPublicKey:
      publicKeyPem: string
      signatureAlgorithm: string
Fields

description

Optional

string

Optional. A descriptive comment. This field may be updated. The field may be displayed in chooser dialogs.

projectRef

Required

object

Immutable. The Project that this resource belongs to.

projectRef.external

Optional

string

The project for the resource Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

userOwnedDrydockNote

Optional

object

This specifies how an attestation will be read, and how it will be used during policy enforcement.

userOwnedDrydockNote.noteRef

Required*

object

Immutable.

userOwnedDrydockNote.noteRef.external

Optional

string

Required. The Drydock resource name of a Attestation. Authority Note, created by the user, in the format: `projects/*/notes/*`. This field may not be updated. An attestation by this attestor is stored as a Grafeas Attestation. Authority Occurrence that names a container image and that links to this Note. Grafeas is an external dependency. Allowed value: The Google Cloud resource name of a `ContainerAnalysisNote` resource (format: `projects/{{project}}/notes/{{name}}`).

userOwnedDrydockNote.noteRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

userOwnedDrydockNote.noteRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

userOwnedDrydockNote.publicKeys

Optional

list (object)

Optional. Public keys that verify attestations signed by this attestor. This field may be updated. If this field is non-empty, one of the specified public keys must verify that an attestation was signed by this attestor for the image specified in the admission request. If this field is empty, this attestor always returns that no valid attestations exist.

userOwnedDrydockNote.publicKeys[]

Optional

object

userOwnedDrydockNote.publicKeys[].asciiArmoredPgpPublicKey

Optional

string

ASCII-armored representation of a PGP public key, as the entire output by the command `gpg --export --armor foo@example.com` (either LF or CRLF line endings). When using this field, `id` should be left blank. The BinAuthz API handlers will calculate the ID and fill it in automatically. BinAuthz computes this ID as the OpenPGP RFC4880 V4 fingerprint, represented as upper-case hex. If `id` is provided by the caller, it will be overwritten by the API-calculated ID.

userOwnedDrydockNote.publicKeys[].comment

Optional

string

Optional. A descriptive comment. This field may be updated.

userOwnedDrydockNote.publicKeys[].id

Optional

string

The ID of this public key. Signatures verified by BinAuthz must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. Additional restrictions on this field can be imposed based on which public key type is encapsulated. See the documentation on `public_key` cases below for details.

userOwnedDrydockNote.publicKeys[].pkixPublicKey

Optional

object

A raw PKIX SubjectPublicKeyInfo format public key. NOTE: `id` may be explicitly provided by the caller when using this type of public key, but it MUST be a valid RFC3986 URI. If `id` is left blank, a default one will be computed based on the digest of the DER encoding of the public key.

userOwnedDrydockNote.publicKeys[].pkixPublicKey.publicKeyPem

Optional

string

A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13

userOwnedDrydockNote.publicKeys[].pkixPublicKey.signatureAlgorithm

Optional

string

The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in `public_key_pem` (i.e. this algorithm must match that of the public key). Possible values: SIGNATURE_ALGORITHM_UNSPECIFIED, RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256, RSA_PSS_4096_SHA512, RSA_SIGN_PKCS1_2048_SHA256, RSA_SIGN_PKCS1_3072_SHA256, RSA_SIGN_PKCS1_4096_SHA256, RSA_SIGN_PKCS1_4096_SHA512, ECDSA_P256_SHA256, EC_SIGN_P256_SHA256, ECDSA_P384_SHA384, EC_SIGN_P384_SHA384, ECDSA_P521_SHA512, EC_SIGN_P521_SHA512

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
observedGeneration: integer
updateTime: string
userOwnedDrydockNote:
  delegationServiceAccountEmail: string
Fields
conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions[]

object

conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions[].message

string

Human-readable message indicating details about last transition.

conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions[].type

string

Type is the type of the condition.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

updateTime

string

Output only. Time when the attestor was last updated.

userOwnedDrydockNote

object

userOwnedDrydockNote.delegationServiceAccountEmail

string

Output only. This field will contain the service account email address that this Attestor will use as the principal when querying Container Analysis. Attestor administrators must grant this service account the IAM role needed to read attestations from the in Container Analysis (`containeranalysis.notes.occurrences.viewer`). This email address is fixed for the lifetime of the Attestor, but callers should not make any other assumptions about the service account email; future versions may use an email based on a different naming pattern.

Sample YAML(s)

Typical Use Case

# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: binaryauthorization.cnrm.cloud.google.com/v1beta1
kind: BinaryAuthorizationAttestor
metadata:
  name: binaryauthorizationattestor-sample
spec:
  projectRef:
     # Replace ${PROJECT_ID?} with your project ID
     external: "projects/${PROJECT_ID?}"
  description: A sample binary authorization attestor.
  userOwnedDrydockNote:
    noteRef:
      name: binaryauthorizationattestor-dep
    publicKeys:
      - comment: A sample key
        pkixPublicKey:
          publicKeyPem: |
            -----BEGIN PUBLIC KEY-----
            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8qErzp1izKNonCWqj5KSqdz6g2Tf
            ZWvtX3I6huRWGD0pIMieOOUdFD/hbMH6xYx0ml2vVkUqFJzeSmQt8pbtnw==
            -----END PUBLIC KEY-----
          signatureAlgorithm: ECDSA_P256_SHA256
---
apiVersion: containeranalysis.cnrm.cloud.google.com/v1beta1
kind: ContainerAnalysisNote
metadata:
  name: binaryauthorizationattestor-dep
spec:
  package:
    name: test-package