binaryauthorization/v1 library

Binary Authorization API - v1

The management interface for Binary Authorization, a service that provides policy-based deployment validation and control for images deployed to Google Kubernetes Engine (GKE), Anthos Service Mesh, Anthos Clusters, and Cloud Run.

For more information, see cloud.google.com/binary-authorization/

Create an instance of BinaryAuthorizationApi to access these resources:

Classes

AdmissionRule
An admission rule specifies either that all container images used in a pod creation request must be attested to by one or more attestors, that all pod creations will be allowed, or that all pod creations will be denied.
AdmissionWhitelistPattern
An admission allowlist pattern exempts images from checks by admission rules.
AllowlistResult
Result of evaluating an image name allowlist.
AttestationAuthenticator
An attestation authenticator that will be used to verify attestations.
AttestationOccurrence
Occurrence that represents a single "attestation".
AttestationSource
Specifies the locations for fetching the provenance attestations.
Attestor
An attestor that attests to container image artifacts.
AttestorPublicKey
An attestor public key that will be used to verify attestations signed by this attestor.
BinaryAuthorizationApi
The management interface for Binary Authorization, a service that provides policy-based deployment validation and control for images deployed to Google Kubernetes Engine (GKE), Anthos Service Mesh, Anthos Clusters, and Cloud Run.
Binding
Associates members, or principals, with a role.
Check
A single check to perform against a Pod.
CheckResult
Result of evaluating one check.
CheckResults
Result of evaluating one or more checks.
CheckSet
A conjunction of policy checks, scoped to a particular namespace or Kubernetes service account.
CheckSetResult
Result of evaluating one check set.
EvaluateGkePolicyRequest
Request message for PlatformPolicyEvaluationService.EvaluateGkePolicy.
EvaluateGkePolicyResponse
Response message for PlatformPolicyEvaluationService.EvaluateGkePolicy.
EvaluationResult
Result of evaluating one check.
GkePolicy
A Binary Authorization policy for a GKE cluster.
IamPolicy
An Identity and Access Management (IAM) policy, which specifies access controls for Google Cloud resources.
ImageAllowlist
Images that are exempted from normal checks based on name pattern only.
ImageFreshnessCheck
An image freshness check, which rejects images that were uploaded to the supported repositories more than the set number of days ago.
ImageResult
Result of evaluating one image.
ListAttestorsResponse
Response message for BinauthzManagementServiceV1.ListAttestors.
ListPlatformPoliciesResponse
Response message for PlatformPolicyManagementService.ListPlatformPolicies.
PkixPublicKey
A public key in the PkixPublicKey format.
PkixPublicKeySet
A bundle of PKIX public keys, used to authenticate attestation signatures.
PlatformPolicy
A Binary Authorization platform policy for deployments on various platforms.
PodResult
Result of evaluating the whole GKE policy for one Pod.
Policy
A policy for container image binary authorization.
ProjectsAttestorsResource
ProjectsPlatformsGkePoliciesResource
ProjectsPlatformsGkeResource
ProjectsPlatformsPoliciesResource
ProjectsPlatformsResource
ProjectsPolicyResource
ProjectsResource
Scope
A scope specifier for CheckSet objects.
SetIamPolicyRequest
Request message for SetIamPolicy method.
SigstoreAuthority
A Sigstore authority, used to verify signatures that are created by Sigstore.
SigstorePublicKey
A Sigstore public key.
SigstorePublicKeySet
A bundle of Sigstore public keys, used to verify Sigstore signatures.
SigstoreSignatureCheck
A Sigstore signature check, which verifies the Sigstore signature associated with an image.
SimpleSigningAttestationCheck
Require a signed DSSE attestation with type SimpleSigning.
SlsaCheck
A SLSA provenance attestation check, which ensures that images are built by a trusted builder using source code from its trusted repositories only.
SystempolicyResource
TrustedDirectoryCheck
A trusted directory check, which rejects images that do not come from the set of user-configured trusted directories.
UserOwnedGrafeasNote
A user-owned Grafeas note references a Grafeas Attestation.Authority Note created by the user.
ValidateAttestationOccurrenceRequest
Request message for ValidationHelperV1.ValidateAttestationOccurrence.
ValidateAttestationOccurrenceResponse
Response message for ValidationHelperV1.ValidateAttestationOccurrence.
VerificationRule
Specifies verification rules for evaluating the SLSA attestations including: which builders to trust, where to fetch the SLSA attestations generated by those builders, and other builder-specific evaluation rules such as which source repositories are trusted.
VulnerabilityCheck
An image vulnerability check, which rejects images that violate the configured vulnerability rules.

Typedefs

Empty = $Empty
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs.
Expr = $Expr
Represents a textual expression in the Common Expression Language (CEL) syntax.
Jwt = $Jwt
Signature = $Signature
Verifiers (e.g. Kritis implementations) MUST verify signatures with respect to the trust anchors defined in policy (e.g. a Kritis policy).
TestIamPermissionsRequest = $TestIamPermissionsRequest00
Request message for TestIamPermissions method.
TestIamPermissionsResponse = $PermissionsResponse
Response message for TestIamPermissions method.

Exceptions / Errors

ApiRequestError
Represents a general error reported by the API endpoint.
DetailedApiRequestError
Represents a specific error reported by the API endpoint.