1. Packages
  2. Google Cloud Native
  3. API Docs
  4. binaryauthorization
  5. binaryauthorization/v1
  6. Policy

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

google-native.binaryauthorization/v1.Policy

Explore with Pulumi AI

google-native logo

Google Cloud Native is in preview. Google Cloud Classic is fully supported.

Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi

    Creates a platform policy, and returns a copy of it. Returns NOT_FOUND if the project or platform doesn’t exist, INVALID_ARGUMENT if the request is malformed, ALREADY_EXISTS if the policy already exists, and INVALID_ARGUMENT if the policy contains a platform-specific policy that does not match the platform value specified in the URL. Auto-naming is currently not supported for this resource.

    Create Policy Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);
    @overload
    def Policy(resource_name: str,
               args: PolicyArgs,
               opts: Optional[ResourceOptions] = None)
    
    @overload
    def Policy(resource_name: str,
               opts: Optional[ResourceOptions] = None,
               platform_id: Optional[str] = None,
               policy_id: Optional[str] = None,
               description: Optional[str] = None,
               gke_policy: Optional[GkePolicyArgs] = None,
               project: Optional[str] = None)
    func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)
    public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
    public Policy(String name, PolicyArgs args)
    public Policy(String name, PolicyArgs args, CustomResourceOptions options)
    
    type: google-native:binaryauthorization/v1:Policy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var policyResource = new GoogleNative.BinaryAuthorization.V1.Policy("policyResource", new()
    {
        PlatformId = "string",
        PolicyId = "string",
        Description = "string",
        GkePolicy = new GoogleNative.BinaryAuthorization.V1.Inputs.GkePolicyArgs
        {
            CheckSets = new[]
            {
                new GoogleNative.BinaryAuthorization.V1.Inputs.CheckSetArgs
                {
                    Checks = new[]
                    {
                        new GoogleNative.BinaryAuthorization.V1.Inputs.CheckArgs
                        {
                            AlwaysDeny = false,
                            DisplayName = "string",
                            ImageAllowlist = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistArgs
                            {
                                AllowPattern = new[]
                                {
                                    "string",
                                },
                            },
                            ImageFreshnessCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageFreshnessCheckArgs
                            {
                                MaxUploadAgeDays = 0,
                            },
                            SimpleSigningAttestationCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.SimpleSigningAttestationCheckArgs
                            {
                                AttestationAuthenticators = new[]
                                {
                                    new GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticatorArgs
                                    {
                                        DisplayName = "string",
                                        PkixPublicKeySet = new GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySetArgs
                                        {
                                            PkixPublicKeys = new[]
                                            {
                                                new GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeyArgs
                                                {
                                                    KeyId = "string",
                                                    PublicKeyPem = "string",
                                                    SignatureAlgorithm = GoogleNative.BinaryAuthorization.V1.PkixPublicKeySignatureAlgorithm.SignatureAlgorithmUnspecified,
                                                },
                                            },
                                        },
                                    },
                                },
                                ContainerAnalysisAttestationProjects = new[]
                                {
                                    "string",
                                },
                            },
                            SlsaCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.SlsaCheckArgs
                            {
                                Rules = new[]
                                {
                                    new GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRuleArgs
                                    {
                                        AttestationSource = new GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSourceArgs
                                        {
                                            ContainerAnalysisAttestationProjects = new[]
                                            {
                                                "string",
                                            },
                                        },
                                        ConfigBasedBuildRequired = false,
                                        TrustedBuilder = GoogleNative.BinaryAuthorization.V1.VerificationRuleTrustedBuilder.BuilderUnspecified,
                                        TrustedSourceRepoPatterns = new[]
                                        {
                                            "string",
                                        },
                                    },
                                },
                            },
                            TrustedDirectoryCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.TrustedDirectoryCheckArgs
                            {
                                TrustedDirPatterns = new[]
                                {
                                    "string",
                                },
                            },
                            VulnerabilityCheck = new GoogleNative.BinaryAuthorization.V1.Inputs.VulnerabilityCheckArgs
                            {
                                MaximumFixableSeverity = GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumFixableSeverity.MaximumAllowedSeverityUnspecified,
                                MaximumUnfixableSeverity = GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumUnfixableSeverity.MaximumAllowedSeverityUnspecified,
                                AllowedCves = new[]
                                {
                                    "string",
                                },
                                BlockedCves = new[]
                                {
                                    "string",
                                },
                                ContainerAnalysisVulnerabilityProjects = new[]
                                {
                                    "string",
                                },
                            },
                        },
                    },
                    DisplayName = "string",
                    ImageAllowlist = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistArgs
                    {
                        AllowPattern = new[]
                        {
                            "string",
                        },
                    },
                    Scope = new GoogleNative.BinaryAuthorization.V1.Inputs.ScopeArgs
                    {
                        KubernetesNamespace = "string",
                        KubernetesServiceAccount = "string",
                    },
                },
            },
            ImageAllowlist = new GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistArgs
            {
                AllowPattern = new[]
                {
                    "string",
                },
            },
        },
        Project = "string",
    });
    
    example, err := binaryauthorization.NewPolicy(ctx, "policyResource", &binaryauthorization.PolicyArgs{
    PlatformId: pulumi.String("string"),
    PolicyId: pulumi.String("string"),
    Description: pulumi.String("string"),
    GkePolicy: &binaryauthorization.GkePolicyArgs{
    CheckSets: binaryauthorization.CheckSetArray{
    &binaryauthorization.CheckSetArgs{
    Checks: binaryauthorization.CheckArray{
    &binaryauthorization.CheckArgs{
    AlwaysDeny: pulumi.Bool(false),
    DisplayName: pulumi.String("string"),
    ImageAllowlist: &binaryauthorization.ImageAllowlistArgs{
    AllowPattern: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    ImageFreshnessCheck: &binaryauthorization.ImageFreshnessCheckArgs{
    MaxUploadAgeDays: pulumi.Int(0),
    },
    SimpleSigningAttestationCheck: &binaryauthorization.SimpleSigningAttestationCheckArgs{
    AttestationAuthenticators: binaryauthorization.AttestationAuthenticatorArray{
    &binaryauthorization.AttestationAuthenticatorArgs{
    DisplayName: pulumi.String("string"),
    PkixPublicKeySet: &binaryauthorization.PkixPublicKeySetArgs{
    PkixPublicKeys: binaryauthorization.PkixPublicKeyArray{
    &binaryauthorization.PkixPublicKeyArgs{
    KeyId: pulumi.String("string"),
    PublicKeyPem: pulumi.String("string"),
    SignatureAlgorithm: binaryauthorization.PkixPublicKeySignatureAlgorithmSignatureAlgorithmUnspecified,
    },
    },
    },
    },
    },
    ContainerAnalysisAttestationProjects: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    SlsaCheck: &binaryauthorization.SlsaCheckArgs{
    Rules: binaryauthorization.VerificationRuleArray{
    &binaryauthorization.VerificationRuleArgs{
    AttestationSource: &binaryauthorization.AttestationSourceArgs{
    ContainerAnalysisAttestationProjects: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    ConfigBasedBuildRequired: pulumi.Bool(false),
    TrustedBuilder: binaryauthorization.VerificationRuleTrustedBuilderBuilderUnspecified,
    TrustedSourceRepoPatterns: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    },
    },
    TrustedDirectoryCheck: &binaryauthorization.TrustedDirectoryCheckArgs{
    TrustedDirPatterns: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    VulnerabilityCheck: &binaryauthorization.VulnerabilityCheckArgs{
    MaximumFixableSeverity: binaryauthorization.VulnerabilityCheckMaximumFixableSeverityMaximumAllowedSeverityUnspecified,
    MaximumUnfixableSeverity: binaryauthorization.VulnerabilityCheckMaximumUnfixableSeverityMaximumAllowedSeverityUnspecified,
    AllowedCves: pulumi.StringArray{
    pulumi.String("string"),
    },
    BlockedCves: pulumi.StringArray{
    pulumi.String("string"),
    },
    ContainerAnalysisVulnerabilityProjects: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    },
    },
    DisplayName: pulumi.String("string"),
    ImageAllowlist: &binaryauthorization.ImageAllowlistArgs{
    AllowPattern: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    Scope: &binaryauthorization.ScopeArgs{
    KubernetesNamespace: pulumi.String("string"),
    KubernetesServiceAccount: pulumi.String("string"),
    },
    },
    },
    ImageAllowlist: &binaryauthorization.ImageAllowlistArgs{
    AllowPattern: pulumi.StringArray{
    pulumi.String("string"),
    },
    },
    },
    Project: pulumi.String("string"),
    })
    
    var policyResource = new Policy("policyResource", PolicyArgs.builder()
        .platformId("string")
        .policyId("string")
        .description("string")
        .gkePolicy(GkePolicyArgs.builder()
            .checkSets(CheckSetArgs.builder()
                .checks(CheckArgs.builder()
                    .alwaysDeny(false)
                    .displayName("string")
                    .imageAllowlist(ImageAllowlistArgs.builder()
                        .allowPattern("string")
                        .build())
                    .imageFreshnessCheck(ImageFreshnessCheckArgs.builder()
                        .maxUploadAgeDays(0)
                        .build())
                    .simpleSigningAttestationCheck(SimpleSigningAttestationCheckArgs.builder()
                        .attestationAuthenticators(AttestationAuthenticatorArgs.builder()
                            .displayName("string")
                            .pkixPublicKeySet(PkixPublicKeySetArgs.builder()
                                .pkixPublicKeys(PkixPublicKeyArgs.builder()
                                    .keyId("string")
                                    .publicKeyPem("string")
                                    .signatureAlgorithm("SIGNATURE_ALGORITHM_UNSPECIFIED")
                                    .build())
                                .build())
                            .build())
                        .containerAnalysisAttestationProjects("string")
                        .build())
                    .slsaCheck(SlsaCheckArgs.builder()
                        .rules(VerificationRuleArgs.builder()
                            .attestationSource(AttestationSourceArgs.builder()
                                .containerAnalysisAttestationProjects("string")
                                .build())
                            .configBasedBuildRequired(false)
                            .trustedBuilder("BUILDER_UNSPECIFIED")
                            .trustedSourceRepoPatterns("string")
                            .build())
                        .build())
                    .trustedDirectoryCheck(TrustedDirectoryCheckArgs.builder()
                        .trustedDirPatterns("string")
                        .build())
                    .vulnerabilityCheck(VulnerabilityCheckArgs.builder()
                        .maximumFixableSeverity("MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED")
                        .maximumUnfixableSeverity("MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED")
                        .allowedCves("string")
                        .blockedCves("string")
                        .containerAnalysisVulnerabilityProjects("string")
                        .build())
                    .build())
                .displayName("string")
                .imageAllowlist(ImageAllowlistArgs.builder()
                    .allowPattern("string")
                    .build())
                .scope(ScopeArgs.builder()
                    .kubernetesNamespace("string")
                    .kubernetesServiceAccount("string")
                    .build())
                .build())
            .imageAllowlist(ImageAllowlistArgs.builder()
                .allowPattern("string")
                .build())
            .build())
        .project("string")
        .build());
    
    policy_resource = google_native.binaryauthorization.v1.Policy("policyResource",
        platform_id="string",
        policy_id="string",
        description="string",
        gke_policy=google_native.binaryauthorization.v1.GkePolicyArgs(
            check_sets=[google_native.binaryauthorization.v1.CheckSetArgs(
                checks=[google_native.binaryauthorization.v1.CheckArgs(
                    always_deny=False,
                    display_name="string",
                    image_allowlist=google_native.binaryauthorization.v1.ImageAllowlistArgs(
                        allow_pattern=["string"],
                    ),
                    image_freshness_check=google_native.binaryauthorization.v1.ImageFreshnessCheckArgs(
                        max_upload_age_days=0,
                    ),
                    simple_signing_attestation_check=google_native.binaryauthorization.v1.SimpleSigningAttestationCheckArgs(
                        attestation_authenticators=[google_native.binaryauthorization.v1.AttestationAuthenticatorArgs(
                            display_name="string",
                            pkix_public_key_set=google_native.binaryauthorization.v1.PkixPublicKeySetArgs(
                                pkix_public_keys=[google_native.binaryauthorization.v1.PkixPublicKeyArgs(
                                    key_id="string",
                                    public_key_pem="string",
                                    signature_algorithm=google_native.binaryauthorization.v1.PkixPublicKeySignatureAlgorithm.SIGNATURE_ALGORITHM_UNSPECIFIED,
                                )],
                            ),
                        )],
                        container_analysis_attestation_projects=["string"],
                    ),
                    slsa_check=google_native.binaryauthorization.v1.SlsaCheckArgs(
                        rules=[google_native.binaryauthorization.v1.VerificationRuleArgs(
                            attestation_source=google_native.binaryauthorization.v1.AttestationSourceArgs(
                                container_analysis_attestation_projects=["string"],
                            ),
                            config_based_build_required=False,
                            trusted_builder=google_native.binaryauthorization.v1.VerificationRuleTrustedBuilder.BUILDER_UNSPECIFIED,
                            trusted_source_repo_patterns=["string"],
                        )],
                    ),
                    trusted_directory_check=google_native.binaryauthorization.v1.TrustedDirectoryCheckArgs(
                        trusted_dir_patterns=["string"],
                    ),
                    vulnerability_check=google_native.binaryauthorization.v1.VulnerabilityCheckArgs(
                        maximum_fixable_severity=google_native.binaryauthorization.v1.VulnerabilityCheckMaximumFixableSeverity.MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED,
                        maximum_unfixable_severity=google_native.binaryauthorization.v1.VulnerabilityCheckMaximumUnfixableSeverity.MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED,
                        allowed_cves=["string"],
                        blocked_cves=["string"],
                        container_analysis_vulnerability_projects=["string"],
                    ),
                )],
                display_name="string",
                image_allowlist=google_native.binaryauthorization.v1.ImageAllowlistArgs(
                    allow_pattern=["string"],
                ),
                scope=google_native.binaryauthorization.v1.ScopeArgs(
                    kubernetes_namespace="string",
                    kubernetes_service_account="string",
                ),
            )],
            image_allowlist=google_native.binaryauthorization.v1.ImageAllowlistArgs(
                allow_pattern=["string"],
            ),
        ),
        project="string")
    
    const policyResource = new google_native.binaryauthorization.v1.Policy("policyResource", {
        platformId: "string",
        policyId: "string",
        description: "string",
        gkePolicy: {
            checkSets: [{
                checks: [{
                    alwaysDeny: false,
                    displayName: "string",
                    imageAllowlist: {
                        allowPattern: ["string"],
                    },
                    imageFreshnessCheck: {
                        maxUploadAgeDays: 0,
                    },
                    simpleSigningAttestationCheck: {
                        attestationAuthenticators: [{
                            displayName: "string",
                            pkixPublicKeySet: {
                                pkixPublicKeys: [{
                                    keyId: "string",
                                    publicKeyPem: "string",
                                    signatureAlgorithm: google_native.binaryauthorization.v1.PkixPublicKeySignatureAlgorithm.SignatureAlgorithmUnspecified,
                                }],
                            },
                        }],
                        containerAnalysisAttestationProjects: ["string"],
                    },
                    slsaCheck: {
                        rules: [{
                            attestationSource: {
                                containerAnalysisAttestationProjects: ["string"],
                            },
                            configBasedBuildRequired: false,
                            trustedBuilder: google_native.binaryauthorization.v1.VerificationRuleTrustedBuilder.BuilderUnspecified,
                            trustedSourceRepoPatterns: ["string"],
                        }],
                    },
                    trustedDirectoryCheck: {
                        trustedDirPatterns: ["string"],
                    },
                    vulnerabilityCheck: {
                        maximumFixableSeverity: google_native.binaryauthorization.v1.VulnerabilityCheckMaximumFixableSeverity.MaximumAllowedSeverityUnspecified,
                        maximumUnfixableSeverity: google_native.binaryauthorization.v1.VulnerabilityCheckMaximumUnfixableSeverity.MaximumAllowedSeverityUnspecified,
                        allowedCves: ["string"],
                        blockedCves: ["string"],
                        containerAnalysisVulnerabilityProjects: ["string"],
                    },
                }],
                displayName: "string",
                imageAllowlist: {
                    allowPattern: ["string"],
                },
                scope: {
                    kubernetesNamespace: "string",
                    kubernetesServiceAccount: "string",
                },
            }],
            imageAllowlist: {
                allowPattern: ["string"],
            },
        },
        project: "string",
    });
    
    type: google-native:binaryauthorization/v1:Policy
    properties:
        description: string
        gkePolicy:
            checkSets:
                - checks:
                    - alwaysDeny: false
                      displayName: string
                      imageAllowlist:
                        allowPattern:
                            - string
                      imageFreshnessCheck:
                        maxUploadAgeDays: 0
                      simpleSigningAttestationCheck:
                        attestationAuthenticators:
                            - displayName: string
                              pkixPublicKeySet:
                                pkixPublicKeys:
                                    - keyId: string
                                      publicKeyPem: string
                                      signatureAlgorithm: SIGNATURE_ALGORITHM_UNSPECIFIED
                        containerAnalysisAttestationProjects:
                            - string
                      slsaCheck:
                        rules:
                            - attestationSource:
                                containerAnalysisAttestationProjects:
                                    - string
                              configBasedBuildRequired: false
                              trustedBuilder: BUILDER_UNSPECIFIED
                              trustedSourceRepoPatterns:
                                - string
                      trustedDirectoryCheck:
                        trustedDirPatterns:
                            - string
                      vulnerabilityCheck:
                        allowedCves:
                            - string
                        blockedCves:
                            - string
                        containerAnalysisVulnerabilityProjects:
                            - string
                        maximumFixableSeverity: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED
                        maximumUnfixableSeverity: MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED
                  displayName: string
                  imageAllowlist:
                    allowPattern:
                        - string
                  scope:
                    kubernetesNamespace: string
                    kubernetesServiceAccount: string
            imageAllowlist:
                allowPattern:
                    - string
        platformId: string
        policyId: string
        project: string
    

    Policy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Policy resource accepts the following input properties:

    PlatformId string
    PolicyId string
    Required. The platform policy ID.
    Description string
    Optional. A description comment about the policy.
    GkePolicy Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.GkePolicy
    Optional. GKE platform-specific policy.
    Project string
    PlatformId string
    PolicyId string
    Required. The platform policy ID.
    Description string
    Optional. A description comment about the policy.
    GkePolicy GkePolicyArgs
    Optional. GKE platform-specific policy.
    Project string
    platformId String
    policyId String
    Required. The platform policy ID.
    description String
    Optional. A description comment about the policy.
    gkePolicy GkePolicy
    Optional. GKE platform-specific policy.
    project String
    platformId string
    policyId string
    Required. The platform policy ID.
    description string
    Optional. A description comment about the policy.
    gkePolicy GkePolicy
    Optional. GKE platform-specific policy.
    project string
    platform_id str
    policy_id str
    Required. The platform policy ID.
    description str
    Optional. A description comment about the policy.
    gke_policy GkePolicyArgs
    Optional. GKE platform-specific policy.
    project str
    platformId String
    policyId String
    Required. The platform policy ID.
    description String
    Optional. A description comment about the policy.
    gkePolicy Property Map
    Optional. GKE platform-specific policy.
    project String

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    UpdateTime string
    Time when the policy was last updated.
    Id string
    The provider-assigned unique ID for this managed resource.
    Name string
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    UpdateTime string
    Time when the policy was last updated.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    updateTime String
    Time when the policy was last updated.
    id string
    The provider-assigned unique ID for this managed resource.
    name string
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    updateTime string
    Time when the policy was last updated.
    id str
    The provider-assigned unique ID for this managed resource.
    name str
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    update_time str
    Time when the policy was last updated.
    id String
    The provider-assigned unique ID for this managed resource.
    name String
    The relative resource name of the Binary Authorization platform policy, in the form of projects/*/platforms/*/policies/*.
    updateTime String
    Time when the policy was last updated.

    Supporting Types

    AttestationAuthenticator, AttestationAuthenticatorArgs

    DisplayName string
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    PkixPublicKeySet Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySet
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    DisplayName string
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    PkixPublicKeySet PkixPublicKeySet
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    displayName String
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkixPublicKeySet PkixPublicKeySet
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    displayName string
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkixPublicKeySet PkixPublicKeySet
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    display_name str
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkix_public_key_set PkixPublicKeySet
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    displayName String
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkixPublicKeySet Property Map
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

    AttestationAuthenticatorResponse, AttestationAuthenticatorResponseArgs

    DisplayName string
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    PkixPublicKeySet Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    DisplayName string
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    PkixPublicKeySet PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    displayName String
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkixPublicKeySet PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    displayName string
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkixPublicKeySet PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    display_name str
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkix_public_key_set PkixPublicKeySetResponse
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).
    displayName String
    Optional. A user-provided name for this AttestationAuthenticator. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    pkixPublicKeySet Property Map
    Optional. A set of raw PKIX SubjectPublicKeyInfo format public keys. If any public key in the set validates the attestation signature, then the signature is considered authenticated (i.e. any one key is sufficient to authenticate).

    AttestationSource, AttestationSourceArgs

    ContainerAnalysisAttestationProjects List<string>
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    ContainerAnalysisAttestationProjects []string
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    containerAnalysisAttestationProjects List<String>
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    containerAnalysisAttestationProjects string[]
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    container_analysis_attestation_projects Sequence[str]
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    containerAnalysisAttestationProjects List<String>
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

    AttestationSourceResponse, AttestationSourceResponseArgs

    ContainerAnalysisAttestationProjects List<string>
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    ContainerAnalysisAttestationProjects []string
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    containerAnalysisAttestationProjects List<String>
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    containerAnalysisAttestationProjects string[]
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    container_analysis_attestation_projects Sequence[str]
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.
    containerAnalysisAttestationProjects List<String>
    The IDs of the GCP projects storing the SLSA attestations as Container Analysis Occurrences.

    Check, CheckArgs

    AlwaysDeny bool
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    DisplayName string
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlist
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    ImageFreshnessCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageFreshnessCheck
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    SimpleSigningAttestationCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SimpleSigningAttestationCheck
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    SlsaCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SlsaCheck
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    TrustedDirectoryCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.TrustedDirectoryCheck
    Optional. Require that an image lives in a trusted directory.
    VulnerabilityCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VulnerabilityCheck
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    AlwaysDeny bool
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    DisplayName string
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist ImageAllowlist
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    ImageFreshnessCheck ImageFreshnessCheck
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    SimpleSigningAttestationCheck SimpleSigningAttestationCheck
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    SlsaCheck SlsaCheck
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    TrustedDirectoryCheck TrustedDirectoryCheck
    Optional. Require that an image lives in a trusted directory.
    VulnerabilityCheck VulnerabilityCheck
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    alwaysDeny Boolean
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    displayName String
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlist
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    imageFreshnessCheck ImageFreshnessCheck
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simpleSigningAttestationCheck SimpleSigningAttestationCheck
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsaCheck SlsaCheck
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    trustedDirectoryCheck TrustedDirectoryCheck
    Optional. Require that an image lives in a trusted directory.
    vulnerabilityCheck VulnerabilityCheck
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    alwaysDeny boolean
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    displayName string
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlist
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    imageFreshnessCheck ImageFreshnessCheck
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simpleSigningAttestationCheck SimpleSigningAttestationCheck
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsaCheck SlsaCheck
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    trustedDirectoryCheck TrustedDirectoryCheck
    Optional. Require that an image lives in a trusted directory.
    vulnerabilityCheck VulnerabilityCheck
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    always_deny bool
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    display_name str
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    image_allowlist ImageAllowlist
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    image_freshness_check ImageFreshnessCheck
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simple_signing_attestation_check SimpleSigningAttestationCheck
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsa_check SlsaCheck
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    trusted_directory_check TrustedDirectoryCheck
    Optional. Require that an image lives in a trusted directory.
    vulnerability_check VulnerabilityCheck
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    alwaysDeny Boolean
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    displayName String
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist Property Map
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    imageFreshnessCheck Property Map
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simpleSigningAttestationCheck Property Map
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsaCheck Property Map
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    trustedDirectoryCheck Property Map
    Optional. Require that an image lives in a trusted directory.
    vulnerabilityCheck Property Map
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

    CheckResponse, CheckResponseArgs

    AlwaysDeny bool
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    DisplayName string
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    ImageFreshnessCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    SimpleSigningAttestationCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    SlsaCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    TrustedDirectoryCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    VulnerabilityCheck Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    AlwaysDeny bool
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    DisplayName string
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    ImageFreshnessCheck ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    SimpleSigningAttestationCheck SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    SlsaCheck SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    TrustedDirectoryCheck TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    VulnerabilityCheck VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    alwaysDeny Boolean
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    displayName String
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    imageFreshnessCheck ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simpleSigningAttestationCheck SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsaCheck SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    trustedDirectoryCheck TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    vulnerabilityCheck VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    alwaysDeny boolean
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    displayName string
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    imageFreshnessCheck ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simpleSigningAttestationCheck SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsaCheck SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    trustedDirectoryCheck TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    vulnerabilityCheck VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    always_deny bool
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    display_name str
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    image_allowlist ImageAllowlistResponse
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    image_freshness_check ImageFreshnessCheckResponse
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simple_signing_attestation_check SimpleSigningAttestationCheckResponse
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsa_check SlsaCheckResponse
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    trusted_directory_check TrustedDirectoryCheckResponse
    Optional. Require that an image lives in a trusted directory.
    vulnerability_check VulnerabilityCheckResponse
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.
    alwaysDeny Boolean
    Optional. A special-case check that always denies. Note that this still only applies when the scope of the CheckSet applies and the image isn't exempted by an image allowlist. This check is primarily useful for testing, or to set the default behavior for all unmatched scopes to "deny".
    displayName String
    Optional. A user-provided name for this check. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist Property Map
    Optional. Images exempted from this check. If any of the patterns match the image url, the check will not be evaluated.
    imageFreshnessCheck Property Map
    Optional. Require that an image is no older than a configured expiration time. Image age is determined by its upload time.
    simpleSigningAttestationCheck Property Map
    Optional. Require a SimpleSigning-type attestation for every image in the deployment.
    slsaCheck Property Map
    Optional. Require that an image was built by a trusted builder (such as Google Cloud Build), meets requirements for Supply chain Levels for Software Artifacts (SLSA), and was built from a trusted source code repostitory.
    trustedDirectoryCheck Property Map
    Optional. Require that an image lives in a trusted directory.
    vulnerabilityCheck Property Map
    Optional. Require that an image does not contain vulnerabilities that violate the configured rules, such as based on severity levels.

    CheckSet, CheckSetArgs

    Checks List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.Check>
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    DisplayName string
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlist
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    Scope Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.Scope
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    Checks []Check
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    DisplayName string
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist ImageAllowlist
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    Scope Scope
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks List<Check>
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    displayName String
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlist
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope Scope
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks Check[]
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    displayName string
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlist
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope Scope
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks Sequence[Check]
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    display_name str
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    image_allowlist ImageAllowlist
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope Scope
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks List<Property Map>
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    displayName String
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist Property Map
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope Property Map
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

    CheckSetResponse, CheckSetResponseArgs

    Checks List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckResponse>
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    DisplayName string
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    Scope Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    Checks []CheckResponse
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    DisplayName string
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    ImageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    Scope ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks List<CheckResponse>
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    displayName String
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks CheckResponse[]
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    displayName string
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks Sequence[CheckResponse]
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    display_name str
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    image_allowlist ImageAllowlistResponse
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope ScopeResponse
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.
    checks List<Property Map>
    Optional. The checks to apply. The ultimate result of evaluating the check set will be "allow" if and only if every check in checks evaluates to "allow". If checks is empty, the default behavior is "always allow".
    displayName String
    Optional. A user-provided name for this CheckSet. This field has no effect on the policy evaluation behavior except to improve readability of messages in evaluation results.
    imageAllowlist Property Map
    Optional. Images exempted from this CheckSet. If any of the patterns match the image being evaluated, no checks in the CheckSet will be evaluated.
    scope Property Map
    Optional. The scope to which this CheckSet applies. If unset or an empty string (the default), applies to all namespaces and service accounts. See the Scope message documentation for details on scoping rules.

    GkePolicy, GkePolicyArgs

    CheckSets List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckSet>
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlist
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    CheckSets []CheckSet
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    ImageAllowlist ImageAllowlist
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    checkSets List<CheckSet>
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    imageAllowlist ImageAllowlist
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    checkSets CheckSet[]
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    imageAllowlist ImageAllowlist
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    check_sets Sequence[CheckSet]
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    image_allowlist ImageAllowlist
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    checkSets List<Property Map>
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    imageAllowlist Property Map
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

    GkePolicyResponse, GkePolicyResponseArgs

    CheckSets List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.CheckSetResponse>
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    ImageAllowlist Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    CheckSets []CheckSetResponse
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    ImageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    checkSets List<CheckSetResponse>
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    checkSets CheckSetResponse[]
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    imageAllowlist ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    check_sets Sequence[CheckSetResponse]
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    image_allowlist ImageAllowlistResponse
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.
    checkSets List<Property Map>
    Optional. The CheckSet objects to apply, scoped by namespace or namespace and service account. Exactly one CheckSet will be evaluated for a given Pod (unless the list is empty, in which case the behavior is "always allow"). If multiple CheckSet objects have scopes that match the namespace and service account of the Pod being evaluated, only the CheckSet with the MOST SPECIFIC scope will match. CheckSet objects must be listed in order of decreasing specificity, i.e. if a scope matches a given service account (which must include the namespace), it must come before a CheckSet with a scope matching just that namespace. This property is enforced by server-side validation. The purpose of this restriction is to ensure that if more than one CheckSet matches a given Pod, the CheckSet that will be evaluated will always be the first in the list to match (because if any other matches, it must be less specific). If check_sets is empty, the default behavior is to allow all images. If check_sets is non-empty, the last check_sets entry must always be a CheckSet with no scope set, i.e. a catchall to handle any situation not caught by the preceding CheckSet objects.
    imageAllowlist Property Map
    Optional. Images exempted from this policy. If any of the patterns match the image being evaluated, the rest of the policy will not be evaluated.

    ImageAllowlist, ImageAllowlistArgs

    AllowPattern List<string>
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    AllowPattern []string
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allowPattern List<String>
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allowPattern string[]
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allow_pattern Sequence[str]
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allowPattern List<String>
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

    ImageAllowlistResponse, ImageAllowlistResponseArgs

    AllowPattern List<string>
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    AllowPattern []string
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allowPattern List<String>
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allowPattern string[]
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allow_pattern Sequence[str]
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.
    allowPattern List<String>
    A disjunction of image patterns to allow. If any of these patterns match, then the image is considered exempted by this allowlist.

    ImageFreshnessCheck, ImageFreshnessCheckArgs

    MaxUploadAgeDays int
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    MaxUploadAgeDays int
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    maxUploadAgeDays Integer
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    maxUploadAgeDays number
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    max_upload_age_days int
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    maxUploadAgeDays Number
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.

    ImageFreshnessCheckResponse, ImageFreshnessCheckResponseArgs

    MaxUploadAgeDays int
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    MaxUploadAgeDays int
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    maxUploadAgeDays Integer
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    maxUploadAgeDays number
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    max_upload_age_days int
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.
    maxUploadAgeDays Number
    The max number of days that is allowed since the image was uploaded. Must be greater than zero.

    PkixPublicKey, PkixPublicKeyArgs

    KeyId string
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    PublicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    SignatureAlgorithm Pulumi.GoogleNative.BinaryAuthorization.V1.PkixPublicKeySignatureAlgorithm
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    KeyId string
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    PublicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    SignatureAlgorithm PkixPublicKeySignatureAlgorithm
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    keyId String
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    publicKeyPem String
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm PkixPublicKeySignatureAlgorithm
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    keyId string
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    publicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm PkixPublicKeySignatureAlgorithm
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    key_id str
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    public_key_pem str
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signature_algorithm PkixPublicKeySignatureAlgorithm
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    keyId String
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    publicKeyPem String
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm "SIGNATURE_ALGORITHM_UNSPECIFIED" | "RSA_PSS_2048_SHA256" | "RSA_SIGN_PSS_2048_SHA256" | "RSA_PSS_3072_SHA256" | "RSA_SIGN_PSS_3072_SHA256" | "RSA_PSS_4096_SHA256" | "RSA_SIGN_PSS_4096_SHA256" | "RSA_PSS_4096_SHA512" | "RSA_SIGN_PSS_4096_SHA512" | "RSA_SIGN_PKCS1_2048_SHA256" | "RSA_SIGN_PKCS1_3072_SHA256" | "RSA_SIGN_PKCS1_4096_SHA256" | "RSA_SIGN_PKCS1_4096_SHA512" | "ECDSA_P256_SHA256" | "EC_SIGN_P256_SHA256" | "ECDSA_P384_SHA384" | "EC_SIGN_P384_SHA384" | "ECDSA_P521_SHA512" | "EC_SIGN_P521_SHA512"
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

    PkixPublicKeyResponse, PkixPublicKeyResponseArgs

    KeyId string
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    PublicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    SignatureAlgorithm string
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    KeyId string
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    PublicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    SignatureAlgorithm string
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    keyId String
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    publicKeyPem String
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm String
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    keyId string
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    publicKeyPem string
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm string
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    key_id str
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    public_key_pem str
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signature_algorithm str
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).
    keyId String
    Optional. The ID of this public key. Signatures verified by Binary Authorization must include the ID of the public key that can be used to verify them, and that ID must match the contents of this field exactly. This may be explicitly provided by the caller, but it MUST be a valid RFC3986 URI. If key_id is left blank and this PkixPublicKey is not used in the context of a wrapper (see next paragraph), a default key ID will be computed based on the digest of the DER encoding of the public key. If this PkixPublicKey is used in the context of a wrapper that has its own notion of key ID (e.g. AttestorPublicKey), then this field can either: * Match that value exactly. * Or be left blank, in which case it behaves exactly as though it is equal to that wrapper value.
    publicKeyPem String
    A PEM-encoded public key, as described in https://tools.ietf.org/html/rfc7468#section-13
    signatureAlgorithm String
    The signature algorithm used to verify a message against a signature using this key. These signature algorithm must match the structure and any object identifiers encoded in public_key_pem (i.e. this algorithm must match that of the public key).

    PkixPublicKeySet, PkixPublicKeySetArgs

    PkixPublicKeys []PkixPublicKey
    pkix_public_keys must have at least one entry.
    pkixPublicKeys List<PkixPublicKey>
    pkix_public_keys must have at least one entry.
    pkixPublicKeys PkixPublicKey[]
    pkix_public_keys must have at least one entry.
    pkix_public_keys Sequence[PkixPublicKey]
    pkix_public_keys must have at least one entry.
    pkixPublicKeys List<Property Map>
    pkix_public_keys must have at least one entry.

    PkixPublicKeySetResponse, PkixPublicKeySetResponseArgs

    PkixPublicKeys []PkixPublicKeyResponse
    pkix_public_keys must have at least one entry.
    pkixPublicKeys List<PkixPublicKeyResponse>
    pkix_public_keys must have at least one entry.
    pkixPublicKeys PkixPublicKeyResponse[]
    pkix_public_keys must have at least one entry.
    pkix_public_keys Sequence[PkixPublicKeyResponse]
    pkix_public_keys must have at least one entry.
    pkixPublicKeys List<Property Map>
    pkix_public_keys must have at least one entry.

    PkixPublicKeySignatureAlgorithm, PkixPublicKeySignatureAlgorithmArgs

    SignatureAlgorithmUnspecified
    SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
    RsaPss2048Sha256
    RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RsaSignPss2048Sha256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RsaPss3072Sha256
    RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RsaSignPss3072Sha256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RsaPss4096Sha256
    RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RsaSignPss4096Sha256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RsaPss4096Sha512
    RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RsaSignPss4096Sha512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RsaSignPkcs12048Sha256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RsaSignPkcs13072Sha256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    EcdsaP256Sha256
    ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    EcSignP256Sha256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    EcdsaP384Sha384
    ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    EcSignP384Sha384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    EcdsaP521Sha512
    ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    EcSignP521Sha512
    EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    PkixPublicKeySignatureAlgorithmSignatureAlgorithmUnspecified
    SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
    PkixPublicKeySignatureAlgorithmRsaPss2048Sha256
    RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    PkixPublicKeySignatureAlgorithmRsaSignPss2048Sha256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    PkixPublicKeySignatureAlgorithmRsaPss3072Sha256
    RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    PkixPublicKeySignatureAlgorithmRsaSignPss3072Sha256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    PkixPublicKeySignatureAlgorithmRsaPss4096Sha256
    RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    PkixPublicKeySignatureAlgorithmRsaSignPss4096Sha256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    PkixPublicKeySignatureAlgorithmRsaPss4096Sha512
    RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    PkixPublicKeySignatureAlgorithmRsaSignPss4096Sha512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    PkixPublicKeySignatureAlgorithmRsaSignPkcs12048Sha256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    PkixPublicKeySignatureAlgorithmRsaSignPkcs13072Sha256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    PkixPublicKeySignatureAlgorithmRsaSignPkcs14096Sha256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    PkixPublicKeySignatureAlgorithmRsaSignPkcs14096Sha512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    PkixPublicKeySignatureAlgorithmEcdsaP256Sha256
    ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    PkixPublicKeySignatureAlgorithmEcSignP256Sha256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    PkixPublicKeySignatureAlgorithmEcdsaP384Sha384
    ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    PkixPublicKeySignatureAlgorithmEcSignP384Sha384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    PkixPublicKeySignatureAlgorithmEcdsaP521Sha512
    ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    PkixPublicKeySignatureAlgorithmEcSignP521Sha512
    EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    SignatureAlgorithmUnspecified
    SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
    RsaPss2048Sha256
    RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RsaSignPss2048Sha256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RsaPss3072Sha256
    RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RsaSignPss3072Sha256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RsaPss4096Sha256
    RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RsaSignPss4096Sha256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RsaPss4096Sha512
    RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RsaSignPss4096Sha512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RsaSignPkcs12048Sha256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RsaSignPkcs13072Sha256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    EcdsaP256Sha256
    ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    EcSignP256Sha256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    EcdsaP384Sha384
    ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    EcSignP384Sha384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    EcdsaP521Sha512
    ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    EcSignP521Sha512
    EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    SignatureAlgorithmUnspecified
    SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
    RsaPss2048Sha256
    RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RsaSignPss2048Sha256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RsaPss3072Sha256
    RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RsaSignPss3072Sha256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RsaPss4096Sha256
    RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RsaSignPss4096Sha256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RsaPss4096Sha512
    RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RsaSignPss4096Sha512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RsaSignPkcs12048Sha256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RsaSignPkcs13072Sha256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RsaSignPkcs14096Sha512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    EcdsaP256Sha256
    ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    EcSignP256Sha256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    EcdsaP384Sha384
    ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    EcSignP384Sha384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    EcdsaP521Sha512
    ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    EcSignP521Sha512
    EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    SIGNATURE_ALGORITHM_UNSPECIFIED
    SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
    RSA_PSS2048_SHA256
    RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RSA_SIGN_PSS2048_SHA256
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    RSA_PSS3072_SHA256
    RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RSA_SIGN_PSS3072_SHA256
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    RSA_PSS4096_SHA256
    RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RSA_SIGN_PSS4096_SHA256
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    RSA_PSS4096_SHA512
    RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RSA_SIGN_PSS4096_SHA512
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    RSA_SIGN_PKCS12048_SHA256
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    RSA_SIGN_PKCS13072_SHA256
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    RSA_SIGN_PKCS14096_SHA256
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    RSA_SIGN_PKCS14096_SHA512
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    ECDSA_P256_SHA256
    ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    EC_SIGN_P256_SHA256
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    ECDSA_P384_SHA384
    ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    EC_SIGN_P384_SHA384
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    ECDSA_P521_SHA512
    ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    EC_SIGN_P521_SHA512
    EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    "SIGNATURE_ALGORITHM_UNSPECIFIED"
    SIGNATURE_ALGORITHM_UNSPECIFIEDNot specified.
    "RSA_PSS_2048_SHA256"
    RSA_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    "RSA_SIGN_PSS_2048_SHA256"
    RSA_SIGN_PSS_2048_SHA256RSASSA-PSS 2048 bit key with a SHA256 digest.
    "RSA_PSS_3072_SHA256"
    RSA_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    "RSA_SIGN_PSS_3072_SHA256"
    RSA_SIGN_PSS_3072_SHA256RSASSA-PSS 3072 bit key with a SHA256 digest.
    "RSA_PSS_4096_SHA256"
    RSA_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    "RSA_SIGN_PSS_4096_SHA256"
    RSA_SIGN_PSS_4096_SHA256RSASSA-PSS 4096 bit key with a SHA256 digest.
    "RSA_PSS_4096_SHA512"
    RSA_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    "RSA_SIGN_PSS_4096_SHA512"
    RSA_SIGN_PSS_4096_SHA512RSASSA-PSS 4096 bit key with a SHA512 digest.
    "RSA_SIGN_PKCS1_2048_SHA256"
    RSA_SIGN_PKCS1_2048_SHA256RSASSA-PKCS1-v1_5 with a 2048 bit key and a SHA256 digest.
    "RSA_SIGN_PKCS1_3072_SHA256"
    RSA_SIGN_PKCS1_3072_SHA256RSASSA-PKCS1-v1_5 with a 3072 bit key and a SHA256 digest.
    "RSA_SIGN_PKCS1_4096_SHA256"
    RSA_SIGN_PKCS1_4096_SHA256RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA256 digest.
    "RSA_SIGN_PKCS1_4096_SHA512"
    RSA_SIGN_PKCS1_4096_SHA512RSASSA-PKCS1-v1_5 with a 4096 bit key and a SHA512 digest.
    "ECDSA_P256_SHA256"
    ECDSA_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    "EC_SIGN_P256_SHA256"
    EC_SIGN_P256_SHA256ECDSA on the NIST P-256 curve with a SHA256 digest.
    "ECDSA_P384_SHA384"
    ECDSA_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    "EC_SIGN_P384_SHA384"
    EC_SIGN_P384_SHA384ECDSA on the NIST P-384 curve with a SHA384 digest.
    "ECDSA_P521_SHA512"
    ECDSA_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.
    "EC_SIGN_P521_SHA512"
    EC_SIGN_P521_SHA512ECDSA on the NIST P-521 curve with a SHA512 digest.

    Scope, ScopeArgs

    KubernetesNamespace string
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    KubernetesServiceAccount string
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    KubernetesNamespace string
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    KubernetesServiceAccount string
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetesNamespace String
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetesServiceAccount String
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetesNamespace string
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetesServiceAccount string
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetes_namespace str
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetes_service_account str
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetesNamespace String
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetesServiceAccount String
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

    ScopeResponse, ScopeResponseArgs

    KubernetesNamespace string
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    KubernetesServiceAccount string
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    KubernetesNamespace string
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    KubernetesServiceAccount string
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetesNamespace String
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetesServiceAccount String
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetesNamespace string
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetesServiceAccount string
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetes_namespace str
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetes_service_account str
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.
    kubernetesNamespace String
    Optional. Matches all Kubernetes service accounts in the provided namespace, unless a more specific kubernetes_service_account scope already matched.
    kubernetesServiceAccount String
    Optional. Matches a single Kubernetes service account, e.g. my-namespace:my-service-account. kubernetes_service_account scope is always more specific than kubernetes_namespace scope for the same namespace.

    SimpleSigningAttestationCheck, SimpleSigningAttestationCheckArgs

    AttestationAuthenticators List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticator>
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    ContainerAnalysisAttestationProjects List<string>
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    AttestationAuthenticators []AttestationAuthenticator
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    ContainerAnalysisAttestationProjects []string
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestationAuthenticators List<AttestationAuthenticator>
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    containerAnalysisAttestationProjects List<String>
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestationAuthenticators AttestationAuthenticator[]
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    containerAnalysisAttestationProjects string[]
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestation_authenticators Sequence[AttestationAuthenticator]
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    container_analysis_attestation_projects Sequence[str]
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestationAuthenticators List<Property Map>
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    containerAnalysisAttestationProjects List<String>
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

    SimpleSigningAttestationCheckResponse, SimpleSigningAttestationCheckResponseArgs

    AttestationAuthenticators List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationAuthenticatorResponse>
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    ContainerAnalysisAttestationProjects List<string>
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    AttestationAuthenticators []AttestationAuthenticatorResponse
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    ContainerAnalysisAttestationProjects []string
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestationAuthenticators List<AttestationAuthenticatorResponse>
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    containerAnalysisAttestationProjects List<String>
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestationAuthenticators AttestationAuthenticatorResponse[]
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    containerAnalysisAttestationProjects string[]
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestation_authenticators Sequence[AttestationAuthenticatorResponse]
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    container_analysis_attestation_projects Sequence[str]
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.
    attestationAuthenticators List<Property Map>
    The authenticators required by this check to verify an attestation. Typically this is one or more PKIX public keys for signature verification. Only one authenticator needs to consider an attestation verified in order for an attestation to be considered fully authenticated. In otherwords, this list of authenticators is an "OR" of the authenticator results. At least one authenticator is required.
    containerAnalysisAttestationProjects List<String>
    Optional. The projects where attestations are stored as Container Analysis Occurrences. Only one attestation needs to successfully verify an image for this check to pass, so a single verified attestation found in any of container_analysis_attestation_projects is sufficient for the check to pass. When fetching Occurrences from Container Analysis, only 'AttestationOccurrence' kinds are considered. In the future, additional Occurrence kinds may be added to the query.

    SlsaCheck, SlsaCheckArgs

    Rules List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRule>
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    Rules []VerificationRule
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules List<VerificationRule>
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules VerificationRule[]
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules Sequence[VerificationRule]
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules List<Property Map>
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

    SlsaCheckResponse, SlsaCheckResponseArgs

    Rules List<Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.VerificationRuleResponse>
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    Rules []VerificationRuleResponse
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules List<VerificationRuleResponse>
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules VerificationRuleResponse[]
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules Sequence[VerificationRuleResponse]
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.
    rules List<Property Map>
    Specifies a list of verification rules for the SLSA attestations. An image is considered compliant with the SlsaCheck if any of the rules are satisfied.

    TrustedDirectoryCheck, TrustedDirectoryCheckArgs

    TrustedDirPatterns List<string>
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    TrustedDirPatterns []string
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    trustedDirPatterns List<String>
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    trustedDirPatterns string[]
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    trusted_dir_patterns Sequence[str]
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    trustedDirPatterns List<String>
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

    TrustedDirectoryCheckResponse, TrustedDirectoryCheckResponseArgs

    TrustedDirPatterns List<string>
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    TrustedDirPatterns []string
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    trustedDirPatterns List<String>
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    trustedDirPatterns string[]
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    trusted_dir_patterns Sequence[str]
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /
    trustedDirPatterns List<String>
    List of trusted directory patterns. A pattern is in the form "registry/path/to/directory". The registry domain part is defined as two or more dot-separated words, e.g., us.pkg.dev, or gcr.io. Additionally, * can be used in three ways as wildcards: 1. leading * to match varying prefixes in registry subdomain (useful for location prefixes); 2. trailing * after registry/ to match varying endings; 3. trailing ** after registry/ to match "/" as well. For example: -- gcr.io/my-project/my-repo is valid to match a single directory -- *-docker.pkg.dev/my-project/my-repo or *.gcr.io/my-project are valid to match varying prefixes -- gcr.io/my-project/* will match all direct directories in my-project -- gcr.io/my-project/** would match all directories in my-project -- gcr.i* is not allowed since the registry is not completely specified -- sub*domain.gcr.io/nginx is not valid because only leading * or trailing * are allowed. -- *pkg.dev/my-project/my-repo is not valid because leading * can only match subdomain -- **-docker.pkg.dev is not valid because one leading * is allowed, and that it cannot match /

    VerificationRule, VerificationRuleArgs

    AttestationSource Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSource
    Specifies where to fetch the provenances attestations generated by the builder (group).
    ConfigBasedBuildRequired bool
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    TrustedBuilder Pulumi.GoogleNative.BinaryAuthorization.V1.VerificationRuleTrustedBuilder
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    TrustedSourceRepoPatterns List<string>
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    AttestationSource AttestationSource
    Specifies where to fetch the provenances attestations generated by the builder (group).
    ConfigBasedBuildRequired bool
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    TrustedBuilder VerificationRuleTrustedBuilder
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    TrustedSourceRepoPatterns []string
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestationSource AttestationSource
    Specifies where to fetch the provenances attestations generated by the builder (group).
    configBasedBuildRequired Boolean
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trustedBuilder VerificationRuleTrustedBuilder
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trustedSourceRepoPatterns List<String>
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestationSource AttestationSource
    Specifies where to fetch the provenances attestations generated by the builder (group).
    configBasedBuildRequired boolean
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trustedBuilder VerificationRuleTrustedBuilder
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trustedSourceRepoPatterns string[]
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestation_source AttestationSource
    Specifies where to fetch the provenances attestations generated by the builder (group).
    config_based_build_required bool
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trusted_builder VerificationRuleTrustedBuilder
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trusted_source_repo_patterns Sequence[str]
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestationSource Property Map
    Specifies where to fetch the provenances attestations generated by the builder (group).
    configBasedBuildRequired Boolean
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trustedBuilder "BUILDER_UNSPECIFIED" | "GOOGLE_CLOUD_BUILD"
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trustedSourceRepoPatterns List<String>
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

    VerificationRuleResponse, VerificationRuleResponseArgs

    AttestationSource Pulumi.GoogleNative.BinaryAuthorization.V1.Inputs.AttestationSourceResponse
    Specifies where to fetch the provenances attestations generated by the builder (group).
    ConfigBasedBuildRequired bool
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    TrustedBuilder string
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    TrustedSourceRepoPatterns List<string>
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    AttestationSource AttestationSourceResponse
    Specifies where to fetch the provenances attestations generated by the builder (group).
    ConfigBasedBuildRequired bool
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    TrustedBuilder string
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    TrustedSourceRepoPatterns []string
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestationSource AttestationSourceResponse
    Specifies where to fetch the provenances attestations generated by the builder (group).
    configBasedBuildRequired Boolean
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trustedBuilder String
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trustedSourceRepoPatterns List<String>
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestationSource AttestationSourceResponse
    Specifies where to fetch the provenances attestations generated by the builder (group).
    configBasedBuildRequired boolean
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trustedBuilder string
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trustedSourceRepoPatterns string[]
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestation_source AttestationSourceResponse
    Specifies where to fetch the provenances attestations generated by the builder (group).
    config_based_build_required bool
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trusted_builder str
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trusted_source_repo_patterns Sequence[str]
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub
    attestationSource Property Map
    Specifies where to fetch the provenances attestations generated by the builder (group).
    configBasedBuildRequired Boolean
    If true, require the image to be built from a top-level configuration. trusted_source_repo_patterns specifies the repositories containing this configuration.
    trustedBuilder String
    Each verification rule is used for evaluation against provenances generated by a specific builder (group). For some of the builders, such as the Google Cloud Build, users don't need to explicitly specify their roots of trust in the policy since the evaluation service can automatically fetch them based on the builder (group).
    trustedSourceRepoPatterns List<String>
    List of trusted source code repository URL patterns. These patterns match the full repository URL without its scheme (e.g. https://). The patterns must not include schemes. For example, the pattern source.cloud.google.com/my-project/my-repo-name matches the following URLs: - source.cloud.google.com/my-project/my-repo-name - git+ssh://source.cloud.google.com/my-project/my-repo-name - https://source.cloud.google.com/my-project/my-repo-name A pattern matches a URL either exactly or with * wildcards. * can be used in only two ways: 1. trailing * after hosturi/ to match varying endings; 2. trailing ** after hosturi/ to match / as well. * and ** can only be used as wildcards and can only occur at the end of the pattern after a /. (So it's not possible to match a URL that contains literal *.) For example: - github.com/my-project/my-repo is valid to match a single repo - github.com/my-project/* will match all direct repos in my-project - github.com/** matches all repos in GitHub

    VerificationRuleTrustedBuilder, VerificationRuleTrustedBuilderArgs

    BuilderUnspecified
    BUILDER_UNSPECIFIEDShould never happen.
    GoogleCloudBuild
    GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.
    VerificationRuleTrustedBuilderBuilderUnspecified
    BUILDER_UNSPECIFIEDShould never happen.
    VerificationRuleTrustedBuilderGoogleCloudBuild
    GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.
    BuilderUnspecified
    BUILDER_UNSPECIFIEDShould never happen.
    GoogleCloudBuild
    GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.
    BuilderUnspecified
    BUILDER_UNSPECIFIEDShould never happen.
    GoogleCloudBuild
    GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.
    BUILDER_UNSPECIFIED
    BUILDER_UNSPECIFIEDShould never happen.
    GOOGLE_CLOUD_BUILD
    GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.
    "BUILDER_UNSPECIFIED"
    BUILDER_UNSPECIFIEDShould never happen.
    "GOOGLE_CLOUD_BUILD"
    GOOGLE_CLOUD_BUILDThe whole Google Cloud Build (GCB) builder group, including all GCB builder types.

    VulnerabilityCheck, VulnerabilityCheckArgs

    MaximumFixableSeverity Pulumi.GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumFixableSeverity
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    MaximumUnfixableSeverity Pulumi.GoogleNative.BinaryAuthorization.V1.VulnerabilityCheckMaximumUnfixableSeverity
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    AllowedCves List<string>
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    BlockedCves List<string>
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    ContainerAnalysisVulnerabilityProjects List<string>
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    MaximumFixableSeverity VulnerabilityCheckMaximumFixableSeverity
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    MaximumUnfixableSeverity VulnerabilityCheckMaximumUnfixableSeverity
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    AllowedCves []string
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    BlockedCves []string
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    ContainerAnalysisVulnerabilityProjects []string
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximumFixableSeverity VulnerabilityCheckMaximumFixableSeverity
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximumUnfixableSeverity VulnerabilityCheckMaximumUnfixableSeverity
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowedCves List<String>
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blockedCves List<String>
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    containerAnalysisVulnerabilityProjects List<String>
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximumFixableSeverity VulnerabilityCheckMaximumFixableSeverity
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximumUnfixableSeverity VulnerabilityCheckMaximumUnfixableSeverity
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowedCves string[]
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blockedCves string[]
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    containerAnalysisVulnerabilityProjects string[]
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximum_fixable_severity VulnerabilityCheckMaximumFixableSeverity
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximum_unfixable_severity VulnerabilityCheckMaximumUnfixableSeverity
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowed_cves Sequence[str]
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blocked_cves Sequence[str]
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    container_analysis_vulnerability_projects Sequence[str]
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximumFixableSeverity "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" | "BLOCK_ALL" | "MINIMAL" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" | "ALLOW_ALL"
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximumUnfixableSeverity "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED" | "BLOCK_ALL" | "MINIMAL" | "LOW" | "MEDIUM" | "HIGH" | "CRITICAL" | "ALLOW_ALL"
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowedCves List<String>
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blockedCves List<String>
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    containerAnalysisVulnerabilityProjects List<String>
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.

    VulnerabilityCheckMaximumFixableSeverity, VulnerabilityCheckMaximumFixableSeverityArgs

    MaximumAllowedSeverityUnspecified
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    BlockAll
    BLOCK_ALLBlock any vulnerability.
    Minimal
    MINIMALAllow only minimal severity.
    Low
    LOWAllow only low severity and lower.
    Medium
    MEDIUMAllow medium severity and lower.
    High
    HIGHAllow high severity and lower.
    Critical
    CRITICALAllow critical severity and lower.
    AllowAll
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    VulnerabilityCheckMaximumFixableSeverityMaximumAllowedSeverityUnspecified
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    VulnerabilityCheckMaximumFixableSeverityBlockAll
    BLOCK_ALLBlock any vulnerability.
    VulnerabilityCheckMaximumFixableSeverityMinimal
    MINIMALAllow only minimal severity.
    VulnerabilityCheckMaximumFixableSeverityLow
    LOWAllow only low severity and lower.
    VulnerabilityCheckMaximumFixableSeverityMedium
    MEDIUMAllow medium severity and lower.
    VulnerabilityCheckMaximumFixableSeverityHigh
    HIGHAllow high severity and lower.
    VulnerabilityCheckMaximumFixableSeverityCritical
    CRITICALAllow critical severity and lower.
    VulnerabilityCheckMaximumFixableSeverityAllowAll
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    MaximumAllowedSeverityUnspecified
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    BlockAll
    BLOCK_ALLBlock any vulnerability.
    Minimal
    MINIMALAllow only minimal severity.
    Low
    LOWAllow only low severity and lower.
    Medium
    MEDIUMAllow medium severity and lower.
    High
    HIGHAllow high severity and lower.
    Critical
    CRITICALAllow critical severity and lower.
    AllowAll
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    MaximumAllowedSeverityUnspecified
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    BlockAll
    BLOCK_ALLBlock any vulnerability.
    Minimal
    MINIMALAllow only minimal severity.
    Low
    LOWAllow only low severity and lower.
    Medium
    MEDIUMAllow medium severity and lower.
    High
    HIGHAllow high severity and lower.
    Critical
    CRITICALAllow critical severity and lower.
    AllowAll
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    BLOCK_ALL
    BLOCK_ALLBlock any vulnerability.
    MINIMAL
    MINIMALAllow only minimal severity.
    LOW
    LOWAllow only low severity and lower.
    MEDIUM
    MEDIUMAllow medium severity and lower.
    HIGH
    HIGHAllow high severity and lower.
    CRITICAL
    CRITICALAllow critical severity and lower.
    ALLOW_ALL
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED"
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    "BLOCK_ALL"
    BLOCK_ALLBlock any vulnerability.
    "MINIMAL"
    MINIMALAllow only minimal severity.
    "LOW"
    LOWAllow only low severity and lower.
    "MEDIUM"
    MEDIUMAllow medium severity and lower.
    "HIGH"
    HIGHAllow high severity and lower.
    "CRITICAL"
    CRITICALAllow critical severity and lower.
    "ALLOW_ALL"
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

    VulnerabilityCheckMaximumUnfixableSeverity, VulnerabilityCheckMaximumUnfixableSeverityArgs

    MaximumAllowedSeverityUnspecified
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    BlockAll
    BLOCK_ALLBlock any vulnerability.
    Minimal
    MINIMALAllow only minimal severity.
    Low
    LOWAllow only low severity and lower.
    Medium
    MEDIUMAllow medium severity and lower.
    High
    HIGHAllow high severity and lower.
    Critical
    CRITICALAllow critical severity and lower.
    AllowAll
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    VulnerabilityCheckMaximumUnfixableSeverityMaximumAllowedSeverityUnspecified
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    VulnerabilityCheckMaximumUnfixableSeverityBlockAll
    BLOCK_ALLBlock any vulnerability.
    VulnerabilityCheckMaximumUnfixableSeverityMinimal
    MINIMALAllow only minimal severity.
    VulnerabilityCheckMaximumUnfixableSeverityLow
    LOWAllow only low severity and lower.
    VulnerabilityCheckMaximumUnfixableSeverityMedium
    MEDIUMAllow medium severity and lower.
    VulnerabilityCheckMaximumUnfixableSeverityHigh
    HIGHAllow high severity and lower.
    VulnerabilityCheckMaximumUnfixableSeverityCritical
    CRITICALAllow critical severity and lower.
    VulnerabilityCheckMaximumUnfixableSeverityAllowAll
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    MaximumAllowedSeverityUnspecified
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    BlockAll
    BLOCK_ALLBlock any vulnerability.
    Minimal
    MINIMALAllow only minimal severity.
    Low
    LOWAllow only low severity and lower.
    Medium
    MEDIUMAllow medium severity and lower.
    High
    HIGHAllow high severity and lower.
    Critical
    CRITICALAllow critical severity and lower.
    AllowAll
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    MaximumAllowedSeverityUnspecified
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    BlockAll
    BLOCK_ALLBlock any vulnerability.
    Minimal
    MINIMALAllow only minimal severity.
    Low
    LOWAllow only low severity and lower.
    Medium
    MEDIUMAllow medium severity and lower.
    High
    HIGHAllow high severity and lower.
    Critical
    CRITICALAllow critical severity and lower.
    AllowAll
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    BLOCK_ALL
    BLOCK_ALLBlock any vulnerability.
    MINIMAL
    MINIMALAllow only minimal severity.
    LOW
    LOWAllow only low severity and lower.
    MEDIUM
    MEDIUMAllow medium severity and lower.
    HIGH
    HIGHAllow high severity and lower.
    CRITICAL
    CRITICALAllow critical severity and lower.
    ALLOW_ALL
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.
    "MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIED"
    MAXIMUM_ALLOWED_SEVERITY_UNSPECIFIEDNot specified.
    "BLOCK_ALL"
    BLOCK_ALLBlock any vulnerability.
    "MINIMAL"
    MINIMALAllow only minimal severity.
    "LOW"
    LOWAllow only low severity and lower.
    "MEDIUM"
    MEDIUMAllow medium severity and lower.
    "HIGH"
    HIGHAllow high severity and lower.
    "CRITICAL"
    CRITICALAllow critical severity and lower.
    "ALLOW_ALL"
    ALLOW_ALLAllow all severity, even vulnerability with unspecified severity.

    VulnerabilityCheckResponse, VulnerabilityCheckResponseArgs

    AllowedCves List<string>
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    BlockedCves List<string>
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    ContainerAnalysisVulnerabilityProjects List<string>
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    MaximumFixableSeverity string
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    MaximumUnfixableSeverity string
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    AllowedCves []string
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    BlockedCves []string
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    ContainerAnalysisVulnerabilityProjects []string
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    MaximumFixableSeverity string
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    MaximumUnfixableSeverity string
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowedCves List<String>
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blockedCves List<String>
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    containerAnalysisVulnerabilityProjects List<String>
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximumFixableSeverity String
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximumUnfixableSeverity String
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowedCves string[]
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blockedCves string[]
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    containerAnalysisVulnerabilityProjects string[]
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximumFixableSeverity string
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximumUnfixableSeverity string
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowed_cves Sequence[str]
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blocked_cves Sequence[str]
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    container_analysis_vulnerability_projects Sequence[str]
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximum_fixable_severity str
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximum_unfixable_severity str
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.
    allowedCves List<String>
    Optional. A list of specific CVEs to ignore even if the vulnerability level violates maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will allow vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    blockedCves List<String>
    Optional. A list of specific CVEs to always raise warnings about even if the vulnerability level meets maximumUnfixableSeverity or maximumFixableSeverity. CVEs are listed in the format of Container Analysis note id. For example: - CVE-2021-20305 - CVE-2020-10543 The CVEs are applicable regardless of note provider project, e.g., an entry of CVE-2021-20305 will block vulnerabilities with a note name of either projects/goog-vulnz/notes/CVE-2021-20305 or projects/CUSTOM-PROJECT/notes/CVE-2021-20305.
    containerAnalysisVulnerabilityProjects List<String>
    Optional. The projects where vulnerabilities are stored as Container Analysis Occurrences. Each project is expressed in the resource format of projects/[PROJECT_ID], e.g., projects/my-gcp-project. An attempt will be made for each project to fetch vulnerabilities, and all valid vulnerabilities will be used to check against the vulnerability policy. If no valid scan is found in all projects configured here, an error will be returned for the check.
    maximumFixableSeverity String
    The threshold for severity for which a fix is currently available. This field is required and must be set.
    maximumUnfixableSeverity String
    The threshold for severity for which a fix isn't currently available. This field is required and must be set.

    Package Details

    Repository
    Google Cloud Native pulumi/pulumi-google-native
    License
    Apache-2.0
    google-native logo

    Google Cloud Native is in preview. Google Cloud Classic is fully supported.

    Google Cloud Native v0.32.0 published on Wednesday, Nov 29, 2023 by Pulumi