feat: add new admission rule types to Policy

feat: update SignatureAlgorithm enum to match algorithm names in KMS
feat: add SystemPolicyV1Beta1 service

PiperOrigin-RevId: 408346628

google/cloud/binaryauthorization/v1beta1/binaryauthorization_v1beta1.yaml

@@ -5,6 +5,7 @@ title: Binary Authorization API
 
 apis:
 - name: google.cloud.binaryauthorization.v1beta1.BinauthzManagementServiceV1Beta1
+- name: google.cloud.binaryauthorization.v1beta1.SystemPolicyV1Beta1
 
 documentation:
   summary: |-
@@ -21,25 +22,48 @@ documentation:
       Sets the access control policy on the specified resource. Replaces
       any existing policy.
 
-      Can return Public Errors: NOT_FOUND, INVALID_ARGUMENT and
-      PERMISSION_DENIED
+      Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+      errors.
 
   - selector: google.iam.v1.IAMPolicy.TestIamPermissions
     description: |-
       Returns permissions that a caller has on the specified resource. If the
       resource does not exist, this will return an empty set of
-      permissions, not a NOT_FOUND error.
+      permissions, not a `NOT_FOUND` error.
 
       Note: This operation is designed to be used for building
       permission-aware UIs and command-line tools, not for authorization
       checking. This operation may "fail open" without warning.
 
+http:
+  rules:
+  - selector: google.iam.v1.IAMPolicy.GetIamPolicy
+    get: '/v1beta1/{resource=projects/*/policy}:getIamPolicy'
+    additional_bindings:
+    - get: '/v1beta1/{resource=projects/*/attestors/*}:getIamPolicy'
+  - selector: google.iam.v1.IAMPolicy.SetIamPolicy
+    post: '/v1beta1/{resource=projects/*/policy}:setIamPolicy'
+    body: '*'
+    additional_bindings:
+    - post: '/v1beta1/{resource=projects/*/attestors/*}:setIamPolicy'
+      body: '*'
+  - selector: google.iam.v1.IAMPolicy.TestIamPermissions
+    post: '/v1beta1/{resource=projects/*/policy}:testIamPermissions'
+    body: '*'
+    additional_bindings:
+    - post: '/v1beta1/{resource=projects/*/attestors/*}:testIamPermissions'
+      body: '*'
+
 authentication:
   rules:
   - selector: 'google.cloud.binaryauthorization.v1beta1.BinauthzManagementServiceV1Beta1.*'
     oauth:
       canonical_scopes: |-
         https://www.googleapis.com/auth/cloud-platform
+  - selector: google.cloud.binaryauthorization.v1beta1.SystemPolicyV1Beta1.GetSystemPolicy
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform
   - selector: 'google.iam.v1.IAMPolicy.*'
     oauth:
       canonical_scopes: |-

google/cloud/binaryauthorization/v1beta1/resources.proto

@@ -1,4 +1,4 @@
-// Copyright 2021 Google LLC.
+// Copyright 2021 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,16 +11,15 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-//
 
 syntax = "proto3";
 
 package google.cloud.binaryauthorization.v1beta1;
 
-import "google/api/annotations.proto";
 import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/protobuf/timestamp.proto";
+import "google/api/annotations.proto";
 
 option cc_enable_arenas = true;
 option csharp_namespace = "Google.Cloud.BinaryAuthorization.V1Beta1";
@@ -31,12 +30,12 @@ option java_package = "com.google.cloud.binaryauthorization.v1beta1";
 option php_namespace = "Google\\Cloud\\BinaryAuthorization\\V1beta1";
 option ruby_package = "Google::Cloud::BinaryAuthorization::V1beta1";
 
-// A [policy][google.cloud.binaryauthorization.v1beta1.Policy] for container
-// image binary authorization.
+// A [policy][google.cloud.binaryauthorization.v1beta1.Policy] for Binary Authorization.
 message Policy {
   option (google.api.resource) = {
     type: "binaryauthorization.googleapis.com/Policy"
     pattern: "projects/{project}/policy"
+    pattern: "locations/{location}/policy"
   };
 
   enum GlobalPolicyEvaluationMode {
@@ -61,14 +60,12 @@ message Policy {
   // policy for common system-level images. Images not covered by the global
   // policy will be subject to the project admission policy. This setting
   // has no effect when specified inside a global admission policy.
-  GlobalPolicyEvaluationMode global_policy_evaluation_mode = 7
-      [(google.api.field_behavior) = OPTIONAL];
+  GlobalPolicyEvaluationMode global_policy_evaluation_mode = 7 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. Admission policy allowlisting. A matching admission request will
   // always be permitted. This feature is typically used to exclude Google or
   // third-party infrastructure images from Binary Authorization policies.
-  repeated AdmissionWhitelistPattern admission_whitelist_patterns = 2
-      [(google.api.field_behavior) = OPTIONAL];
+  repeated AdmissionWhitelistPattern admission_whitelist_patterns = 2 [(google.api.field_behavior) = OPTIONAL];
 
   // Optional. Per-cluster admission rules. Cluster spec format:
   // `location.clusterId`. There can be at most one admission rule per cluster
@@ -77,38 +74,50 @@ message Policy {
   // (e.g. us-central1).
   // For `clusterId` syntax restrictions see
   // https://cloud.google.com/container-engine/reference/rest/v1/projects.zones.clusters.
-  map<string, AdmissionRule> cluster_admission_rules = 3
-      [(google.api.field_behavior) = OPTIONAL];
+  map<string, AdmissionRule> cluster_admission_rules = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Per-kubernetes-namespace admission rules. K8s namespace spec format:
+  //   `[a-z.-]+`, e.g. `some-namespace`
+  map<string, AdmissionRule> kubernetes_namespace_admission_rules = 10 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Per-kubernetes-service-account admission rules. Service account
+  // spec format: `namespace:serviceaccount`. e.g. `test-ns:default`
+  map<string, AdmissionRule> kubernetes_service_account_admission_rules = 8 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Per-istio-service-identity admission rules. Istio service
+  // identity spec format:
+  // `spiffe://<domain>/ns/<namespace>/sa/<serviceaccount>` or
+  // `<domain>/ns/<namespace>/sa/<serviceaccount>`
+  // e.g. `spiffe://example.com/ns/test-ns/sa/default`
+  map<string, AdmissionRule> istio_service_identity_admission_rules = 9 [(google.api.field_behavior) = OPTIONAL];
 
   // Required. Default admission rule for a cluster without a per-cluster, per-
   // kubernetes-service-account, or per-istio-service-identity admission rule.
-  AdmissionRule default_admission_rule = 4
-      [(google.api.field_behavior) = REQUIRED];
+  AdmissionRule default_admission_rule = 4 [(google.api.field_behavior) = REQUIRED];
 
   // Output only. Time when the policy was last updated.
-  google.protobuf.Timestamp update_time = 5
-      [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp update_time = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
-// An [admission allowlist
-// pattern][google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern]
-// exempts images from checks by [admission
-// rules][google.cloud.binaryauthorization.v1beta1.AdmissionRule].
+// An [admission allowlist pattern][google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern] exempts images
+// from checks by [admission rules][google.cloud.binaryauthorization.v1beta1.AdmissionRule].
 message AdmissionWhitelistPattern {
-  // An image name pattern to allow, in the form `registry/path/to/image`.
+  // An image name pattern to allowlist, in the form `registry/path/to/image`.
   // This supports a trailing `*` as a wildcard, but this is allowed only in
-  // text after the `registry/` part.
+  // text after the `registry/` part. `*` wildcard does not match `/`, i.e.,
+  // `gcr.io/nginx*` matches `gcr.io/nginx@latest`, but it does not match
+  // `gcr.io/nginx/image`. This also supports a trailing `**` wildcard which
+  // matches subdirectories, i.e., `gcr.io/nginx**` matches
+  // `gcr.io/nginx/image`.
   string name_pattern = 1;
 }
 
-// An [admission rule][google.cloud.binaryauthorization.v1beta1.AdmissionRule]
-// specifies either that all container images used in a pod creation request
-// must be attested to by one or more
-// [attestors][google.cloud.binaryauthorization.v1beta1.Attestor], that all pod
-// creations will be allowed, or that all pod creations will be denied.
+// An [admission rule][google.cloud.binaryauthorization.v1beta1.AdmissionRule] specifies either that all container images
+// used in a pod creation request must be attested to by one or more
+// [attestors][google.cloud.binaryauthorization.v1beta1.Attestor], that all pod creations will be allowed, or that all
+// pod creations will be denied.
 //
-// Images matching an [admission allowlist
-// pattern][google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern]
+// Images matching an [admission allowlist pattern][google.cloud.binaryauthorization.v1beta1.AdmissionWhitelistPattern]
 // are exempted from admission rules and will never block a pod creation.
 message AdmissionRule {
   enum EvaluationMode {
@@ -119,7 +128,7 @@ message AdmissionRule {
     ALWAYS_ALLOW = 1;
 
     // This rule allows a pod creation if all the attestors listed in
-    // 'require_attestations_by' have valid attestations for all of the
+    // `require_attestations_by` have valid attestations for all of the
     // images in the pod spec.
     REQUIRE_ATTESTATION = 2;
 
@@ -152,16 +161,15 @@ message AdmissionRule {
   //
   // Note: this field must be non-empty when the evaluation_mode field specifies
   // REQUIRE_ATTESTATION, otherwise it must be empty.
-  repeated string require_attestations_by = 2
-      [(google.api.field_behavior) = OPTIONAL];
+  repeated string require_attestations_by = 2 [(google.api.field_behavior) = OPTIONAL];
 
   // Required. The action when a pod creation is denied by the admission rule.
   EnforcementMode enforcement_mode = 3 [(google.api.field_behavior) = REQUIRED];
 }
 
-// An [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] that attests
-// to container image artifacts. An existing attestor cannot be modified except
-// where indicated.
+// An [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] that attests to container image
+// artifacts. An existing attestor cannot be modified except where
+// indicated.
 message Attestor {
   option (google.api.resource) = {
     type: "binaryauthorization.googleapis.com/Attestor"
@@ -176,24 +184,22 @@ message Attestor {
   // The field may be displayed in chooser dialogs.
   string description = 6 [(google.api.field_behavior) = OPTIONAL];
 
-  // Required. Identifies an
-  // [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] that attests
-  // to a container image artifact. This determines how an attestation will be
-  // stored, and how it will be used during policy enforcement. Updates may not
-  // change the attestor type, but individual attestor fields may be updated
+  // Required. Identifies an [attestor][google.cloud.binaryauthorization.v1beta1.Attestor] that attests to a
+  // container image artifact. This determines how an attestation will
+  // be stored, and how it will be used during policy
+  // enforcement. Updates may not change the attestor type, but individual
+  // attestor fields may be updated.
   oneof attestor_type {
     // A Drydock ATTESTATION_AUTHORITY Note, created by the user.
     UserOwnedDrydockNote user_owned_drydock_note = 3;
   }
 
   // Output only. Time when the attestor was last updated.
-  google.protobuf.Timestamp update_time = 4
-      [(google.api.field_behavior) = OUTPUT_ONLY];
+  google.protobuf.Timestamp update_time = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
-// An [user owned drydock
-// note][google.cloud.binaryauthorization.v1beta1.UserOwnedDrydockNote]
-// references a Drydock ATTESTATION_AUTHORITY Note created by the user.
+// An [user owned drydock note][google.cloud.binaryauthorization.v1beta1.UserOwnedDrydockNote] references a Drydock
+// ATTESTATION_AUTHORITY Note created by the user.
 message UserOwnedDrydockNote {
   // Required. The Drydock resource name of a ATTESTATION_AUTHORITY Note,
   // created by the user, in the format: `projects/*/notes/*` (or the legacy
@@ -213,8 +219,7 @@ message UserOwnedDrydockNote {
   //
   // If this field is empty, this attestor always returns that no
   // valid attestations exist.
-  repeated AttestorPublicKey public_keys = 2
-      [(google.api.field_behavior) = OPTIONAL];
+  repeated AttestorPublicKey public_keys = 2 [(google.api.field_behavior) = OPTIONAL];
 
   // Output only. This field will contain the service account email address
   // that this Attestor will use as the principal when querying Container
@@ -225,8 +230,7 @@ message UserOwnedDrydockNote {
   // This email address is fixed for the lifetime of the Attestor, but callers
   // should not make any other assumptions about the service account email;
   // future versions may use an email based on a different naming pattern.
-  string delegation_service_account_email = 3
-      [(google.api.field_behavior) = OUTPUT_ONLY];
+  string delegation_service_account_email = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // A public key in the PkixPublicKey format (see
@@ -241,6 +245,8 @@ message PkixPublicKey {
   // See https://cloud.google.com/kms/docs/algorithms. In the future, BinAuthz
   // might support additional public key types independently of Tink and/or KMS.
   enum SignatureAlgorithm {
+    option allow_alias = true;
+
     // Not specified.
     SIGNATURE_ALGORITHM_UNSPECIFIED = 0;
 
@@ -271,11 +277,20 @@ message PkixPublicKey {
     // ECDSA on the NIST P-256 curve with a SHA256 digest.
     ECDSA_P256_SHA256 = 9;
 
+    // ECDSA on the NIST P-256 curve with a SHA256 digest.
+    EC_SIGN_P256_SHA256 = 9;
+
     // ECDSA on the NIST P-384 curve with a SHA384 digest.
     ECDSA_P384_SHA384 = 10;
 
+    // ECDSA on the NIST P-384 curve with a SHA384 digest.
+    EC_SIGN_P384_SHA384 = 10;
+
     // ECDSA on the NIST P-521 curve with a SHA512 digest.
     ECDSA_P521_SHA512 = 11;
+
+    // ECDSA on the NIST P-521 curve with a SHA512 digest.
+    EC_SIGN_P521_SHA512 = 11;
   }
 
   // A PEM-encoded public key, as described in
@@ -290,9 +305,8 @@ message PkixPublicKey {
   SignatureAlgorithm signature_algorithm = 2;
 }
 
-// An [attestor public
-// key][google.cloud.binaryauthorization.v1beta1.AttestorPublicKey] that will be
-// used to verify attestations signed by this attestor.
+// An [attestor public key][google.cloud.binaryauthorization.v1beta1.AttestorPublicKey] that will be used to verify
+// attestations signed by this attestor.
 message AttestorPublicKey {
   // Optional. A descriptive comment. This field may be updated.
   string comment = 1 [(google.api.field_behavior) = OPTIONAL];