feat: Adds support for check-based platform policy evaluation to Binary Authorization Continuous Validation logs

Google APIs · copybara-github · commit 6c2b07fea4ee · 2023-08-15T08:54:30.000-07:00
feat: Adds support for communicating configuration issues that prevent Continuous Validation from monitoring pods

fix!: Remove unused unsupported_policy_event event_type from ContinuousValidationPodEvent

PiperOrigin-RevId: 557146775
diff --git a/google/cloud/binaryauthorization/v1beta1/continuous_validation_logging.proto b/google/cloud/binaryauthorization/v1beta1/continuous_validation_logging.proto
@@ -1,4 +1,4 @@
-// Copyright 2022 Google LLC
+// Copyright 2023 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -54,6 +54,58 @@ message ContinuousValidationEvent {
         DENY = 2;
       }
 
+      message CheckResult {
+        // A scope specifier for check sets.
+        message CheckSetScope {
+          oneof scope {
+            // Matches a single Kubernetes service account, e.g.
+            // 'my-namespace:my-service-account'.
+            // `kubernetes_service_account` scope is always more specific than
+            // `kubernetes_namespace` scope for the same namespace.
+            string kubernetes_service_account = 1;
+
+            // Matches all Kubernetes service accounts in the provided
+            // namespace, unless a more specific `kubernetes_service_account`
+            // scope already matched.
+            string kubernetes_namespace = 2;
+          }
+        }
+
+        // Result of evaluating one check.
+        enum CheckVerdict {
+          // We should always have a verdict. This is an error.
+          CHECK_VERDICT_UNSPECIFIED = 0;
+
+          // The check was successfully evaluated and the image did not satisfy
+          // the check.
+          NON_CONFORMANT = 1;
+        }
+
+        // The index of the check set.
+        string check_set_index = 1;
+
+        // The name of the check set.
+        string check_set_name = 2;
+
+        // The scope of the check set.
+        CheckSetScope check_set_scope = 3;
+
+        // The index of the check.
+        string check_index = 4;
+
+        // The name of the check.
+        string check_name = 5;
+
+        // The type of the check.
+        string check_type = 6;
+
+        // The verdict of this check.
+        CheckVerdict verdict = 7;
+
+        // User-friendly explanation of this check result.
+        string explanation = 8;
+      }
+
       // The name of the image.
       string image = 1;
 
@@ -62,6 +114,9 @@ message ContinuousValidationEvent {
 
       // Description of the above result.
       string description = 3;
+
+      // List of check results.
+      repeated CheckResult check_results = 4;
     }
 
     // The k8s namespace of the Pod.
@@ -70,6 +125,9 @@ message ContinuousValidationEvent {
     // The name of the Pod.
     string pod = 1;
 
+    // The name of the policy.
+    string policy_name = 8;
+
     // Deploy time of the Pod from k8s.
     google.protobuf.Timestamp deploy_time = 2;
 
@@ -83,9 +141,10 @@ message ContinuousValidationEvent {
     repeated ImageDetails images = 5;
   }
 
-  // An event describing that the project policy is unsupported by CV.
-  message UnsupportedPolicyEvent {
-    // A description of the unsupported policy.
+  // An event describing a user-actionable configuration issue that prevents CV
+  // from auditing.
+  message ConfigErrorEvent {
+    // A description of the issue.
     string description = 1;
   }
 
@@ -94,7 +153,7 @@ message ContinuousValidationEvent {
     // Pod event.
     ContinuousValidationPodEvent pod_event = 1;
 
-    // Unsupported policy event.
-    UnsupportedPolicyEvent unsupported_policy_event = 2;
+    // Config error event.
+    ConfigErrorEvent config_error_event = 4;
   }
 }
