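# CustomResourceDefinition header for the DLP job-trigger resource,
# registered under the name dlpjobtriggers.dlp.cnrm.cloud.google.com.
# The listing's fused gutter numbers are removed and the nesting is restored
# so that this stanza parses as YAML again.
# NOTE(review): CRDs are cluster-scoped objects; limit who may create or
# update them, because the schema decides which fields are validated.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # NOTE(review): 0.0.0-dev looks like a development placeholder rather
    # than a release version; confirm which build produced this manifest.
    cnrm.cloud.google.com/version: 0.0.0-dev
  # Emitted as null by the generator; presumably filled in by the API server.
  creationTimestamp: null
  labels:
    # Label values must be strings, so "true" stays quoted to keep YAML from
    # reading it as a boolean.
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: dlpjobtriggers.dlp.cnrm.cloud.google.com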
13spec:
14 group: dlp.cnrm.cloud.google.com
15 names:
16 categories:
17 - gcp
18 kind: DLPJobTrigger
19 plural: dlpjobtriggers
20 shortNames:
21 - gcpdlpjobtrigger
22 - gcpdlpjobtriggers
23 singular: dlpjobtrigger
24 preserveUnknownFields: false
25 scope: Namespaced
26 versions:
27 - additionalPrinterColumns:
28 - jsonPath: .metadata.creationTimestamp
29 name: Age
30 type: date
31 - description: When 'True', the most recent reconcile of the resource succeeded
32 jsonPath: .status.conditions[?(@.type=='Ready')].status
33 name: Ready
34 type: string
35 - description: The reason for the value in 'Ready'
36 jsonPath: .status.conditions[?(@.type=='Ready')].reason
37 name: Status
38 type: string
39 - description: The last transition time for the value in 'Status'
40 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
41 name: Status Age
42 type: date
43 name: v1beta1
44 schema:
45 openAPIV3Schema:
46 properties:
47 apiVersion:
48 description: 'apiVersion defines the versioned schema of this representation
49 of an object. Servers should convert recognized schemas to the latest
50 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
51 type: string
52 kind:
53 description: 'kind is a string value representing the REST resource this
54 object represents. Servers may infer this from the endpoint the client
55 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
56 type: string
57 metadata:
58 type: object
59 spec:
60 properties:
61 description:
62 description: User provided description (max 256 chars)
63 type: string
64 displayName:
65 description: Display name (max 100 chars)
66 type: string
67 inspectJob:
68 description: For inspect jobs, a snapshot of the configuration.
69 properties:
70 actions:
71 description: Actions to execute at the completion of the job.
72 items:
73 properties:
74 jobNotificationEmails:
75 description: Enable email notification for project owners
76 and editors on job's completion/failure.
77 type: object
78 x-kubernetes-preserve-unknown-fields: true
79 pubSub:
80 description: Publish a notification to a pubsub topic.
81 properties:
82 topicRef:
83 oneOf:
84 - not:
85 required:
86 - external
87 required:
88 - name
89 - not:
90 anyOf:
91 - required:
92 - name
93 - required:
94 - namespace
95 required:
96 - external
97 properties:
98 external:
99 description: |-
100 Cloud Pub/Sub topic to send notifications to. The topic must have given publishing access rights to the DLP API service account executing the long running DlpJob sending the notifications. Format is projects/{project}/topics/{topic}.
101
102 Allowed value: The Google Cloud resource name of a `PubSubTopic` resource (format: `projects/{{project}}/topics/{{name}}`).
103 type: string
104 name:
105 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
106 type: string
107 namespace:
108 description: 'Namespace of the referent. More info:
109 https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
110 type: string
111 type: object
112 type: object
113 publishFindingsToCloudDataCatalog:
114 description: Publish findings to Cloud Datahub.
115 type: object
116 x-kubernetes-preserve-unknown-fields: true
117 publishSummaryToCscc:
118 description: Publish summary to Cloud Security Command Center
119 (Alpha).
120 type: object
121 x-kubernetes-preserve-unknown-fields: true
122 publishToStackdriver:
123 description: Enable Stackdriver metric dlp.googleapis.com/finding_count.
124 type: object
125 x-kubernetes-preserve-unknown-fields: true
126 saveFindings:
127 description: Save resulting findings in a provided location.
128 properties:
129 outputConfig:
130 description: Location to store findings outside of DLP.
131 properties:
132 dlpStorage:
133 description: Store findings directly to DLP. If
134 neither this nor bigquery is chosen, only summary
135 stats of total infotype count will be stored.
136 Quotes will not be stored to dlp findings. If
137 quotes are needed, store to BigQuery. Currently
138 only for inspect jobs.
139 type: object
140 x-kubernetes-preserve-unknown-fields: true
141 outputSchema:
142 description: 'Schema used for writing the findings
143 for Inspect jobs. This field is only used for
144 Inspect and must be unspecified for Risk jobs.
145 Columns are derived from the `Finding` object.
146 If appending to an existing table, any columns
147 from the predefined schema that are missing will
148 be added. No columns in the existing table will
149 be deleted. If unspecified, then all available
150 columns will be used for a new table or an (existing)
151 table with no schema, and no changes will be made
152 to an existing table that has a schema. Only for
153 use with external storage. Possible values: OUTPUT_SCHEMA_UNSPECIFIED,
154 BASIC_COLUMNS, GCS_COLUMNS, DATASTORE_COLUMNS,
155 BIG_QUERY_COLUMNS, ALL_COLUMNS'
156 type: string
157 table:
158 description: 'Store findings in an existing table
159 or a new table in an existing dataset. If table_id
160 is not set a new one will be generated for you
161 with the following format: dlp_googleapis_yyyy_mm_dd_[dlp_job_id].
162 Pacific timezone will be used for generating the
163 date details. For Inspect, each column in an existing
164 output table must have the same name, type, and
165 mode of a field in the `Finding` object. For Risk,
166 an existing output table should be the output
167 of a previous Risk analysis job run on the same
168 source table, with the same privacy metric and
169 quasi-identifiers. Risk jobs that analyze the
170 same table but compute a different privacy metric,
171 or use different sets of quasi-identifiers, cannot
172 store their results in the same table.'
173 properties:
174 datasetRef:
175 oneOf:
176 - not:
177 required:
178 - external
179 required:
180 - name
181 - not:
182 anyOf:
183 - required:
184 - name
185 - required:
186 - namespace
187 required:
188 - external
189 properties:
190 external:
191 description: |-
192 Dataset ID of the table.
193
194 Allowed value: The Google Cloud resource name of a `BigQueryDataset` resource (format: `projects/{{project}}/datasets/{{name}}`).
195 type: string
196 name:
197 description: 'Name of the referent. More
198 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
199 type: string
200 namespace:
201 description: 'Namespace of the referent.
202 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
203 type: string
204 type: object
205 projectRef:
206 oneOf:
207 - not:
208 required:
209 - external
210 required:
211 - name
212 - not:
213 anyOf:
214 - required:
215 - name
216 - required:
217 - namespace
218 required:
219 - external
220 properties:
221 external:
222 description: |-
223 The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.
224
225 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
226 type: string
227 name:
228 description: 'Name of the referent. More
229 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
230 type: string
231 namespace:
232 description: 'Namespace of the referent.
233 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
234 type: string
235 type: object
236 tableRef:
237 oneOf:
238 - not:
239 required:
240 - external
241 required:
242 - name
243 - not:
244 anyOf:
245 - required:
246 - name
247 - required:
248 - namespace
249 required:
250 - external
251 properties:
252 external:
253 description: |-
254 Name of the table.
255
256 Allowed value: The Google Cloud resource name of a `BigQueryTable` resource (format: `projects/{{project}}/datasets/{{dataset_id}}/tables/{{name}}`).
257 type: string
258 name:
259 description: 'Name of the referent. More
260 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
261 type: string
262 namespace:
263 description: 'Namespace of the referent.
264 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
265 type: string
266 type: object
267 type: object
268 type: object
269 type: object
270 type: object
271 type: array
272 inspectConfig:
273 description: How and what to scan for.
274 properties:
275 customInfoTypes:
276 description: CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes
277 to learn more.
278 items:
279 properties:
280 detectionRules:
281 description: Set of detection rules to apply to all
282 findings of this CustomInfoType. Rules are applied
283 in order that they are specified. Not supported for
284 the `surrogate_type` CustomInfoType.
285 items:
286 properties:
287 hotwordRule:
288 description: Hotword-based detection rule.
289 properties:
290 hotwordRegex:
291 description: Regular expression pattern defining
292 what qualifies as a hotword.
293 properties:
294 groupIndexes:
295 description: The index of the submatch
296 to extract as findings. When not specified,
297 the entire match is returned. No more
298 than 3 may be included.
299 items:
300 format: int64
301 type: integer
302 type: array
303 pattern:
304 description: Pattern defining the regular
305 expression. Its syntax (https://github.com/google/re2/wiki/Syntax)
306 can be found under the google/re2 repository
307 on GitHub.
308 type: string
309 type: object
310 likelihoodAdjustment:
311 description: Likelihood adjustment to apply
312 to all matching findings.
313 properties:
314 fixedLikelihood:
315 description: 'Set the likelihood of a
316 finding to a fixed value. Possible values:
317 LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY,
318 UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY'
319 type: string
320 relativeLikelihood:
321 description: Increase or decrease the
322 likelihood by the specified number of
323 levels. For example, if a finding would
324 be `POSSIBLE` without the detection
325 rule and `relative_likelihood` is 1,
326 then it is upgraded to `LIKELY`, while
327 a value of -1 would downgrade it to
328 `UNLIKELY`. Likelihood may never drop
329 below `VERY_UNLIKELY` or exceed `VERY_LIKELY`,
330 so applying an adjustment of 1 followed
331 by an adjustment of -1 when base likelihood
332 is `VERY_LIKELY` will result in a final
333 likelihood of `LIKELY`.
334 format: int64
335 type: integer
336 type: object
337 proximity:
338 description: Proximity of the finding within
339 which the entire hotword must reside. The
340 total length of the window cannot exceed
341 1000 characters. Note that the finding itself
342 will be included in the window, so that
343 hotwords may be used to match substrings
344 of the finding itself. For example, the
345 certainty of a phone number regex "\(\d{3}\)
346 \d{3}-\d{4}" could be adjusted upwards if
347 the area code is known to be the local area
348 code of a company office using the hotword
349 regex "\(xxx\)", where "xxx" is the area code
350 in question.
351 properties:
352 windowAfter:
353 description: Number of characters after
354 the finding to consider.
355 format: int64
356 type: integer
357 windowBefore:
358 description: Number of characters before
359 the finding to consider.
360 format: int64
361 type: integer
362 type: object
363 type: object
364 type: object
365 type: array
366 dictionary:
367 description: A list of phrases to detect as a CustomInfoType.
368 properties:
369 cloudStoragePath:
370 description: Newline-delimited file of words in
371 Cloud Storage. Only a single file is accepted.
372 properties:
373 path:
374 description: 'A url representing a file or path
375 (no wildcards) in Cloud Storage. Example:
376 gs://[BUCKET_NAME]/dictionary.txt'
377 type: string
378 type: object
379 wordList:
380 description: List of words or phrases to search
381 for.
382 properties:
383 words:
384 description: Words or phrases defining the dictionary.
385 The dictionary must contain at least one phrase
386 and every phrase must contain at least 2 characters
387 that are letters or digits. [required]
388 items:
389 type: string
390 type: array
391 type: object
392 type: object
393 exclusionType:
394 description: 'If set to EXCLUSION_TYPE_EXCLUDE this
395 infoType will not cause a finding to be returned.
396 It still can be used for rules matching. Possible
397 values: EXCLUSION_TYPE_UNSPECIFIED, EXCLUSION_TYPE_EXCLUDE'
398 type: string
399 infoType:
400 description: CustomInfoType can either be a new infoType,
401 or an extension of built-in infoType, when the name
402 matches one of existing infoTypes and that infoType
403 is specified in `InspectContent.info_types` field.
404 Specifying the latter adds findings to the one detected
405 by the system. If built-in info type is not specified
406 in `InspectContent.info_types` list then the name
407 is treated as a custom info type.
408 properties:
409 name:
410 description: Name of the information type. Either
411 a name of your choosing when creating a CustomInfoType,
412 or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference
413 when specifying a built-in type. When sending
414 Cloud DLP results to Data Catalog, infoType names
415 should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
416 type: string
417 version:
418 description: Optional version name for this InfoType.
419 type: string
420 type: object
421 likelihood:
422 description: 'Likelihood to return for this CustomInfoType.
423 This base value can be altered by a detection rule
424 if the finding meets the criteria specified by the
425 rule. Defaults to `VERY_LIKELY` if not specified.
426 Possible values: LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY,
427 UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY'
428 type: string
429 regex:
430 description: Regular expression based CustomInfoType.
431 properties:
432 groupIndexes:
433 description: The index of the submatch to extract
434 as findings. When not specified, the entire match
435 is returned. No more than 3 may be included.
436 items:
437 format: int64
438 type: integer
439 type: array
440 pattern:
441 description: Pattern defining the regular expression.
442 Its syntax (https://github.com/google/re2/wiki/Syntax)
443 can be found under the google/re2 repository on
444 GitHub.
445 type: string
446 type: object
447 storedType:
448 description: Load an existing `StoredInfoType` resource
449 for use in `InspectDataSource`. Not currently supported
450 in `InspectContent`.
451 properties:
452 createTime:
453 description: Timestamp indicating when the version
454 of the `StoredInfoType` used for inspection was
455 created. Output-only field, populated by the system.
456 format: date-time
457 type: string
458 nameRef:
459 oneOf:
460 - not:
461 required:
462 - external
463 required:
464 - name
465 - not:
466 anyOf:
467 - required:
468 - name
469 - required:
470 - namespace
471 required:
472 - external
473 properties:
474 external:
475 description: |-
476 Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.
477
478 Allowed value: The Google Cloud resource name of a `DLPStoredInfoType` resource (format: `{{parent}}/storedInfoTypes/{{name}}`).
479 type: string
480 name:
481 description: 'Name of the referent. More info:
482 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
483 type: string
484 namespace:
485 description: 'Namespace of the referent. More
486 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
487 type: string
488 type: object
489 type: object
490 surrogateType:
491 description: Message for detecting output from deidentification
492 transformations that support reversing.
493 type: object
494 x-kubernetes-preserve-unknown-fields: true
495 type: object
496 type: array
497 excludeInfoTypes:
498 description: When true, excludes type information of the findings.
499 This is not used for data profiling.
500 type: boolean
501 includeQuote:
502 description: When true, a contextual quote from the data that
503 triggered a finding is included in the response; see Finding.quote.
504 This is not used for data profiling.
505 type: boolean
506 infoTypes:
507 description: Restricts what info_types to look for. The values
508 must correspond to InfoType values returned by ListInfoTypes
509 or listed at https://cloud.google.com/dlp/docs/infotypes-reference.
510 When no InfoTypes or CustomInfoTypes are specified in a
511 request, the system may automatically choose what detectors
512 to run. By default this may be all types, but may change
513 over time as detectors are updated. If you need precise
514 control and predictability as to what detectors are run
515 you should specify specific InfoTypes listed in the reference,
516 otherwise a default list will be used, which may change
517 over time.
518 items:
519 properties:
520 name:
521 description: Name of the information type. Either a
522 name of your choosing when creating a CustomInfoType,
523 or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference
524 when specifying a built-in type. When sending Cloud
525 DLP results to Data Catalog, infoType names should
526 conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
527 type: string
528 type: object
529 type: array
530 limits:
531 description: Configuration to control the number of findings
532 returned. This is not used for data profiling.
533 properties:
534 maxFindingsPerInfoType:
535 description: Configuration of findings limit given for
536 specified infoTypes.
537 items:
538 properties:
539 infoType:
540 description: Type of information the findings limit
541 applies to. Only one limit per info_type should
542 be provided. If InfoTypeLimit does not have an
543 info_type, the DLP API applies the limit against
544 all info_types that are found but not specified
545 in another InfoTypeLimit.
546 properties:
547 name:
548 description: Name of the information type. Either
549 a name of your choosing when creating a CustomInfoType,
550 or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference
551 when specifying a built-in type. When sending
552 Cloud DLP results to Data Catalog, infoType
553 names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
554 type: string
555 version:
556 description: Optional version name for this
557 InfoType.
558 type: string
559 type: object
560 maxFindings:
561 description: Max findings limit for the given infoType.
562 format: int64
563 type: integer
564 type: object
565 type: array
566 maxFindingsPerItem:
567 description: Max number of findings that will be returned
568 for each item scanned. When set within `InspectJobConfig`,
569 the maximum returned is 2000 regardless if this is set
570 higher. When set within `InspectContentRequest`, this
571 field is ignored.
572 format: int64
573 type: integer
574 maxFindingsPerRequest:
575 description: Max number of findings that will be returned
576 per request/job. When set within `InspectContentRequest`,
577 the maximum returned is 2000 regardless if this is set
578 higher.
579 format: int64
580 type: integer
581 type: object
582 minLikelihood:
583 description: 'Only returns findings equal to or above this threshold.
584 The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood
585 to learn more. Possible values: LIKELIHOOD_UNSPECIFIED,
586 VERY_UNLIKELY, UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY'
587 type: string
588 ruleSet:
589 description: Set of rules to apply to the findings for this
590 InspectConfig. Exclusion rules contained in the set are
591 executed at the end; other rules are executed in the order
592 they are specified for each info type.
593 items:
594 properties:
595 infoTypes:
596 description: List of infoTypes this rule set is applied
597 to.
598 items:
599 properties:
600 name:
601 description: Name of the information type. Either
602 a name of your choosing when creating a CustomInfoType,
603 or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference
604 when specifying a built-in type. When sending
605 Cloud DLP results to Data Catalog, infoType
606 names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
607 type: string
608 version:
609 description: Optional version name for this InfoType.
610 type: string
611 type: object
612 type: array
613 rules:
614 description: Set of rules to be applied to infoTypes.
615 The rules are applied in order.
616 items:
617 properties:
618 exclusionRule:
619 description: Exclusion rule.
620 properties:
621 dictionary:
622 description: Dictionary which defines the
623 rule.
624 properties:
625 cloudStoragePath:
626 description: Newline-delimited file of
627 words in Cloud Storage. Only a single
628 file is accepted.
629 properties:
630 path:
631 description: 'A url representing a
632 file or path (no wildcards) in Cloud
633 Storage. Example: gs://[BUCKET_NAME]/dictionary.txt'
634 type: string
635 type: object
636 wordList:
637 description: List of words or phrases
638 to search for.
639 properties:
640 words:
641 description: Words or phrases defining
642 the dictionary. The dictionary must
643 contain at least one phrase and
644 every phrase must contain at least
645 2 characters that are letters or
646 digits. [required]
647 items:
648 type: string
649 type: array
650 type: object
651 type: object
652 excludeInfoTypes:
653 description: Set of infoTypes for which findings
654 would affect this rule.
655 properties:
656 infoTypes:
657 description: InfoType list in ExclusionRule
658 rule drops a finding when it overlaps
659 or is contained within a finding of
660 an infoType from this list. For example,
661 for `InspectionRuleSet.info_types` containing
662 "PHONE_NUMBER" and `exclusion_rule`
663 containing `exclude_info_types.info_types`
664 with "EMAIL_ADDRESS" the phone number
665 findings are dropped if they overlap
666 with EMAIL_ADDRESS finding. That leads
667 to "555-222-2222@example.org" to generate
668 only a single finding, namely email
669 address.
670 items:
671 properties:
672 name:
673 description: Name of the information
674 type. Either a name of your choosing
675 when creating a CustomInfoType,
676 or one of the names listed at
677 https://cloud.google.com/dlp/docs/infotypes-reference
678 when specifying a built-in type.
679 When sending Cloud DLP results
680 to Data Catalog, infoType names
681 should conform to the pattern
682 `[A-Za-z0-9$-_]{1,64}`.
683 type: string
684 version:
685 description: Optional version name
686 for this InfoType.
687 type: string
688 type: object
689 type: array
690 type: object
691 matchingType:
692 description: 'How the rule is applied, see
693 MatchingType documentation for details.
694 Possible values: MATCHING_TYPE_UNSPECIFIED,
695 MATCHING_TYPE_FULL_MATCH, MATCHING_TYPE_PARTIAL_MATCH,
696 MATCHING_TYPE_INVERSE_MATCH'
697 type: string
698 regex:
699 description: Regular expression which defines
700 the rule.
701 properties:
702 groupIndexes:
703 description: The index of the submatch
704 to extract as findings. When not specified,
705 the entire match is returned. No more
706 than 3 may be included.
707 items:
708 format: int64
709 type: integer
710 type: array
711 pattern:
712 description: Pattern defining the regular
713 expression. Its syntax (https://github.com/google/re2/wiki/Syntax)
714 can be found under the google/re2 repository
715 on GitHub.
716 type: string
717 type: object
718 type: object
719 hotwordRule:
720 properties:
721 hotwordRegex:
722 description: Regular expression pattern defining
723 what qualifies as a hotword.
724 properties:
725 groupIndexes:
726 description: The index of the submatch
727 to extract as findings. When not specified,
728 the entire match is returned. No more
729 than 3 may be included.
730 items:
731 format: int64
732 type: integer
733 type: array
734 pattern:
735 description: Pattern defining the regular
736 expression. Its syntax (https://github.com/google/re2/wiki/Syntax)
737 can be found under the google/re2 repository
738 on GitHub.
739 type: string
740 type: object
741 likelihoodAdjustment:
742 description: Likelihood adjustment to apply
743 to all matching findings.
744 properties:
745 fixedLikelihood:
746 description: 'Set the likelihood of a
747 finding to a fixed value. Possible values:
748 LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY,
749 UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY'
750 type: string
751 relativeLikelihood:
752 description: Increase or decrease the
753 likelihood by the specified number of
754 levels. For example, if a finding would
755 be `POSSIBLE` without the detection
756 rule and `relative_likelihood` is 1,
757 then it is upgraded to `LIKELY`, while
758 a value of -1 would downgrade it to
759 `UNLIKELY`. Likelihood may never drop
760 below `VERY_UNLIKELY` or exceed `VERY_LIKELY`,
761 so applying an adjustment of 1 followed
762 by an adjustment of -1 when base likelihood
763 is `VERY_LIKELY` will result in a final
764 likelihood of `LIKELY`.
765 format: int64
766 type: integer
767 type: object
768 proximity:
769 description: Proximity of the finding within
770 which the entire hotword must reside. The
771 total length of the window cannot exceed
772 1000 characters. Note that the finding itself
773 will be included in the window, so that
774 hotwords may be used to match substrings
775 of the finding itself. For example, the
776 certainty of a phone number regex "\(\d{3}\)
777 \d{3}-\d{4}" could be adjusted upwards if
778 the area code is known to be the local area
779 code of a company office using the hotword
780 regex "\(xxx\)", where "xxx" is the area code
781 in question.
782 properties:
783 windowAfter:
784 description: Number of characters after
785 the finding to consider.
786 format: int64
787 type: integer
788 windowBefore:
789 description: Number of characters before
790 the finding to consider.
791 format: int64
792 type: integer
793 type: object
794 type: object
795 type: object
796 type: array
797 type: object
798 type: array
799 type: object
800 inspectTemplateRef:
801 oneOf:
802 - not:
803 required:
804 - external
805 required:
806 - name
807 - not:
808 anyOf:
809 - required:
810 - name
811 - required:
812 - namespace
813 required:
814 - external
815 properties:
816 external:
817 description: |-
818 If provided, will be used as the default for all values in InspectConfig. `inspect_config` will be merged into the values persisted as part of the template.
819
820 Allowed value: The Google Cloud resource name of a `DLPInspectTemplate` resource (format: `{{parent}}/inspectTemplates/{{name}}`).
821 type: string
822 name:
823 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
824 type: string
825 namespace:
826 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
827 type: string
828 type: object
829 storageConfig:
830 description: The data to scan.
831 properties:
832 bigQueryOptions:
833 description: BigQuery options.
834 properties:
835 excludedFields:
836 description: References to fields excluded from scanning.
837 This allows you to skip inspection of entire columns
838 which you know have no findings.
839 items:
840 properties:
841 name:
842 description: Name describing the field.
843 type: string
844 type: object
845 type: array
846 identifyingFields:
847 description: Table fields that may uniquely identify a
848 row within the table. When `actions.saveFindings.outputConfig.table`
849 is specified, the values of columns specified here are
850 available in the output table under `location.content_locations.record_location.record_key.id_values`.
851 Nested fields such as `person.birthdate.year` are allowed.
852 items:
853 properties:
854 name:
855 description: Name describing the field.
856 type: string
857 type: object
858 type: array
859 includedFields:
860 description: Limit scanning only to these fields.
861 items:
862 properties:
863 name:
864 description: Name describing the field.
865 type: string
866 type: object
867 type: array
868 rowsLimit:
869 description: Max number of rows to scan. If the table
870 has more rows than this value, the rest of the rows
871 are omitted. If not set, or if set to 0, all rows will
872 be scanned. Only one of rows_limit and rows_limit_percent
873 can be specified. Cannot be used in conjunction with
874 TimespanConfig.
875 format: int64
876 type: integer
877 rowsLimitPercent:
878 description: Max percentage of rows to scan. The rest
879 are omitted. The number of rows scanned is rounded down.
880 Must be between 0 and 100, inclusively. Both 0 and 100
881 means no limit. Defaults to 0. Only one of rows_limit
882 and rows_limit_percent can be specified. Cannot be used
883 in conjunction with TimespanConfig.
884 format: int64
885 type: integer
886 sampleMethod:
887 description: ' Possible values: SAMPLE_METHOD_UNSPECIFIED,
888 TOP, RANDOM_START'
889 type: string
890 tableReference:
891 description: Complete BigQuery table reference.
892 properties:
893 datasetRef:
894 oneOf:
895 - not:
896 required:
897 - external
898 required:
899 - name
900 - not:
901 anyOf:
902 - required:
903 - name
904 - required:
905 - namespace
906 required:
907 - external
908 properties:
909 external:
910 description: |-
911 Dataset ID of the table.
912
913 Allowed value: The Google Cloud resource name of a `BigQueryDataset` resource (format: `projects/{{project}}/datasets/{{name}}`).
914 type: string
915 name:
916 description: 'Name of the referent. More info:
917 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
918 type: string
919 namespace:
920 description: 'Namespace of the referent. More
921 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
922 type: string
923 type: object
924 projectRef:
925 oneOf:
926 - not:
927 required:
928 - external
929 required:
930 - name
931 - not:
932 anyOf:
933 - required:
934 - name
935 - required:
936 - namespace
937 required:
938 - external
939 properties:
940 external:
941 description: |-
942 The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.
943
944 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
945 type: string
946 name:
947 description: 'Name of the referent. More info:
948 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
949 type: string
950 namespace:
951 description: 'Namespace of the referent. More
952 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
953 type: string
954 type: object
955 tableRef:
956 oneOf:
957 - not:
958 required:
959 - external
960 required:
961 - name
962 - not:
963 anyOf:
964 - required:
965 - name
966 - required:
967 - namespace
968 required:
969 - external
970 properties:
971 external:
972 description: |-
973 Name of the table.
974
975 Allowed value: The Google Cloud resource name of a `BigQueryTable` resource (format: `projects/{{project}}/datasets/{{dataset_id}}/tables/{{name}}`).
976 type: string
977 name:
978 description: 'Name of the referent. More info:
979 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
980 type: string
981 namespace:
982 description: 'Namespace of the referent. More
983 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
984 type: string
985 type: object
986 type: object
987 required:
988 - tableReference
989 type: object
990 cloudStorageOptions:
991 description: Google Cloud Storage options.
992 properties:
993 bytesLimitPerFile:
994 description: Max number of bytes to scan from a file.
995 If a scanned file's size is bigger than this value then
996 the rest of the bytes are omitted. Only one of bytes_limit_per_file
997 and bytes_limit_per_file_percent can be specified. Cannot
998 be set if de-identification is requested.
999 format: int64
1000 type: integer
1001 bytesLimitPerFilePercent:
1002 description: Max percentage of bytes to scan from a file.
1003 The rest are omitted. The number of bytes scanned is
1004 rounded down. Must be between 0 and 100, inclusively.
1005 Both 0 and 100 means no limit. Defaults to 0. Only one
1006 of bytes_limit_per_file and bytes_limit_per_file_percent
1007 can be specified. Cannot be set if de-identification
1008 is requested.
1009 format: int64
1010 type: integer
1011 fileSet:
1012 description: The set of one or more files to scan.
1013 properties:
1014 regexFileSet:
1015 description: The regex-filtered set of files to scan.
1016 Exactly one of `url` or `regex_file_set` must be
1017 set.
1018 properties:
1019 bucketRef:
1020 oneOf:
1021 - not:
1022 required:
1023 - external
1024 required:
1025 - name
1026 - not:
1027 anyOf:
1028 - required:
1029 - name
1030 - required:
1031 - namespace
1032 required:
1033 - external
1034 properties:
1035 external:
1036 description: |-
1037 The name of a Cloud Storage bucket. Required.
1038
1039 Allowed value: The Google Cloud resource name of a `StorageBucket` resource (format: `{{name}}`).
1040 type: string
1041 name:
1042 description: 'Name of the referent. More info:
1043 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1044 type: string
1045 namespace:
1046 description: 'Namespace of the referent. More
1047 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1048 type: string
1049 type: object
1050 excludeRegex:
1051 description: A list of regular expressions matching
1052 file paths to exclude. All files in the bucket
1053 that match at least one of these regular expressions
1054 will be excluded from the scan. Regular expressions
1055 use RE2 [syntax](https://github.com/google/re2/wiki/Syntax);
1056 a guide can be found under the google/re2 repository
1057 on GitHub.
1058 items:
1059 type: string
1060 type: array
1061 includeRegex:
1062 description: A list of regular expressions matching
1063 file paths to include. All files in the bucket
1064 that match at least one of these regular expressions
1065 will be included in the set of files, except
1066 for those that also match an item in `exclude_regex`.
1067 Leaving this field empty will match all files
1068 by default (this is equivalent to including
1069 `.*` in the list). Regular expressions use RE2
1070 [syntax](https://github.com/google/re2/wiki/Syntax);
1071 a guide can be found under the google/re2 repository
1072 on GitHub.
1073 items:
1074 type: string
1075 type: array
1076 required:
1077 - bucketRef
1078 type: object
1079 url:
1080 description: The Cloud Storage url of the file(s)
1081 to scan, in the format `gs://<bucket>/<path>`. Trailing wildcard
1082 in the path is allowed. If the url ends in a trailing
1083 slash, the bucket or directory represented by the
1084 url will be scanned non-recursively (content in
1085 sub-directories will not be scanned). This means
1086 that `gs://mybucket/` is equivalent to `gs://mybucket/*`,
1087 and `gs://mybucket/directory/` is equivalent to
1088 `gs://mybucket/directory/*`. Exactly one of `url`
1089 or `regex_file_set` must be set.
1090 type: string
1091 type: object
1092 fileTypes:
1093 description: List of file type groups to include in the
1094 scan. If empty, all files are scanned and available
1095 data format processors are applied. In addition, the
1096 binary content of the selected files is always scanned
1097 as well. Images are scanned only as binary if the specified
1098 region does not support image inspection and no file_types
1099 were specified. Image inspection is restricted to 'global',
1100 'us', 'asia', and 'europe'.
1101 items:
1102 type: string
1103 type: array
1104 filesLimitPercent:
1105 description: Limits the number of files to scan to this
1106 percentage of the input FileSet. Number of files scanned
1107 is rounded down. Must be between 0 and 100, inclusively.
1108 Both 0 and 100 means no limit. Defaults to 0.
1109 format: int64
1110 type: integer
1111 sampleMethod:
1112 description: ' Possible values: SAMPLE_METHOD_UNSPECIFIED,
1113 TOP, RANDOM_START'
1114 type: string
1115 type: object
1116 datastoreOptions:
1117 description: Google Cloud Datastore options.
1118 properties:
1119 kind:
1120 description: The kind to process.
1121 properties:
1122 name:
1123 description: The name of the kind.
1124 type: string
1125 type: object
1126 partitionId:
1127 description: A partition ID identifies a grouping of entities.
1128 The grouping is always by project and namespace, however the
1129 namespace ID may be empty.
1130 properties:
1131 namespaceId:
1132 description: If not empty, the ID of the namespace
1133 to which the entities belong.
1134 type: string
1135 projectRef:
1136 oneOf:
1137 - not:
1138 required:
1139 - external
1140 required:
1141 - name
1142 - not:
1143 anyOf:
1144 - required:
1145 - name
1146 - required:
1147 - namespace
1148 required:
1149 - external
1150 properties:
1151 external:
1152 description: |-
1153 The ID of the project to which the entities belong.
1154
1155 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
1156 type: string
1157 name:
1158 description: 'Name of the referent. More info:
1159 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1160 type: string
1161 namespace:
1162 description: 'Namespace of the referent. More
1163 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1164 type: string
1165 type: object
1166 type: object
1167 type: object
1168 hybridOptions:
1169 description: Hybrid inspection options.
1170 properties:
1171 description:
1172 description: A short description of where the data is
1173 coming from. Will be stored once in the job. 256 max
1174 length.
1175 type: string
1176 labels:
1177 additionalProperties:
1178 type: string
1179 description: 'To organize findings, these labels will
1180 be added to each finding. Label keys must be between
1181 1 and 63 characters long and must conform to the following
1182 regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`. Label
1183 values must be between 0 and 63 characters long and
1184 must conform to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`.
1185 No more than 10 labels can be associated with a given
1186 finding. Examples: * `"environment" : "production"`
1187 * `"pipeline" : "etl"`'
1188 type: object
1189 requiredFindingLabelKeys:
1190 description: 'These are labels that each inspection request
1191 must include within their ''finding_labels'' map. Request
1192 may contain others, but any missing one of these will
1193 be rejected. Label keys must be between 1 and 63 characters
1194 long and must conform to the following regular expression:
1195 `[a-z]([-a-z0-9]*[a-z0-9])?`. No more than 10 keys can
1196 be required.'
1197 items:
1198 type: string
1199 type: array
1200 tableOptions:
1201 description: If the container is a table, additional information
1202 to make findings meaningful such as the columns that
1203 are primary keys.
1204 properties:
1205 identifyingFields:
1206 description: The columns that are the primary keys
1207 for table objects included in ContentItem. A copy
1208 of this cell's value will be stored alongside
1209 each finding so that the finding can be traced to
1210 the specific row it came from. No more than 3 may
1211 be provided.
1212 items:
1213 properties:
1214 name:
1215 description: Name describing the field.
1216 type: string
1217 type: object
1218 type: array
1219 type: object
1220 type: object
1221 timespanConfig:
1222 properties:
1223 enableAutoPopulationOfTimespanConfig:
1224 description: When the job is started by a JobTrigger we
1225 will automatically figure out a valid start_time to
1226 avoid scanning files that have not been modified since
1227 the last time the JobTrigger executed. This will be
1228 based on the time of the execution of the last run of
1229 the JobTrigger.
1230 type: boolean
1231 endTime:
1232 description: Exclude files, tables, or rows newer than
1233 this value. If not set, no upper time limit is applied.
1234 format: date-time
1235 type: string
1236 startTime:
1237 description: Exclude files, tables, or rows older than
1238 this value. If not set, no lower time limit is applied.
1239 format: date-time
1240 type: string
1241 timestampField:
1242 description: 'Specification of the field containing the
1243 timestamp of scanned items. Used for data sources like
1244 Datastore and BigQuery. For BigQuery: If this value
1245 is not specified and the table was modified between
1246 the given start and end times, the entire table will
1247 be scanned. If this value is specified, then rows are
1248 filtered based on the given start and end times. Rows
1249 with a `NULL` value in the provided BigQuery column
1250 are skipped. Valid data types of the provided BigQuery
1251 column are: `INTEGER`, `DATE`, `TIMESTAMP`, and `DATETIME`.
1252 For Datastore: If this value is specified, then entities
1253 are filtered based on the given start and end times.
1254 If an entity does not contain the provided timestamp
1255 property or contains empty or invalid values, then it
1256 is included. Valid data types of the provided timestamp
1257 property are: `TIMESTAMP`.'
1258 properties:
1259 name:
1260 description: Name describing the field.
1261 type: string
1262 type: object
1263 type: object
1264 type: object
1265 required:
1266 - storageConfig
1267 type: object
1268 location:
1269 description: Immutable. The location of the resource
1270 type: string
1271 projectRef:
1272 description: Immutable. The Project that this resource belongs to.
1273 Only one of [projectRef] may be specified.
1274 oneOf:
1275 - not:
1276 required:
1277 - external
1278 required:
1279 - name
1280 - not:
1281 anyOf:
1282 - required:
1283 - name
1284 - required:
1285 - namespace
1286 required:
1287 - external
1288 properties:
1289 external:
1290 description: 'Allowed value: The Google Cloud resource name of
1291 a `Project` resource (format: `projects/{{name}}`).'
1292 type: string
1293 name:
1294 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1295 type: string
1296 namespace:
1297 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1298 type: string
1299 type: object
1300 resourceID:
1301 description: Immutable. Optional. The service-generated name of the
1302 resource. Used for acquisition only. Leave unset to create a new
1303 resource.
1304 type: string
1305 status:
1306 description: 'Immutable. Required. A status for this trigger. Possible
1307 values: STATUS_UNSPECIFIED, HEALTHY, PAUSED, CANCELLED'
1308 type: string
1309 triggers:
1310 description: A list of triggers which will be OR'ed together. Only
1311 one in the list needs to trigger for a job to be started. The list
1312 may contain only a single Schedule trigger and must have at least
1313 one object.
1314 items:
1315 properties:
1316 manual:
1317 description: For use with hybrid jobs. Jobs must be manually
1318 created and finished.
1319 type: object
1320 x-kubernetes-preserve-unknown-fields: true
1321 schedule:
1322 description: Create a job on a repeating basis based on the
1323 elapse of time.
1324 properties:
1325 recurrencePeriodDuration:
1326 description: 'With this option a job is started on a regular
1327 periodic basis. For example: every day (86400 seconds).
1328 A scheduled start time will be skipped if the previous
1329 execution has not ended when its scheduled time occurs.
1330 This value must be set to a time duration greater than
1331 or equal to 1 day and can be no longer than 60 days.'
1332 type: string
1333 type: object
1334 type: object
1335 type: array
1336 required:
1337 - inspectJob
1338 - projectRef
1339 - status
1340 - triggers
1341 type: object
1342 status:
1343 properties:
1344 conditions:
1345 description: Conditions represent the latest available observation
1346 of the resource's current state.
1347 items:
1348 properties:
1349 lastTransitionTime:
1350 description: Last time the condition transitioned from one status
1351 to another.
1352 type: string
1353 message:
1354 description: Human-readable message indicating details about
1355 last transition.
1356 type: string
1357 reason:
1358 description: Unique, one-word, CamelCase reason for the condition's
1359 last transition.
1360 type: string
1361 status:
1362 description: Status is the status of the condition. Can be True,
1363 False, Unknown.
1364 type: string
1365 type:
1366 description: Type is the type of the condition.
1367 type: string
1368 type: object
1369 type: array
1370 createTime:
1371 description: Output only. The creation timestamp of a triggeredJob.
1372 format: date-time
1373 type: string
1374 errors:
1375 description: Output only. A stream of errors encountered when the
1376 trigger was activated. Repeated errors may result in the JobTrigger
1377 automatically being paused. Will return the last 100 errors. Whenever
1378 the JobTrigger is modified this list will be cleared.
1379 items:
1380 properties:
1381 details:
1382 description: Detailed error codes and messages.
1383 properties:
1384 code:
1385 description: The status code, which should be an enum value
1386 of google.rpc.Code.
1387 format: int64
1388 type: integer
1389 details:
1390 description: A list of messages that carry the error details.
1391 There is a common set of message types for APIs to use.
1392 items:
1393 properties:
1394 typeUrl:
1395 description: 'A URL/resource name that uniquely identifies
1396 the type of the serialized protocol buffer message.
1397 This string must contain at least one "/" character.
1398 The last segment of the URL''s path must represent
1399 the fully qualified name of the type (as in `path/google.protobuf.Duration`).
1400 The name should be in a canonical form (e.g., leading
1401 "." is not accepted). In practice, teams usually
1402 precompile into the binary all types that they expect
1403 it to use in the context of Any. However, for URLs
1404 which use the scheme `http`, `https`, or no scheme,
1405 one can optionally set up a type server that maps
1406 type URLs to message definitions as follows: * If
1407 no scheme is provided, `https` is assumed. * An
1408 HTTP GET on the URL must yield a google.protobuf.Type
1409 value in binary format, or produce an error. * Applications
1410 are allowed to cache lookup results based on the
1411 URL, or have them precompiled into a binary to avoid
1412 any lookup. Therefore, binary compatibility needs
1413 to be preserved on changes to types. (Use versioned
1414 type names to manage breaking changes.) Note: this
1415 functionality is not currently available in the
1416 official protobuf release, and it is not used for
1417 type URLs beginning with type.googleapis.com. Schemes
1418 other than `http`, `https` (or the empty scheme)
1419 might be used with implementation specific semantics.'
1420 type: string
1421 value:
1422 description: Must be a valid serialized protocol buffer
1423 of the above specified type.
1424 type: string
1425 type: object
1426 type: array
1427 message:
1428 description: A developer-facing error message, which should
1429 be in English. Any user-facing error message should be
1430 localized and sent in the google.rpc.Status.details field,
1431 or localized by the client.
1432 type: string
1433 type: object
1434 timestamps:
1435 description: The times the error occurred.
1436 items:
1437 format: date-time
1438 type: string
1439 type: array
1440 type: object
1441 type: array
1442 lastRunTime:
1443 description: Output only. The timestamp of the last time this trigger
1444 executed.
1445 format: date-time
1446 type: string
1447 locationId:
1448 description: Output only. The geographic location where this resource
1449 is stored.
1450 type: string
1451 observedGeneration:
1452 description: ObservedGeneration is the generation of the resource
1453 that was most recently observed by the Config Connector controller.
1454 If this is equal to metadata.generation, then that means that the
1455 current reported status reflects the most recent desired state of
1456 the resource.
1457 type: integer
1458 updateTime:
1459 description: Output only. The last update timestamp of a triggeredJob.
1460 format: date-time
1461 type: string
1462 type: object
1463 required:
1464 - spec
1465 type: object
1466 served: true
1467 storage: true
1468 subresources:
1469 status: {}
1470status:
1471 acceptedNames:
1472 kind: ""
1473 plural: ""
1474 conditions: []
1475 storedVersions: []