1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: apiextensions.k8s.io/v1
16kind: CustomResourceDefinition
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 creationTimestamp: null
21 labels:
22 cnrm.cloud.google.com/dcl2crd: "true"
23 cnrm.cloud.google.com/managed-by-kcc: "true"
24 cnrm.cloud.google.com/stability-level: stable
25 cnrm.cloud.google.com/system: "true"
26 name: dlpjobtriggers.dlp.cnrm.cloud.google.com
27spec:
28 group: dlp.cnrm.cloud.google.com
29 names:
30 categories:
31 - gcp
32 kind: DLPJobTrigger
33 plural: dlpjobtriggers
34 shortNames:
35 - gcpdlpjobtrigger
36 - gcpdlpjobtriggers
37 singular: dlpjobtrigger
38 scope: Namespaced
39 versions:
40 - additionalPrinterColumns:
41 - jsonPath: .metadata.creationTimestamp
42 name: Age
43 type: date
44 - description: When 'True', the most recent reconcile of the resource succeeded
45 jsonPath: .status.conditions[?(@.type=='Ready')].status
46 name: Ready
47 type: string
48 - description: The reason for the value in 'Ready'
49 jsonPath: .status.conditions[?(@.type=='Ready')].reason
50 name: Status
51 type: string
52 - description: The last transition time for the value in 'Status'
53 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
54 name: Status Age
55 type: date
56 name: v1beta1
57 schema:
58 openAPIV3Schema:
59 properties:
60 apiVersion:
61 description: 'apiVersion defines the versioned schema of this representation
62 of an object. Servers should convert recognized schemas to the latest
63 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
64 type: string
65 kind:
66 description: 'kind is a string value representing the REST resource this
67 object represents. Servers may infer this from the endpoint the client
68 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
69 type: string
70 metadata:
71 type: object
72 spec:
73 properties:
74 description:
75 description: User provided description (max 256 chars)
76 type: string
77 displayName:
78 description: Display name (max 100 chars)
79 type: string
80 inspectJob:
81 description: For inspect jobs, a snapshot of the configuration.
82 properties:
83 actions:
84 description: Actions to execute at the completion of the job.
85 items:
86 properties:
87 jobNotificationEmails:
88 description: Enable email notification for project owners
89 and editors on job's completion/failure.
90 type: object
91 x-kubernetes-preserve-unknown-fields: true
92 pubSub:
93 description: Publish a notification to a pubsub topic.
94 properties:
95 topicRef:
96 oneOf:
97 - not:
98 required:
99 - external
100 required:
101 - name
102 - not:
103 anyOf:
104 - required:
105 - name
106 - required:
107 - namespace
108 required:
109 - external
110 properties:
111 external:
112 description: |-
113 Cloud Pub/Sub topic to send notifications to. The topic must have given publishing access rights to the DLP API service account executing the long running DlpJob sending the notifications. Format is projects/{project}/topics/{topic}.
114
115 Allowed value: The Google Cloud resource name of a `PubSubTopic` resource (format: `projects/{{project}}/topics/{{name}}`).
116 type: string
117 name:
118 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
119 type: string
120 namespace:
121 description: 'Namespace of the referent. More info:
122 https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
123 type: string
124 type: object
125 type: object
126 publishFindingsToCloudDataCatalog:
127 description: Publish findings to Cloud Datahub.
128 type: object
129 x-kubernetes-preserve-unknown-fields: true
130 publishSummaryToCscc:
131 description: Publish summary to Cloud Security Command Center
132 (Alpha).
133 type: object
134 x-kubernetes-preserve-unknown-fields: true
135 publishToStackdriver:
136 description: Enable Stackdriver metric dlp.googleapis.com/finding_count.
137 type: object
138 x-kubernetes-preserve-unknown-fields: true
139 saveFindings:
140 description: Save resulting findings in a provided location.
141 properties:
142 outputConfig:
143 description: Location to store findings outside of DLP.
144 properties:
145 dlpStorage:
146 description: Store findings directly to DLP. If
147 neither this nor BigQuery is chosen, only summary
148 stats of total infotype count will be stored.
149 Quotes will not be stored to dlp findings. If
150 quotes are needed, store to BigQuery. Currently
151 only for inspect jobs.
152 type: object
153 x-kubernetes-preserve-unknown-fields: true
154 outputSchema:
155 description: 'Schema used for writing the findings
156 for Inspect jobs. This field is only used for
157 Inspect and must be unspecified for Risk jobs.
158 Columns are derived from the `Finding` object.
159 If appending to an existing table, any columns
160 from the predefined schema that are missing will
161 be added. No columns in the existing table will
162 be deleted. If unspecified, then all available
163 columns will be used for a new table or an (existing)
164 table with no schema, and no changes will be made
165 to an existing table that has a schema. Only for
166 use with external storage. Possible values: OUTPUT_SCHEMA_UNSPECIFIED,
167 BASIC_COLUMNS, GCS_COLUMNS, DATASTORE_COLUMNS,
168 BIG_QUERY_COLUMNS, ALL_COLUMNS'
169 type: string
170 table:
171 description: 'Store findings in an existing table
172 or a new table in an existing dataset. If table_id
173 is not set a new one will be generated for you
174 with the following format: dlp_googleapis_yyyy_mm_dd_[dlp_job_id].
175 Pacific timezone will be used for generating the
176 date details. For Inspect, each column in an existing
177 output table must have the same name, type, and
178 mode of a field in the `Finding` object. For Risk,
179 an existing output table should be the output
180 of a previous Risk analysis job run on the same
181 source table, with the same privacy metric and
182 quasi-identifiers. Risk jobs that analyze the
183 same table but compute a different privacy metric,
184 or use different sets of quasi-identifiers, cannot
185 store their results in the same table.'
186 properties:
187 datasetRef:
188 oneOf:
189 - not:
190 required:
191 - external
192 required:
193 - name
194 - not:
195 anyOf:
196 - required:
197 - name
198 - required:
199 - namespace
200 required:
201 - external
202 properties:
203 external:
204 description: |-
205 Dataset ID of the table.
206
207 Allowed value: The Google Cloud resource name of a `BigQueryDataset` resource (format: `projects/{{project}}/datasets/{{name}}`).
208 type: string
209 name:
210 description: 'Name of the referent. More
211 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
212 type: string
213 namespace:
214 description: 'Namespace of the referent.
215 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
216 type: string
217 type: object
218 projectRef:
219 oneOf:
220 - not:
221 required:
222 - external
223 required:
224 - name
225 - not:
226 anyOf:
227 - required:
228 - name
229 - required:
230 - namespace
231 required:
232 - external
233 properties:
234 external:
235 description: |-
236 The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.
237
238 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
239 type: string
240 name:
241 description: 'Name of the referent. More
242 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
243 type: string
244 namespace:
245 description: 'Namespace of the referent.
246 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
247 type: string
248 type: object
249 tableRef:
250 oneOf:
251 - not:
252 required:
253 - external
254 required:
255 - name
256 - not:
257 anyOf:
258 - required:
259 - name
260 - required:
261 - namespace
262 required:
263 - external
264 properties:
265 external:
266 description: |-
267 Name of the table.
268
269 Allowed value: The Google Cloud resource name of a `BigQueryTable` resource (format: `projects/{{project}}/datasets/{{dataset_id}}/tables/{{name}}`).
270 type: string
271 name:
272 description: 'Name of the referent. More
273 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
274 type: string
275 namespace:
276 description: 'Namespace of the referent.
277 More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
278 type: string
279 type: object
280 type: object
281 type: object
282 type: object
283 type: object
284 type: array
285 inspectConfig:
286 description: How and what to scan for.
287 properties:
288 customInfoTypes:
289 description: CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes
290 to learn more.
291 items:
292 properties:
293 detectionRules:
294 description: Set of detection rules to apply to all
295 findings of this CustomInfoType. Rules are applied
296 in order that they are specified. Not supported for
297 the `surrogate_type` CustomInfoType.
298 items:
299 properties:
300 hotwordRule:
301 description: Hotword-based detection rule.
302 properties:
303 hotwordRegex:
304 description: Regular expression pattern defining
305 what qualifies as a hotword.
306 properties:
307 groupIndexes:
308 description: The index of the submatch
309 to extract as findings. When not specified,
310 the entire match is returned. No more
311 than 3 may be included.
312 items:
313 format: int64
314 type: integer
315 type: array
316 pattern:
317 description: Pattern defining the regular
318 expression. Its syntax (https://github.com/google/re2/wiki/Syntax)
319 can be found under the google/re2 repository
320 on GitHub.
321 type: string
322 type: object
323 likelihoodAdjustment:
324 description: Likelihood adjustment to apply
325 to all matching findings.
326 properties:
327 fixedLikelihood:
328 description: 'Set the likelihood of a
329 finding to a fixed value. Possible values:
330 LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY,
331 UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY'
332 type: string
333 relativeLikelihood:
334 description: Increase or decrease the
335 likelihood by the specified number of
336 levels. For example, if a finding would
337 be `POSSIBLE` without the detection
338 rule and `relative_likelihood` is 1,
339 then it is upgraded to `LIKELY`, while
340 a value of -1 would downgrade it to
341 `UNLIKELY`. Likelihood may never drop
342 below `VERY_UNLIKELY` or exceed `VERY_LIKELY`,
343 so applying an adjustment of 1 followed
344 by an adjustment of -1 when base likelihood
345 is `VERY_LIKELY` will result in a final
346 likelihood of `LIKELY`.
347 format: int64
348 type: integer
349 type: object
350 proximity:
351 description: Proximity of the finding within
352 which the entire hotword must reside. The
353 total length of the window cannot exceed
354 1000 characters. Note that the finding itself
355 will be included in the window, so that
356 hotwords may be used to match substrings
357 of the finding itself. For example, the
358 certainty of a phone number regex "\(\d{3}\)
359 \d{3}-\d{4}" could be adjusted upwards if
360 the area code is known to be the local area
361 code of a company office using the hotword
362 regex "(xxx)", where "xxx" is the area code
363 in question.
364 properties:
365 windowAfter:
366 description: Number of characters after
367 the finding to consider.
368 format: int64
369 type: integer
370 windowBefore:
371 description: Number of characters before
372 the finding to consider.
373 format: int64
374 type: integer
375 type: object
376 type: object
377 type: object
378 type: array
379 dictionary:
380 description: A list of phrases to detect as a CustomInfoType.
381 properties:
382 cloudStoragePath:
383 description: Newline-delimited file of words in
384 Cloud Storage. Only a single file is accepted.
385 properties:
386 path:
387 description: 'A url representing a file or path
388 (no wildcards) in Cloud Storage. Example:
389 gs://[BUCKET_NAME]/dictionary.txt'
390 type: string
391 type: object
392 wordList:
393 description: List of words or phrases to search
394 for.
395 properties:
396 words:
397 description: Words or phrases defining the dictionary.
398 The dictionary must contain at least one phrase
399 and every phrase must contain at least 2 characters
400 that are letters or digits. [required]
401 items:
402 type: string
403 type: array
404 type: object
405 type: object
406 exclusionType:
407 description: 'If set to EXCLUSION_TYPE_EXCLUDE this
408 infoType will not cause a finding to be returned.
409 It still can be used for rules matching. Possible
410 values: EXCLUSION_TYPE_UNSPECIFIED, EXCLUSION_TYPE_EXCLUDE'
411 type: string
412 infoType:
413 description: CustomInfoType can either be a new infoType,
414 or an extension of built-in infoType, when the name
415 matches one of existing infoTypes and that infoType
416 is specified in `InspectContent.info_types` field.
417 Specifying the latter adds findings to the one detected
418 by the system. If built-in info type is not specified
419 in `InspectContent.info_types` list then the name
420 is treated as a custom info type.
421 properties:
422 name:
423 description: Name of the information type. Either
424 a name of your choosing when creating a CustomInfoType,
425 or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference
426 when specifying a built-in type. When sending
427 Cloud DLP results to Data Catalog, infoType names
428 should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
429 type: string
430 version:
431 description: Optional version name for this InfoType.
432 type: string
433 type: object
434 likelihood:
435 description: 'Likelihood to return for this CustomInfoType.
436 This base value can be altered by a detection rule
437 if the finding meets the criteria specified by the
438 rule. Defaults to `VERY_LIKELY` if not specified.
439 Possible values: LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY,
440 UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY'
441 type: string
442 regex:
443 description: Regular expression based CustomInfoType.
444 properties:
445 groupIndexes:
446 description: The index of the submatch to extract
447 as findings. When not specified, the entire match
448 is returned. No more than 3 may be included.
449 items:
450 format: int64
451 type: integer
452 type: array
453 pattern:
454 description: Pattern defining the regular expression.
455 Its syntax (https://github.com/google/re2/wiki/Syntax)
456 can be found under the google/re2 repository on
457 GitHub.
458 type: string
459 type: object
460 storedType:
461 description: Load an existing `StoredInfoType` resource
462 for use in `InspectDataSource`. Not currently supported
463 in `InspectContent`.
464 properties:
465 createTime:
466 description: Timestamp indicating when the version
467 of the `StoredInfoType` used for inspection was
468 created. Output-only field, populated by the system.
469 format: date-time
470 type: string
471 nameRef:
472 oneOf:
473 - not:
474 required:
475 - external
476 required:
477 - name
478 - not:
479 anyOf:
480 - required:
481 - name
482 - required:
483 - namespace
484 required:
485 - external
486 properties:
487 external:
488 description: |-
489 Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.
490
491 Allowed value: The Google Cloud resource name of a `DLPStoredInfoType` resource (format: `{{parent}}/storedInfoTypes/{{name}}`).
492 type: string
493 name:
494 description: 'Name of the referent. More info:
495 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
496 type: string
497 namespace:
498 description: 'Namespace of the referent. More
499 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
500 type: string
501 type: object
502 type: object
503 surrogateType:
504 description: Message for detecting output from deidentification
505 transformations that support reversing.
506 type: object
507 x-kubernetes-preserve-unknown-fields: true
508 type: object
509 type: array
510 excludeInfoTypes:
511 description: When true, excludes type information of the findings.
512 This is not used for data profiling.
513 type: boolean
514 includeQuote:
515 description: When true, a contextual quote from the data that
516 triggered a finding is included in the response; see Finding.quote.
517 This is not used for data profiling.
518 type: boolean
519 infoTypes:
520 description: Restricts what info_types to look for. The values
521 must correspond to InfoType values returned by ListInfoTypes
522 or listed at https://cloud.google.com/dlp/docs/infotypes-reference.
523 When no InfoTypes or CustomInfoTypes are specified in a
524 request, the system may automatically choose what detectors
525 to run. By default this may be all types, but may change
526 over time as detectors are updated. If you need precise
527 control and predictability as to what detectors are run
528 you should specify specific InfoTypes listed in the reference,
529 otherwise a default list will be used, which may change
530 over time.
531 items:
532 properties:
533 name:
534 description: Name of the information type. Either a
535 name of your choosing when creating a CustomInfoType,
536 or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference
537 when specifying a built-in type. When sending Cloud
538 DLP results to Data Catalog, infoType names should
539 conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
540 type: string
541 type: object
542 type: array
543 limits:
544 description: Configuration to control the number of findings
545 returned. This is not used for data profiling.
546 properties:
547 maxFindingsPerInfoType:
548 description: Configuration of findings limit given for
549 specified infoTypes.
550 items:
551 properties:
552 infoType:
553 description: Type of information the findings limit
554 applies to. Only one limit per info_type should
555 be provided. If InfoTypeLimit does not have an
556 info_type, the DLP API applies the limit against
557 all info_types that are found but not specified
558 in another InfoTypeLimit.
559 properties:
560 name:
561 description: Name of the information type. Either
562 a name of your choosing when creating a CustomInfoType,
563 or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference
564 when specifying a built-in type. When sending
565 Cloud DLP results to Data Catalog, infoType
566 names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
567 type: string
568 version:
569 description: Optional version name for this
570 InfoType.
571 type: string
572 type: object
573 maxFindings:
574 description: Max findings limit for the given infoType.
575 format: int64
576 type: integer
577 type: object
578 type: array
579 maxFindingsPerItem:
580 description: Max number of findings that will be returned
581 for each item scanned. When set within `InspectJobConfig`,
582 the maximum returned is 2000 regardless if this is set
583 higher. When set within `InspectContentRequest`, this
584 field is ignored.
585 format: int64
586 type: integer
587 maxFindingsPerRequest:
588 description: Max number of findings that will be returned
589 per request/job. When set within `InspectContentRequest`,
590 the maximum returned is 2000 regardless if this is set
591 higher.
592 format: int64
593 type: integer
594 type: object
595 minLikelihood:
596 description: 'Only returns findings equal to or above this threshold.
597 The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood
598 to learn more. Possible values: LIKELIHOOD_UNSPECIFIED,
599 VERY_UNLIKELY, UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY'
600 type: string
601 ruleSet:
602 description: Set of rules to apply to the findings for this
603 InspectConfig. Exclusion rules contained in the set are
604 executed at the end; other rules are executed in the order
605 they are specified for each info type.
606 items:
607 properties:
608 infoTypes:
609 description: List of infoTypes this rule set is applied
610 to.
611 items:
612 properties:
613 name:
614 description: Name of the information type. Either
615 a name of your choosing when creating a CustomInfoType,
616 or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference
617 when specifying a built-in type. When sending
618 Cloud DLP results to Data Catalog, infoType
619 names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
620 type: string
621 version:
622 description: Optional version name for this InfoType.
623 type: string
624 type: object
625 type: array
626 rules:
627 description: Set of rules to be applied to infoTypes.
628 The rules are applied in order.
629 items:
630 properties:
631 exclusionRule:
632 description: Exclusion rule.
633 properties:
634 dictionary:
635 description: Dictionary which defines the
636 rule.
637 properties:
638 cloudStoragePath:
639 description: Newline-delimited file of
640 words in Cloud Storage. Only a single
641 file is accepted.
642 properties:
643 path:
644 description: 'A url representing a
645 file or path (no wildcards) in Cloud
646 Storage. Example: gs://[BUCKET_NAME]/dictionary.txt'
647 type: string
648 type: object
649 wordList:
650 description: List of words or phrases
651 to search for.
652 properties:
653 words:
654 description: Words or phrases defining
655 the dictionary. The dictionary must
656 contain at least one phrase and
657 every phrase must contain at least
658 2 characters that are letters or
659 digits. [required]
660 items:
661 type: string
662 type: array
663 type: object
664 type: object
665 excludeInfoTypes:
666 description: Set of infoTypes for which findings
667 would affect this rule.
668 properties:
669 infoTypes:
670 description: InfoType list in ExclusionRule
671 rule drops a finding when it overlaps
672 or is contained within a finding of
673 an infoType from this list. For example,
674 for `InspectionRuleSet.info_types` containing
675 "PHONE_NUMBER" and `exclusion_rule`
676 containing `exclude_info_types.info_types`
677 with "EMAIL_ADDRESS" the phone number
678 findings are dropped if they overlap
679 with EMAIL_ADDRESS finding. That leads
680 to "555-222-2222@example.org" to generate
681 only a single finding, namely email
682 address.
683 items:
684 properties:
685 name:
686 description: Name of the information
687 type. Either a name of your choosing
688 when creating a CustomInfoType,
689 or one of the names listed at
690 https://cloud.google.com/dlp/docs/infotypes-reference
691 when specifying a built-in type.
692 When sending Cloud DLP results
693 to Data Catalog, infoType names
694 should conform to the pattern
695 `[A-Za-z0-9$-_]{1,64}`.
696 type: string
697 version:
698 description: Optional version name
699 for this InfoType.
700 type: string
701 type: object
702 type: array
703 type: object
704 matchingType:
705 description: 'How the rule is applied, see
706 MatchingType documentation for details.
707 Possible values: MATCHING_TYPE_UNSPECIFIED,
708 MATCHING_TYPE_FULL_MATCH, MATCHING_TYPE_PARTIAL_MATCH,
709 MATCHING_TYPE_INVERSE_MATCH'
710 type: string
711 regex:
712 description: Regular expression which defines
713 the rule.
714 properties:
715 groupIndexes:
716 description: The index of the submatch
717 to extract as findings. When not specified,
718 the entire match is returned. No more
719 than 3 may be included.
720 items:
721 format: int64
722 type: integer
723 type: array
724 pattern:
725 description: Pattern defining the regular
726 expression. Its syntax (https://github.com/google/re2/wiki/Syntax)
727 can be found under the google/re2 repository
728 on GitHub.
729 type: string
730 type: object
731 type: object
732 hotwordRule:
733 properties:
734 hotwordRegex:
735 description: Regular expression pattern defining
736 what qualifies as a hotword.
737 properties:
738 groupIndexes:
739 description: The index of the submatch
740 to extract as findings. When not specified,
741 the entire match is returned. No more
742 than 3 may be included.
743 items:
744 format: int64
745 type: integer
746 type: array
747 pattern:
748 description: Pattern defining the regular
749 expression. Its syntax (https://github.com/google/re2/wiki/Syntax)
750 can be found under the google/re2 repository
751 on GitHub.
752 type: string
753 type: object
754 likelihoodAdjustment:
755 description: Likelihood adjustment to apply
756 to all matching findings.
757 properties:
758 fixedLikelihood:
759 description: 'Set the likelihood of a
760 finding to a fixed value. Possible values:
761 LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY,
762 UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY'
763 type: string
764 relativeLikelihood:
765 description: Increase or decrease the
766 likelihood by the specified number of
767 levels. For example, if a finding would
768 be `POSSIBLE` without the detection
769 rule and `relative_likelihood` is 1,
770 then it is upgraded to `LIKELY`, while
771 a value of -1 would downgrade it to
772 `UNLIKELY`. Likelihood may never drop
773 below `VERY_UNLIKELY` or exceed `VERY_LIKELY`,
774 so applying an adjustment of 1 followed
775 by an adjustment of -1 when base likelihood
776 is `VERY_LIKELY` will result in a final
777 likelihood of `LIKELY`.
778 format: int64
779 type: integer
780 type: object
781 proximity:
782 description: Proximity of the finding within
783 which the entire hotword must reside. The
784 total length of the window cannot exceed
785 1000 characters. Note that the finding itself
786 will be included in the window, so that
787 hotwords may be used to match substrings
788 of the finding itself. For example, the
789 certainty of a phone number regex "\(\d{3}\)
790 \d{3}-\d{4}" could be adjusted upwards if
791 the area code is known to be the local area
792 code of a company office using the hotword
793 regex "(xxx)", where "xxx" is the area code
794 in question.
795 properties:
796 windowAfter:
797 description: Number of characters after
798 the finding to consider.
799 format: int64
800 type: integer
801 windowBefore:
802 description: Number of characters before
803 the finding to consider.
804 format: int64
805 type: integer
806 type: object
807 type: object
808 type: object
809 type: array
810 type: object
811 type: array
812 type: object
813 inspectTemplateRef:
814 oneOf:
815 - not:
816 required:
817 - external
818 required:
819 - name
820 - not:
821 anyOf:
822 - required:
823 - name
824 - required:
825 - namespace
826 required:
827 - external
828 properties:
829 external:
830 description: |-
831 If provided, will be used as the default for all values in InspectConfig. `inspect_config` will be merged into the values persisted as part of the template.
832
833 Allowed value: The Google Cloud resource name of a `DLPInspectTemplate` resource (format: `{{parent}}/inspectTemplates/{{name}}`).
834 type: string
835 name:
836 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
837 type: string
838 namespace:
839 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
840 type: string
841 type: object
842 storageConfig:
843 description: The data to scan.
844 properties:
845 bigQueryOptions:
846 description: BigQuery options.
847 properties:
848 excludedFields:
849 description: References to fields excluded from scanning.
850 This allows you to skip inspection of entire columns
851 which you know have no findings.
852 items:
853 properties:
854 name:
855 description: Name describing the field.
856 type: string
857 type: object
858 type: array
859 identifyingFields:
860 description: Table fields that may uniquely identify a
861 row within the table. When `actions.saveFindings.outputConfig.table`
862 is specified, the values of columns specified here are
863 available in the output table under `location.content_locations.record_location.record_key.id_values`.
864 Nested fields such as `person.birthdate.year` are allowed.
865 items:
866 properties:
867 name:
868 description: Name describing the field.
869 type: string
870 type: object
871 type: array
872 includedFields:
873 description: Limit scanning only to these fields.
874 items:
875 properties:
876 name:
877 description: Name describing the field.
878 type: string
879 type: object
880 type: array
881 rowsLimit:
882 description: Max number of rows to scan. If the table
883 has more rows than this value, the rest of the rows
884 are omitted. If not set, or if set to 0, all rows will
885 be scanned. Only one of rows_limit and rows_limit_percent
886 can be specified. Cannot be used in conjunction with
887 TimespanConfig.
888 format: int64
889 type: integer
890 rowsLimitPercent:
891 description: Max percentage of rows to scan. The rest
892 are omitted. The number of rows scanned is rounded down.
893 Must be between 0 and 100, inclusive. Both 0 and 100
894 mean no limit. Defaults to 0. Only one of rows_limit
895 and rows_limit_percent can be specified. Cannot be used
896 in conjunction with TimespanConfig.
897 format: int64
898 type: integer
899 sampleMethod:
900 description: ' Possible values: SAMPLE_METHOD_UNSPECIFIED,
901 TOP, RANDOM_START'
902 type: string
903 tableReference:
904 description: Complete BigQuery table reference.
905 properties:
906 datasetRef:
907 oneOf:
908 - not:
909 required:
910 - external
911 required:
912 - name
913 - not:
914 anyOf:
915 - required:
916 - name
917 - required:
918 - namespace
919 required:
920 - external
921 properties:
922 external:
923 description: |-
924 Dataset ID of the table.
925
926 Allowed value: The Google Cloud resource name of a `BigQueryDataset` resource (format: `projects/{{project}}/datasets/{{name}}`).
927 type: string
928 name:
929 description: 'Name of the referent. More info:
930 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
931 type: string
932 namespace:
933 description: 'Namespace of the referent. More
934 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
935 type: string
936 type: object
937 projectRef:
938 oneOf:
939 - not:
940 required:
941 - external
942 required:
943 - name
944 - not:
945 anyOf:
946 - required:
947 - name
948 - required:
949 - namespace
950 required:
951 - external
952 properties:
953 external:
954 description: |-
955 The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.
956
957 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
958 type: string
959 name:
960 description: 'Name of the referent. More info:
961 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
962 type: string
963 namespace:
964 description: 'Namespace of the referent. More
965 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
966 type: string
967 type: object
968 tableRef:
969 oneOf:
970 - not:
971 required:
972 - external
973 required:
974 - name
975 - not:
976 anyOf:
977 - required:
978 - name
979 - required:
980 - namespace
981 required:
982 - external
983 properties:
984 external:
985 description: |-
986 Name of the table.
987
988 Allowed value: The Google Cloud resource name of a `BigQueryTable` resource (format: `projects/{{project}}/datasets/{{dataset_id}}/tables/{{name}}`).
989 type: string
990 name:
991 description: 'Name of the referent. More info:
992 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
993 type: string
994 namespace:
995 description: 'Namespace of the referent. More
996 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
997 type: string
998 type: object
999 type: object
1000 required:
1001 - tableReference
1002 type: object
1003 cloudStorageOptions:
1004 description: Google Cloud Storage options.
1005 properties:
1006 bytesLimitPerFile:
1007 description: Max number of bytes to scan from a file.
1008 If a scanned file's size is bigger than this value then
1009 the rest of the bytes are omitted. Only one of bytes_limit_per_file
1010 and bytes_limit_per_file_percent can be specified. Cannot
1011 be set if de-identification is requested.
1012 format: int64
1013 type: integer
1014 bytesLimitPerFilePercent:
1015 description: Max percentage of bytes to scan from a file.
1016 The rest are omitted. The number of bytes scanned is
1017 rounded down. Must be between 0 and 100, inclusively.
1018 Both 0 and 100 means no limit. Defaults to 0. Only one
1019 of bytes_limit_per_file and bytes_limit_per_file_percent
1020 can be specified. Cannot be set if de-identification
1021 is requested.
1022 format: int64
1023 type: integer
1024 fileSet:
1025 description: The set of one or more files to scan.
1026 properties:
1027 regexFileSet:
1028 description: The regex-filtered set of files to scan.
1029 Exactly one of `url` or `regex_file_set` must be
1030 set.
1031 properties:
1032 bucketRef:
1033 oneOf:
1034 - not:
1035 required:
1036 - external
1037 required:
1038 - name
1039 - not:
1040 anyOf:
1041 - required:
1042 - name
1043 - required:
1044 - namespace
1045 required:
1046 - external
1047 properties:
1048 external:
1049 description: |-
1050 The name of a Cloud Storage bucket. Required.
1051
1052 Allowed value: The Google Cloud resource name of a `StorageBucket` resource (format: `{{name}}`).
1053 type: string
1054 name:
1055 description: 'Name of the referent. More info:
1056 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1057 type: string
1058 namespace:
1059 description: 'Namespace of the referent. More
1060 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1061 type: string
1062 type: object
1063 excludeRegex:
1064 description: A list of regular expressions matching
1065 file paths to exclude. All files in the bucket
1066 that match at least one of these regular expressions
1067 will be excluded from the scan. Regular expressions
1068 use RE2 [syntax](https://github.com/google/re2/wiki/Syntax);
1069 a guide can be found under the google/re2 repository
1070 on GitHub.
1071 items:
1072 type: string
1073 type: array
1074 includeRegex:
1075 description: A list of regular expressions matching
1076 file paths to include. All files in the bucket
1077 that match at least one of these regular expressions
1078 will be included in the set of files, except
1079 for those that also match an item in `exclude_regex`.
1080 Leaving this field empty will match all files
1081 by default (this is equivalent to including
1082 `.*` in the list). Regular expressions use RE2
1083 [syntax](https://github.com/google/re2/wiki/Syntax);
1084 a guide can be found under the google/re2 repository
1085 on GitHub.
1086 items:
1087 type: string
1088 type: array
1089 required:
1090 - bucketRef
1091 type: object
1092 url:
1093 description: The Cloud Storage url of the file(s)
1094 to scan, in the format `gs://<bucket>/<path>`. Trailing wildcard
1095 in the path is allowed. If the url ends in a trailing
1096 slash, the bucket or directory represented by the
1097 url will be scanned non-recursively (content in
1098 sub-directories will not be scanned). This means
1099 that `gs://mybucket/` is equivalent to `gs://mybucket/*`,
1100 and `gs://mybucket/directory/` is equivalent to
1101 `gs://mybucket/directory/*`. Exactly one of `url`
1102 or `regex_file_set` must be set.
1103 type: string
1104 type: object
1105 fileTypes:
1106 description: List of file type groups to include in the
1107 scan. If empty, all files are scanned and available
1108 data format processors are applied. In addition, the
1109 binary content of the selected files is always scanned
1110 as well. Images are scanned only as binary if the specified
1111 region does not support image inspection and no file_types
1112 were specified. Image inspection is restricted to 'global',
1113 'us', 'asia', and 'europe'.
1114 items:
1115 type: string
1116 type: array
1117 filesLimitPercent:
1118 description: Limits the number of files to scan to this
1119 percentage of the input FileSet. Number of files scanned
1120 is rounded down. Must be between 0 and 100, inclusively.
1121 Both 0 and 100 means no limit. Defaults to 0.
1122 format: int64
1123 type: integer
1124 sampleMethod:
1125 description: ' Possible values: SAMPLE_METHOD_UNSPECIFIED,
1126 TOP, RANDOM_START'
1127 type: string
1128 type: object
1129 datastoreOptions:
1130 description: Google Cloud Datastore options.
1131 properties:
1132 kind:
1133 description: The kind to process.
1134 properties:
1135 name:
1136 description: The name of the kind.
1137 type: string
1138 type: object
1139 partitionId:
1140 description: A partition ID identifies a grouping of entities.
1141 The grouping is always by project and namespace; the namespace
1142 ID may be empty.
1143 properties:
1144 namespaceId:
1145 description: If not empty, the ID of the namespace
1146 to which the entities belong.
1147 type: string
1148 projectRef:
1149 oneOf:
1150 - not:
1151 required:
1152 - external
1153 required:
1154 - name
1155 - not:
1156 anyOf:
1157 - required:
1158 - name
1159 - required:
1160 - namespace
1161 required:
1162 - external
1163 properties:
1164 external:
1165 description: |-
1166 The ID of the project to which the entities belong.
1167
1168 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
1169 type: string
1170 name:
1171 description: 'Name of the referent. More info:
1172 https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1173 type: string
1174 namespace:
1175 description: 'Namespace of the referent. More
1176 info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1177 type: string
1178 type: object
1179 type: object
1180 type: object
1181 hybridOptions:
1182 description: Hybrid inspection options.
1183 properties:
1184 description:
1185 description: A short description of where the data is
1186 coming from. Will be stored once in the job. 256 max
1187 length.
1188 type: string
1189 labels:
1190 additionalProperties:
1191 type: string
1192 description: 'To organize findings, these labels will
1193 be added to each finding. Label keys must be between
1194 1 and 63 characters long and must conform to the following
1195 regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`. Label
1196 values must be between 0 and 63 characters long and
1197 must conform to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`.
1198 No more than 10 labels can be associated with a given
1199 finding. Examples: * `"environment" : "production"`
1200 * `"pipeline" : "etl"`'
1201 type: object
1202 requiredFindingLabelKeys:
1203 description: 'These are labels that each inspection request
1204 must include within their ''finding_labels'' map. Request
1205 may contain others, but any missing one of these will
1206 be rejected. Label keys must be between 1 and 63 characters
1207 long and must conform to the following regular expression:
1208 `[a-z]([-a-z0-9]*[a-z0-9])?`. No more than 10 keys can
1209 be required.'
1210 items:
1211 type: string
1212 type: array
1213 tableOptions:
1214 description: If the container is a table, additional information
1215 to make findings meaningful such as the columns that
1216 are primary keys.
1217 properties:
1218 identifyingFields:
1219 description: The columns that are the primary keys
1220 for table objects included in ContentItem. A copy
1221 of this cell's value will be stored alongside
1222 each finding so that the finding can be traced to
1223 the specific row it came from. No more than 3 may
1224 be provided.
1225 items:
1226 properties:
1227 name:
1228 description: Name describing the field.
1229 type: string
1230 type: object
1231 type: array
1232 type: object
1233 type: object
1234 timespanConfig:
1235 properties:
1236 enableAutoPopulationOfTimespanConfig:
1237 description: When the job is started by a JobTrigger we
1238 will automatically figure out a valid start_time to
1239 avoid scanning files that have not been modified since
1240 the last time the JobTrigger executed. This will be
1241 based on the time of the execution of the last run of
1242 the JobTrigger.
1243 type: boolean
1244 endTime:
1245 description: Exclude files, tables, or rows newer than
1246 this value. If not set, no upper time limit is applied.
1247 format: date-time
1248 type: string
1249 startTime:
1250 description: Exclude files, tables, or rows older than
1251 this value. If not set, no lower time limit is applied.
1252 format: date-time
1253 type: string
1254 timestampField:
1255 description: 'Specification of the field containing the
1256 timestamp of scanned items. Used for data sources like
1257 Datastore and BigQuery. For BigQuery: If this value
1258 is not specified and the table was modified between
1259 the given start and end times, the entire table will
1260 be scanned. If this value is specified, then rows are
1261 filtered based on the given start and end times. Rows
1262 with a `NULL` value in the provided BigQuery column
1263 are skipped. Valid data types of the provided BigQuery
1264 column are: `INTEGER`, `DATE`, `TIMESTAMP`, and `DATETIME`.
1265 For Datastore: If this value is specified, then entities
1266 are filtered based on the given start and end times.
1267 If an entity does not contain the provided timestamp
1268 property or contains empty or invalid values, then it
1269 is included. Valid data types of the provided timestamp
1270 property are: `TIMESTAMP`.'
1271 properties:
1272 name:
1273 description: Name describing the field.
1274 type: string
1275 type: object
1276 type: object
1277 type: object
1278 required:
1279 - storageConfig
1280 type: object
1281 location:
1282 description: Immutable. The location of the resource
1283 type: string
1284 projectRef:
1285 description: Immutable. The Project that this resource belongs to.
1286 Only one of [projectRef] may be specified.
 # The oneOf below accepts exactly two shapes for this reference:
 #   1. `name` set (optionally with `namespace`) and `external` absent;
 #   2. `external` set, with neither `name` nor `namespace`.
 # `external` is declared only as `type: string`; this schema adds no
 # pattern for the `projects/{{name}}` format, so presumably any format
 # check happens in the controller (not visible here; confirm).
1287 oneOf:
1288 - not:
1289 required:
1290 - external
1291 required:
1292 - name
1293 - not:
1294 anyOf:
1295 - required:
1296 - name
1297 - required:
1298 - namespace
1299 required:
1300 - external
1301 properties:
1302 external:
1303 description: 'Allowed value: The Google Cloud resource name of
1304 a `Project` resource (format: `projects/{{name}}`).'
1305 type: string
1306 name:
1307 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
1308 type: string
1309 namespace:
1310 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
1311 type: string
1312 type: object
1313 resourceID:
1314 description: Immutable. Optional. The service-generated name of the
1315 resource. Used for acquisition only. Leave unset to create a new
1316 resource.
1317 type: string
1318 status:
1319 description: 'Immutable. Required. A status for this trigger. Possible
1320 values: STATUS_UNSPECIFIED, HEALTHY, PAUSED, CANCELLED'
1321 type: string
1322 triggers:
1323 description: A list of triggers which will be OR'ed together. Only
1324 one in the list needs to trigger for a job to be started. The list
1325 may contain only a single Schedule trigger and must have at least
1326 one object.
1327 items:
1328 properties:
1329 manual:
1330 description: For use with hybrid jobs. Jobs must be manually
1331 created and finished.
1332 type: object
 # No properties are declared for `manual`. With preserve-unknown-fields
 # set, the API server does not prune keys submitted under this node, so
 # arbitrary content placed here is stored as written.
1333 x-kubernetes-preserve-unknown-fields: true
1334 schedule:
1335 description: Create a job on a repeating basis based on the
1336 elapse of time.
1337 properties:
1338 recurrencePeriodDuration:
1339 description: 'With this option a job is started on a regular
1340 periodic basis. For example: every day (86400 seconds).
1341 A scheduled start time will be skipped if the previous
1342 execution has not ended when its scheduled time occurs.
1343 This value must be set to a time duration greater than
1344 or equal to 1 day and can be no longer than 60 days.'
1345 type: string
1346 type: object
1347 type: object
1348 type: array
1349 required:
1350 - inspectJob
1351 - projectRef
1352 - status
1353 - triggers
1354 type: object
1355 status:
1356 properties:
1357 conditions:
1358 description: Conditions represent the latest available observation
1359 of the resource's current state.
1360 items:
1361 properties:
1362 lastTransitionTime:
1363 description: Last time the condition transitioned from one status
1364 to another.
1365 type: string
1366 message:
1367 description: Human-readable message indicating details about
1368 last transition.
1369 type: string
1370 reason:
1371 description: Unique, one-word, CamelCase reason for the condition's
1372 last transition.
1373 type: string
1374 status:
1375 description: Status is the status of the condition. Can be True,
1376 False, Unknown.
1377 type: string
1378 type:
1379 description: Type is the type of the condition.
1380 type: string
1381 type: object
1382 type: array
1383 createTime:
1384 description: Output only. The creation timestamp of a triggeredJob.
1385 format: date-time
1386 type: string
1387 errors:
1388 description: Output only. A stream of errors encountered when the
1389 trigger was activated. Repeated errors may result in the JobTrigger
1390 automatically being paused. Will return the last 100 errors. Whenever
1391 the JobTrigger is modified this list will be cleared.
1392 items:
1393 properties:
1394 details:
1395 description: Detailed error codes and messages.
1396 properties:
1397 code:
1398 description: The status code, which should be an enum value
1399 of google.rpc.Code.
1400 format: int64
1401 type: integer
1402 details:
1403 description: A list of messages that carry the error details.
1404 There is a common set of message types for APIs to use.
1405 items:
1406 properties:
1407 typeUrl:
1408 description: 'A URL/resource name that uniquely identifies
1409 the type of the serialized protocol buffer message.
1410 This string must contain at least one "/" character.
1411 The last segment of the URL''s path must represent
1412 the fully qualified name of the type (as in `path/google.protobuf.Duration`).
1413 The name should be in a canonical form (e.g., leading
1414 "." is not accepted). In practice, teams usually
1415 precompile into the binary all types that they expect
1416 it to use in the context of Any. However, for URLs
1417 which use the scheme `http`, `https`, or no scheme,
1418 one can optionally set up a type server that maps
1419 type URLs to message definitions as follows: * If
1420 no scheme is provided, `https` is assumed. * An
1421 HTTP GET on the URL must yield a google.protobuf.Type
1422 value in binary format, or produce an error. * Applications
1423 are allowed to cache lookup results based on the
1424 URL, or have them precompiled into a binary to avoid
1425 any lookup. Therefore, binary compatibility needs
1426 to be preserved on changes to types. (Use versioned
1427 type names to manage breaking changes.) Note: this
1428 functionality is not currently available in the
1429 official protobuf release, and it is not used for
1430 type URLs beginning with type.googleapis.com. Schemes
1431 other than `http`, `https` (or the empty scheme)
1432 might be used with implementation specific semantics.'
1433 type: string
1434 value:
1435 description: Must be a valid serialized protocol buffer
1436 of the above specified type.
1437 type: string
1438 type: object
1439 type: array
1440 message:
1441 description: A developer-facing error message, which should
1442 be in English. Any user-facing error message should be
1443 localized and sent in the google.rpc.Status.details field,
1444 or localized by the client.
1445 type: string
1446 type: object
1447 timestamps:
1448 description: The times the error occurred.
1449 items:
1450 format: date-time
1451 type: string
1452 type: array
1453 type: object
1454 type: array
1455 lastRunTime:
1456 description: Output only. The timestamp of the last time this trigger
1457 executed.
1458 format: date-time
1459 type: string
1460 locationId:
1461 description: Output only. The geographic location where this resource
1462 is stored.
1463 type: string
1464 observedGeneration:
1465 description: ObservedGeneration is the generation of the resource
1466 that was most recently observed by the Config Connector controller.
1467 If this is equal to metadata.generation, then that means that the
1468 current reported status reflects the most recent desired state of
1469 the resource.
1470 type: integer
1471 updateTime:
1472 description: Output only. The last update timestamp of a triggeredJob.
1473 format: date-time
1474 type: string
1475 type: object
1476 required:
1477 - spec
1478 type: object
1479 served: true
1480 storage: true
1481 subresources:
1482 status: {}
1483status:
1484 acceptedNames:
1485 kind: ""
1486 plural: ""
1487 conditions: []
1488 storedVersions: []