# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: cnrm.cloud.google.com/version: 1.106.0 creationTimestamp: null labels: cnrm.cloud.google.com/dcl2crd: "true" cnrm.cloud.google.com/managed-by-kcc: "true" cnrm.cloud.google.com/stability-level: stable cnrm.cloud.google.com/system: "true" name: dlpjobtriggers.dlp.cnrm.cloud.google.com spec: group: dlp.cnrm.cloud.google.com names: categories: - gcp kind: DLPJobTrigger plural: dlpjobtriggers shortNames: - gcpdlpjobtrigger - gcpdlpjobtriggers singular: dlpjobtrigger scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date - description: When 'True', the most recent reconcile of the resource succeeded jsonPath: .status.conditions[?(@.type=='Ready')].status name: Ready type: string - description: The reason for the value in 'Ready' jsonPath: .status.conditions[?(@.type=='Ready')].reason name: Status type: string - description: The last transition time for the value in 'Status' jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime name: Status Age type: date name: v1beta1 schema: openAPIV3Schema: properties: apiVersion: description: 'apiVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources' type: string kind: description: 'kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: description: description: User provided description (max 256 chars) type: string displayName: description: Display name (max 100 chars) type: string inspectJob: description: For inspect jobs, a snapshot of the configuration. properties: actions: description: Actions to execute at the completion of the job. items: properties: jobNotificationEmails: description: Enable email notification for project owners and editors on job's completion/failure. type: object x-kubernetes-preserve-unknown-fields: true pubSub: description: Publish a notification to a pubsub topic. properties: topicRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- Cloud Pub/Sub topic to send notifications to. The topic must have given publishing access rights to the DLP API service account executing the long running DlpJob sending the notifications. Format is projects/{project}/topics/{topic}. Allowed value: The Google Cloud resource name of a `PubSubTopic` resource (format: `projects/{{project}}/topics/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object type: object publishFindingsToCloudDataCatalog: description: Publish findings to Cloud Datahub. 
type: object x-kubernetes-preserve-unknown-fields: true publishSummaryToCscc: description: Publish summary to Cloud Security Command Center (Alpha). type: object x-kubernetes-preserve-unknown-fields: true publishToStackdriver: description: Enable Stackdriver metric dlp.googleapis.com/finding_count. type: object x-kubernetes-preserve-unknown-fields: true saveFindings: description: Save resulting findings in a provided location. properties: outputConfig: description: Location to store findings outside of DLP. properties: dlpStorage: description: Store findings directly to DLP. If neither this or bigquery is chosen only summary stats of total infotype count will be stored. Quotes will not be stored to dlp findings. If quotes are needed, store to BigQuery. Currently only for inspect jobs. type: object x-kubernetes-preserve-unknown-fields: true outputSchema: description: 'Schema used for writing the findings for Inspect jobs. This field is only used for Inspect and must be unspecified for Risk jobs. Columns are derived from the `Finding` object. If appending to an existing table, any columns from the predefined schema that are missing will be added. No columns in the existing table will be deleted. If unspecified, then all available columns will be used for a new table or an (existing) table with no schema, and no changes will be made to an existing table that has a schema. Only for use with external storage. Possible values: OUTPUT_SCHEMA_UNSPECIFIED, BASIC_COLUMNS, GCS_COLUMNS, DATASTORE_COLUMNS, BIG_QUERY_COLUMNS, ALL_COLUMNS' type: string table: description: 'Store findings in an existing table or a new table in an existing dataset. If table_id is not set a new one will be generated for you with the following format: dlp_googleapis_yyyy_mm_dd_[dlp_job_id]. Pacific timezone will be used for generating the date details. For Inspect, each column in an existing output table must have the same name, type, and mode of a field in the `Finding` object. 
For Risk, an existing output table should be the output of a previous Risk analysis job run on the same source table, with the same privacy metric and quasi-identifiers. Risk jobs that analyze the same table but compute a different privacy metric, or use different sets of quasi-identifiers, cannot store their results in the same table.' properties: datasetRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- Dataset ID of the table. Allowed value: The Google Cloud resource name of a `BigQueryDataset` resource (format: `projects/{{project}}/datasets/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object projectRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object tableRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- Name of the table. 
Allowed value: The Google Cloud resource name of a `BigQueryTable` resource (format: `projects/{{project}}/datasets/{{dataset_id}}/tables/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object type: object type: object type: object type: object type: array inspectConfig: description: How and what to scan for. properties: customInfoTypes: description: CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more. items: properties: detectionRules: description: Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType. items: properties: hotwordRule: description: Hotword-based detection rule. properties: hotwordRegex: description: Regular expression pattern defining what qualifies as a hotword. properties: groupIndexes: description: The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. items: format: int64 type: integer type: array pattern: description: Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. type: string type: object likelihoodAdjustment: description: Likelihood adjustment to apply to all matching findings. properties: fixedLikelihood: description: 'Set the likelihood of a finding to a fixed value. Possible values: LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY, UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY' type: string relativeLikelihood: description: Increase or decrease the likelihood by the specified number of levels. 
For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`. format: int64 type: integer type: object proximity: description: Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question. properties: windowAfter: description: Number of characters after the finding to consider. format: int64 type: integer windowBefore: description: Number of characters before the finding to consider. format: int64 type: integer type: object type: object type: object type: array dictionary: description: A list of phrases to detect as a CustomInfoType. properties: cloudStoragePath: description: Newline-delimited file of words in Cloud Storage. Only a single file is accepted. properties: path: description: 'A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt' type: string type: object wordList: description: List of words or phrases to search for. properties: words: description: Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. 
[required] items: type: string type: array type: object type: object exclusionType: description: 'If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching. Possible values: EXCLUSION_TYPE_UNSPECIFIED, EXCLUSION_TYPE_EXCLUDE' type: string infoType: description: CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type. properties: name: description: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. type: string version: description: Optional version name for this InfoType. type: string type: object likelihood: description: 'Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified. Possible values: LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY, UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY' type: string regex: description: Regular expression based CustomInfoType. properties: groupIndexes: description: The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. items: format: int64 type: integer type: array pattern: description: Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. 
type: string type: object storedType: description: Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`. properties: createTime: description: Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system. format: date-time type: string nameRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`. Allowed value: The Google Cloud resource name of a `DLPStoredInfoType` resource (format: `{{parent}}/storedInfoTypes/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object type: object surrogateType: description: Message for detecting output from deidentification transformations that support reversing. type: object x-kubernetes-preserve-unknown-fields: true type: object type: array excludeInfoTypes: description: When true, excludes type information of the findings. This is not used for data profiling. type: boolean includeQuote: description: When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote. This is not used for data profiling. type: boolean infoTypes: description: Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. 
When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time. items: properties: name: description: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. type: string type: object type: array limits: description: Configuration to control the number of findings returned. This is not used for data profiling. properties: maxFindingsPerInfoType: description: Configuration of findings limit given for specified infoTypes. items: properties: infoType: description: Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit. properties: name: description: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. type: string version: description: Optional version name for this InfoType. type: string type: object maxFindings: description: Max findings limit for the given infoType. 
format: int64 type: integer type: object type: array maxFindingsPerItem: description: Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored. format: int64 type: integer maxFindingsPerRequest: description: Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher. format: int64 type: integer type: object minLikelihood: description: 'Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more. Possible values: LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY, UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY' type: string ruleSet: description: Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type. items: properties: infoTypes: description: List of infoTypes this rule set is applied to. items: properties: name: description: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. type: string version: description: Optional version name for this InfoType. type: string type: object type: array rules: description: Set of rules to be applied to infoTypes. The rules are applied in order. items: properties: exclusionRule: description: Exclusion rule. properties: dictionary: description: Dictionary which defines the rule. properties: cloudStoragePath: description: Newline-delimited file of words in Cloud Storage. 
Only a single file is accepted. properties: path: description: 'A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt' type: string type: object wordList: description: List of words or phrases to search for. properties: words: description: Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required] items: type: string type: array type: object type: object excludeInfoTypes: description: Set of infoTypes for which findings would affect this rule. properties: infoTypes: description: An infoType list in an ExclusionRule drops a finding when it overlaps with, or is contained within, a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER" and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS", the phone number findings are dropped if they overlap with an EMAIL_ADDRESS finding. As a result, "555-222-2222@example.org" generates only a single finding, namely the email address. items: properties: name: description: Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`. type: string version: description: Optional version name for this InfoType. type: string type: object type: array type: object matchingType: description: 'How the rule is applied, see MatchingType documentation for details. Possible values: MATCHING_TYPE_UNSPECIFIED, MATCHING_TYPE_FULL_MATCH, MATCHING_TYPE_PARTIAL_MATCH, MATCHING_TYPE_INVERSE_MATCH' type: string regex: description: Regular expression which defines the rule. 
properties: groupIndexes: description: The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. items: format: int64 type: integer type: array pattern: description: Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. type: string type: object type: object hotwordRule: properties: hotwordRegex: description: Regular expression pattern defining what qualifies as a hotword. properties: groupIndexes: description: The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included. items: format: int64 type: integer type: array pattern: description: Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub. type: string type: object likelihoodAdjustment: description: Likelihood adjustment to apply to all matching findings. properties: fixedLikelihood: description: 'Set the likelihood of a finding to a fixed value. Possible values: LIKELIHOOD_UNSPECIFIED, VERY_UNLIKELY, UNLIKELY, POSSIBLE, LIKELY, VERY_LIKELY' type: string relativeLikelihood: description: Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`. format: int64 type: integer type: object proximity: description: Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. 
Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question. properties: windowAfter: description: Number of characters after the finding to consider. format: int64 type: integer windowBefore: description: Number of characters before the finding to consider. format: int64 type: integer type: object type: object type: object type: array type: object type: array type: object inspectTemplateRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- If provided, will be used as the default for all values in InspectConfig. `inspect_config` will be merged into the values persisted as part of the template. Allowed value: The Google Cloud resource name of a `DLPInspectTemplate` resource (format: `{{parent}}/inspectTemplates/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object storageConfig: description: The data to scan. properties: bigQueryOptions: description: BigQuery options. properties: excludedFields: description: References to fields excluded from scanning. This allows you to skip inspection of entire columns which you know have no findings. items: properties: name: description: Name describing the field. type: string type: object type: array identifyingFields: description: Table fields that may uniquely identify a row within the table. 
When `actions.saveFindings.outputConfig.table` is specified, the values of columns specified here are available in the output table under `location.content_locations.record_location.record_key.id_values`. Nested fields such as `person.birthdate.year` are allowed. items: properties: name: description: Name describing the field. type: string type: object type: array includedFields: description: Limit scanning only to these fields. items: properties: name: description: Name describing the field. type: string type: object type: array rowsLimit: description: Max number of rows to scan. If the table has more rows than this value, the rest of the rows are omitted. If not set, or if set to 0, all rows will be scanned. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig. format: int64 type: integer rowsLimitPercent: description: Max percentage of rows to scan. The rest are omitted. The number of rows scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one of rows_limit and rows_limit_percent can be specified. Cannot be used in conjunction with TimespanConfig. format: int64 type: integer sampleMethod: description: ' Possible values: SAMPLE_METHOD_UNSPECIFIED, TOP, RANDOM_START' type: string tableReference: description: Complete BigQuery table reference. properties: datasetRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- Dataset ID of the table. Allowed value: The Google Cloud resource name of a `BigQueryDataset` resource (format: `projects/{{project}}/datasets/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object projectRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object tableRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- Name of the table. Allowed value: The Google Cloud resource name of a `BigQueryTable` resource (format: `projects/{{project}}/datasets/{{dataset_id}}/tables/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object type: object required: - tableReference type: object cloudStorageOptions: description: Google Cloud Storage options. properties: bytesLimitPerFile: description: Max number of bytes to scan from a file. If a scanned file's size is bigger than this value then the rest of the bytes are omitted. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified. Cannot be set if de-identification is requested. 
format: int64 type: integer bytesLimitPerFilePercent: description: Max percentage of bytes to scan from a file. The rest are omitted. The number of bytes scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. Only one of bytes_limit_per_file and bytes_limit_per_file_percent can be specified. Cannot be set if de-identification is requested. format: int64 type: integer fileSet: description: The set of one or more files to scan. properties: regexFileSet: description: The regex-filtered set of files to scan. Exactly one of `url` or `regex_file_set` must be set. properties: bucketRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- The name of a Cloud Storage bucket. Required. Allowed value: The Google Cloud resource name of a `StorageBucket` resource (format: `{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object excludeRegex: description: A list of regular expressions matching file paths to exclude. All files in the bucket that match at least one of these regular expressions will be excluded from the scan. Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub. items: type: string type: array includeRegex: description: A list of regular expressions matching file paths to include. All files in the bucket that match at least one of these regular expressions will be included in the set of files, except for those that also match an item in `exclude_regex`. 
Leaving this field empty will match all files by default (this is equivalent to including `.*` in the list). Regular expressions use RE2 [syntax](https://github.com/google/re2/wiki/Syntax); a guide can be found under the google/re2 repository on GitHub. items: type: string type: array required: - bucketRef type: object url: description: The Cloud Storage url of the file(s) to scan, in the format `gs://<bucket>/<path>`. Trailing wildcard in the path is allowed. If the url ends in a trailing slash, the bucket or directory represented by the url will be scanned non-recursively (content in sub-directories will not be scanned). This means that `gs://mybucket/` is equivalent to `gs://mybucket/*`, and `gs://mybucket/directory/` is equivalent to `gs://mybucket/directory/*`. Exactly one of `url` or `regex_file_set` must be set. type: string type: object fileTypes: description: List of file type groups to include in the scan. If empty, all files are scanned and available data format processors are applied. In addition, the binary content of the selected files is always scanned as well. Images are scanned only as binary if the specified region does not support image inspection and no file_types were specified. Image inspection is restricted to 'global', 'us', 'asia', and 'europe'. items: type: string type: array filesLimitPercent: description: Limits the number of files to scan to this percentage of the input FileSet. Number of files scanned is rounded down. Must be between 0 and 100, inclusively. Both 0 and 100 means no limit. Defaults to 0. format: int64 type: integer sampleMethod: description: ' Possible values: SAMPLE_METHOD_UNSPECIFIED, TOP, RANDOM_START' type: string type: object datastoreOptions: description: Google Cloud Datastore options. properties: kind: description: The kind to process. properties: name: description: The name of the kind. type: string type: object partitionId: description: A partition ID identifies a grouping of entities. 
The grouping is always by project and namespace, however the namespace ID may be empty. properties: namespaceId: description: If not empty, the ID of the namespace to which the entities belong. type: string projectRef: oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: |- The ID of the project to which the entities belong. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`). type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object type: object type: object hybridOptions: description: Hybrid inspection options. properties: description: description: A short description of where the data is coming from. Will be stored once in the job. 256 max length. type: string labels: additionalProperties: type: string description: 'To organize findings, these labels will be added to each finding. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`. Label values must be between 0 and 63 characters long and must conform to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`. No more than 10 labels can be associated with a given finding. Examples: * `"environment" : "production"` * `"pipeline" : "etl"`' type: object requiredFindingLabelKeys: description: 'These are labels that each inspection request must include within their ''finding_labels'' map. Request may contain others, but any missing one of these will be rejected. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`. No more than 10 keys can be required.'
items: type: string type: array tableOptions: description: If the container is a table, additional information to make findings meaningful such as the columns that are primary keys. properties: identifyingFields: description: The columns that are the primary keys for table objects included in ContentItem. A copy of this cell's value will be stored alongside each finding so that the finding can be traced to the specific row it came from. No more than 3 may be provided. items: properties: name: description: Name describing the field. type: string type: object type: array type: object type: object timespanConfig: properties: enableAutoPopulationOfTimespanConfig: description: When the job is started by a JobTrigger we will automatically figure out a valid start_time to avoid scanning files that have not been modified since the last time the JobTrigger executed. This will be based on the time of the execution of the last run of the JobTrigger. type: boolean endTime: description: Exclude files, tables, or rows newer than this value. If not set, no upper time limit is applied. format: date-time type: string startTime: description: Exclude files, tables, or rows older than this value. If not set, no lower time limit is applied. format: date-time type: string timestampField: description: 'Specification of the field containing the timestamp of scanned items. Used for data sources like Datastore and BigQuery. For BigQuery: If this value is not specified and the table was modified between the given start and end times, the entire table will be scanned. If this value is specified, then rows are filtered based on the given start and end times. Rows with a `NULL` value in the provided BigQuery column are skipped. Valid data types of the provided BigQuery column are: `INTEGER`, `DATE`, `TIMESTAMP`, and `DATETIME`. For Datastore: If this value is specified, then entities are filtered based on the given start and end times.
If an entity does not contain the provided timestamp property or contains empty or invalid values, then it is included. Valid data types of the provided timestamp property are: `TIMESTAMP`.' properties: name: description: Name describing the field. type: string type: object type: object type: object required: - storageConfig type: object location: description: Immutable. The location of the resource type: string projectRef: description: Immutable. The Project that this resource belongs to. Only one of [projectRef] may be specified. oneOf: - not: required: - external required: - name - not: anyOf: - required: - name - required: - namespace required: - external properties: external: description: 'Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).' type: string name: description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string namespace: description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' type: string type: object resourceID: description: Immutable. Optional. The service-generated name of the resource. Used for acquisition only. Leave unset to create a new resource. type: string status: description: 'Immutable. Required. A status for this trigger. Possible values: STATUS_UNSPECIFIED, HEALTHY, PAUSED, CANCELLED' type: string triggers: description: A list of triggers which will be OR'ed together. Only one in the list needs to trigger for a job to be started. The list may contain only a single Schedule trigger and must have at least one object. items: properties: manual: description: For use with hybrid jobs. Jobs must be manually created and finished. type: object x-kubernetes-preserve-unknown-fields: true schedule: description: Create a job on a repeating basis based on the elapse of time. 
properties: recurrencePeriodDuration: description: 'With this option a job is started on a regular periodic basis. For example: every day (86400 seconds). A scheduled start time will be skipped if the previous execution has not ended when its scheduled time occurs. This value must be set to a time duration greater than or equal to 1 day and can be no longer than 60 days.' type: string type: object type: object type: array required: - inspectJob - projectRef - status - triggers type: object status: properties: conditions: description: Conditions represent the latest available observation of the resource's current state. items: properties: lastTransitionTime: description: Last time the condition transitioned from one status to another. type: string message: description: Human-readable message indicating details about last transition. type: string reason: description: Unique, one-word, CamelCase reason for the condition's last transition. type: string status: description: Status is the status of the condition. Can be True, False, Unknown. type: string type: description: Type is the type of the condition. type: string type: object type: array createTime: description: Output only. The creation timestamp of a triggeredJob. format: date-time type: string errors: description: Output only. A stream of errors encountered when the trigger was activated. Repeated errors may result in the JobTrigger automatically being paused. Will return the last 100 errors. Whenever the JobTrigger is modified this list will be cleared. items: properties: details: description: Detailed error codes and messages. properties: code: description: The status code, which should be an enum value of google.rpc.Code. format: int64 type: integer details: description: A list of messages that carry the error details. There is a common set of message types for APIs to use. items: properties: typeUrl: description: 'A URL/resource name that uniquely identifies the type of the serialized protocol buffer message.
This string must contain at least one "/" character. The last segment of the URL''s path must represent the fully qualified name of the type (as in `path/google.protobuf.Duration`). The name should be in a canonical form (e.g., leading "." is not accepted). In practice, teams usually precompile into the binary all types that they expect it to use in the context of Any. However, for URLs which use the scheme `http`, `https`, or no scheme, one can optionally set up a type server that maps type URLs to message definitions as follows: * If no scheme is provided, `https` is assumed. * An HTTP GET on the URL must yield a google.protobuf.Type value in binary format, or produce an error. * Applications are allowed to cache lookup results based on the URL, or have them precompiled into a binary to avoid any lookup. Therefore, binary compatibility needs to be preserved on changes to types. (Use versioned type names to manage breaking changes.) Note: this functionality is not currently available in the official protobuf release, and it is not used for type URLs beginning with type.googleapis.com. Schemes other than `http`, `https` (or the empty scheme) might be used with implementation specific semantics.' type: string value: description: Must be a valid serialized protocol buffer of the above specified type. type: string type: object type: array message: description: A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. type: string type: object timestamps: description: The times the error occurred. items: format: date-time type: string type: array type: object type: array lastRunTime: description: Output only. The timestamp of the last time this trigger executed. format: date-time type: string locationId: description: Output only. The geographic location where this resource is stored. 
type: string observedGeneration: description: ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. type: integer updateTime: description: Output only. The last update timestamp of a triggeredJob. format: date-time type: string type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: []