Spring Boot on GCP
  • Introduction
  • Getting Started
    • Google Cloud Platform
    • Cloud Shell
    • gcloud CLI
    • Hello World!
      • Cloud Shell
      • App Engine
      • Cloud Run
      • Kubernetes Engine
      • Compute Engine
      • Cloud Functions
  • Application Development
    • Development Tools
    • Spring Cloud GCP
    • Cloud Services
      • Databases
        • Cloud SQL
        • Cloud Spanner
        • Cloud Firestore
          • Datastore Mode
          • Native Mode
      • Messaging
        • Cloud Pub/Sub
        • Kafka
      • Secret Management
      • Storage
      • Cache
        • Memorystore Redis
        • Memorystore Memcached (beta)
      • Other Services
    • Observability
      • Trace
      • Logging
      • Metrics
      • Profiling
      • Debugging
    • DevOps
      • Artifact Repository
  • Deployment
    • Runtime Environments
    • Container
      • Container Image
      • Secure Container Image
      • Container Awareness
      • Vulnerability Scanning
      • Attestation
    • Kubernetes
      • Kubernetes Cluster
      • Deployment
      • Resources
      • Service
      • Health Checks
      • Load Balancing
        • External Load Balancing
        • Internal Load Balancing
      • Scheduling
      • Workload Identity
      • Binary Authorization
    • Istio
      • Getting Started
      • Sidecar Proxy
  • Additional Resources
    • Code Labs
    • Presentations / Videos
    • Cheat Sheets
Powered by GitBook
On this page
  • Enforce Attestation
  • Enable Policy
  • Unattested Container Image
  • Attested Container Image
  • Allow List

Was this helpful?

  1. Deployment
  2. Kubernetes

Binary Authorization

PreviousWorkload IdentityNextIstio

Last updated 4 years ago

Was this helpful?

This section continues from the previous section - make sure you do the tutorial in sequence.

Enforce Attestation

Binary Authorization allows you to enforce container image attestation, so that only attested container images can run.

Before you can turn this on, you must have .

Enable Policy

First, export the existing Binary Authorization policy:

gcloud container binauthz policy export > $HOME/binauthz-policy.yaml

Edit the binauthz-policy.yaml and enable attestation policy:

binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  # Change evaluationMode to require attestation
  evaluationMode: REQUIRE_ATTESTATION
  # Add the policy, and reference the `default-attestor` created from
  # Attestation section.
  # Replace PROJECT_ID with your Project ID.
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/default-attestor
globalPolicyEvaluationMode: ENABLE
name: projects/PROJECT_ID/policy

Import the Policy File:

gcloud container binauthz policy import $HOME/binauthz-policy.yaml

Unattested Container Image

You can verify that the policy is being enforced by deploying an unattested container image:

kubectl create deployment unattested-nginx --image=nginx

While this should have created a new deployment for nginx and running a Pod, you can validate that no Pod is running:

kubectl get pods -lapp=unattested-nginx

In addition, you can verify the Kubernetes events stream:

kubectl get event

Observe the event where the container image was denied by the attestor:

... Error creating: pods "..." is forbidden: image policy webhook backend denied one or more images: Denied by default admission rule. Denied by Attestor. ...

Delete the deployment:

kubectl delete deployment unattested-nginx

Attested Container Image

PROJECT_ID=$(gcloud config get-value project)
IMAGE=$(gcloud container images describe gcr.io/$PROJECT_ID/helloworld \
  --format='value(image_summary.fully_qualified_digest)')

kubectl create deployment attested-helloworld --image=$IMAGE

Verify that the Pod is up and running:

kubectl get pods -lapp=attested-helloworld

Allow List

It may be impossible to attest every single container image you want to run. For example, you may trust certain images from open source projects. You can add these images into an allow list.

For example, to be able to deploy the nginx container image from Dockerhub without attestation, you need to add it to the policy.

First, export the existing Binary Authorization policy:

gcloud container binauthz policy export > $HOME/binauthz-policy.yaml

Edit the binauthz-policy.yaml and enable attestation policy:

binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
# Add nginx to the allow list
- namePattern: nginx
defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  evaluationMode: REQUIRE_ATTESTATION
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/default-attestor
globalPolicyEvaluationMode: ENABLE
name: projects/PROJECT_ID/policy

Import the Policy File:

gcloud container binauthz policy import $HOME/binauthz-policy.yaml

Deploy nginx again:

kubectl create deployment unattested-nginx --image=nginx

Verify that the Pod is up and running due to the allow list:

kubectl get pods -lapp=unattested-nginx

If you trust every container image from a particular Project:

binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
# Add the container registry from a project to the allow list.
# Replace PROJECT_ID.
- namePattern: gcr.io/PROJECT_ID/*
defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  evaluationMode: REQUIRE_ATTESTATION
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/default-attestor
globalPolicyEvaluationMode: ENABLE
name: projects/PROJECT_ID/policy

Deploy a from the section.

Deployment
Attestation
attested a container image
Container Image Attestation
previously attested container image