Binary Authorization
This section continues from the previous section - make sure you do the tutorial in sequence.

Enforce Attestation

Binary Authorization allows you to enforce container image attestation, so that only attested container images can run.
Before you can turn this on, you must have attested a container image.

Enable Policy

First, export the existing Binary Authorization policy:
gcloud container binauthz policy export > $HOME/binauthz-policy.yaml
Edit binauthz-policy.yaml and change the default admission rule so that it requires attestation. The admissionWhitelistPatterns entries for GKE system images come from the exported default policy; leave them as they are:
binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  # Change evaluationMode (ALWAYS_ALLOW in the exported default) to REQUIRE_ATTESTATION
  evaluationMode: REQUIRE_ATTESTATION
  # Reference the default-attestor created in the Attestation section.
  # Replace PROJECT_ID with your Project ID.
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/default-attestor
globalPolicyEvaluationMode: ENABLE
name: projects/PROJECT_ID/policy
Import the Policy File:
gcloud container binauthz policy import $HOME/binauthz-policy.yaml

Unattested Container Image

You can verify that the policy is being enforced by deploying an unattested container image:
kubectl create deployment unattested-nginx --image=nginx
The Deployment object itself is created (the policy is applied to Pods, not to Deployments), but the admission webhook rejects every Pod its ReplicaSet tries to create. Confirm that no Pod is running:
kubectl get pods -lapp=unattested-nginx
The rejection is recorded as a FailedCreate event on the ReplicaSet. Check the Kubernetes events stream:
kubectl get events
Observe the event in which Pod creation was denied by the attestor:
... Error creating: pods "..." is forbidden: image policy webhook backend denied one or more images: Denied by default admission rule. Denied by Attestor. ...
Because enforcementMode is ENFORCED_BLOCK_AND_AUDIT_LOG, the same denial is also written to the cluster's Cloud Audit Logs, which is where to look for blocked deployments you did not launch yourself.
Delete the deployment:
kubectl delete deployment unattested-nginx

Attested Container Image

Now deploy the helloworld image you attested in the previous section. An attestation is bound to an image digest, not to a tag, so resolve the digest first and deploy by that:
PROJECT_ID=$(gcloud config get-value project)
IMAGE=$(gcloud container images describe gcr.io/$PROJECT_ID/helloworld \
  --format='value(image_summary.fully_qualified_digest)')

kubectl create deployment attested-helloworld --image=$IMAGE
Verify that the Pod is up and running:
kubectl get pods -lapp=attested-helloworld
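The following script is an added example for this tutorial, not part of it and not Google tooling. It wraps the attested deployment above in a preflight check and also covers the failure mode shown in the unattested section: a reference that carries only a tag is resolved to its digest (attestations are per digest), the attestor is asked whether it already holds an attestation for that digest, and only then is kubectl called, so a deployment that admission would deny is refused before it is submitted. is_digest_pinned is a pure check; the gcloud wrappers reuse the describe call from the page and assume the attestor is default-attestor in the current project (the ATTESTOR and ATTESTOR_PROJECT environment variables are this script's own assumption for overriding that).

```shell
#!/bin/sh
# Preflight for deploying under REQUIRE_ATTESTATION. Added example, not from
# the tutorial: attestations are bound to an image digest, so a tag-only
# reference can never satisfy the attestor. Resolve the tag, confirm the
# attestor has a signed attestation for the digest, then create the Deployment.
set -e

# Returns 0 when REF is pinned to a digest: "...@sha256:<64 hex chars>".
is_digest_pinned() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "${1##*@sha256:}" | grep -Eq '^[0-9a-f]{64}$'
}

# Resolve a tag reference (e.g. gcr.io/PROJECT_ID/helloworld:v1) to its digest
# form, using the same gcloud call as the tutorial.
resolve_digest() {
  gcloud container images describe "$1" \
    --format='value(image_summary.fully_qualified_digest)'
}

# Number of attestations the attestor holds for this artifact URL. ATTESTOR and
# ATTESTOR_PROJECT are assumed variables; they default to default-attestor in
# the current project. A failed gcloud call counts as 0, i.e. refuse to deploy.
attestation_count() {
  gcloud container binauthz attestations list \
    --attestor="${ATTESTOR:-default-attestor}" \
    --attestor-project="${ATTESTOR_PROJECT:-$(gcloud config get-value project)}" \
    --artifact-url="$1" --format='value(name)' | grep -c . || true
}

# Deploy NAME from REF: resolve tag-only references to a digest, verify an
# attestation exists, then deploy by digest.
deploy_attested() {
  name=$1
  ref=$2
  if ! is_digest_pinned "$ref"; then
    echo "resolving $ref to a digest (attestations are per digest, not per tag)" >&2
    ref=$(resolve_digest "$ref")
    is_digest_pinned "$ref" || { echo "could not resolve a digest for $2" >&2; return 1; }
  fi
  n=$(attestation_count "$ref")
  if [ "$n" -eq 0 ]; then
    echo "refusing: no attestation for $ref; admission would deny it anyway" >&2
    return 1
  fi
  kubectl create deployment "$name" --image="$ref"
}

# Usage: sh deploy-attested.sh attested-helloworld gcr.io/PROJECT_ID/helloworld
if [ $# -eq 2 ]; then deploy_attested "$1" "$2"; fi
```

Run it with the Deployment name and either a tag or a digest reference; the refusal path exits non-zero without touching the cluster, which makes it usable as a gate in a deploy pipeline.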

Allow List

It is not always possible to attest every container image you want to run; for example, you may trust certain images from open source projects. You can add these images to an allow list. Note that allow list patterns are evaluated before the admission rules: an image that matches one is admitted without any attestation check, so keep each pattern as narrow as possible.
For example, to deploy the nginx container image from Docker Hub without attestation, add it to the policy.
First, export the existing Binary Authorization policy:
gcloud container binauthz policy export > $HOME/binauthz-policy.yaml
Edit binauthz-policy.yaml and add nginx to admissionWhitelistPatterns, keeping the attestation rule from the previous step:
binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
# Add nginx to the allow list
- namePattern: nginx
defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  evaluationMode: REQUIRE_ATTESTATION
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/default-attestor
globalPolicyEvaluationMode: ENABLE
name: projects/PROJECT_ID/policy
Import the Policy File:
gcloud container binauthz policy import $HOME/binauthz-policy.yaml
Deploy nginx again:
kubectl create deployment unattested-nginx --image=nginx
Verify that the Pod is now running, admitted by the allow list rather than by an attestation:
kubectl get pods -lapp=unattested-nginx
If you trust every container image from a particular project, allow list its registry path instead. Be aware that this exempts those images from the attestation rule entirely: a matching image is never evaluated against default-attestor, so do this only for a project whose images you do not intend to attest.
binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
# Add the container registry of a project to the allow list.
# Replace PROJECT_ID.
- namePattern: gcr.io/PROJECT_ID/*
defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  evaluationMode: REQUIRE_ATTESTATION
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/default-attestor
globalPolicyEvaluationMode: ENABLE
name: projects/PROJECT_ID/policy
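Before importing a policy it helps to know which clause will decide a given image, both for the attestation rule enabled in Enable Policy and for the allow list variants above. The dry run below is an added example for this tutorial (not Google tooling and not the real admission webhook): it reads the flat keys this page uses out of the exported YAML, consults admissionWhitelistPatterns first, and otherwise reports the default rule's evaluationMode and attestors. The namePattern matching follows the documented trailing '*' (one path segment) and '**' (across '/') semantics; stripping the tag or digest before matching, the embedded sample policy with the placeholder project example-project, and the option to pass extra patterns are this script's own assumptions.

```shell
#!/bin/sh
# Dry run of a Binary Authorization policy: which clause decides a given image
# reference? Added example for the tutorial, not Google tooling. It parses only
# the flat keys this page uses (admissionWhitelistPatterns[].namePattern,
# defaultAdmissionRule.evaluationMode and requireAttestationsBy).
set -e

# Strip a ":tag" or "@sha256:..." suffix, leaving registry/path. Assumption:
# tags contain no '/', so a ':' in the last path segment is the tag separator
# and "localhost:5000/nginx" keeps its port.
image_path() {
  ref=${1%%@*}
  case "${ref##*/}" in
    *:*) ref=${ref%:*} ;;
  esac
  printf '%s\n' "$ref"
}

# namePattern semantics as documented for the API: a trailing '*' matches the
# rest of a single path segment, a trailing '**' also matches across '/', and
# anything else must match exactly. Returns 0 on match, 1 otherwise.
pattern_matches() {
  pattern=$1
  path=$2
  case "$pattern" in
    *'**')
      prefix=${pattern%'**'}
      case "$path" in "$prefix"*) return 0 ;; esac ;;
    *'*')
      prefix=${pattern%'*'}
      case "$path" in
        "$prefix"*)
          rest=${path#"$prefix"}
          case "$rest" in */*) return 1 ;; *) return 0 ;; esac ;;
      esac ;;
    *)
      [ "$pattern" = "$path" ] && return 0 ;;
  esac
  return 1
}

# Classify IMAGE_REF against POLICY (the exported YAML as a string). The allow
# list is consulted first: a match exempts the image from every admission rule,
# attestors included, which is why allow list patterns must stay narrow.
binauthz_decide() {
  policy=$1
  path=$(image_path "$2")
  set -f   # patterns contain literal '*'; do not let the shell glob them
  for pat in $(printf '%s\n' "$policy" | sed -n 's/^ *- *namePattern: *//p'); do
    if pattern_matches "$pat" "$path"; then
      set +f
      printf 'ALLOWLISTED (%s)\n' "$pat"
      return 0
    fi
  done
  set +f
  mode=$(printf '%s\n' "$policy" | sed -n 's/^ *evaluationMode: *//p' | head -n 1)
  case "$mode" in
    REQUIRE_ATTESTATION)
      attestors=$(printf '%s\n' "$policy" \
        | sed -n 's/^ *- *\(projects\/[^ ]*\/attestors\/[^ ]*\).*/\1/p' | tr '\n' ' ')
      printf 'REQUIRE_ATTESTATION by %s\n' "${attestors% }" ;;
    ALWAYS_ALLOW) printf 'ALWAYS_ALLOW\n' ;;
    ALWAYS_DENY)  printf 'ALWAYS_DENY\n' ;;
    *) printf 'UNRECOGNISED evaluationMode: %s\n' "$mode"; return 2 ;;
  esac
}

# Constructed sample: the tutorial's allow list policy with a placeholder
# project, embedded so the dry run works offline. Extra namePattern entries may
# be passed as arguments. Against a real project, feed in the output of
# "gcloud container binauthz policy export" instead.
sample_policy() {
  printf '%s\n' 'admissionWhitelistPatterns:' \
    '- namePattern: gcr.io/google_containers/*' \
    '- namePattern: gcr.io/google-containers/*' \
    '- namePattern: k8s.gcr.io/*' \
    '- namePattern: gke.gcr.io/*' \
    '- namePattern: gcr.io/stackdriver-agents/*' \
    '- namePattern: nginx'
  for p in "$@"; do printf '%s\n' "- namePattern: $p"; done
  cat <<'EOF'
defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  evaluationMode: REQUIRE_ATTESTATION
  requireAttestationsBy:
  - projects/example-project/attestors/default-attestor
globalPolicyEvaluationMode: ENABLE
name: projects/example-project/policy
EOF
}

# Usage: sh binauthz-dryrun.sh IMAGE_REF [EXTRA_NAME_PATTERN ...]
if [ $# -gt 0 ]; then
  ref=$1
  shift
  binauthz_decide "$(sample_policy "$@")" "$ref"
fi
```

Two results are worth noting: k8s.gcr.io/nested/image is not covered by k8s.gcr.io/*, because a single '*' stops at the next '/', and once gcr.io/example-project/* is added, gcr.io/example-project/helloworld:latest is admitted without ever reaching default-attestor, which is exactly the trade-off the project-wide allow list makes.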