Edit the binauthz-policy.yaml and enable attestation policy:
binauthz-policy.yaml
admissionWhitelistPatterns:-namePattern:gcr.io/google_containers/*-namePattern:gcr.io/google-containers/*-namePattern:k8s.gcr.io/*-namePattern:gke.gcr.io/*-namePattern:gcr.io/stackdriver-agents/*defaultAdmissionRule:enforcementMode:ENFORCED_BLOCK_AND_AUDIT_LOG # Change evaluationMode to require attestationevaluationMode:REQUIRE_ATTESTATION # Add the policy, and reference the `default-attestor` created from # Attestation section. # Replace PROJECT_ID with your Project ID.requireAttestationsBy:-projects/PROJECT_ID/attestors/default-attestorglobalPolicyEvaluationMode:ENABLEname:projects/PROJECT_ID/policy
Import the Policy File:
Unattested Container Image
You can verify that the policy is being enforced by deploying an unattested container image:
While this should have created a new deployment for nginx and running a Pod, you can validate that no Pod is running:
In addition, you can verify the Kubernetes events stream:
Observe the event where the container image was denied by the attestor:
It may be impossible to attest every single container image you want to run. For example, you may trust certain images from open source projects. You can add these images into an allow list.
For example, to be able to deploy the nginx container image from Dockerhub without attestation, you need to add it to the policy.
First, export the existing Binary Authorization policy:
Edit the binauthz-policy.yaml and enable attestation policy:
Import the Policy File:
Deploy nginx again:
Verify that the Pod is up and running due to the allow list:
If you trust every container image from a particular Project:
... Error creating: pods "..." is forbidden: image policy webhook backend denied one or more images: Denied by default admission rule. Denied by Attestor. ...
