This section continues from the previous section - make sure you do the tutorial in sequence.
Binary Authorization allows you to enforce container image attestation, so that only attested container images can run.
Before you can turn this on, you must have attested a container image.
First, export the existing Binary Authorization policy:
gcloud container binauthz policy export > $HOME/binauthz-policy.yaml
Edit the binauthz-policy.yaml
and enable attestation policy:
binauthz-policy.yamladmissionWhitelistPatterns:- namePattern: gcr.io/google_containers/*- namePattern: gcr.io/google-containers/*- namePattern: k8s.gcr.io/*- namePattern: gke.gcr.io/*- namePattern: gcr.io/stackdriver-agents/*defaultAdmissionRule:enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG# Change evaluationMode to require attestationevaluationMode: REQUIRE_ATTESTATION# Add the policy, and reference the `default-attestor` created from# Attestation section.# Replace PROJECT_ID with your Project ID.requireAttestationsBy:- projects/PROJECT_ID/attestors/default-attestorglobalPolicyEvaluationMode: ENABLEname: projects/PROJECT_ID/policy
Import the Policy File:
gcloud container binauthz policy import $HOME/binauthz-policy.yaml
You can verify that the policy is being enforced by deploying an unattested container image:
kubectl create deployment unattested-nginx --image=nginx
While this should have created a new deployment for nginx
and running a Pod, you can validate that no Pod is running:
kubectl get pods -lapp=unattested-nginx
In addition, you can verify the Kubernetes events stream:
kubectl get event
Observe the event where the container image was denied by the attestor:
... Error creating: pods "..." is forbidden: image policy webhook backend denied one or more images: Denied by default admission rule. Denied by Attestor. ...
Delete the deployment:
kubectl delete deployment unattested-nginx
Deploy a previously attested container image from the Container Image Attestation section.
PROJECT_ID=$(gcloud config get-value project)IMAGE=$(gcloud container images describe gcr.io/$PROJECT_ID/helloworld \--format='value(image_summary.fully_qualified_digest)')​kubectl create deployment attested-helloworld --image=$IMAGE
Verify that the Pod is up and running:
kubectl get pods -lapp=attested-helloworld
It may be impossible to attest every single container image you want to run. For example, you may trust certain images from open source projects. You can add these images into an allow list.
For example, to be able to deploy the nginx
container image from Dockerhub without attestation, you need to add it to the policy.
First, export the existing Binary Authorization policy:
gcloud container binauthz policy export > $HOME/binauthz-policy.yaml
Edit the binauthz-policy.yaml
and enable attestation policy:
binauthz-policy.yamladmissionWhitelistPatterns:- namePattern: gcr.io/google_containers/*- namePattern: gcr.io/google-containers/*- namePattern: k8s.gcr.io/*- namePattern: gke.gcr.io/*- namePattern: gcr.io/stackdriver-agents/*# Add nginx to the allow list- namePattern: nginxdefaultAdmissionRule:enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOGevaluationMode: REQUIRE_ATTESTATIONrequireAttestationsBy:- projects/PROJECT_ID/attestors/default-attestorglobalPolicyEvaluationMode: ENABLEname: projects/PROJECT_ID/policy
Import the Policy File:
gcloud container binauthz policy import $HOME/binauthz-policy.yaml
Deploy nginx
again:
kubectl create deployment unattested-nginx --image=nginx
Verify that the Pod is up and running due to the allow list:
kubectl get pods -lapp=unattested-nginx
If you trust every container image from a particular Project:
binauthz-policy.yamladmissionWhitelistPatterns:- namePattern: gcr.io/google_containers/*- namePattern: gcr.io/google-containers/*- namePattern: k8s.gcr.io/*- namePattern: gke.gcr.io/*- namePattern: gcr.io/stackdriver-agents/*# Add the container registry from a project to the allow list.# Replace PROJECT_ID.- namePattern: gcr.io/PROJECT_ID/*defaultAdmissionRule:enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOGevaluationMode: REQUIRE_ATTESTATIONrequireAttestationsBy:- projects/PROJECT_ID/attestors/default-attestorglobalPolicyEvaluationMode: ENABLEname: projects/PROJECT_ID/policy