This page provides instructions for configuring a Binary Authorization policy using the command-line tool. As an alternative, you can also perform these tasks using Google Cloud Console or the REST API. This step is part of setting up Binary Authorization.
To configure a policy using the command-line tool, you export the existing policy as a YAML file. After you modify the file, you can import it to update the policy, as described later in this guide. For more information on the policy YAML format, see Policy YAML Reference.
Before you begin
- Enable Binary Authorization.
- Create a cluster.
- If you intend to use attestations, we recommend that you create attestors before configuring the policy. You can create attestors using a command-line tool or through the Cloud Console.
Set the project ID to the project in which you enabled Binary Authorization:
PROJECT_ID=PROJECT_ID gcloud config set project ${PROJECT_ID}
Export the policy YAML file
To update the policy, first export it to a local YAML file, as follows:
gcloud container binauthz policy export > /tmp/policy.yaml
By default, the file contents look similar to the following:
admissionWhitelistPatterns: - namePattern: gcr.io/google_containers/* - namePattern: gcr.io/google-containers/* - namePattern: k8s.gcr.io/* - namePattern: gke.gcr.io/* - namePattern: gcr.io/stackdriver-agents/* globalPolicyEvaluationMode: ENABLE defaultAdmissionRule: evaluationMode: EVALUATION_MODE enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG name: projects/PROJECT_ID/policy
To modify the policy, edit the file and add or update sections, as described later in this guide. After you save the file, you can import the policy.
Set the default rule
A rule is the part of a policy that defines constraints that container images must satisfy before they can be deployed. The default rule defines constraints that apply to all non-exempt images that don't have their own cluster-specific rule. Every policy must have a default rule.
The default rule is defined in the
defaultAdmissionRule node in
the policy YAML file. For more information on the parts of this rule, see
ADMISSION_RULE in the Policy YAML
Reference. For examples of default rules, see
Example Policies.
To set the default rule, edit the defaultAdmissionRule node in the
policy.yaml file as required:
defaultAdmissionRule: evaluationMode: EVALUATION_MODE enforcementMode: ENFORCEMENT_MODE requireAttestationsBy: - ATTESTOR - ...
Replace the following:
EVALUATION_MODE: The evaluation mode specifies the type of constraint that the Binary Authorization enforcer enforces at deploy time. Replace EVALUATION_MODE with one of the following options:
ALWAYS_ALLOW: allows all images to be deployed.ALWAYS_DENY: disallows all images from being deployed.REQUIRE_ATTESTATION: allows an image to be deployed if the image has an associated attestation. At deploy time, the enforcer verifies the attestation using the attestors you add to the ATTESTOR list in this rule. To learn about creating attestors, see Creating attestors. If you specifyREQUIRE_ATTESTATION, you must also add arequireAttestationsByblock containing at least one attestor. To learn about creating attestors, see Creating attestors.
ENFORCEMENT_MODE: The enforcement mode specifies how the enforcer responds when an image violates a rule. Replace ENFORCEMENT_MODE with one of the following:
ENFORCED_BLOCK_AND_AUDIT_LOG: block images that violate the rule and log information about the violation to Cloud Audit Logs (default).DRYRUN_AUDIT_LOG_ONLY: allow all images to deploy but log enforcement information, including information about violations, to Cloud Audit Logs.
ATTESTOR: If you set
EVALUATION_MODEtoREQUIRE_ATTESTATION, you must also add a requireAttesationsBy block. In the block, you list one or more attestors, by resource ID. The resource ID has the format:projects/PROJECT_ID/attestors/ATTESTOR_NAME.To learn more about creating attestors, see Creating attestors.
Manage exempt images
An exempt image is an image that is exempt from policy rules. Binary Authorization always allows exempt images to be deployed.
You specify exempt images by listing their registry paths in
admissionWhitelistPatterns. The path refers to
Container Registry or another image registry. At
deploy time, Binary Authorization exempts the list of images specified by
admissionWhitelistPatterns after the images specified by the
system policy.
To add an exempt image, add a namePattern node under an
admissionWhitelistPatterns
list in the policy.yaml file:
admissionWhitelistPatterns: - namePattern: MATCHING_PATTERN
Replace MATCHING_PATTERN with the path to a single image in your
registry by exact match, or to any images matching a pattern using the wildcard
symbol (*).
System policy evaluation mode
System policy evaluation mode is a policy setting that causes Binary Authorization to evaluate a system policy before evaluating the policy that you configure. Google manages the system policy, which exempts a list of Google-maintained system images that GKE uses. Images listed in the system policy are not blocked by policy enforcement. If you do not enable the setting, you must manage the list of exempt images yourself. Learn how to Manage exempt images.
You can view the contents of the system policy using the following command:
gcloud container binauthz policy export --project=DEPLOYER_PROJECT
Replace DEPLOYER_PROJECT with the project in which Binary Authorization is enabled.
To enable system policy evaluation mode, add the following line to
the policy.yaml file:
globalPolicyEvaluationMode: ENABLE
To disable system policy evaluation mode, add the following:
globalPolicyEvaluationMode: DISABLE
You can export the system policy associated with a specific region as follows:
gcloud container binauthz policy export-system-policy \
--location=REGION > /tmp/policy.yaml
Replace REGION with the region associated with the system
policy that you want to export (or "global"). Examples include: asia-east1,
europe-west1, us-central1.
If you omit --location or specify --location=global, the command outputs a
system policy from a region in the last group of regions to receive
updates. Since most changes to the system policy are additions, the output
shows the set of system images that are currently allowed in all regions.
Set cluster-specific rules (optional)
A cluster can also have one or more cluster-specific rules. This type of rule applies to images that are to be deployed to specific GKE clusters only. Cluster-specific rules are an optional part of a policy.
Cluster-specific rules are defined in
clusterAdmissionRules nodes in
the policy YAML file. For more information on the parts of this rule, see
ADMISSION_RULE in the Policy YAML
Reference. For an example, see
Use a cluster-specific rule
in Example Policies.
To add a cluster-specific rule:
In the policy.yaml file, add a clusterAdmissionRules node:
clusterAdmissionRules:
CLUSTER_SPECIFIER:
evaluationMode: EVALUATION_MODE
enforcementMode: ENFORCEMENT_MODE
requireAttestationsBy:
- ATTESTOR
- ...
Replace the following:
CLUSTER_SPECIFIER: the resource ID of the cluster to which the rule applies in the format
LOCATION.NAME. Other properties are as described in Set the default rule earlier in this guide. See Example Policies for an example of a cluster-specific rule.EVALUATION_MODE: The evaluation mode specifies the type of constraint that the Binary Authorization enforcer enforces at deploy time. Replace EVALUATION_MODE with one of the following options:
ALWAYS_ALLOW: allows all images to be deployed.ALWAYS_DENY: disallows all images from being deployed.REQUIRE_ATTESTATION: allows an image to be deployed if the image has an associated attestation. At deploy time, the enforcer verifies the attestation using the attestors you add to the ATTESTOR list in this rule. To learn about creating attestors, see Creating attestors. If you specifyREQUIRE_ATTESTATION, you must also add arequireAttestationsByblock containing at least one attestor. To learn about creating attestors, see Creating attestors.
ENFORCEMENT_MODE: The enforcement mode specifies how the enforcer responds when an image violates a rule. Replace ENFORCEMENT_MODE with one of the following:
ENFORCED_BLOCK_AND_AUDIT_LOG: block images that violate the rule and log information about the violation to Cloud Audit Logs (default).DRYRUN_AUDIT_LOG_ONLY: allow all images to deploy but log enforcement information, including information about violations, to Cloud Audit Logs.
ATTESTOR: If you set
EVALUATION_MODEtoREQUIRE_ATTESTATION, you must also add a requireAttesationsBy block. In the block, you list one or more attestors, by resource ID. The resource ID has the format:projects/PROJECT_ID/attestors/ATTESTOR_NAME.To learn more about creating attestors, see Creating attestors.
Set specific rules (optional)
Anthos Service Mesh users can create rules that are scoped to either a mesh service identity, a Kubernetes service account, or a Kubernetes namespace.
Set a rule for an Anthos Service Mesh service identity
To set a rule for an Anthos Service Mesh service identity, edit your
policy.yaml file and add a istioServiceIdentityAdmissionRules block, for
example:
defaultAdmissionRule:
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
evaluationMode: ALWAYS_DENY
globalPolicyEvaluationMode: ENABLE
istioServiceIdentityAdmissionRules:
SERVICE_IDENTITY_ID:
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
evaluationMode: ENFORCEMENT_MODE
requireAttestationsBy:
- <var>ATTESTOR</var>
- ...
name: projects/PROJECT_ID/policy
Replace the following:
SERVICE_IDENTITY_ID: the Anthos Service Mesh service identity to scope this rule to. The service identity has the following format: PROJECT_ID.svc.id.goog/ns/NAMESPACE/sa/SERVICE_ACCOUNT. In the service identity ID, replace the following:
- PROJECT_ID: the project ID in which you define your Kubernetes resources.
- NAMESPACE: the Kubernetes namespace.
- SERVICE_ACCOUNT: the service account.
EVALUATION_MODE: The evaluation mode specifies the type of constraint that the Binary Authorization enforcer enforces at deploy time. Replace EVALUATION_MODE with one of the following options:
ALWAYS_ALLOW: allows all images to be deployed.ALWAYS_DENY: disallows all images from being deployed.REQUIRE_ATTESTATION: allows an image to be deployed if the image has an associated attestation. At deploy time, the enforcer verifies the attestation using the attestors you add to the ATTESTOR list in this rule. To learn about creating attestors, see Creating attestors. If you specifyREQUIRE_ATTESTATION, you must also add arequireAttestationsByblock containing at least one attestor. To learn about creating attestors, see Creating attestors.
ENFORCEMENT_MODE: The enforcement mode specifies how the enforcer responds when an image violates a rule. Replace ENFORCEMENT_MODE with one of the following:
ENFORCED_BLOCK_AND_AUDIT_LOG: block images that violate the rule and log information about the violation to Cloud Audit Logs (default).DRYRUN_AUDIT_LOG_ONLY: allow all images to deploy but log enforcement information, including information about violations, to Cloud Audit Logs.
ATTESTOR: If you set
EVALUATION_MODEtoREQUIRE_ATTESTATION, you must also add a requireAttesationsBy block. In the block, you list one or more attestors, by resource ID. The resource ID has the format:projects/PROJECT_ID/attestors/ATTESTOR_NAME.To learn more about creating attestors, see Creating attestors.
Set a rule for a Kubernetes service account
To set a rule for a Kubernetes service account, edit your policy.yaml file and
add a kubernetesServiceAccountAdmissionRules block, for example:
defaultAdmissionRule:
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
evaluationMode: ALWAYS_DENY
globalPolicyEvaluationMode: ENABLE
kubernetesServiceAccountAdmissionRules:
KUBERNETES_SERVICE_ACCOUNT_ID:
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
evaluationMode: ENFORCEMENT_MODE
requireAttestationsBy:
- <var>ATTESTOR</var>
- ...
name: projects/PROJECT_ID/policy
Replace the following:
KUBERNETES_SERVICE_ACCOUNT_ID: The Kubernetes service account to scope the rule to. This service account ID has the format: NAMESPACE:SERVICE_ACCOUNT. In the service account ID, replace the following:
- NAMESPACE: the Kubernetes namespace.
- SERVICE_ACCOUNT: the service account name.
EVALUATION_MODE: The evaluation mode specifies the type of constraint that the Binary Authorization enforcer enforces at deploy time. Replace EVALUATION_MODE with one of the following options:
ALWAYS_ALLOW: allows all images to be deployed.ALWAYS_DENY: disallows all images from being deployed.REQUIRE_ATTESTATION: allows an image to be deployed if the image has an associated attestation. At deploy time, the enforcer verifies the attestation using the attestors you add to the ATTESTOR list in this rule. To learn about creating attestors, see Creating attestors. If you specifyREQUIRE_ATTESTATION, you must also add arequireAttestationsByblock containing at least one attestor. To learn about creating attestors, see Creating attestors.
ENFORCEMENT_MODE: The enforcement mode specifies how the enforcer responds when an image violates a rule. Replace ENFORCEMENT_MODE with one of the following:
ENFORCED_BLOCK_AND_AUDIT_LOG: block images that violate the rule and log information about the violation to Cloud Audit Logs (default).DRYRUN_AUDIT_LOG_ONLY: allow all images to deploy but log enforcement information, including information about violations, to Cloud Audit Logs.
ATTESTOR: If you set
EVALUATION_MODEtoREQUIRE_ATTESTATION, you must also add a requireAttesationsBy block. In the block, you list one or more attestors, by resource ID. The resource ID has the format:projects/PROJECT_ID/attestors/ATTESTOR_NAME.To learn more about creating attestors, see Creating attestors.
Set a rule for a Kubernetes namespace
To set a rule for a Kubernetes namespace, edit your policy.yaml file and add a
kubernetesNamespaceAdmissionRules block, for example:
defaultAdmissionRule:
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
evaluationMode: ALWAYS_DENY
globalPolicyEvaluationMode: ENABLE
kubernetesNamespaceAdmissionRules:
KUBERNETES_NAMESPACE:
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
evaluationMode: EVALUATION_MODE
requireAttestationsBy:
- <var>ATTESTOR</var>
- ...
name: projects/PROJECT_ID/policy
Replace the following:
KUBERNETES_NAMESPACE: The Kubernetes namespace to scope this rule to.
EVALUATION_MODE: The evaluation mode specifies the type of constraint that the Binary Authorization enforcer enforces at deploy time. Replace EVALUATION_MODE with one of the following options:
ALWAYS_ALLOW: allows all images to be deployed.ALWAYS_DENY: disallows all images from being deployed.REQUIRE_ATTESTATION: allows an image to be deployed if the image has an associated attestation. At deploy time, the enforcer verifies the attestation using the attestors you add to the ATTESTOR list in this rule. To learn about creating attestors, see Creating attestors. If you specifyREQUIRE_ATTESTATION, you must also add arequireAttestationsByblock containing at least one attestor. To learn about creating attestors, see Creating attestors.
ENFORCEMENT_MODE: The enforcement mode specifies how the enforcer responds when an image violates a rule. Replace ENFORCEMENT_MODE with one of the following:
ENFORCED_BLOCK_AND_AUDIT_LOG: block images that violate the rule and log information about the violation to Cloud Audit Logs (default).DRYRUN_AUDIT_LOG_ONLY: allow all images to deploy but log enforcement information, including information about violations, to Cloud Audit Logs.
ATTESTOR: If you set
EVALUATION_MODEtoREQUIRE_ATTESTATION, you must also add a requireAttesationsBy block. In the block, you list one or more attestors, by resource ID. The resource ID has the format:projects/PROJECT_ID/attestors/ATTESTOR_NAME.To learn more about creating attestors, see Creating attestors.
Import the policy YAML file
Import the policy YAML file back into Binary Authorization by entering the following:
gcloud container binauthz policy import /tmp/policy.yaml