Configuring a policy using the Console

This page provides instructions for configuring a Binary Authorization policy using Google Cloud Platform Console. As an alternative, you can also perform these tasks using gcloud commands at the command line. This step is part of setting up Binary Authorization.

Overview

A policy is a set of rules that govern the deployment of one or more container images. When you configure a policy, you:

  • Set the default rule
  • Add any cluster-specific rules (optional)
  • Add any additional exempt images (optional)

Most policies check to see whether all the required attestors have verified that a container image is ready to be deployed. In this case, you must also create attestors when you configure the policy.

Set the default rule

A rule is the part of a policy that defines constraints that container images must pass before they can be deployed. The default rule defines constraints that apply to all non-exempt container images, with the exception of those that have their own cluster-specific rule. Every policy must have a default rule.

To set the default rule:

  1. Go to the Binary Authorization page in the Google Cloud Platform Console.


  2. In the Policy tab, click Edit Policy.

    Screenshot of policy tab showing default rule

  3. Select the evaluation mode for the default rule that specifies the type of constraint that Binary Authorization enforces for the rule.

    Screenshot of the option to choose a default rule type

    The options are:

    • Allow All Images
    • Deny All Images
    • Allow Only Images That Have Been Approved By the Following Attestors
  4. If you selected Allow Only Images That Have Been Approved By the Following Attestors, click Add Attestors to add attestors to your project.

    Screenshot of the option to choose a default rule type

  5. Enter the fully-qualified attestor name in the Attestor Name field. The name has the format projects/PROJECT_ID/attestors/ATTESTOR_NAME.

  6. Click Add Attestor(s).

  7. If you want to use the policy in dryrun mode, select Audit Log But Do Not Block.

    Dryrun mode is an enforcement mode in a policy that allows non-conformant images to be deployed, but writes details about the deployment to the audit log. Dryrun mode allows you to test a policy in your production environment before it goes into effect.

  8. Click Save Policy.

Set cluster-specific rules (optional)

A policy may also contain one or more cluster-specific rules. This type of rule applies only to container images that are to be deployed to a specific Google Kubernetes Engine (GKE) cluster; for that cluster it takes the place of the default rule. Cluster-specific rules are an optional part of a policy.

To add a cluster-specific rule:

  1. Return to the Policy tab in the Binary Authorization page in the Google Cloud Platform Console.

  2. In the Policy tab, click Edit Policy.

  3. Click Add Cluster-Specific Rule.

    Screenshot of cluster-specific rule configuration

  4. Enter a name for the rule in the Cluster Name field.

    Screenshot of add cluster-specific rule window

  5. As with the default rule above, select an evaluation mode for the rule from the options presented:

    • Allow All Images
    • Deny All Images
    • Allow Only Images That Have Been Approved By the Following Attestors
  6. If you selected Allow Only Images That Have Been Approved By the Following Attestors, click Add Attestors to add attestors to your project.

    Screenshot of the option to choose a default rule type

  7. Enter the fully-qualified attestor name in the Attestor Name field. The name has the format projects/PROJECT_ID/attestors/ATTESTOR_NAME.

  8. Click Add Attestor(s).

  9. If you want to use the policy in dryrun mode, select Dry Run Mode.

    Dryrun mode is an enforcement mode in a policy that allows non-conformant images to be deployed, but writes details about the policy violation and deployment to the audit log. Dryrun mode allows you to test a policy in your production environment before it goes into effect.

  10. Click Save Policy.

Manage exempt images

An exempt image is a container image that is exempt from policy rules. Binary Authorization always allows exempt images to be deployed.

Binary Authorization allows you to exempt images in two ways: using an exempt images whitelist and/or global policy evaluation mode. You can combine both means in the same policy.

Each policy can have a whitelist of exempt images specified by their path either in Container Registry or another container image registry. This whitelist is in addition to those images exempted by global policy evaluation mode, if enabled.

Global policy evaluation mode is a policy setting that causes Binary Authorization to evaluate a global policy before evaluating the policy that you configure as a user. The global policy is provided by Google and exempts a list of Google-provided system images from further policy evaluation, so that images required by Google Kubernetes Engine are not blocked by policy enforcement when this setting is enabled. The global policy is evaluated prior to, and in addition to, your own policy; it does not replace it.

To manage exempt images:

  1. Return to the Policy tab in the Binary Authorization page in the Google Cloud Platform Console.

  2. To enable global policy evaluation mode, select Trust All Google-Provided System Images.

    Screenshot of exempt images list

    Click View Details to view the registry paths that are exempted when you select this option.

  3. To manually specify additional exempt images, click the Images Exempt from Deployment Rules drop-down list.

    Then, click Add Image Path and enter the registry path to any additional image you want to exempt.

  4. Click Save Policy.
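The three procedures above (default rule, cluster-specific rules, exempt images) all edit one policy object, and the order in which its parts are consulted at deployment time is what decides whether an image is admitted. The following added example is not Google's code and not the Binary Authorization implementation: it is a small Python model written for this page that uses the field names of a policy file as exported by the gcloud command line (defaultAdmissionRule, clusterAdmissionRules, admissionWhitelistPatterns, globalPolicyEvaluationMode, and the LOCATION.CLUSTER_NAME key for cluster rules) and applies the rules in the order the text describes: global policy exemptions, then the exempt-image whitelist, then the cluster-specific rule for the target cluster or, failing that, the default rule, with dryrun mode letting a violating image through but flagging it for the audit log. The project id, attestor names, cluster names, image names and the two Google system-image patterns are constructed placeholders; the set of attestors that have verified an image is passed in as an input rather than derived from signatures. The pattern matcher follows the documented convention that `*` does not cross a `/` while `**` does.

```python
"""Simplified model of how a Binary Authorization policy is evaluated.

Added example for illustration only (not Google's code). Field names follow
the exported policy format; all identifiers below are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Evaluation modes offered for the default rule and each cluster-specific rule.
ALWAYS_ALLOW = "ALWAYS_ALLOW"              # "Allow All Images"
ALWAYS_DENY = "ALWAYS_DENY"                # "Deny All Images"
REQUIRE_ATTESTATION = "REQUIRE_ATTESTATION"  # "...Approved By the Following Attestors"

# Enforcement modes: block on violation, or audit-log only (dryrun).
ENFORCED = "ENFORCED_BLOCK_AND_AUDIT_LOG"
DRYRUN = "DRYRUN_AUDIT_LOG_ONLY"

# Placeholder subset of registry paths covered by global policy evaluation mode;
# the console's "View Details" shows the list that is actually applied.
GOOGLE_SYSTEM_IMAGE_PATTERNS = ["gke.gcr.io/**", "k8s.gcr.io/**"]

# Required attestor name format: projects/PROJECT_ID/attestors/ATTESTOR_NAME
ATTESTOR_NAME_RE = re.compile(r"^projects/[^/]+/attestors/[^/]+$")

# Constructed policy: what the three console procedures above produce together.
POLICY: Dict = {
    "name": "projects/example-project/policy",
    "globalPolicyEvaluationMode": "ENABLE",           # "Trust All Google-Provided System Images"
    "admissionWhitelistPatterns": [                   # "Images Exempt from Deployment Rules"
        {"namePattern": "gcr.io/example-project/trusted-base/**"},
    ],
    "defaultAdmissionRule": {
        "evaluationMode": REQUIRE_ATTESTATION,
        "enforcementMode": ENFORCED,
        "requireAttestationsBy": [
            "projects/example-project/attestors/build-verified",
            "projects/example-project/attestors/security-scanned",
        ],
    },
    "clusterAdmissionRules": {                        # keyed by LOCATION.CLUSTER_NAME
        "us-central1-a.dev-cluster": {"evaluationMode": ALWAYS_ALLOW, "enforcementMode": ENFORCED},
        "us-central1-a.staging-cluster": {
            "evaluationMode": REQUIRE_ATTESTATION,
            "enforcementMode": DRYRUN,                # "Dry Run Mode": log, do not block
            "requireAttestationsBy": ["projects/example-project/attestors/build-verified"],
        },
    },
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    dryrun_violation: bool = False  # True when only dryrun mode let the image through


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """'**' matches anything including '/', '*' matches anything except '/'."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*"); i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*"); i += 1
        else:
            parts.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(parts) + "$")


def image_matches(pattern: str, image: str) -> bool:
    return pattern_to_regex(pattern).match(image) is not None


def validate_policy(policy: Dict) -> List[str]:
    """Static checks mirroring the page's constraints: a default rule is mandatory,
    and attestor-based rules must name attestors in the fully-qualified format."""
    problems: List[str] = []
    default = policy.get("defaultAdmissionRule")
    if default is None:
        problems.append("no defaultAdmissionRule: every policy must have a default rule")
    rules = ([("defaultAdmissionRule", default)] if default else []) + \
        list(policy.get("clusterAdmissionRules", {}).items())
    for label, rule in rules:
        if rule.get("evaluationMode") == REQUIRE_ATTESTATION:
            names = rule.get("requireAttestationsBy", [])
            if not names:
                problems.append(f"{label}: REQUIRE_ATTESTATION but no attestors listed")
            problems += [f"{label}: malformed attestor name {n!r}"
                         for n in names if not ATTESTOR_NAME_RE.match(n)]
    return problems


def evaluate(policy: Dict, cluster: str, image: str, verified_by: Iterable[str]) -> Decision:
    """Decide admission of `image` into `cluster`; `verified_by` lists the attestors
    whose attestations for this image have already been verified."""
    verified = set(verified_by)
    if policy.get("globalPolicyEvaluationMode") == "ENABLE":      # 1. global policy first
        for p in GOOGLE_SYSTEM_IMAGE_PATTERNS:
            if image_matches(p, image):
                return Decision(True, f"exempt by global policy ({p})")
    for entry in policy.get("admissionWhitelistPatterns", []):    # 2. exempt-image whitelist
        if image_matches(entry["namePattern"], image):
            return Decision(True, f"exempt image ({entry['namePattern']})")
    rule = policy.get("clusterAdmissionRules", {}).get(cluster)   # 3. cluster rule, else default
    scope = "cluster-specific rule" if rule else "default rule"
    rule = rule or policy["defaultAdmissionRule"]
    mode, violation = rule["evaluationMode"], None
    if mode == ALWAYS_DENY:
        violation = f"{scope} denies all images"
    elif mode == REQUIRE_ATTESTATION:
        missing = sorted(set(rule.get("requireAttestationsBy", [])) - verified)
        if missing:
            violation = f"{scope} is missing attestations from: {', '.join(missing)}"
    elif mode != ALWAYS_ALLOW:
        raise ValueError(f"unknown evaluation mode {mode!r}")
    if violation is None:
        return Decision(True, f"{scope} ({mode}) satisfied")
    if rule.get("enforcementMode", ENFORCED) == DRYRUN:           # 4. dryrun: log, do not block
        return Decision(True, f"DRYRUN, would block: {violation}", dryrun_violation=True)
    return Decision(False, violation)


if __name__ == "__main__":
    assert validate_policy(POLICY) == []
    app = "gcr.io/example-project/app@sha256:0000000000000000000000000000000000000000000000000000000000000000"
    for cluster, verified in [("us-central1-a.prod-cluster", []),
                              ("us-central1-a.staging-cluster", []),
                              ("us-central1-a.dev-cluster", [])]:
        d = evaluate(POLICY, cluster, app, verified)
        print(f"{cluster}: allowed={d.allowed} dryrun_violation={d.dryrun_violation} ({d.reason})")
```

Two points the model makes visible that the console does not: the exempt-image whitelist is consulted before any rule, so an image matching a whitelist pattern is admitted even into a cluster whose rule is Deny All Images; and a dryrun rule returns allowed=True with dryrun_violation=True, which is the signal to look for in the audit log when testing a policy in production before switching it to blocking mode.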
