Configure a policy using the Google Cloud console

This page provides instructions for configuring a Binary Authorization policy by using the Google Cloud console. As an alternative, you can perform these tasks by using the Google Cloud CLI or the REST API. This step is part of setting up Binary Authorization.

A policy is a set of rules that govern the deployment of one or more container images.

Before you begin

  1. Enable Binary Authorization.

  2. Enable Binary Authorization for your platform:

  3. If you intend to use attestations, we recommend that you create attestors before configuring the policy. You can create attestors using the Google Cloud console or through a command-line tool.

  4. Select the project ID for the project in which you enabled Binary Authorization.

Set the default rule

This section applies to GKE, GKE clusters, Cloud Run, and Anthos Service Mesh.

A rule is the part of a policy that defines constraints that images must satisfy before they can be deployed. The default rule defines constraints that apply to all non-exempt container images that don't have their own cluster-specific rules. Every policy has a default rule.

To set the default rule, do the following:

  1. In the Google Cloud console, go to the Binary Authorization page.

    Go to the Binary Authorization page

  2. Click the Policy tab.

  3. Click Edit Policy.

  4. Set the evaluation mode for the default rule.

    The evaluation mode specifies the type of constraint that Binary Authorization enforces at deploy time. To set the evaluation mode, select one of the following options:

    • Allow all images: Allows all images to be deployed.
    • Deny all images: Disallows all images from being deployed.
    • Allow only images that have been approved by the following attestors: Allows an image to be deployed if the image has one or more attestations that can be verified by all of the attestors that you add to this rule. To learn about creating attestors, see Creating attestors.

    If you selected Allow only images that have been approved by the following attestors:

    1. Get the name or resource ID of your attestor.

      In the Google Cloud console, on the Attestors page, you can view your existing attestors, or create a new one.

      Go to the Binary Authorization Attestors page

    2. Click Add Attestors.

    3. Select one of the following options:

      • Add by project and attestor name

        The project refers to the project ID of the project that stores your attestors. An example of an attestor name is build-qa.

      • Add by attestor resource ID

        A resource ID has the format:

        projects/PROJECT_ID/attestors/ATTESTOR_NAME
        
    4. Under Attestors, enter appropriate value(s) for the option you selected.

    5. Click Add Another Attestor if you want to add additional attestors.

    6. Click Add Attestor(s) to save the rule.

If you want to enable dry run mode, do the following:

  1. Select Dry Run Mode.

  2. Click Save Policy.

Set cluster-specific rules (optional)

This section applies to GKE, GKE clusters, and Anthos Service Mesh.

A policy can also have one or more cluster-specific rules. This type of rule applies to container images that are to be deployed to specific Google Kubernetes Engine (GKE) clusters only. Cluster-specific rules are an optional part of a policy.

Add a cluster-specific rule (GKE)

This section applies to GKE and GKE clusters.

To add a cluster-specific rule for a GKE cluster, do the following:

  1. In the Google Cloud console, go to the Binary Authorization page.

    Go to the Binary Authorization page

  2. Click the Policy tab.

  3. Click Edit Policy.

  4. Expand the Additional settings for GKE and GKE Enterprise deployments section.

  5. If no specific rule type is set, click Create Specific Rules.

    1. To select the rule type, click Specific Rule Type.

    2. To change the rule type, click Change.

  6. Click Add Specific Rule.

  7. In the Cluster resource ID field, enter the resource ID for the cluster.

    The resource ID for the cluster has the format LOCATION.NAME, for example, us-central1-a.test-cluster.

  8. Set the evaluation mode for the default rule.

    The evaluation mode specifies the type of constraint that Binary Authorization enforces at deploy time. To set the evaluation mode, select one of the following options:

    • Allow all images: Allows all images to be deployed.
    • Deny all images: Disallows all images from being deployed.
    • Allow only images that have been approved by the following attestors: Allows an image to be deployed if the image has one or more attestations that can be verified by all of the attestors that you add to this rule. To learn about creating attestors, see Creating attestors.

    If you selected Allow only images that have been approved by the following attestors:

    1. Get the name or resource ID of your attestor.

      In the Google Cloud console, on the Attestors page, you can view your existing attestors, or create a new one.

      Go to the Binary Authorization Attestors page

    2. Click Add Attestors.

    3. Select one of the following options:

      • Add by project and attestor name

        The project refers to the project ID of the project that stores your attestors. An example of an attestor name is build-qa.

      • Add by attestor resource ID

        A resource ID has the format:

        projects/PROJECT_ID/attestors/ATTESTOR_NAME
        
    4. Under Attestors, enter appropriate value(s) for the option you selected.

    5. Click Add Another Attestor if you want to add additional attestors.

    6. Click Add Attestor(s) to save the rule.

  9. Click Add to add the cluster-specific rule.

    You might see a message that reads, "It looks like this cluster doesn't exist. This rule will still take effect if this cluster becomes available in GKE in the future." If so, click Add again to save the rule.

  10. If you want to enable dry run mode, select Dry Run Mode.

  11. Click Save Policy.

Add a cluster-specific rule (GKE clusters)

This section applies to GKE clusters.

To add a cluster-specific rule for an GKE cluster, do the following:

  1. In the Google Cloud console, go to the Binary Authorization page.

    Go to the Binary Authorization page

  2. Click the Policy tab.

  3. Click Edit Policy.

  4. Expand the Additional settings for GKE and GKE Enterprise deployments section.

  5. If no specific rule type is set, click Create Specific Rules.

    1. To select the rule type, click Specific Rule Type.

    2. To update the rule type, click Change.

  6. Click Add Specific Rule.

  7. In the Cluster resource ID field, enter the resource ID for the cluster.

    • For GKE attached clusters, and GKE on AWS, the format is CLUSTER_LOCATION.CLUSTER_NAME—for example, us-central1-a.test-cluster.
    • For GKE on Bare Metal and GKE on VMware, the format is FLEET_MEMBERSHIP_LOCATION.FLEET_MEMBERSHIP_ID—for example, global.test-membership.
  8. Set the evaluation mode for the default rule.

    The evaluation mode specifies the type of constraint that Binary Authorization enforces at deploy time. To set the evaluation mode, select one of the following options:

    • Allow all images: Allows all images to be deployed.
    • Deny all images: Disallows all images from being deployed.
    • Allow only images that have been approved by the following attestors: Allows an image to be deployed if the image has one or more attestations that can be verified by all of the attestors that you add to this rule. To learn about creating attestors, see Creating attestors.

    If you selected Allow only images that have been approved by the following attestors:

    1. Get the name or resource ID of your attestor.

      In the Google Cloud console, on the Attestors page, you can view your existing attestors, or create a new one.

      Go to the Binary Authorization Attestors page

    2. Click Add Attestors.

    3. Select one of the following options:

      • Add by project and attestor name

        The project refers to the project ID of the project that stores your attestors. An example of an attestor name is build-qa.

      • Add by attestor resource ID

        A resource ID has the format:

        projects/PROJECT_ID/attestors/ATTESTOR_NAME
        
    4. Under Attestors, enter appropriate value(s) for the option you selected.

    5. Click Add Another Attestor if you want to add additional attestors.

    6. Click Add Attestor(s) to save the rule.

  9. Click Add to save the rule.

    You might see a message that reads "It looks like this cluster doesn't exist. This rule still takes effect if the specified cluster becomes available in GKE in the future." In this case, click Add again to save the rule.

  10. If you want to enable dry run mode, select Dry Run Mode.

  11. Click Save Policy.

Add specific rules

You can create rules that are scoped to either a mesh service identity, a Kubernetes service account, or a Kubernetes namespace. You can add or modify a specific rule as follows:

  1. In the Google Cloud console, go to the Binary Authorization page.

    Go to the Binary Authorization page

  2. Click the Policy tab.

  3. Click Edit Policy.

  4. Expand the Additional settings for GKE and Anthos deployments section.

  5. If no specific rule type is set, click Create Specific Rules.

    1. Click Specific Rule Type to select the rule type.

    2. Click Change to update the rule type.

  6. If the specific rule type exists, you can change the rule type by clicking Edit Type.

  7. To add a specific rule, click Add Specific Rule. Depending on the rule type you choose, you enter an ID, as follows:

    • ASM Service Identity: Enter your ASM service identity, which has the following format: PROJECT_ID.svc.id.goog/ns/NAMESPACE/sa/SERVICE_ACCOUNT
    • Kubernetes Service Account: Enter your Kubernetes service account, which has the following format: NAMESPACE:SERVICE_ACCOUNT.
    • Kubernetes Namespace: Enter your Kubernetes namespace, which has the following format: NAMESPACE

    Replace the following, as required, depending on the rule type:

    • PROJECT_ID: the project ID in which you define your Kubernetes resources.
    • NAMESPACE: the Kubernetes namespace.
    • SERVICE_ACCOUNT: the service account.
  8. Set the evaluation mode for the default rule.

    The evaluation mode specifies the type of constraint that Binary Authorization enforces at deploy time. To set the evaluation mode, select one of the following options:

    • Allow all images: Allows all images to be deployed.
    • Deny all images: Disallows all images from being deployed.
    • Allow only images that have been approved by the following attestors: Allows an image to be deployed if the image has one or more attestations that can be verified by all of the attestors that you add to this rule. To learn about creating attestors, see Creating attestors.

    If you selected Allow only images that have been approved by the following attestors:

    1. Get the name or resource ID of your attestor.

      In the Google Cloud console, on the Attestors page, you can view your existing attestors, or create a new one.

      Go to the Binary Authorization Attestors page

    2. Click Add Attestors.

    3. Select one of the following options:

      • Add by project and attestor name

        The project refers to the project ID of the project that stores your attestors. An example of an attestor name is build-qa.

      • Add by attestor resource ID

        A resource ID has the format:

        projects/PROJECT_ID/attestors/ATTESTOR_NAME
        
    4. Under Attestors, enter appropriate value(s) for the option you selected.

    5. Click Add Another Attestor if you want to add additional attestors.

    6. Click Add Attestor(s) to save the rule.

  9. Click Dry run mode to enable dry run mode.

  10. Click Add to save the specific rule.

  11. Click Save Policy.

Manage exempt images

This section applies to GKE, GKE clusters, Cloud Run, and Anthos Service Mesh.

An exempt image is an image, specified by a path, that is exempt from policy rules. Binary Authorization always allows exempt images to be deployed.

This path can specify a location either in Container Registry or another container image registry.

Cloud Run

This section applies to Cloud Run.

You cannot directly specify image names that contain a tag. For example, you cannot specify IMAGE_PATH:latest.

If you want to specify image names that contain tags, you must specify the image name using a wildcard as follows:

  • * for all versions of a single image; for example, us-docker.pkg.dev/myproject/container/hello@*
  • ** for all images in a project; for example, us-docker.pkg.dev/myproject/**

You can use path names to specify a digest in the format IMAGE_PATH@DIGEST.

Enable the system policy

This section applies to GKE and GKE clusters.

Trust all Google-provided system images is a policy setting that enables the Binary Authorization system policy. When this setting is enabled at deploy time, Binary Authorization exempts a list of Google-maintained system images that are required by GKE from further policy evaluation. The system policy is evaluated before any of your other policy settings.

To enable the system policy, do the following:

  1. Go to the Binary Authorization page in Google Cloud console.

    Go to Binary Authorization

  2. Click Edit Policy.

  3. Expand the Additional settings for GKE and Anthos deployments section.

  4. Select Trust all Google provided system images in the Google system image exemption section.

    To view the images exempted by the system policy, click View Details.

  5. To manually specify additional exempt images, expand the Custom exemption rules section under Images exempt from this policy.

    Then, click Add Image Pattern and enter the registry path to any additional image you want to exempt.

  6. Click Save Policy.

What's next