This page provides instructions for configuring a Binary Authorization policy using the Google Cloud Console. As an alternative, you can also perform these tasks using gcloud commands at the command line or using the REST API. This step is part of setting up Binary Authorization.
Overview
A policy is a set of rules that govern the deployment of one or more container images. When you configure a policy, you:
- Set the default rule
- Add any cluster-specific rules (optional)
- Add any additional exempt images (optional)
Most policies check to see whether all required attestors have verified that a container image is ready to be deployed. In this case, you must also create attestors when you configure the policy.
Set the default rule
A rule is the part of a policy that defines constraints that container images must pass before they can be deployed. The default rule defines constraints that apply to all non-exempt container images, with the exception of those that have their own cluster-specific rule. Every policy has a default rule.
To set the default rule:
Go to the Binary Authorization page in the Google Cloud Console.
Click Edit Policy.
Select the evaluation mode for the default rule. This specifies the type of constraint that Binary Authorization enforces for the rule.
The options are:
- Allow All Images
- Deny All Images
- Allow Only Images That Have Been Approved By the Following Attestors
If you selected Allow Only Images That Have Been Approved By the Following Attestors, click Add Attestors to add attestors to your project.
Enter the fully-qualified attestor name in the Attestor Name field. The name has the format:
projects/PROJECT_ID/attestors/ATTESTOR_NAME
Click Add Attestor(s).
If you want to use the policy in dry run mode, select Dry Run Mode.
Dry run mode is an enforcement mode in a policy that allows non-conformant images to be deployed, but writes details about the deployment to the audit log in Cloud Logging. Dry run mode allows you to test a policy in your production environment before it goes into effect.
Click Save Policy.
Set cluster specific rules (optional)
A cluster may also have one or more cluster-specific rules. This type of rule applies to container images that are to be deployed to specific Google Kubernetes Engine (GKE) clusters only. Cluster-specific rules are an optional part of a policy.
To add a cluster-specific rule:
Go to the Binary Authorization page in the Google Cloud Console.
Click Edit Policy.
Expand the Rules section under Cluster-Specific Rules.
Click Add Rule.
In the Cluster resource ID field, enter the resource ID for the cluster.
Google Kubernetes Engine (GKE): the resource ID for the cluster has the format LOCATION.NAME, for example, us-central1-a.test-cluster.
Anthos clusters on VMware (GKE on-prem): the resource ID has the format global.CLUSTER_ID. Learn how to get the cluster resource ID for an Anthos clusters on VMware cluster.
As with the default rule above, select an evaluation mode for the rule from the options presented:
- Allow All Images
- Deny All Images
- Allow Only Images That Have Been Approved By the Following Attestors
If you selected Allow Only Images That Have Been Approved By the Following Attestors, click Add Attestors to add attestors to your project.
Enter the fully-qualified attestor name in the Attestor Name field. The name has the format:
projects/PROJECT_ID/attestors/ATTESTOR_NAME
Click Add Attestor(s).
Click Add to add the cluster-specific rule.
You might see a message that reads, "It looks like this cluster doesn't exist. This rule will still take effect if this cluster becomes available in GKE in the future." If so, click Add again to save the rule.
If you want to use the policy in dry run mode, select Dry Run Mode.
Dry run mode is an enforcement mode in a policy that allows non-conformant images to be deployed, but writes details about the deployment to the audit log in Cloud Logging. Dry run mode allows you to test a policy in your production environment before it goes into effect.
Click Save Policy.
Manage exempt images
An exempt image is a container image that is exempt from policy rules. Binary Authorization always allows exempt images to be deployed.
Each policy can have an allowlist of exempt images specified by their registry path. This path can be a location either in Container Registry or another container image registry. This allowlist is in addition to those images exempted by global policy evaluation mode, if enabled.
Trust all Google-maintained system images is a policy setting that causes Binary Authorization to exempt a list of Google-maintained system images from further policy evaluation. When you have this setting enabled, images that are required by GKE are not blocked by policy enforcement. This setting is evaluated prior to your other policy settings.
To exempt all Google-maintained images from enforcement by Binary Authorization:
Go to the Binary Authorization page in the Google Cloud Console.
Click Edit Policy.
Select Trust All Google-Provided System Images in the Images Exempt from Deployment Rules section.
To manually specify additional exempt images, expand the Images Paths section.
Then, click Add Image Path and enter the registry path to any additional image you want to exempt.
Click Save Policy.
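The three procedures above (default rule, cluster-specific rules, exempt images) all edit one policy document, and the gcloud alternative mentioned at the top of the page works on that document as YAML. The following added example, which is not Google's code and not part of this page, models that policy in Python: it builds rules with the evaluation and enforcement modes the Console exposes, validates attestor names and cluster resource IDs against the formats given above, and walks a candidate deployment through the policy in the order the page describes (Google-maintained system images first, then the exempt-image allowlist, then the cluster-specific rule, then the default rule), reporting dry-run outcomes separately. Field names (defaultAdmissionRule, clusterAdmissionRules, admissionWhitelistPatterns, globalPolicyEvaluationMode, evaluationMode, enforcementMode, requireAttestationsBy and their enum values) follow the Binary Authorization policy YAML; the wildcard semantics for exempt-image patterns, the project and attestor IDs, and the sample policy are assumptions constructed for the example.

```python
"""Build, validate, and dry-evaluate a Binary Authorization policy (added example, not Google's code)."""
import re

# Format from the page: projects/PROJECT_ID/attestors/ATTESTOR_NAME (project ID rules are an assumption)
ATTESTOR_NAME_RE = re.compile(r"^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/attestors/[A-Za-z0-9_-]+$")
# Format from the page: LOCATION.NAME for GKE, global.CLUSTER_ID for Anthos clusters on VMware
CLUSTER_ID_RE = re.compile(r"^(?:global|[a-z0-9-]+)\.[a-z0-9-]+$")
# Console labels "Allow All Images", "Deny All Images", "Allow Only Images ... Attestors" map to these values
EVALUATION_MODES = {"ALWAYS_ALLOW", "ALWAYS_DENY", "REQUIRE_ATTESTATION"}
ENFORCEMENT_MODES = {"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_AND_LOG"}


def make_rule(evaluation_mode, attestors=(), dry_run=False):
    """Build one admission rule; "Dry Run Mode" in the Console is the DRYRUN enforcement mode."""
    rule = {
        "evaluationMode": evaluation_mode,
        "enforcementMode": "DRYRUN_AUDIT_AND_LOG" if dry_run else "ENFORCED_BLOCK_AND_AUDIT_LOG",
    }
    if attestors:
        rule["requireAttestationsBy"] = list(attestors)
    return rule


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy is well-formed."""
    problems = []
    rules = [("defaultAdmissionRule", policy.get("defaultAdmissionRule"))]
    for cluster_id, rule in policy.get("clusterAdmissionRules", {}).items():
        if not CLUSTER_ID_RE.match(cluster_id):
            problems.append(f"cluster resource ID {cluster_id!r} is not LOCATION.NAME or global.CLUSTER_ID")
        rules.append((f"clusterAdmissionRules[{cluster_id}]", rule))
    for label, rule in rules:
        if rule is None:
            problems.append(f"{label}: missing (every policy has a default rule)")
            continue
        if rule.get("evaluationMode") not in EVALUATION_MODES:
            problems.append(f"{label}: unknown evaluationMode {rule.get('evaluationMode')!r}")
        if rule.get("enforcementMode") not in ENFORCEMENT_MODES:
            problems.append(f"{label}: unknown enforcementMode {rule.get('enforcementMode')!r}")
        attestors = rule.get("requireAttestationsBy", [])
        if rule.get("evaluationMode") == "REQUIRE_ATTESTATION" and not attestors:
            problems.append(f"{label}: REQUIRE_ATTESTATION without any attestors")
        for name in attestors:
            if not ATTESTOR_NAME_RE.match(name):
                problems.append(f"{label}: attestor {name!r} is not projects/PROJECT_ID/attestors/ATTESTOR_NAME")
    return problems


def _pattern_matches(pattern, image):
    """Assumption: '*' matches within one path component, '**' spans components."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, image) is not None


def evaluate(policy, image, cluster_id, verified_by=(), google_system_image=False):
    """Return (verdict, reason); verdict is ALLOW, DENY, or DRY_RUN_ALLOW.

    google_system_image stands in for the service's own list of Google-maintained images.
    """
    # The trust-Google-images setting is evaluated before everything else.
    if google_system_image and policy.get("globalPolicyEvaluationMode") == "ENABLE":
        return "ALLOW", "Google-maintained system image exempted before other rules"
    # Exempt image paths are always allowed.
    for entry in policy.get("admissionWhitelistPatterns", []):
        if _pattern_matches(entry["namePattern"], image):
            return "ALLOW", f"matches exempt image path {entry['namePattern']}"
    # A cluster-specific rule overrides the default rule for that cluster only.
    rule = policy.get("clusterAdmissionRules", {}).get(cluster_id)
    scope = f"cluster-specific rule for {cluster_id}"
    if rule is None:
        rule, scope = policy["defaultAdmissionRule"], "default rule"
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        return "ALLOW", f"{scope}: Allow All Images"
    if mode == "ALWAYS_DENY":
        reason = f"{scope}: Deny All Images"
    else:
        missing = [a for a in rule.get("requireAttestationsBy", []) if a not in set(verified_by)]
        if not missing:
            return "ALLOW", f"{scope}: all required attestors have verified the image"
        reason = f"{scope}: missing attestations from {missing}"
    # Dry run: the non-conformant image deploys, but the decision is written to the audit log.
    if rule["enforcementMode"] == "DRYRUN_AUDIT_AND_LOG":
        return "DRY_RUN_ALLOW", reason + " (dry run: deployed, logged to Cloud Logging)"
    return "DENY", reason


ATTESTOR = "projects/example-project/attestors/build-verifier"  # constructed sample name
EXAMPLE_POLICY = {  # constructed sample policy; cluster ID taken from the page's example
    "name": "projects/example-project/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/example-project/monitoring-agent:*"}],
    "defaultAdmissionRule": make_rule("ALWAYS_DENY"),
    "clusterAdmissionRules": {
        "us-central1-a.test-cluster": make_rule("REQUIRE_ATTESTATION", [ATTESTOR], dry_run=True),
        "global.onprem-cluster": make_rule("REQUIRE_ATTESTATION", [ATTESTOR]),
    },
}

if __name__ == "__main__":
    print("problems:", validate_policy(EXAMPLE_POLICY))
    for cluster in ("us-central1-a.test-cluster", "global.onprem-cluster", "europe-west1-b.other"):
        print(cluster, evaluate(EXAMPLE_POLICY, "gcr.io/example-project/app:1.0", cluster))
```

Running the script shows the same unattested image deploying with an audit-log entry on the dry-run cluster, being blocked on the enforced on-prem cluster, and being blocked by the Deny All Images default rule on a cluster with no rule of its own; validate_policy catches the two configuration mistakes the Console steps are most likely to produce, an attestor-gated rule with no attestors and a cluster ID missing its location prefix.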