Configuring a policy using the Console

This page provides instructions for configuring a Binary Authorization policy using Google Cloud Platform Console. As an alternative, you can also perform these tasks using gcloud commands at the command line or using the REST API. This step is part of setting up Binary Authorization.

Overview

A policy is a set of rules that govern the deployment of one or more container images. When you configure a policy, you:

  • Set the default rule
  • Add any cluster-specific rules (optional)
  • Add any additional exempt images (optional)

Most policies check to see whether all required attestors have verified that a container image is ready to be deployed. In this case, you must also create attestors when you configure the policy.

Set the default rule

A rule is the part of a policy that defines constraints that container images must pass before they can be deployed. The default rule defines constraints that apply to all non-exempt container images, with the exception of those that have their own cluster-specific rule. Every policy has a default rule.

To set the default rule:

  1. Go to the Binary Authorization page in the Google Cloud Platform Console.

  2. Click Edit Policy.

    Screenshot of policy tab showing default rule

  3. Select the evaluation mode for the default rule. This specifies the type of constraint that Binary Authorization enforces for the rule.

    Screenshot of the option to choose a default rule type

    The options are:

    • Allow All Images
    • Deny All Images
    • Allow Only Images That Have Been Approved By the Following Attestors
  4. If you selected Allow Only Images That Have Been Approved By the Following Attestors, click Add Attestors to add attestors to your project.

    Screenshot of the option to choose a default rule type

  5. Enter the fully-qualified attestor name in the Attestor Name field. The name has the format projects/PROJECT_ID/attestors/ATTESTOR_NAME.

  6. Click Add Attestor(s).

  7. If you want to use the policy in dry run mode, select Dry Run Mode.

    Dry run mode is an enforcement mode in a policy that allows non-conformant images to be deployed, but writes details about the deployment to the audit log in Stackdriver Logging. Dry run mode allows you to test a policy in your production environment before it goes into effect.

  8. Click Save Policy.

Set cluster-specific rules (optional)

A cluster may also have one or more cluster-specific rules. This type of rule applies to container images that are to be deployed to specific Google Kubernetes Engine (GKE) clusters only. Cluster-specific rules are an optional part of a policy.

To add a cluster-specific rule:

  1. Go to the Binary Authorization page in the Google Cloud Platform Console.

  2. Click Edit Policy.

  3. Expand the Rules section under Cluster-Specific Rules.

    Screenshot of cluster-specific rule configuration

  4. Enter the resource ID for the cluster in the Cluster Resource ID field. This is the identifier for the cluster in the format location.name (for example, us-central1-a.test-cluster).

    Screenshot of add cluster-specific rule window

  5. As with the default rule above, select an evaluation mode for the rule from the options presented:

    • Allow All Images
    • Deny All Images
    • Allow Only Images That Have Been Approved By the Following Attestors
  6. If you selected Allow Only Images That Have Been Approved By the Following Attestors, click Add Attestors to add attestors to your project.

    Screenshot of the option to choose a default rule type

  7. Enter the fully-qualified attestor name in the Attestor Name field. The name has the format projects/PROJECT_ID/attestors/ATTESTOR_NAME.

  8. Click Add Attestor(s).

  9. If you want to use the policy in dry run mode, select Dry Run Mode.

    Dry run mode is an enforcement mode in a policy that allows non-conformant images to be deployed, but writes details about the deployment to the audit log in Stackdriver Logging. Dry run mode allows you to test a policy in your production environment before it goes into effect.

  10. Click Save Policy.

Manage exempt images

An exempt image is a container image that is exempt from policy rules. Binary Authorization always allows exempt images to be deployed.

Each policy can have a whitelist of exempt images specified by their registry path. This path can be a location either in Container Registry or another container image registry. This whitelist is in addition to those images exempted by global policy evaluation mode, if enabled.

Global policy evaluation mode is a policy setting that causes Binary Authorization to evaluate a global policy before evaluating the policy that you configure as a user. The global policy is provided by Google and exempts a list of Google-provided system images from further policy evaluation. When you have this setting enabled, images that are required by GKE are not blocked by policy enforcement. The global policy is evaluated prior to and in addition to user policy evaluation.

To manage exempt images:

  1. Go to the Binary Authorization page in the Google Cloud Platform Console.

  2. Click Edit Policy.

  3. To enable global policy evaluation mode, select Trust All Google-Provided System Images in the Images Exempt from Deployment Rules section.

    Screenshot of exempt images list

    Click View Details to view the registry paths that are exempted when you select this option.

  4. To manually specify additional exempt images, expand the Images Paths section.

    Then, click Add Image Path and enter the registry path to any additional image you want to exempt.

  5. Click Save Policy.
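The three sections above (default rule, cluster-specific rules, exempt images) describe the same policy object that the REST API returns as JSON and that gcloud exports as YAML. The following linter, added here as an example and not part of Google's documentation or tooling, checks a policy file for the structural rules this page states before you import it: every policy has a default rule, attestor names are fully qualified as projects/PROJECT_ID/attestors/ATTESTOR_NAME, cluster rule keys use the location.name form, and weakening settings (Allow All Images, dry run mode, whole-registry exemptions) are surfaced for review. The field names (defaultAdmissionRule, clusterAdmissionRules, admissionWhitelistPatterns, globalPolicyEvaluationMode, and the evaluation and enforcement mode values) are assumed from the policy resource format and should be confirmed against an export from your own project; the two sample policies are constructed for the example.

```python
"""Lint a Binary Authorization policy (JSON form) against the structural
rules described on this page before importing it."""
import json
import re

# Field names and enum values are assumed to match the Binary Authorization
# policy resource (the JSON the REST API returns); confirm them against a
# policy exported from your own project.
EVALUATION_MODES = {"ALWAYS_ALLOW", "ALWAYS_DENY", "REQUIRE_ATTESTATION"}
ENFORCEMENT_MODES = {"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"}
GLOBAL_MODES = {"ENABLE", "DISABLE"}

# Fully-qualified attestor name: projects/PROJECT_ID/attestors/ATTESTOR_NAME
ATTESTOR_RE = re.compile(r"^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/attestors/[A-Za-z0-9_.-]+$")
# Cluster resource ID: location.name, e.g. us-central1-a.test-cluster
CLUSTER_ID_RE = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+$")


def lint_rule(rule, label):
    """Check one admission rule (default or cluster-specific). Returns a list of findings."""
    findings = []
    evaluation = rule.get("evaluationMode")
    enforcement = rule.get("enforcementMode")
    attestors = rule.get("requireAttestationsBy", [])

    if evaluation not in EVALUATION_MODES:
        findings.append(f"{label}: unknown evaluationMode {evaluation!r}")
    if enforcement not in ENFORCEMENT_MODES:
        findings.append(f"{label}: unknown enforcementMode {enforcement!r}")

    # An attestor list only matters for REQUIRE_ATTESTATION, and then it must not be empty.
    if evaluation == "REQUIRE_ATTESTATION" and not attestors:
        findings.append(f"{label}: REQUIRE_ATTESTATION with no attestors, no image can be admitted")
    if evaluation != "REQUIRE_ATTESTATION" and attestors:
        findings.append(f"{label}: attestors listed but evaluationMode is {evaluation}, so they are ignored")
    for name in attestors:
        if not ATTESTOR_RE.match(name):
            findings.append(f"{label}: attestor {name!r} is not of the form projects/PROJECT_ID/attestors/ATTESTOR_NAME")

    # Settings that weaken enforcement are reported so a reviewer sees them explicitly.
    if evaluation == "ALWAYS_ALLOW":
        findings.append(f"{label}: ALWAYS_ALLOW admits every image without checks")
    if enforcement == "DRYRUN_AUDIT_LOG_ONLY":
        findings.append(f"{label}: dry run mode, non-conformant images are deployed and only audit-logged")
    return findings


def lint_policy(policy):
    """Lint a whole policy dict. An empty result means nothing to flag."""
    findings = []
    default = policy.get("defaultAdmissionRule")
    if default is None:
        findings.append("defaultAdmissionRule is missing; every policy has a default rule")
    else:
        findings += lint_rule(default, "default rule")

    for cluster_id, rule in policy.get("clusterAdmissionRules", {}).items():
        if not CLUSTER_ID_RE.match(cluster_id):
            findings.append(f"cluster rule key {cluster_id!r} must be location.name, e.g. us-central1-a.test-cluster")
        findings += lint_rule(rule, f"cluster {cluster_id}")

    for entry in policy.get("admissionWhitelistPatterns", []):
        pattern = entry.get("namePattern", "")
        if not pattern:
            findings.append("exempt image entry has an empty namePattern")
        elif pattern == "*" or (pattern.endswith("/*") and "/" not in pattern[:-2]):
            # e.g. gcr.io/* exempts every image on that host rather than one repository
            findings.append(f"exempt pattern {pattern!r} exempts an entire registry host")

    mode = policy.get("globalPolicyEvaluationMode", "DISABLE")
    if mode not in GLOBAL_MODES:
        findings.append(f"unknown globalPolicyEvaluationMode {mode!r}")
    return findings


def lint_policy_json(text):
    """Convenience wrapper for a policy given as JSON text."""
    return lint_policy(json.loads(text))


# Constructed sample policies (not taken from any real project).
STRICT_POLICY = json.dumps({
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/example-project/monitoring/*"}],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": ["projects/example-project/attestors/build-verified"],
    },
    "clusterAdmissionRules": {
        "us-central1-a.test-cluster": {
            "evaluationMode": "ALWAYS_DENY",
            "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        }
    },
})

LOOSE_POLICY = json.dumps({
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/*"}],
    "defaultAdmissionRule": {
        "evaluationMode": "ALWAYS_ALLOW",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
    "clusterAdmissionRules": {
        "prod-cluster": {  # missing the location. prefix
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
            "requireAttestationsBy": ["build-verified"],  # not fully qualified
        }
    },
})

if __name__ == "__main__":
    for name, text in (("strict", STRICT_POLICY), ("loose", LOOSE_POLICY)):
        print(f"{name}: {lint_policy_json(text) or ['no findings']}")
```

Run it against a policy exported from your project to see which of the settings chosen in the Console weaken enforcement; the strict sample produces no findings, while the loose one is flagged for its Allow All default rule, the malformed cluster key and attestor name, the dry run rule, and the whole-registry exemption.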
