Configure a policy using the REST API

This page provides instructions for configuring a Binary Authorization policy by using the REST API. As an alternative, you can also perform these tasks by using the Google Cloud CLI or the Google Cloud console. This step is part of setting up Binary Authorization.

Overview

A policy is a set of rules that govern the deployment of one or more container images.

When you configure a policy using the REST API, you populate values in a JSON format whose structure is identical to the YAML structure used in gcloud interactions with the service. For more information, see Policy YAML Reference.

Configuring a policy requires you to:

  • Export a policy JSON file
  • Add any additional exempt images (optional)
  • Set the default rule
  • Add any cluster-specific rules (optional)
  • Import the policy JSON file

Most real-world policies check to see whether all required attestors have verified that a container image is ready to be deployed. In this case, you must also create attestors when you configure the policy.

Set the default project

Set the default Google Cloud project if you have not already done so:

PROJECT_ID=PROJECT_ID
gcloud config set project ${PROJECT_ID}

where PROJECT_ID is the ID of your project.

Export the policy

This section applies to GKE, GKE clusters, Cloud Run, and Anthos Service Mesh.

Export the policy to a JSON file on your local system:

curl \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "x-goog-user-project: ${PROJECT_ID}" \
    "https://binaryauthorization.googleapis.com/v1/projects/${PROJECT_ID}/policy" \
    -o "/tmp/policy.json"

By default, the file has the following contents:

{
  "name": "projects/PROJECT_ID/policy",
  "admissionWhitelistPatterns": [
    {
      "namePattern": "gcr.io/google_containers/*"
    },
    {
      "namePattern": "gcr.io/google-containers/*"
    },
    {
      "namePattern": "k8s.gcr.io/**"
    },
    {
      "namePattern": "gcr.io/stackdriver-agents/*"
    }
  ],
  "globalPolicyEvaluationMode": "ENABLE",
  "defaultAdmissionRule": {
    "evaluationMode": "ALWAYS_ALLOW",
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }
}

The default admissionWhitelistPatterns list in your policy export might display different image paths from those shown in this guide.

Manage exempt images

This section applies to GKE, GKE clusters, Cloud Run, and Anthos Service Mesh.

An exempt image is a container image that is exempt from policy rules. Binary Authorization always allows exempt images to be deployed.

You specify exempt images by listing their registry paths in admissionWhitelistPatterns. The path can refer to Container Registry or another image registry. The enforcer processes exempt images in admissionWhitelistPatterns after images exempted by system policy evaluation mode.

To add an exempt image, add a namePattern node under an admissionWhitelistPatterns list in the policy JSON file:

{
  "name": "projects/PROJECT_ID/policy",
  "admissionWhitelistPatterns": [
    {
      "namePattern": "MATCHING_PATTERN"
    }
  ],
  ...
}

where MATCHING_PATTERN is the path to a single image in your registry by exact match, or to any images matching a pattern using the wildcard symbol (*, **).

Cloud Run

This section applies to Cloud Run.

You cannot directly specify image names that contain a tag. For example, you cannot specify IMAGE_PATH:latest.

If you want to specify image names that contain tags, you must specify the image name using a wildcard as follows:

  • * for all versions of a single image; for example, us-docker.pkg.dev/myproject/container/hello@*
  • ** for all images in a project; for example, us-docker.pkg.dev/myproject/**

You can use path names to specify a digest in the format IMAGE_PATH@DIGEST.

System policy evaluation mode

This section applies to GKE and GKE clusters.

System policy evaluation mode is a policy setting that causes Binary Authorization to evaluate a system policy before evaluating the policy that you configure. Google manages the system policy, which exempts a list of Google-maintained system images that GKE uses. Images listed in the system policy are not blocked by policy enforcement. If you do not enable the setting, you must manage the list of exempt images yourself. Learn how to Manage exempt images.

You can view the contents of the system policy using the following command:

gcloud alpha container binauthz policy export-system-policy

To enable system policy evaluation mode, add the following top-level node to the policy JSON file:

"globalPolicyEvaluationMode": "ENABLE"

To disable system policy evaluation mode, add the following:

"globalPolicyEvaluationMode": "DISABLE"

You can export the system policy associated with a specific region, as follows:

gcloud alpha container binauthz policy export-system-policy \
  --location=REGION > /tmp/policy.yaml

Replace REGION with the region associated with the system policy that you want to export (or "global"). Examples include: asia-east1, europe-west1, us-central1.

If you omit --location or specify --location=global, the command outputs a system policy from a region in the last group of regions to receive updates. Since most changes to the system policy are additions, the output shows the set of system images that are currently allowed in all regions.

Set the default rule

This section applies to GKE, GKE clusters, Cloud Run, and Anthos Service Mesh.

A rule is the part of a policy that defines constraints that container images must pass before they can be deployed. Every admission request has an associated GKE cluster. If a request doesn't match a cluster-specific rule, the default rule is used.

The default rule is defined in the defaultAdmissionRule node in the policy. For more information on the parts of this rule, see ADMISSION_RULE in the Policy YAML Reference. For examples of default rules, see Example Policies.

To set the default rule, edit the defaultAdmissionRule node in the policy JSON file as required:

  "defaultAdmissionRule": {
    "evaluationMode": "EVAL_MODE",
    "enforcementMode": "ENFORCEMENT_MODE"
    requireAttestationsBy: [
      ATTESTOR,
      ...
    ]
  }

where:

  • EVAL_MODE specifies the type of constraint that Binary Authorization evaluates before allowing a container image to be deployed.
  • ENFORCEMENT_MODE specifies the action that is taken if a container image does not conform to the constraints defined in the rule.
  • ATTESTOR specifies the attestors (if required) that must sign a container image before it can be deployed. Use the fully-qualified path to the attestor in the format projects/PROJECT_ID/attestors/ATTESTOR_NAME.

If your rule checks to see whether all required attestors have signed a container image, you must create attestors before completing this step.

Set cluster-specific rules (optional)

This section applies to GKE and GKE clusters.

A cluster can also have one or more cluster-specific rules. This type of rule applies only to the specified GKE cluster. If a cluster has no rule of its own, the default rule is used. Cluster-specific rules are an optional part of a policy.

Cluster-specific rules are defined in clusterAdmissionRules nodes in the policy JSON file. For more information on the parts of this rule, see ADMISSION_RULE in the Policy YAML Reference. For an example, see Use a cluster-specific rule in Example Policies.

To add a cluster-specific rule:

In the policy JSON file, add a clusterAdmissionRules node:

"clusterAdmissionRules": {
    "us-central1-a.test-cluster": {
      "evaluationMode": "REQUIRE_ATTESTATION",
      "requireAttestationsBy": [
        "ATTESTOR",
        ...
      ],
      "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"
    }
  },

where CLUSTER_SPECIFIER is the resource ID of the cluster to which the rule applies.

  • For GKE, GKE attached clusters, and GKE on AWS, the format is CLUSTER_LOCATION.CLUSTER_NAME—for example, us-central1-a.test-cluster.
  • For GKE on Bare Metal and GKE on VMware, the format is FLEET_MEMBERSHIP_LOCATION.FLEET_MEMBERSHIP_ID—for example, global.test-membership.

The other properties are as described in Set the default rule , earlier in this guide. See Example Policies for an example of a cluster-specific rule.

If your rule checks to see whether all required attestors have signed a container image, you must create attestors before completing this step.

Import the policy JSON file

This section applies to GKE, GKE clusters, Cloud Run, and Anthos Service Mesh.

Import the policy JSON file back into Binary Authorization by entering the following:

curl -X PUT \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "x-goog-user-project: ${PROJECT_ID}" \
    --data-binary @/tmp/policy.json  \
    "https://binaryauthorization.googleapis.com/v1/projects/${PROJECT_ID}/policy"

What's next