Deploying containers

This page explains how to deploy a container image to a Google Kubernetes Engine (GKE) cluster where Binary Authorization is enabled. The commands you use for deployment are the same as the ones you use to deploy images to clusters that do not use Binary Authorization.

Before you begin

Install kubectl for interacting with GKE.

Configure kubectl

You must update the local kubeconfig file for your kubectl installation. This provides the credentials and endpoint information required to access the cluster in GKE.

To configure kubectl:

gcloud container clusters get-credentials \
    --zone ZONE \
    CLUSTER_NAME

where:

  • ZONE is the name of the GKE zone where the cluster is running (for example, us-central1-a)
  • CLUSTER_NAME is the name of the cluster

Deploy the container image

You can deploy your image using the kubectl run command. (In kubectl 1.18 and later, kubectl run creates a single Pod rather than a Deployment; the digest requirement below applies in the same way to kubectl create deployment.)

You must deploy the image by digest rather than by a tag such as 1.0 or latest: Binary Authorization looks up attestations by image path and digest, and a tag is only a mutable pointer that anyone with push access to the repository can later re-point at a different, unattested image. The same reference with a tag instead of a digest is rejected by the policy.

To deploy the image:

kubectl run DEPLOYMENT_NAME \
    --image IMAGE_PATH@IMAGE_DIGEST --port 8080

where:

  • DEPLOYMENT_NAME is the name you want to use for the GKE workload
  • IMAGE_PATH@IMAGE_DIGEST is the path and digest of the image in Container Registry or another registry (for example, gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4)
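The following shell script is an added example, not code from this page or from the Binary Authorization tooling. It enforces the digest-only rule in a CI or deploy script before kubectl is ever invoked, and shows how to turn a tag into a digest with gcloud. The function names, the IMAGE_DIGEST_RE pattern, the KUBECTL override variable and the sample references are assumptions made here; the hello-app digest is the one shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the Binary Authorization documentation: refuse to deploy
# any image reference that is not pinned to a sha256 digest. Function names, the
# KUBECTL override and the sample references below are assumptions made here.

# Shape of an acceptable reference: REGISTRY/PATH[:TAG]@sha256:<64 lowercase hex digits>.
# Anything without the @sha256 suffix (a bare tag such as :1.0 or :latest) is rejected:
# a tag is mutable, so whoever can push to the repository can point it at a different
# image later, while Binary Authorization looks attestations up by digest.
IMAGE_DIGEST_RE='^[^@[:space:]]+@sha256:[0-9a-f]{64}$'

# is_digest_ref REF -> exit 0 if REF is digest-pinned, 1 otherwise (prints nothing).
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eq "$IMAGE_DIGEST_RE"
}

# check_image_ref REF -> human-readable verdict, same exit status as is_digest_ref.
check_image_ref() {
  if is_digest_ref "$1"; then
    printf 'OK   %s\n' "$1"
  else
    printf 'FAIL %s (not pinned to a sha256 digest)\n' "$1" >&2
    return 1
  fi
}

# resolve_digest IMAGE_PATH:TAG -> prints IMAGE_PATH@sha256:... by asking the registry.
# Needs gcloud and registry access, so the self-check below does not call it.
resolve_digest() {
  gcloud container images describe "$1" \
    --format='value(image_summary.fully_qualified_digest)'
}

# deploy_by_digest NAME REF [PORT] -> runs "kubectl run" only for a digest-pinned REF.
# Set KUBECTL=echo to print the command instead of contacting a cluster.
deploy_by_digest() {
  name="$1"; ref="$2"; port="${3:-8080}"
  if ! is_digest_ref "$ref"; then
    printf 'refusing to deploy %s: reference is not digest-pinned\n' "$ref" >&2
    return 1
  fi
  "${KUBECTL:-kubectl}" run "$name" --image "$ref" --port "$port"
}

# Constructed sample references. GOOD_REF uses the hello-app digest shown on this page.
GOOD_REF='gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4'
TAG_REF='gcr.io/google-samples/hello-app:1.0'
SHORT_DIGEST_REF='gcr.io/google-samples/hello-app@sha256:c62ead5b'   # truncated digest

check_image_ref "$GOOD_REF"                  # OK
check_image_ref "$TAG_REF" || true           # FAIL: tag only
check_image_ref "$SHORT_DIGEST_REF" || true  # FAIL: not 64 hex digits
```

With KUBECTL=echo, deploy_by_digest prints the exact kubectl run command it would execute, which is a convenient way to review a pipeline step without cluster access. The check deliberately rejects a truncated or uppercase digest as well as a bare tag; a registry always reports the digest as 64 lowercase hex characters, so anything else is a copy error rather than a valid pin.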

Override a policy

Binary Authorization supports a feature known as break-glass that lets you override an authorization policy when you deploy a container image. It is implemented in a way consistent with the Kubernetes admission controller specification: the annotation is the break-glass annotation defined for the ImagePolicyWebhook admission controller. Because break-glass bypasses policy enforcement for that workload, treat it as a privileged operation: restrict who can create pods carrying the annotation, and review the audit log entries it generates (see Viewing audit logs).

The following example shows how to create a GKE pod using break-glass to override a policy:

  1. Create a configuration file in YAML format. This file contains the break-glass annotation as well as other information required to create the pod:

    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-name
      annotations:
        alpha.image-policy.k8s.io/break-glass: "true"
    spec:
      containers:
      - name: container-name
        image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
    

    You can also write the configuration in JSON format if you prefer; the annotation key and value are the same.

  2. Create the pod using kubectl:

    kubectl create -f YAML_FILE
    
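Because the annotation is the entire override mechanism, the thing a security team most wants is to see it coming and to find it afterwards. The following shell script is an added example, not code from this page or from Binary Authorization: it gates manifests that carry the annotation before they reach kubectl, and filters a kubectl pod listing down to pods that were admitted through break-glass. The function names and the sample manifests and pod listing are constructed for the example; the kubectl custom-columns query in the comment is real kubectl syntax.

```shell
#!/usr/bin/env bash
# Added example, not from the Binary Authorization documentation: find break-glass
# overrides (1) in a manifest before it is applied and (2) among running pods.
# Function names and the constructed sample data are assumptions made here.

# The annotation key, with dots escaped for use in an extended regular expression.
BREAKGLASS_RE='alpha\.image-policy\.k8s\.io/break-glass'

# manifest_has_breakglass < MANIFEST -> exit 0 if a YAML or JSON manifest on stdin
# sets the annotation to "true" (quoted or not), 1 otherwise. Suitable as a CI gate
# that routes such manifests to a human reviewer instead of straight to kubectl.
manifest_has_breakglass() {
  grep -Eq "[\"']?${BREAKGLASS_RE}[\"']?[[:space:]]*:[[:space:]]*[\"']?true[\"']?"
}

# Post-deploy inventory. The cluster query that produces one line per pod with the
# annotation value in the third column ("<none>" when absent; dots in the key must
# be backslash-escaped in jsonpath):
#   kubectl get pods -A --no-headers -o custom-columns=\
#   'NAMESPACE:.metadata.namespace,NAME:.metadata.name,BREAKGLASS:.metadata.annotations.alpha\.image-policy\.k8s\.io/break-glass'
# list_breakglass_pods < THAT_OUTPUT -> prints NAMESPACE/NAME for each pod that was
# admitted through break-glass.
list_breakglass_pods() {
  awk '$3 == "true" { print $1 "/" $2 }'
}

# Constructed sample inputs (no cluster needed). The first manifest is the one from
# this page; the pod listing is made up to show the filter.
BREAKGLASS_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: pod-name
  annotations:
    alpha.image-policy.k8s.io/break-glass: "true"
spec:
  containers:
  - name: container-name
    image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4'

PLAIN_MANIFEST='apiVersion: v1
kind: Pod
metadata:
  name: hello-app
spec:
  containers:
  - name: hello-app
    image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4'

SAMPLE_PODS='default       hello-server-579859fb5b-h2k8s   <none>
default       pod-name                        true
kube-system   kube-dns-5c4d6f6b4b-x2q9p       <none>
payments      hotfix-7d9f8                    true'

printf '%s\n' "$BREAKGLASS_MANIFEST" | manifest_has_breakglass && echo 'manifest uses break-glass: needs review'
printf '%s\n' "$PLAIN_MANIFEST" | manifest_has_breakglass || echo 'manifest is clean'
printf '%s\n' "$SAMPLE_PODS" | list_breakglass_pods   # default/pod-name, payments/hotfix-7d9f8
```

The manifest check is intentionally a plain text match, so it also fires on the JSON spelling of the annotation and on a commented-out copy; for a review gate, over-reporting is the right failure mode. The pod inventory only sees pods that still exist, so the audit logs remain the authoritative record of every break-glass admission.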

Verify that an image is running

To verify that the image is running, enter the following:

kubectl get pods

The command prints output similar to the following, which indicates that the image was admitted by the policy and the pod is running. If Binary Authorization denies the image, the Pod object is never created: a direct kubectl run fails with the denial message from the admission webhook, and for a Deployment the denial is recorded as a FailedCreate event on its ReplicaSet (visible with kubectl describe on the ReplicaSet).

NAME                            READY     STATUS    RESTARTS   AGE
hello-server-579859fb5b-h2k8s   1/1       Running   0          1m

View audit logs

For more information on viewing enforcement status and deployment messages in Stackdriver Logging, see Viewing audit logs.
