Legacy continuous validation deprecation and shutdown

The Google Cloud Platform Terms of Service (section 1.4(d), "Discontinuation of Services") defines the deprecation policy that applies to Binary Authorization. The deprecation policy only applies to the services, features, or products listed therein.

After a service, feature, or product is officially deprecated, it continues to be available for at least the period of time defined in the Terms of Service. After this period of time, the service is scheduled for shutdown.

Binary Authorization is ending support for legacy continuous validation (legacy CV) with project-singleton policies for GKE.

  • As of April 15, 2024, you can't enable legacy CV for Google Kubernetes Engine (GKE) on new projects.
  • Legacy CV will continue monitoring your GKE Pods through project-singleton policies for existing projects for which it is already enabled until May 1, 2025. After May 1, 2025, legacy CV will no longer monitor your Pods, and Cloud Logging entries will no longer be produced for Pod images that don't conform to the project-singleton Binary Authorization policy.

Replacement: Continuous validation (CV) with check-based platform policies

Monitor your Pods using continuous validation (CV) with check-based platform policies.

In addition to support for attestations, check-based platform policies let you monitor the metadata of container images associated with your Pods to help you mitigate potential security issues. CV check-based policies provide checks that include the following:

  • Vulnerability check: The image is checked for security vulnerabilities that are at a level of severity that you define.
  • Sigstore check: The image has attestations that were signed using Sigstore.
  • SLSA check: The image was built from source in a trusted directory and by a trusted builder.
  • Trusted directory check: The image must reside in a trusted directory within a trusted image repository.

Like legacy continuous validation, CV with check-based policies also logs Pods with non-conformant images to Logging.

If you use legacy continuous validation (legacy CV), see Migration.

For more information on how to use CV with check-based platform policies, see Continuous validation overview.

Migration

To migrate from a legacy CV project-singleton policy to an equivalent check-based platform policy, do the following:

  • For an ALWAYS_ALLOW project-singleton policy, create a check-based platform policy without any checkSet block.
  • For an ALWAYS_DENY project-singleton policy, create a check-based platform policy with a single checkSet block that has an alwaysDeny check.
  • For a project-singleton policy that requires attestations, create a single check-based policy, and for each attestor in the project-singleton policy, add one SimpleSigningAttestationCheck to the check-based policy. By using the same key pair, the check continues to work with your existing attestations, and logs only Pod images that don't have valid attestations.

Check-based platform policies are scoped to a GKE cluster, rather than a Google Cloud project. After you create a check-based platform policy, you can apply that policy to one or more clusters.

To enable CV with check-based platform policies on a cluster, you configure the cluster's Binary Authorization settings when you create or update the cluster; the policy binding cannot be applied to the cluster in any other way.
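The three migration cases in the list above, written out as check-based platform policy files, and the cluster binding step that follows them. This is an added example, not a policy file from the Binary Authorization documentation: the three YAML documents are separate policy files shown together, the attestor names `built-by-ci` and `vuln-scanned` are made up, the PEM bodies are placeholders rather than real keys, and the field names follow the GKE platform policy schema as I understand it (an assumption to confirm against the current API reference before use).

```yaml
# Added example, not from the Binary Authorization docs. Three separate
# check-based platform policy files, one per migration case, joined here
# with "---" for reading; field names are assumed from the platform policy schema.

# Case 1: ALWAYS_ALLOW project-singleton policy.
# No checkSets at all, so every Pod image conforms and CV logs nothing.
gkePolicy: {}
---
# Case 2: ALWAYS_DENY project-singleton policy.
# A single check set whose only check is alwaysDeny, so CV logs every
# Pod image on the bound cluster as non-conformant.
gkePolicy:
  checkSets:
  - displayName: "deny-all"
    checks:
    - displayName: "always-deny"
      alwaysDeny: true
---
# Case 3: project-singleton policy that required attestations from two
# attestors (hypothetical names "built-by-ci" and "vuln-scanned").
# One SimpleSigningAttestationCheck per attestor, each carrying the public
# key that attestor already used, so existing attestations keep verifying
# and CV logs only Pod images that lack a valid attestation for some check.
# The PEM bodies are placeholders, not real keys.
gkePolicy:
  checkSets:
  - displayName: "require-attestations"
    checks:
    - displayName: "built-by-ci"          # replaces attestor "built-by-ci"
      simpleSigningAttestationCheck:
        attestationAuthenticators:
        - displayName: "built-by-ci-key"
          pkixPublicKeySet:
            pkixPublicKeys:
            - publicKeyPem: |
                -----BEGIN PUBLIC KEY-----
                PLACEHOLDER_PEM_BODY_FOR_ATTESTOR_BUILT_BY_CI
                -----END PUBLIC KEY-----
              signatureAlgorithm: ECDSA_P256_SHA256
    - displayName: "vuln-scanned"         # replaces attestor "vuln-scanned"
      simpleSigningAttestationCheck:
        attestationAuthenticators:
        - displayName: "vuln-scanned-key"
          pkixPublicKeySet:
            pkixPublicKeys:
            - publicKeyPem: |
                -----BEGIN PUBLIC KEY-----
                PLACEHOLDER_PEM_BODY_FOR_ATTESTOR_VULN_SCANNED
                -----END PUBLIC KEY-----
              signatureAlgorithm: ECDSA_P256_SHA256
```

Each file is created as its own policy with `gcloud container binauthz policy create POLICY_ID --platform=gke --policy-file=FILE --project=PROJECT_ID`, and then bound to a cluster by updating that cluster with `--binauthz-evaluation-mode=POLICY_BINDINGS --binauthz-policy-bindings=name=projects/PROJECT_ID/platforms/gke/policies/POLICY_ID` (flag names as I recall them from the gcloud reference; treat them as an assumption and check `gcloud container clusters update --help`). The reason case 3 uses one check per attestor rather than one check with several authenticators is that, as I understand the schema, a single check passes as soon as any one of its authenticators verifies an attestation, whereas the old project-singleton policy required an attestation from every attestor; separate checks preserve that "all attestors" requirement.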