Enabling the service with Anthos Config Management

This guide describes how to enable Binary Authorization using Anthos Config Management. It assumes you have Anthos Config Management and the Config Management Operator installed and configured, and know how to configure the Operator using a YAML file.

Alternatively, you can enable Binary Authorization through Google Kubernetes Engine.

Before you begin

  • You must have an Anthos entitlement.
  • You must have Anthos Config Management installed and the Operator configured.

Enable Binary Authorization in the Operator

The following steps configure Anthos Config Management to enable Binary Authorization on one or more clusters.

  1. Update the Operator.

    In this step you edit the Operator configuration file as follows:

    1. Add the binauthz block to the spec block:

      binauthz:
        enabled: true
        # Information needed to determine which policy to enforce
        policyRef:
          gkeCluster:
            # The name (or ID) of the GCP project containing the cluster
            project: project-id
            # Location of this cluster
            location: zone
            # The name of the cluster.
            name: cluster-name
      
    2. Update the fields as follows:

      • Set enabled to true.
      • Set project to the project ID.
      • Set location to the zone in which this cluster runs, for example us-central1-c.
      • Set name to the name of the cluster, which can be found in the Google Kubernetes Engine menu.


      The top of config-management.yaml should then look like the following:

      apiVersion: configmanagement.gke.io/v1
      kind: ConfigManagement
      metadata:
        name: config-management
      spec:
        # Set to true to install and enable Binary Authorization
        binauthz:
          enabled: true
          # Information needed to determine which policy to enforce
          policyRef:
            gkeCluster:
              # The name (or ID) of the GCP project containing the cluster
              project: my-project
              # Location of this cluster
              location: us-central1-c
              # The name of the cluster.
              name: my-gke-cluster
      
  2. Update the Operator object:

    kubectl apply -f config-management.yaml
    

    At this point, Binary Authorization should start to enforce the policy.

  3. Verify the installation.

    To verify that Anthos Config Management enabled Binary Authorization, check that the binauthz ValidatingWebhookConfiguration (the admission webhook that enforces the policy) is present by entering the following command:

    kubectl get validatingwebhookconfigurations binauthz
    

    The output is similar to the following:

    NAME       CREATED AT
    binauthz   yyyy-mm-dd-xxxx
    
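As an added example that is not part of this page or of Anthos Config Management, the POSIX shell script below performs two checks around the procedure above: before `kubectl apply`, it confirms that the binauthz block in config-management.yaml has enabled set to true and that project, location and name under policyRef.gkeCluster are filled in rather than left as the template placeholders (project-id, zone, cluster-name); after apply, it checks the output of `kubectl get validatingwebhookconfigurations binauthz` for the binauthz row. The field extraction is a simple awk scan that assumes the flat `key: value` layout shown on this page, and all inputs are constructed samples.

```shell
#!/bin/sh
# Added example (not Anthos Config Management code): pre-apply lint for the binauthz block
# and a post-apply check of the webhook listing. Assumes the flat "key: value" YAML layout
# shown in the procedure above; the placeholder names are those of the template above.

# Constructed sample config with the template fields filled in.
SAMPLE_CONFIG='apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  # Set to true to install and enable Binary Authorization
  binauthz:
    enabled: true
    policyRef:
      gkeCluster:
        project: my-project      # GCP project containing the cluster
        location: us-central1-c
        name: my-gke-cluster
'

# Constructed sample in which the template placeholders were never replaced.
TEMPLATE_CONFIG='spec:
  binauthz:
    enabled: true
    policyRef:
      gkeCluster:
        project: project-id
        location: zone
        name: cluster-name
'

# Constructed sample of what `kubectl get validatingwebhookconfigurations binauthz` prints.
WEBHOOK_OUTPUT='NAME       CREATED AT
binauthz   yyyy-mm-dd-xxxx'

# Print the value of a scalar key that sits inside the binauthz block (first match wins).
# usage: binauthz_field <file> <key>
binauthz_field() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comment and blank lines
    { match($0, /^ */); ind = RLENGTH }              # leading-space count = nesting depth
    inb && ind <= bind { inb = 0 }                   # back at or above binauthz: block ended
    $1 == "binauthz:" { inb = 1; bind = ind; next }
    inb { sub(/[[:space:]]*#.*$/, ""); if ($1 == (key ":")) { print $2; exit } }
  ' "$1"
}

# Exit 0 only when the block would enable enforcement with a complete, non-template
# policy reference; otherwise report the first problem on stderr and exit 1.
# usage: lint_binauthz <file>
lint_binauthz() {
  enabled=$(binauthz_field "$1" enabled)
  if [ "$enabled" != "true" ]; then
    echo "binauthz.enabled is '${enabled:-unset}', expected true" >&2
    return 1
  fi
  for k in project location name; do
    v=$(binauthz_field "$1" "$k")
    case "$v" in
      "") echo "policyRef.gkeCluster.$k is unset" >&2; return 1 ;;
      project-id|zone|cluster-name)
        echo "policyRef.gkeCluster.$k still holds the template placeholder '$v'" >&2
        return 1 ;;
    esac
  done
  echo "ok: binauthz enabled, policy taken from" \
    "$(binauthz_field "$1" project)/$(binauthz_field "$1" location)/$(binauthz_field "$1" name)"
}

# Exit 0 only when stdin (the kubectl listing) contains a row named binauthz,
# i.e. the admission webhook has been registered by the Operator.
# usage: kubectl get validatingwebhookconfigurations binauthz | webhook_registered
webhook_registered() {
  awk 'NR > 1 && $1 == "binauthz" { found = 1 } END { exit !found }'
}

# Stand-alone run on the constructed samples.
tmp=$(mktemp)
printf '%s' "$SAMPLE_CONFIG" > "$tmp"
lint_binauthz "$tmp"
printf '%s' "$TEMPLATE_CONFIG" > "$tmp"
lint_binauthz "$tmp" || echo "template placeholders rejected as expected"
printf '%s\n' "$WEBHOOK_OUTPUT" | webhook_registered && echo "binauthz webhook registered"
rm -f "$tmp"
```

In practice, run `lint_binauthz config-management.yaml` before step 2 and pipe the real `kubectl get validatingwebhookconfigurations binauthz` output into `webhook_registered` after it; a missing row means the Operator has not (yet) installed the webhook, so no policy is being enforced on that cluster.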

Uninstalling Binary Authorization

To uninstall Binary Authorization, edit the Operator configuration in config-management.yaml as follows:

  1. Set binauthz.enabled to false.

  2. Update the Operator object:

    kubectl apply -f config-management.yaml
    

After the Operator removes the Binary Authorization ValidatingWebhookConfiguration, uninstallation is complete.
