This guide describes how to enable Binary Authorization using Anthos Config Management. It assumes you have Anthos Config Management and the Config Management Operator installed and configured, and know how to configure the Operator using a YAML file.
Alternatively, you can enable Binary Authorization through Google Kubernetes Engine.
Before you begin
- You must have an Anthos entitlement.
- You must have Anthos Config Management installed and the Operator configured.
Enable Binary Authorization in the Operator
The following steps configure Anthos Config Management to enable Binary Authorization on one or more clusters.
Update the Operator.
In this step you edit the Operator configuration file as follows:
Add the binauthz block to the spec block:
binauthz:
  enabled: true
  # Information needed to determine which policy to enforce
  policyRef:
    gkeCluster:
      # The name (or ID) of the GCP project containing the cluster
      project: project-id
      # Location of this cluster
      location: zone
      # The name of the cluster.
      name: cluster-name
Update the fields as follows:
- Set enabled to true.
- Set project to the project ID.
- Set location to the zone in which this cluster runs, for example us-central1-c.
- Set name to the name of the cluster, which can be found in the Google Kubernetes Engine menu.
The top of the config-management.yaml file should look like:
apiVersion: configmanagement.gke.io/v1
kind: ConfigManagement
metadata:
  name: config-management
spec:
  # Set to true to install and enable Binary Authorization
  binauthz:
    enabled: true
    # Information needed to determine which policy to enforce
    policyRef:
      gkeCluster:
        # The name (or ID) of the GCP project containing the cluster
        project: my-project
        # Location of this cluster
        location: us-central1-c
        # The name of the cluster.
        name: my-gke-cluster
Update the Operator object:
kubectl apply -f config-management.yaml
At this point, Binary Authorization should start to enforce the policy.
Verify the installation.
To verify that Anthos Config Management enabled Binary Authorization, check that the binauthz ValidatingWebhookConfiguration is present by entering the following command:
kubectl get validatingwebhookconfigurations binauthz
The output is similar to the following:
NAME       CREATED AT
binauthz   yyyy-mm-dd-xxxx
Uninstalling Binary Authorization
To uninstall Binary Authorization, edit the Operator configuration in config-management.yaml as follows:
Set binauthz.enabled to false.
Update the Operator object:
kubectl apply -f config-management.yaml
After the Operator removes the Binary Authorization ValidatingWebhookConfiguration, uninstallation is complete.
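The verification step above and the uninstall step both come down to whether the binauthz ValidatingWebhookConfiguration exists, and the Operator registers or removes it asynchronously after kubectl apply. The following script is an added example, not part of the Anthos Config Management documentation: it lints the binauthz block of config-management.yaml before you apply it (enabled value, leftover template placeholders) and then polls kubectl until the webhook reaches the expected state. It assumes kubectl is on PATH and points at the cluster being configured; POLL_INTERVAL and POLL_ATTEMPTS are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the Anthos Config Management docs: lint the
# binauthz block of config-management.yaml before applying it, then poll
# until the Binary Authorization admission webhook reaches the expected state.
# Assumes kubectl is on PATH and targets the cluster being configured.

POLL_INTERVAL="${POLL_INTERVAL:-5}"   # seconds between kubectl polls
POLL_ATTEMPTS="${POLL_ATTEMPTS:-24}"  # give up after this many polls

# check_binauthz_config FILE [true|false]
# Returns 0 when spec.binauthz.enabled matches the expected value (default
# true) and none of the placeholder values from the template remain.
check_binauthz_config() {
  file="$1"; expected="${2:-true}"
  # First "enabled:" line after "binauthz:" (the layout used in the docs).
  enabled=$(awk '
    /^[[:space:]]*binauthz:/ { inblock = 1; next }
    inblock && /^[[:space:]]*enabled:/ { print $2; exit }
  ' "$file")
  if [ "$enabled" != "$expected" ]; then
    echo "$file: binauthz.enabled is '${enabled:-unset}', expected $expected" >&2
    return 1
  fi
  if grep -Eq 'project: *project-id|location: *zone *$|name: *cluster-name' "$file"; then
    echo "$file: template placeholder values are still present" >&2
    return 1
  fi
  return 0
}

# Returns 0 if the binauthz ValidatingWebhookConfiguration is registered.
binauthz_webhook_present() {
  kubectl get validatingwebhookconfigurations binauthz >/dev/null 2>&1
}

# wait_for_binauthz present|absent
# Use "present" after enabling and "absent" after disabling; returns 1 on timeout.
wait_for_binauthz() {
  want="$1"; i=0
  while [ "$i" -lt "$POLL_ATTEMPTS" ]; do
    if binauthz_webhook_present; then state=present; else state=absent; fi
    if [ "$state" = "$want" ]; then
      echo "binauthz webhook is $want"; return 0
    fi
    i=$((i + 1)); sleep "$POLL_INTERVAL"
  done
  echo "timed out waiting for the binauthz webhook to be $want" >&2
  return 1
}
```

Typical use is `check_binauthz_config config-management.yaml && kubectl apply -f config-management.yaml && wait_for_binauthz present`, and `wait_for_binauthz absent` after setting enabled to false.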
What's next
- Configure the Binary Authorization policy with Google Cloud Console or the command-line interface.
- Create an attestor.
- Create an attestation.
- Deploy a container image.
- To fully uninstall Anthos Config Management, see Uninstalling the Operator from a cluster.