Enabling dry run mode

Overview

This document explains how to enable dry run mode. With dry run mode enabled, Binary Authorization checks policy compliance at Pod creation time without actually blocking the Pod from being created. Instead, policy compliance status messages are logged to Cloud Logging. With this information you can determine if any container images would have been unintentionally blocked from being deployed and correct the policy. When the policy enforces compliance as intended, you can disable dry run mode.

Before you begin

This guide assumes that you have Binary Authorization set up. For a simple setup, see the quickstart.

For a complete, attestation-based, end-to-end tutorial, see Getting started using the CLI or Getting started using the Console.

Enable dry run

To enable dry run, you do the following:

gcloud

  1. Export the default Binary Authorization policy:

    gcloud container binauthz policy export > /tmp/policy.yaml
    
  2. In a text editor, set the enforcementMode to DRYRUN_AUDIT_LOG_ONLY.

    The policy YAML file should look like this:

    admissionWhitelistPatterns:
    - namePattern: gcr.io/google_containers/*
    - namePattern: gcr.io/google-containers/*
    - namePattern: k8s.gcr.io/*
    - namePattern: gke.gcr.io/*
    - namePattern: gcr.io/stackdriver-agents/*
    defaultAdmissionRule:
      evaluationMode: ALWAYS_DENY
      enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    name: projects/PROJECT_ID/policy
    
  3. Import the policy YAML file back into Binary Authorization:

    gcloud container binauthz policy import /tmp/policy.yaml
    
  4. Update the local kubeconfig file:

    gcloud container clusters get-credentials \
    --zone us-central1-a \
    CLUSTER_NAME
    

    Where CLUSTER_NAME is the name of your GKE cluster.
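The export, edit, import cycle above is easy to get wrong by hand (a typo in the mode name, or editing the wrong rule). The following is an added example, not Google's code: it rewrites only the enforcementMode line inside defaultAdmissionRule of an exported policy file, rejects values that are not valid enforcement modes, and reports whether a policy is currently in dry run. It uses plain string handling so it needs no YAML library; the SAMPLE_POLICY text is constructed to match the shape shown in this guide.

```python
"""Toggle Binary Authorization enforcementMode in an exported policy file.

Added example, not Google's code: it edits the YAML produced by
`gcloud container binauthz policy export` with plain string handling so it
has no PyYAML dependency, and only touches the defaultAdmissionRule block.
"""
import re
from typing import Optional

# Values accepted by the enforcementMode field of an admission rule.
VALID_ENFORCEMENT_MODES = {"ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY"}

# Constructed sample: the policy shape shown in this guide after export.
SAMPLE_POLICY = """\
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gke.gcr.io/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/PROJECT_ID/policy
"""

_RULE_RE = re.compile(r"^defaultAdmissionRule:\s*$")
_MODE_RE = re.compile(r"^(\s+)enforcementMode:\s*\S+\s*$")


def set_enforcement_mode(policy_text: str, mode: str) -> str:
    """Return policy_text with defaultAdmissionRule.enforcementMode set to mode.

    Raises ValueError for an unknown mode or a policy without a
    defaultAdmissionRule block. If the rule has no enforcementMode line, one is
    inserted so the result is still importable.
    """
    if mode not in VALID_ENFORCEMENT_MODES:
        raise ValueError(f"unknown enforcementMode {mode!r}")
    out, in_rule, replaced, rule_seen = [], False, False, False
    for line in policy_text.splitlines():
        if _RULE_RE.match(line):
            in_rule, rule_seen = True, True
            out.append(line)
            continue
        if in_rule and not line.startswith(" "):
            # Leaving the indented block of defaultAdmissionRule.
            if not replaced:
                out.append(f"  enforcementMode: {mode}")
                replaced = True
            in_rule = False
        if in_rule and _MODE_RE.match(line):
            indent = _MODE_RE.match(line).group(1)
            out.append(f"{indent}enforcementMode: {mode}")
            replaced = True
            continue
        out.append(line)
    if not rule_seen:
        raise ValueError("policy has no defaultAdmissionRule block")
    if in_rule and not replaced:  # the rule block ran to end of file
        out.append(f"  enforcementMode: {mode}")
    return "\n".join(out) + "\n"


def current_enforcement_mode(policy_text: str) -> Optional[str]:
    """Return the enforcementMode of defaultAdmissionRule, or None if unset."""
    in_rule = False
    for line in policy_text.splitlines():
        if _RULE_RE.match(line):
            in_rule = True
            continue
        if in_rule and not line.startswith(" "):
            break
        if in_rule and _MODE_RE.match(line):
            return line.split(":", 1)[1].strip()
    return None


def is_dry_run(policy_text: str) -> bool:
    """True when the default rule only logs instead of blocking."""
    return current_enforcement_mode(policy_text) == "DRYRUN_AUDIT_LOG_ONLY"


if __name__ == "__main__":
    dry = set_enforcement_mode(SAMPLE_POLICY, "DRYRUN_AUDIT_LOG_ONLY")
    print(dry)
    print("dry run:", is_dry_run(dry))
```

In practice you would read `/tmp/policy.yaml`, pass its text through `set_enforcement_mode`, write it back and then run `gcloud container binauthz policy import /tmp/policy.yaml` exactly as in step 3; the same function with `ENFORCED_BLOCK_AND_AUDIT_LOG` is the reverse step when you leave dry run.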

Console

  1. Go to the Binary Authorization page in the Google Cloud Console.

  2. Click Configure Policy or, if a policy exists, Edit Policy.

  3. In the policy, change the evaluationMode from ALWAYS_ALLOW to ALWAYS_DENY, and set the enforcementMode to DRYRUN_AUDIT_LOG_ONLY.

    The policy YAML file could appear as follows:

    admissionWhitelistPatterns:
    - namePattern: gcr.io/google_containers/*
    - namePattern: gcr.io/google-containers/*
    - namePattern: k8s.gcr.io/*
    - namePattern: gke.gcr.io/*
    - namePattern: gcr.io/stackdriver-agents/*
    defaultAdmissionRule:
      evaluationMode: ALWAYS_DENY
      enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    name: projects/PROJECT_ID/policy
    
  4. Click Save Policy.

Deploy a container

  1. Deploy the container image

    1. [Optional]: Create a pod.yaml file that looks like the following:

      apiVersion: v1
      kind: Pod
      metadata:
        name: test-pod
      spec:
        containers:
        - name: test-container
          image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
      
    2. Deploy the container image:

      kubectl apply -f pod.yaml
      
  2. Confirm the pod is running

    The pod should be running. To confirm, run:

    kubectl get pods
    

    You should see that test-pod is running.

  3. Check the audit log:

    To view dry run audit log entries in Cloud Logging, see Dry run events in Cloud Logging.

    An example dry run audit log looks like the following:

    {
     insertId: "f87d1ef8-fa7b-4079-be90-d0638e7983ba"
     labels: {
      authorization.k8s.io/decision: "allow"
      authorization.k8s.io/reason: ""
      imagepolicywebhook.image-policy.k8s.io/dry-run: "true"
      imagepolicywebhook.image-policy.k8s.io/overridden-verification-result: "'gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4': Denied by an ALWAYS_DENY admission rule
    "
     }
     logName: "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"
     operation: {…}
     protoPayload: {…}
     receiveTimestamp: "2020-06-10T15:59:23.857650559Z"
     resource: {…}
     timestamp: "2020-06-10T15:59:00.185878Z"
    }
    

    Where PROJECT_ID is your project ID.
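The dry-run label `imagepolicywebhook.image-policy.k8s.io/overridden-verification-result` is what tells you which images enforcement would have blocked. The following is an added example, not Google's code: it takes audit log entries as JSON objects with the `labels` layout shown above, keeps only entries where the dry-run label is `"true"`, and maps each image named in the overridden result to the reasons logged for it. The SAMPLE_ENTRIES are constructed (the second and third entries are hypothetical) to cover a denied image, an empty result and a non-dry-run entry; `load_entries` assumes you saved the entries as a JSON array.

```python
"""Summarise dry run decisions from Binary Authorization audit log entries.

Added example, not Google's code. Entries are assumed to be JSON objects
carrying the `labels` shown in this guide; the function reports which images
enforcement would have blocked once dry run is turned off.
"""
import json
import re
from typing import Dict, Iterable, List

DRY_RUN_LABEL = "imagepolicywebhook.image-policy.k8s.io/dry-run"
RESULT_LABEL = "imagepolicywebhook.image-policy.k8s.io/overridden-verification-result"
DECISION_LABEL = "authorization.k8s.io/decision"

# Matches one "'IMAGE': REASON" clause in the overridden-verification-result label.
_VERDICT_RE = re.compile(r"'(?P<image>[^']+)':\s*(?P<reason>[^\n']+)")

HELLO_APP = ("gcr.io/google-samples/hello-app@sha256:"
             "c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4")

# Constructed sample entries using the same label layout as the page's example.
SAMPLE_ENTRIES = [
    {
        "insertId": "entry-1",
        "labels": {
            DECISION_LABEL: "allow",
            DRY_RUN_LABEL: "true",
            RESULT_LABEL: f"'{HELLO_APP}': Denied by an ALWAYS_DENY admission rule\n",
        },
        "timestamp": "2020-06-10T15:59:00.185878Z",
    },
    {
        "insertId": "entry-2",  # hypothetical: dry run entry with nothing overridden
        "labels": {DECISION_LABEL: "allow", DRY_RUN_LABEL: "true", RESULT_LABEL: ""},
        "timestamp": "2020-06-10T16:01:00.000000Z",
    },
    {
        "insertId": "entry-3",  # hypothetical: not a dry run entry, must be ignored
        "labels": {DECISION_LABEL: "allow"},
        "timestamp": "2020-06-10T16:02:00.000000Z",
    },
]


def dry_run_denials(entries: Iterable[dict]) -> Dict[str, List[str]]:
    """Map each image whose verdict dry run overrode to the reasons logged for it."""
    denied: Dict[str, List[str]] = {}
    for entry in entries:
        labels = entry.get("labels", {})
        if labels.get(DRY_RUN_LABEL) != "true":
            continue  # a real (enforced) decision, or an unrelated entry
        for m in _VERDICT_RE.finditer(labels.get(RESULT_LABEL, "")):
            denied.setdefault(m.group("image"), []).append(m.group("reason").strip())
    return denied


def load_entries(path: str) -> List[dict]:
    """Load entries saved as a JSON array (for example from gcloud logging read --format=json)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for image, reasons in dry_run_denials(SAMPLE_ENTRIES).items():
        print(image)
        for reason in reasons:
            print("   ", reason)
```

An image that shows up here with a reason you did not intend (for example a trusted base image hit by the default rule) is the signal to add an admission whitelist pattern or an attestor-backed rule before switching the policy back to enforcement.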

Clean up

Delete the pod

kubectl delete -f pod.yaml

Disable dry run mode

Make sure to disable dry run mode by setting enforcementMode in the defaultAdmissionRule of your Binary Authorization policy back to enforcement. For example:

   enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG