Overview
This document explains how to enable dry run mode. With dry run mode enabled, Binary Authorization checks policy compliance at Pod creation time without actually blocking the Pod from being created. Instead, policy compliance status messages are logged to Cloud Logging. With this information you can determine if any container images would have been unintentionally blocked from being deployed and correct the policy. When the policy enforces compliance as intended, you can disable dry run mode.
Before you begin
This guide assumes that you have Binary Authorization set up. For a simple setup, see the quickstart.
For a complete, attestation-based, end-to-end tutorial, see Getting started using the CLI or Getting started using the Console.
Enable dry run
To enable dry run, you do the following:
gcloud
Export the default Binary Authorization policy:
gcloud container binauthz policy export > /tmp/policy.yaml
In a text editor, set the enforcementMode to DRYRUN_AUDIT_LOG_ONLY. The policy YAML file should look like this:
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: DRYRUN_AUDIT_LOG_ONLY
name: projects/PROJECT_ID/policy
Import the policy YAML file back into Binary Authorization:
gcloud container binauthz policy import /tmp/policy.yaml
Update the local kubeconfig file:
gcloud container clusters get-credentials \
    --zone us-central1-a \
    CLUSTER_NAME
Where CLUSTER_NAME is the name of your GKE cluster.
Console
Go to the Binary Authorization page in the Google Cloud Console.
Click Configure Policy or, if a policy exists, Edit Policy.
In the policy, change the evaluationMode from ALWAYS_ALLOW to ALWAYS_DENY, and set the enforcementMode to DRYRUN_AUDIT_LOG_ONLY. The policy YAML file could appear as follows:
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: DRYRUN_AUDIT_LOG_ONLY
name: projects/PROJECT_ID/policy
Click Save Policy.
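The gcloud and Console steps above both come down to one edit of the exported policy: the enforcementMode of the admission rule changes to DRYRUN_AUDIT_LOG_ONLY, and later back to the enforced value. The following Python script is an added example, not code from this page or from Binary Authorization; it performs that edit on policy text, refuses any value that is not a real enforcementMode (so an evaluationMode value such as ALWAYS_ALLOW cannot land in the wrong field), and wraps the export/import round trip in a function that requires gcloud. SAMPLE_POLICY is a constructed policy shaped like the exported one above; it sets every enforcementMode line in the file, which covers the defaultAdmissionRule and any cluster-specific rules the export may contain.

```python
import re
import subprocess

# The two values the enforcementMode field accepts.
ENFORCEMENT_MODES = ("ENFORCED_BLOCK_AND_AUDIT_LOG", "DRYRUN_AUDIT_LOG_ONLY")

# Constructed sample policy, shaped like the exported policy shown above,
# starting in enforced mode.
SAMPLE_POLICY = """\
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/PROJECT_ID/policy
"""

# One enforcementMode line: indentation and key are kept, only the value is replaced.
_MODE_LINE = re.compile(r"^(?P<prefix>[ \t]*enforcementMode:[ \t]*)(?P<value>\S+)", re.MULTILINE)


def is_valid_enforcement_mode(mode: str) -> bool:
    """True only for the two values the enforcementMode field accepts."""
    return mode in ENFORCEMENT_MODES


def get_enforcement_modes(policy_yaml: str) -> list:
    """List every enforcementMode value in the policy text, in document order."""
    return [m.group("value") for m in _MODE_LINE.finditer(policy_yaml)]


def set_enforcement_mode(policy_yaml: str, mode: str) -> str:
    """Return the policy text with every enforcementMode line set to `mode`.

    Anything other than a real enforcementMode value is rejected, so an
    evaluationMode value such as ALWAYS_ALLOW is never written into this field.
    """
    if not is_valid_enforcement_mode(mode):
        raise ValueError(f"{mode!r} is not an enforcementMode; use one of {ENFORCEMENT_MODES}")
    new_text, count = _MODE_LINE.subn(lambda m: m.group("prefix") + mode, policy_yaml)
    if count == 0:
        raise ValueError("policy contains no enforcementMode line")
    return new_text


def switch_policy_via_gcloud(mode: str, path: str = "/tmp/policy.yaml") -> None:
    """Export the live policy, rewrite its enforcementMode, and import it back.

    Same round trip as the gcloud steps above; needs an authenticated gcloud.
    """
    exported = subprocess.run(["gcloud", "container", "binauthz", "policy", "export"],
                              check=True, capture_output=True, text=True).stdout
    with open(path, "w") as f:
        f.write(set_enforcement_mode(exported, mode))
    subprocess.run(["gcloud", "container", "binauthz", "policy", "import", path], check=True)


if __name__ == "__main__":
    # Offline demonstration on the constructed policy: turn dry run on.
    print(set_enforcement_mode(SAMPLE_POLICY, "DRYRUN_AUDIT_LOG_ONLY"))
```

Running the file prints the sample policy with dry run enabled; `switch_policy_via_gcloud("ENFORCED_BLOCK_AND_AUDIT_LOG")` is the matching clean-up step once the audit log shows the policy blocking only what it should.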
Deploy a container
Deploy the container image
[Optional]: Create a pod.yaml file that looks like the following:
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test-container
    image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
Deploy the container image:
kubectl apply -f pod.yaml
Confirm the pod is running
The pod should be running. To confirm, run:
kubectl get pods
You should see that test-pod is running.
Check the audit log
To view dry run audit log entries in Cloud Logging, see Dry run events in Cloud Logging.
An example dry run audit log looks like the following:
{
  insertId: "f87d1ef8-fa7b-4079-be90-d0638e7983ba"
  labels: {
    authorization.k8s.io/decision: "allow"
    authorization.k8s.io/reason: ""
    imagepolicywebhook.image-policy.k8s.io/dry-run: "true"
    imagepolicywebhook.image-policy.k8s.io/overridden-verification-result: "'gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4': Denied by an ALWAYS_DENY admission rule "
  }
  logName: "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"
  operation: {…}
  protoPayload: {…}
  receiveTimestamp: "2020-06-10T15:59:23.857650559Z"
  resource: {…}
  timestamp: "2020-06-10T15:59:00.185878Z"
}
Where PROJECT_ID is your project ID.
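The entry above carries the two labels that matter for the decision this guide is about: the dry-run flag, and the overridden verification result naming the image and the reason enforcement would have denied it. The following Python script is an added example, not code from this page or from Binary Authorization; it reads an export of such entries, keeps only dry-run decisions that carry a denial result, and reports per image how often and why it would have been blocked, with the first and last time seen. SAMPLE_EXPORT is constructed: its first entry mirrors the one shown above, the second reuses the same image, the third uses a hypothetical image reference, and the fourth is an enforced (non-dry-run) entry the script must ignore.

```python
import json
import re

DRY_RUN_LABEL = "imagepolicywebhook.image-policy.k8s.io/dry-run"
RESULT_LABEL = "imagepolicywebhook.image-policy.k8s.io/overridden-verification-result"

# Verification result text has the shape  'IMAGE': REASON  (trailing space as in the sample).
_RESULT_RE = re.compile(r"^'(?P<image>[^']+)':\s*(?P<reason>.*?)\s*$")

HELLO_APP = ("gcr.io/google-samples/hello-app@sha256:"
             "c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4")

# Constructed export, abridged to the fields this script reads.
SAMPLE_EXPORT = json.dumps([
    {"insertId": "f87d1ef8-fa7b-4079-be90-d0638e7983ba",
     "labels": {"authorization.k8s.io/decision": "allow",
                "authorization.k8s.io/reason": "",
                DRY_RUN_LABEL: "true",
                RESULT_LABEL: f"'{HELLO_APP}': Denied by an ALWAYS_DENY admission rule "},
     "timestamp": "2020-06-10T15:59:00.185878Z"},
    {"insertId": "constructed-0002",
     "labels": {"authorization.k8s.io/decision": "allow",
                DRY_RUN_LABEL: "true",
                RESULT_LABEL: f"'{HELLO_APP}': Denied by an ALWAYS_DENY admission rule "},
     "timestamp": "2020-06-10T16:01:12.000000Z"},
    {"insertId": "constructed-0003",
     "labels": {"authorization.k8s.io/decision": "allow",
                DRY_RUN_LABEL: "true",
                RESULT_LABEL: "'example.test/team/app:v1': Denied by an ALWAYS_DENY admission rule "},
     "timestamp": "2020-06-10T16:03:45.000000Z"},
    {"insertId": "constructed-0004",
     "labels": {"authorization.k8s.io/decision": "deny",
                "authorization.k8s.io/reason": "constructed enforced denial"},
     "timestamp": "2020-06-10T16:05:00.000000Z"},
])


def load_entries(text: str) -> list:
    """Accept a JSON array (as gcloud logging read --format=json emits) or newline-delimited JSON."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dry_run_denial(entry: dict):
    """Return (image, reason) for a dry-run entry that enforcement would have denied, else None."""
    labels = entry.get("labels", {})
    if labels.get(DRY_RUN_LABEL) != "true":
        return None          # enforced decision, or not a Binary Authorization entry
    m = _RESULT_RE.match(labels.get(RESULT_LABEL, ""))
    if not m:
        return None          # dry run, but nothing was overridden: the image would have been admitted
    return m.group("image"), m.group("reason")


def summarize(entries: list) -> dict:
    """Map each image that would have been blocked to count, reasons and first/last timestamp."""
    summary = {}
    for entry in entries:
        hit = dry_run_denial(entry)
        if hit is None:
            continue
        image, reason = hit
        rec = summary.setdefault(image, {"count": 0, "reasons": set(), "first": None, "last": None})
        rec["count"] += 1
        rec["reasons"].add(reason)
        ts = entry.get("timestamp", "")   # RFC 3339 UTC, so string order is time order
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return summary


if __name__ == "__main__":
    for image, rec in sorted(summarize(load_entries(SAMPLE_EXPORT)).items()):
        print(f"{rec['count']:>3}  {image}")
        for reason in sorted(rec["reasons"]):
            print(f"       {reason}  ({rec['first']} .. {rec['last']})")
```

Any image in the report is one the policy will block once enforcement is turned back on; each line is either expected (the policy is doing its job) or a gap to fix in the policy, for example a missing admissionWhitelistPatterns entry or a missing attestation, before leaving dry run mode. For real data, an export such as `gcloud logging read --format=json` with a filter on the dry-run label (the exact filter is an assumption to check against your project) can be passed to `load_entries` in place of SAMPLE_EXPORT.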
Clean up
Delete the pod
kubectl delete -f pod.yaml
Disable dry run mode
Make sure to disable dry run mode by setting enforcementMode in the defaultAdmissionRule of your Binary Authorization policy back to the enforced value. For example:
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG