This page contains example policies for Binary Authorization specified in YAML format. For instructions on configuring policies in Binary Authorization, see Configure a policy using the Google Cloud CLI or Configure a policy using the Google Cloud console.
Allow all deployments
The following example shows how to allow all container images to be deployed with no constraints.
name: projects/example-project/policy
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
Here, the default rule has an evaluationMode of ALWAYS_ALLOW, which causes Binary Authorization to allow deployment of all container images. The default enforcementMode is set to ENFORCED_BLOCK_AND_AUDIT_LOG, but as all deployments are allowed, this action is never taken.
Block (almost) all deployments
The following example shows how to block all container images from being deployed, while allowing Google-maintained system images. These container images are required for most Google Kubernetes Engine (GKE) clusters to start successfully.
name: projects/example-project/policy
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
Here, globalPolicyEvaluationMode is enabled so that images that are required by GKE are not blocked by policy enforcement. The default rule has an evaluationMode of ALWAYS_DENY, which causes Binary Authorization to deny deployment of all container images. The enforcementMode is set to ENFORCED_BLOCK_AND_AUDIT_LOG, which causes Binary Authorization to block deployment and write to the audit log.
Require attestors to sign before deployment
The following example shows how to require attestors to authorize a release before a container image can be deployed. The deployment is blocked unless all of the required attestors have signed.
name: projects/example-project/policy
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/example-project/attestors/secure-build
Here, the default rule has an evaluationMode of REQUIRE_ATTESTATION, which causes Binary Authorization to allow deployment of only those images that have been authorized by the required attestors in requireAttestationsBy.
Allow deployments in dry run mode
Dry run mode is an enforcement mode in a policy that allows non-conformant images to be deployed, but writes details about the policy violation and deployment to the audit log. Dry run mode allows you to test a policy in your production environment before it goes into effect.
The following example shows how to allow all non-conformant images to be deployed in dry run mode.
name: projects/example-project/policy
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: DRYRUN_AUDIT_LOG_ONLY
  requireAttestationsBy:
  - projects/example-project/attestors/secure-build
Here, the default rule has an enforcementMode of DRYRUN_AUDIT_LOG_ONLY, which allows images that have not been authorized by the specified attestor to be deployed, but writes information about the non-conformant deployment to the audit log.
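The four policies above differ only in their evaluationMode and enforcementMode values, and the weak combinations (a default rule of ALWAYS_ALLOW, a REQUIRE_ATTESTATION rule with nobody listed in requireAttestationsBy, or a rule left in dry run after its audit-log review is done) are easy to spot mechanically. The following script is an added example for this page, not Google's code or tooling: it walks a policy with the same structure as the YAML above (held as a Python dict so no YAML library is needed) and reports those combinations. The finding labels and severities are this example's own convention, and the SAMPLE_POLICY is constructed from the page's dry-run policy plus a cluster rule that lists no attestors.

```python
"""Static review of a Binary Authorization policy (added example, not Google's code).

The policy is the same structure as the YAML on this page, expressed as a Python
dict so the example runs without a YAML library. The checks, their labels and the
severities are this example's own conventions, not a Google-defined scheme.
"""
from copy import deepcopy

# Constructed sample: the page's dry-run policy plus a cluster rule that requires
# attestation but lists no attestors (so REQUIRE_ATTESTATION has nothing to check).
SAMPLE_POLICY = {
    "name": "projects/example-project/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/example-project-1/*"},
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
        "requireAttestationsBy": ["projects/example-project/attestors/secure-build"],
    },
    "clusterAdmissionRules": {
        "us-east1-a.prod-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
            "requireAttestationsBy": [],
        },
    },
}


def review_rule(label, rule):
    """Return (label, severity, message) findings for one admission rule."""
    findings = []
    mode = rule.get("evaluationMode")
    enforcement = rule.get("enforcementMode")
    attestors = rule.get("requireAttestationsBy") or []
    if mode == "ALWAYS_ALLOW":
        findings.append((label, "HIGH", "ALWAYS_ALLOW admits every image; the rule enforces nothing"))
    if mode == "REQUIRE_ATTESTATION" and not attestors:
        findings.append((label, "HIGH", "REQUIRE_ATTESTATION with an empty requireAttestationsBy"))
    if enforcement == "DRYRUN_AUDIT_LOG_ONLY":
        findings.append((label, "MEDIUM", "DRYRUN_AUDIT_LOG_ONLY logs violations but blocks nothing"))
    return findings


def review_policy(policy):
    """Review the default rule, every cluster rule and the exempt-image patterns."""
    findings = review_rule("defaultAdmissionRule", policy.get("defaultAdmissionRule", {}))
    for cluster, rule in policy.get("clusterAdmissionRules", {}).items():
        findings += review_rule(f"clusterAdmissionRules[{cluster}]", rule)
    for entry in policy.get("admissionWhitelistPatterns", []):
        pattern = entry.get("namePattern", "")
        # A bare wildcard, or a wildcard directly under the registry host
        # (e.g. gcr.io/*), exempts every project on that registry.
        if pattern.strip("*") == "" or (pattern.count("/") < 2 and pattern.endswith("*")):
            findings.append(("admissionWhitelistPatterns", "HIGH", f"registry-wide exempt pattern {pattern!r}"))
    return findings


def enforced_copy(policy):
    """Return a copy with every rule switched from dry run to blocking enforcement,
    the usual step once a dry-run policy has been observed in the audit log."""
    hardened = deepcopy(policy)
    rules = [hardened.get("defaultAdmissionRule", {})]
    rules += list(hardened.get("clusterAdmissionRules", {}).values())
    for rule in rules:
        if rule.get("enforcementMode") == "DRYRUN_AUDIT_LOG_ONLY":
            rule["enforcementMode"] = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    return hardened


if __name__ == "__main__":
    for label, severity, message in review_policy(SAMPLE_POLICY):
        print(f"{severity:6} {label}: {message}")
```

Run against SAMPLE_POLICY this reports the dry-run default rule as MEDIUM and the attestor-less cluster rule as HIGH; enforced_copy() clears the first finding but, deliberately, not the second, since no script can decide which attestors a cluster should trust.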
Use a cluster-specific rule
The following example shows a cluster-specific rule that only allows those container images to be deployed which have been authorized by the specified attestors:
name: projects/example-project/policy
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
clusterAdmissionRules:
  us-east1-a.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/example-project/attestors/secure-build
    - projects/example-project/attestors/prod-qualified
Here, the cluster-specific rule only applies to container images deployed to us-east1-a.prod-cluster. The rule requires attestation by two attestors before an image can be deployed.
Add exempt images
The following example shows how to add additional paths in Container Registry or another registry to the list of images exempt from the policy:
name: projects/example-project/policy
globalPolicyEvaluationMode: ENABLE
admissionWhitelistPatterns:
- namePattern: gcr.io/example-project-1/*
- namePattern: gcr.io/example-project-2/my-app
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
Here, the matching patterns for additional exempt images are gcr.io/example-project-1/* and gcr.io/example-project-2/my-app.