Example policies

This page contains example policies for Binary Authorization specified in YAML format. For instructions on configuring policies in Binary Authorization, see Configuring a Policy Using the CLI or Configuring a Policy Using the Console.

Allow all deployments

The following example shows how to allow all container images to be deployed with no constraints.

name: projects/example-project/policy
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

Here, the default rule has an evaluationMode of ALWAYS_ALLOW, which causes Binary Authorization to allow deployment of all container images. The default enforcementMode is set to ENFORCED_BLOCK_AND_AUDIT_LOG, but as all deployments are allowed, this action is never taken.

Block (almost) all deployments

The following example shows how to block all container images from being deployed, with the exception of those located in the specified paths. These paths contain container images required for most Google Kubernetes Engine (GKE) clusters to start successfully.

name: projects/example-project/policy
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

Here, the default rule has an evaluationMode of ALWAYS_DENY, which causes Binary Authorization to deny deployment of all container images. The enforcementMode is set to ENFORCED_BLOCK_AND_AUDIT_LOG, which causes Binary Authorization to block deployment and write to the audit log.

Require attestors to sign before deployment

The following example shows how to require attestors to authorize a release before a container image can be deployed. The deployment is blocked unless every required attestor has signed.

name: projects/example-project/policy
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/example-project/attestors/secure-build

Here, the default rule has an evaluationMode of REQUIRE_ATTESTATION, which causes Binary Authorization to allow deployment of only those images which have been authorized by the required attestors in requireAttestationsBy.

Allow deployments in dryrun mode

Dryrun mode is an enforcement mode in a policy that allows non-conformant images to be deployed, but writes details about the policy violation and deployment to the audit log. Dryrun mode allows you to test a policy in your production environment before it goes into effect.

The following example shows how to allow all non-conformant images to be deployed in dryrun mode.

name: projects/example-project/policy
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: DRYRUN_AUDIT_LOG_ONLY
  requireAttestationsBy:
  - projects/example-project/attestors/secure-build

Here, the default rule has an enforcementMode of DRYRUN_AUDIT_LOG_ONLY, which allows images that have not been authorized by the specified attestor to be deployed, but writes information about the non-conformant deployment to the audit log.

Use a cluster-specific rule

The following example shows a cluster-specific rule that only allows those container images to be deployed which have been authorized by the specified attestors:

name: projects/example-project/policy
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
clusterAdmissionRules:
  us-east1-a.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/example-project/attestors/secure-build
    - projects/example-project/attestors/prod-qualified

Here, the cluster-specific rule only applies to those container images deployed to us-east1-a.prod-cluster. The rule requires attestation by two attestors before an image can be deployed.

Add exempt images

The following example shows how to add additional paths in Container Registry or another registry to the list of images exempt from the policy:

name: projects/example-project/policy
admissionWhitelistPatterns:
- namePattern: gcr.io/example-project-1/*
- namePattern: gcr.io/example-project-2/my-app
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

Here, the matching patterns for additional exempt images are gcr.io/example-project-1/* and gcr.io/example-project-2/my-app.
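To make the evaluation order described in the sections above concrete (exempt image patterns are checked first; then the cluster-specific rule applies if one exists for the target cluster, otherwise the default rule; and for a non-conformant image the enforcementMode decides between blocking and dryrun logging), here is an added Python model of a policy evaluator. It is not Binary Authorization's implementation or any Google code. The policy dict, the cluster names, the image names and the simplified pattern matching (a trailing * matches any suffix, anything else must match exactly) are assumptions constructed for this example.

```python
"""Toy admission evaluator for a Binary Authorization-style policy.

Added example, not Google's implementation. It models the semantics the
page describes: admissionWhitelistPatterns exempt an image entirely, a
clusterAdmissionRules entry overrides defaultAdmissionRule for that
cluster, REQUIRE_ATTESTATION needs every listed attestor, and the
enforcementMode of the selected rule decides whether a non-conformant
image is blocked or merely audited (dryrun).
"""
from dataclasses import dataclass

# Constructed policy with the same shape as the YAML examples on this page
# (a real policy would be loaded with yaml.safe_load from the exported file).
POLICY = {
    "name": "projects/example-project/policy",
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/google_containers/*"},
        {"namePattern": "k8s.gcr.io/*"},
        {"namePattern": "gcr.io/example-project-2/my-app"},
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "ALWAYS_ALLOW",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
    "clusterAdmissionRules": {
        # Assumed cluster names, modelled on the page's us-east1-a.prod-cluster.
        "us-east1-a.prod-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
            "requireAttestationsBy": [
                "projects/example-project/attestors/secure-build",
                "projects/example-project/attestors/prod-qualified",
            ],
        },
        "us-central1-b.staging-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
            "requireAttestationsBy": [
                "projects/example-project/attestors/secure-build",
            ],
        },
    },
}


@dataclass
class Decision:
    admitted: bool      # was the deployment allowed to proceed?
    conformant: bool    # did the image satisfy the selected rule?
    rule: str           # "exempt", "default", or the cluster name
    reason: str


def matches(pattern: str, image: str) -> bool:
    """Simplified namePattern matching: trailing '*' is a prefix wildcard."""
    if pattern.endswith("*"):
        return image.startswith(pattern[:-1])
    return image == pattern


def is_exempt(policy: dict, image: str) -> bool:
    patterns = policy.get("admissionWhitelistPatterns", [])
    return any(matches(p["namePattern"], image) for p in patterns)


def select_rule(policy: dict, cluster: str):
    """Cluster-specific rule wins when present; otherwise the default rule."""
    cluster_rules = policy.get("clusterAdmissionRules", {})
    if cluster in cluster_rules:
        return cluster, cluster_rules[cluster]
    return "default", policy["defaultAdmissionRule"]


def evaluate(policy: dict, image: str, cluster: str, attestations: set) -> Decision:
    """`attestations` is the set of attestor names that have signed `image`."""
    if is_exempt(policy, image):
        return Decision(True, True, "exempt", "matches an admissionWhitelistPattern")
    rule_name, rule = select_rule(policy, cluster)
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        conformant, reason = True, "evaluationMode ALWAYS_ALLOW"
    elif mode == "ALWAYS_DENY":
        conformant, reason = False, "evaluationMode ALWAYS_DENY"
    elif mode == "REQUIRE_ATTESTATION":
        missing = [a for a in rule["requireAttestationsBy"] if a not in attestations]
        conformant = not missing
        reason = ("all required attestations present" if conformant
                  else "missing attestations: " + ", ".join(missing))
    else:
        raise ValueError(f"unknown evaluationMode {mode!r}")
    if conformant:
        return Decision(True, True, rule_name, reason)
    # Non-conformant image: enforcementMode decides block vs. audit-only.
    enforcement = rule["enforcementMode"]
    if enforcement == "DRYRUN_AUDIT_LOG_ONLY":
        return Decision(True, False, rule_name, reason + " (dryrun: admitted, violation logged)")
    if enforcement == "ENFORCED_BLOCK_AND_AUDIT_LOG":
        return Decision(False, False, rule_name, reason + " (blocked, violation logged)")
    raise ValueError(f"unknown enforcementMode {enforcement!r}")


if __name__ == "__main__":
    signed = {"projects/example-project/attestors/secure-build"}
    for cluster in ("us-east1-a.prod-cluster", "us-central1-b.staging-cluster", "dev-cluster"):
        print(cluster, evaluate(POLICY, "gcr.io/example-project/app", cluster, signed))
```

Running the block shows the same image, signed only by secure-build, blocked on the prod cluster (prod-qualified is missing), admitted with a logged violation on the dryrun staging cluster, and admitted on any cluster without its own rule because the default rule is ALWAYS_ALLOW. Real Binary Authorization attestations are bound to an image digest rather than a name; the example keys by name only to keep the policy logic in view.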

Enable global policy evaluation mode

Global policy evaluation mode is a policy setting that causes Binary Authorization to evaluate a global policy before evaluating the policy that you configure as a user. The global policy is provided by Google and exempts a list of Google-provided system images from further policy evaluation. When you have this setting enabled, images that are required by GKE are not blocked by policy enforcement. The global policy is evaluated prior to and in addition to user policy evaluation.

The following example shows how to enable global policy evaluation mode:

name: projects/example-project/policy
admissionWhitelistPatterns:
- namePattern: gcr.io/example-project-1/*
- namePattern: gcr.io/example-project-2/my-app
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG