Overview of Continuous Validation

Overview

Continuous Validation (CV) is a feature of Binary Authorization that regularly checks container images associated with Pods running on Google Kubernetes Engine (GKE) for continued conformance with the Binary Authorization policy.

While Binary Authorization provides one-time validation at deploy time, CV extends validation to the post-deploy environment. With both Binary Authorization and CV enabled, policy conformance is validated throughout the entire Pod lifecycle. CV is useful in the following scenarios:

  • Changing the Binary Authorization policy after deploying a container image. Policy changes don't affect running Pods. The Pods continue to run even if the updated policy now blocks the same container image from being deployed. CV informs you of running Pods that violate the newly updated policy.

  • Dry run: With dry run and CV enabled, Binary Authorization allows the container image to be deployed, and CV regularly logs whether it conforms to the policy.

  • Breakglass: If a Pod is deployed with breakglass, it bypasses policy enforcement. At deploy time, Binary Authorization logs one event to Cloud Audit Logs. CV, however, continues to regularly log policy-violating Pods, including those Pods deployed with breakglass.

You enable CV on projects that run GKE. CV then checks all Pods running on all clusters in the project, including clusters for which Binary Authorization is not enabled.

The check occurs at least every 24 hours. During each check, CV retrieves the list of images associated with each Pod that ran during the interval since the previous check, verifies that the container image information associated with each Pod satisfies the Binary Authorization policy, and logs violations and other findings to Cloud Logging.

CV continues to log policy violations for non-conformant Pods until the Pod terminates. Pods terminated during the interval between checks are logged during the next check.
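Because CV findings only reach you through Cloud Logging, the practical follow-up is to triage the entries it writes: pull out Pods with a violating verdict, note which of them had already terminated during the check interval, and count findings per cluster. The script below is an added example, not Google's code or part of this documentation. The log-name suffix `binaryauthorization.googleapis.com%2Fcontinuous_validation`, the `resource.labels.cluster_name` / `location` labels, and the `jsonPayload.podEvent` fields (`pod`, `podNamespace`, `verdict`, `deployTime`, `endTime`, `images[].image`, `images[].result`) are assumptions modelled on CV's log format and must be checked against the current Binary Authorization reference before the script is pointed at a real export. The sample export is constructed.

```python
"""Triage Continuous Validation (CV) log entries exported from Cloud Logging.

Added example; the log name and jsonPayload field names below are assumptions
about CV's log format, not taken from the page. Verify them against the
Binary Authorization documentation before using this on a real export.
"""
import json
from collections import Counter

# Assumed: the Cloud Logging log name CV writes to (URL-encoded slash).
CV_LOG_SUFFIX = "binaryauthorization.googleapis.com%2Fcontinuous_validation"

# Constructed sample: one JSON object per line, as a newline-delimited export would look.
# Entry 1: running Pod that violates policy (no endTime).
# Entry 2: Pod that violated policy and terminated during the interval (endTime set);
#          CV still reports it once, in the next check.
# Entry 3: conformant Pod.
# Entry 4: an unrelated audit-log entry that the CV filter must drop.
SAMPLE_EXPORT = """\
{"logName": "projects/example-proj/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation", "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a", "location": "us-central1"}}, "jsonPayload": {"podEvent": {"pod": "web-7d9f", "podNamespace": "frontend", "verdict": "VIOLATES_POLICY", "deployTime": "2024-01-10T08:00:00Z", "images": [{"image": "us-docker.pkg.dev/example-proj/app/web@sha256:0000aaaa", "result": "DENY", "description": "No attestation found"}]}}}
{"logName": "projects/example-proj/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation", "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-b", "location": "europe-west1"}}, "jsonPayload": {"podEvent": {"pod": "batch-1", "podNamespace": "jobs", "verdict": "VIOLATES_POLICY", "deployTime": "2024-01-10T09:30:00Z", "endTime": "2024-01-10T20:00:00Z", "images": [{"image": "us-docker.pkg.dev/example-proj/app/batch@sha256:1111bbbb", "result": "DENY", "description": "Image not in allowlist"}]}}}
{"logName": "projects/example-proj/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation", "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a", "location": "us-central1"}}, "jsonPayload": {"podEvent": {"pod": "api-2", "podNamespace": "backend", "verdict": "CONFORMS_TO_POLICY", "deployTime": "2024-01-09T12:00:00Z", "images": [{"image": "us-docker.pkg.dev/example-proj/app/api@sha256:2222cccc", "result": "ALLOW"}]}}}
{"logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Factivity", "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a", "location": "us-central1"}}, "protoPayload": {"methodName": "io.k8s.core.v1.pods.create"}}
"""


def parse_entries(export_text):
    """Parse a newline-delimited JSON export into a list of entry dicts."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]


def is_cv_entry(entry):
    """True if the entry came from the (assumed) CV log, not some other log."""
    return entry.get("logName", "").endswith(CV_LOG_SUFFIX)


def violating_pods(entries):
    """Return one finding per Pod whose CV verdict is VIOLATES_POLICY.

    A Pod with an endTime terminated during the check interval; it is kept
    (CV reports it once in the next check) but flagged so an operator knows
    there is nothing left to stop.
    """
    findings = []
    for entry in entries:
        if not is_cv_entry(entry):
            continue
        event = entry.get("jsonPayload", {}).get("podEvent", {})
        if event.get("verdict") != "VIOLATES_POLICY":
            continue
        labels = entry.get("resource", {}).get("labels", {})
        findings.append({
            "cluster": labels.get("cluster_name", "?"),
            "location": labels.get("location", "?"),
            "namespace": event.get("podNamespace", "?"),
            "pod": event.get("pod", "?"),
            "terminated": "endTime" in event,
            "denied_images": [
                img["image"] for img in event.get("images", [])
                if img.get("result") == "DENY"
            ],
        })
    return findings


def violations_per_cluster(findings):
    """Count violating Pods per cluster, for a quick 'where is the drift' view."""
    return Counter(f["cluster"] for f in findings)


def main():
    findings = violating_pods(parse_entries(SAMPLE_EXPORT))
    for f in findings:
        state = "terminated" if f["terminated"] else "RUNNING"
        print(f"[{state}] {f['cluster']}/{f['location']} {f['namespace']}/{f['pod']}: "
              + ", ".join(f["denied_images"]))
    print("violations per cluster:", dict(violations_per_cluster(findings)))


if __name__ == "__main__":
    main()
```

Only the `RUNNING` findings still need a remediation (redeploy a conformant image or delete the Pod); the `terminated` ones are a record that the interval-based check caught a Pod after the fact, which is the dry-run and breakglass visibility the page describes.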
