This document describes Binary Authorization for on-premises clusters created as part of Google Distributed Cloud. To get started installing and using the product, see Set up Binary Authorization for on-premises clusters. Binary Authorization supports the following environments:
- Google Distributed Cloud (software only) on bare metal 1.14 or later.
- Google Distributed Cloud (software only) on VMware 1.4 or later.
Binary Authorization for on-premises clusters is a Google Cloud product that extends Binary Authorization's hosted, deploy-time enforcement to Google Distributed Cloud.
Architecture
Binary Authorization for on-premises clusters connects clusters to the Binary Authorization enforcer, running on Google Cloud. It works by relaying requests to run container images from on-premises clusters to the Binary Authorization enforcement API.
Binary Authorization installs the Binary Authorization Module, which runs as a Kubernetes validating admission webhook in your cluster.
When the Kubernetes API server for the cluster processes a request to run a Pod, it sends an admission request, through the control plane, to the Binary Authorization Module.
The module then forwards the admission request to the hosted Binary Authorization API.
On Google Cloud, the API receives the request and forwards it to the Binary Authorization enforcer. The enforcer then checks that the request satisfies the Binary Authorization policy. If it does, the Binary Authorization API returns an "allow" response. Otherwise the API returns a "reject" response.
On premises, the Binary Authorization Module receives the response. If the Binary Authorization Module and all of the other admission webhooks allow the deploy request, the container image is allowed to deploy.
For more information about validating admission webhooks, see Using Admission Controllers.
Webhook failure policy
When a failure prevents communication with Binary Authorization, a webhook-specific failure policy determines if the container is allowed to deploy. Configuring the failure policy to allow the container image to deploy is known as fail open. Configuring the failure policy to deny the container image from deploying is known as fail close.
To configure the Binary Authorization Module for fail close, modify the
manifest.yaml file and change the failurePolicy from
Ignore to Fail, then deploy the manifest file.
You can update the failure policy in the Binary Authorization Module.
What's next
- To learn how to set up Binary Authorization for on-premises clusters, see Set up Binary Authorization for on-premises clusters.
- To learn more about Google Distributed Cloud, see the Google Distributed Cloud overview.
- To learn more about Binary Authorization, see Binary Authorization overview.