Overview of Binary Authorization for Anthos clusters on VMware

This document describes Binary Authorization for Anthos clusters on VMware. To get started installing and using the product, see Setting up Binary Authorization for Anthos clusters on VMware.

Overview

Binary Authorization for Anthos clusters on VMware is a Google Cloud product that extends Binary Authorization's hosted, deploy-time enforcement to Anthos clusters on VMware.

Architecture

Binary Authorization for Anthos clusters on VMware connects on-premises user clusters to the Binary Authorization enforcer running on Google Cloud. It works by relaying requests to run container images from Anthos clusters on VMware to the Binary Authorization enforcement API.

Figure: Binary Authorization for Anthos clusters on VMware architecture with one user control plane.

On premises, Binary Authorization for Anthos clusters on VMware installs the Binary Authorization Module, which runs as a Kubernetes validating admission webhook in your user cluster.

When the Kubernetes API server for the user cluster processes a request to run a Pod, it sends an admission request, through the user control plane, to the Binary Authorization Module.

The module then forwards the admission request to the hosted Binary Authorization API.

On Google Cloud, the API receives the request and forwards it to the Binary Authorization enforcer. The enforcer then checks that the request satisfies the Binary Authorization policy. If it does, the Binary Authorization API returns an "allow" response. Otherwise the API returns a "reject" response.

On premises, the Binary Authorization Module receives the response. If the Binary Authorization Module and all of the other admission webhooks allow the deploy request, the container image is allowed to deploy.

For more information about validating admission webhooks, see Using Admission Controllers.

Webhook failure policy

When a failure prevents communication with Binary Authorization, a webhook-specific failure policy determines whether the container is allowed to deploy. Configuring the failure policy to allow the container image to deploy is known as fail open. Configuring the failure policy to block the container image from deploying is known as fail closed.

To learn how to modify the failure policy, see Failure policy.
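The following is an added example, not code from Google's Binary Authorization Module, that models the admission flow described under Architecture and the failure-policy behavior described in this section. It constructs a sample AdmissionReview request for a Pod, relays the Pod's image references to a stand-in enforcer, maps the verdict to an AdmissionReview response, and shows how the Kubernetes API server's failurePolicy ("Fail" for fail closed, "Ignore" for fail open) decides the outcome when the hosted API cannot be reached. The stub enforcer, the trusted-image set, the Pod, and the UID are all constructed for illustration and are not how Binary Authorization evaluates its policy.

```python
"""Model of the Binary Authorization admission flow (constructed example)."""
import json
from typing import Callable, Dict, List

# Constructed AdmissionReview (admission.k8s.io/v1) request: the shape the
# Kubernetes API server sends to a validating admission webhook for a Pod.
SAMPLE_ADMISSION_REQUEST: Dict = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "705ab4f5-6393-11e8-b7cc-42010a800002",  # constructed UID
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "namespace": "default",
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "demo"},
            "spec": {
                "containers": [
                    # Constructed image reference pinned by digest.
                    {"name": "app", "image": "example.test/app@sha256:" + "a" * 64},
                ]
            },
        },
    },
}


class EnforcerUnavailable(Exception):
    """Raised when the hosted enforcement API cannot be reached."""


def pod_images(review: Dict) -> List[str]:
    """Collect every image reference in the Pod, init containers included."""
    spec = review["request"]["object"]["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["image"] for c in containers]


def build_response(review: Dict, allowed: bool, message: str = "") -> Dict:
    """Build the AdmissionReview response the module returns to the API server."""
    resp = {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {"uid": review["request"]["uid"], "allowed": allowed},
    }
    if not allowed:
        resp["response"]["status"] = {"code": 403, "message": message}
    return resp


def module_handle(review: Dict, enforcer: Callable[[List[str]], bool]) -> Dict:
    """The on-prem module relays the image list to the hosted enforcer and maps
    its verdict to an allow/deny response. An EnforcerUnavailable exception
    propagates, which models the webhook call failing from the API server's side."""
    images = pod_images(review)
    if enforcer(images):
        return build_response(review, True)
    return build_response(
        review, False, "image(s) denied by Binary Authorization policy: " + ", ".join(images)
    )


def api_server_decides(review: Dict, module: Callable[[Dict], Dict], failure_policy: str) -> bool:
    """Model of the API server applying the webhook's failurePolicy when the
    webhook cannot answer: "Fail" is fail closed, "Ignore" is fail open."""
    try:
        return module(review)["response"]["allowed"]
    except EnforcerUnavailable:
        if failure_policy == "Ignore":
            return True
        if failure_policy == "Fail":
            return False
        raise ValueError(f"unknown failurePolicy {failure_policy!r}")


def make_stub_enforcer(trusted_images: set, available: bool = True) -> Callable[[List[str]], bool]:
    """Stand-in for the hosted enforcer (constructed): allow only when every image
    is in a trusted set. Real Binary Authorization policy evaluation differs."""
    def enforcer(images: List[str]) -> bool:
        if not available:
            raise EnforcerUnavailable("hosted Binary Authorization API unreachable")
        return all(img in trusted_images for img in images)
    return enforcer


def demo() -> Dict[str, bool]:
    """Run the four cases a cluster operator should reason about."""
    trusted = set(pod_images(SAMPLE_ADMISSION_REQUEST))
    healthy = lambda r: module_handle(r, make_stub_enforcer(trusted))
    untrusted = lambda r: module_handle(r, make_stub_enforcer(set()))
    down = lambda r: module_handle(r, make_stub_enforcer(trusted, available=False))
    return {
        "policy_allows": api_server_decides(SAMPLE_ADMISSION_REQUEST, healthy, "Fail"),
        "untrusted_denied": api_server_decides(SAMPLE_ADMISSION_REQUEST, untrusted, "Fail"),
        "outage_fail_closed": api_server_decides(SAMPLE_ADMISSION_REQUEST, down, "Fail"),
        "outage_fail_open": api_server_decides(SAMPLE_ADMISSION_REQUEST, down, "Ignore"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The last two cases are the ones the failure policy governs: with fail open, an outage on the path to the hosted API lets unverified images through; with fail closed, the same outage blocks Pod creation in the cluster until connectivity is restored. Note that the failure policy only applies when the webhook cannot be reached or answer; a reachable enforcer that returns "reject" is denied regardless of the policy setting.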

What's next