Quickstart: Monitor Pod security with continuous validation

Create a platform policy

To set up a CV GKE platform policy, do the following:

1. Create the platform policy YAML file:

   cat << EOF > /tmp/my-policy.yaml
   gkePolicy:
     checkSets:
     - checks:
       - trustedDirectoryCheck:
           trustedDirPatterns:
           - us-central1-docker.pkg.dev/my-project/my-directory
         displayName: My trusted directory check
       - imageFreshnessCheck:
           maxUploadAgeDays: 30
         displayName: My image freshness check
       displayName: My trusted directory and image freshness check set
   EOF
   

   This policy checks for the following conditions:

   • The Pods' images are stored in the Artifact Registry repository named us-central1-docker.pkg.dev/my-project/my-directory.

   • The Pods' images were uploaded to the Artifact Registry or Container Registry repositories within the last 30 days.

2. Create the platform policy:

   gcloud beta container binauthz policy create POLICY_ID \
       --platform=gke \
       --policy-file=/tmp/my-policy.yaml \
       --project=POLICY_PROJECT_ID
   

   Replace the following:

   • POLICY_ID: an ID of your choice
   • POLICY_PROJECT_ID: the policy project ID

Create or update a cluster

To enable CV on a cluster you can create a new cluster or update an existing cluster.

• To create a cluster with the check-based platform policy enabled, run the following command:

  gcloud beta container clusters create CLUSTER_NAME \
      --location=LOCATION \
      --binauthz-evaluation-mode=POLICY_BINDINGS \
      --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
      --project=CLUSTER_PROJECT_ID
  

  Replace the following:

  • CLUSTER_NAME: the name of the cluster
  • LOCATION: the location—for example: us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

  Wait for the cluster to be created.

• To update an existing cluster with check-based policies enabled, run the following command.

  gcloud beta container clusters update CLUSTER_NAME \
      --location=LOCATION \
      --binauthz-evaluation-mode=POLICY_BINDINGS \
      --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
      --project=CLUSTER_PROJECT_ID
  

  Replace the following:

  • CLUSTER_NAME: the name of the cluster
  • LOCATION: the location—for example: us-central1 or asia-south1
  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID
  • CLUSTER_PROJECT_ID: the cluster project ID

  Wait for the cluster to be updated.

Deploy an image

1. Get the credential for kubectl:

   gcloud container clusters get-credentials CLUSTER_NAME
   

2. Deploy an image:

   kubectl run hello-app \
       --image=us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0
   

   The image us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0 satisfies the freshness check because it was uploaded to the repository within the last 30 days. But the image doesn't satisfy the trusted directory check because it's not in us-central1-docker.pkg.dev/my-project/my-directory. As a result, CV produces TrustedDirectoryCheck log entries in Cloud Logging.

View the logs

The log entry appears in Cloud Logging within 24 hours after the Pod is deployed, but it can appear in as few as a couple of hours.

To view the log in Cloud Logging, use the following filter:

logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
"policyName"

The log for the hello-app Pod is similar to the one below. Some fields might be different depending on your project ID, cluster name, etc.

{
  "insertId": "637c2de7-0000-2b64-b671-24058876bb74",
  "jsonPayload": {
    "podEvent": {
      "endTime": "2022-11-22T01:14:30.430151Z",
      "policyName": "projects/1234567890/platforms/gke/policies/my-policy",
      "images": [
        {
          "result": "DENY",
          "checkResults": [
            {
              "explanation": "TrustedDirectoryCheck at index 0 with display name \"My trusted directory check\" has verdict NOT_CONFORMANT. Image is not in a trusted directory",
              "checkSetName": "Default check set",
              "checkSetIndex": "0",
              "checkName": "My trusted directory check",
              "verdict": "NON_CONFORMANT",
              "checkType": "TrustedDirectoryCheck",
              "checkIndex": "0"
            }
          ],
          "image": "us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0"
        }
      ],
      "verdict": "VIOLATES_POLICY",
      "podNamespace": "default",
      "deployTime": "2022-11-22T01:06:53Z",
      "pod": "hello-app"
    },
    "@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent"
  },
  "resource": {
    "type": "k8s_cluster",
    "labels": {
      "project_id": "my-project",
      "location": "us-central1-a",
      "cluster_name": "my-cluster"
    }
  },
  "timestamp": "2022-11-22T01:44:28.729881832Z",
  "severity": "WARNING",
  "logName": "projects/my-project/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
  "receiveTimestamp": "2022-11-22T03:35:47.171905337Z"
}

The log entry shows information about the policy violation, including the following fields:

• policyName: a platform policy that CV was using when it identified the violation

• checkResults: a block of results that includes the following fields:

  • explanation: an error message
  • checkSetName: the displayName value for the check set
  • checkSetIndex: the index of the check set in the policy
  • checkName: the name of the check
  • checkIndex: the index of the check in the check set
  • verdict: the verdict that resulted in the log entry, in this case NOT_CONFORMANT because the check wasn't satisfied.

Some checks can include additional information that can help you understand why the check was not satisfied.

Because the image satisfied the freshness check, the freshness check does not appear in the log.