Configure a Binary Authorization policy with GKE
This quickstart shows how to configure and test a basic rule in a Binary Authorization policy.
In this quickstart, you view and configure the default rule in the policy. The default rule allows all images to be deployed. You test this by deploying a container image on a Google Kubernetes Engine (GKE) cluster. You then set the default rule to disallow all images from being deployed and attempt to deploy an image.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Artifact Registry and Binary Authorization APIs.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Install kubectl.
Create a cluster with Binary Authorization enforcement enabled
Now, you create a GKE cluster with Binary Authorization enabled. This is the cluster where you want your deployed container images to run.
Binary Authorization works with Autopilot or Standard clusters.
Google Cloud console
The following steps configure an Autopilot cluster.
- In the Google Cloud console, go to the GKE Kubernetes clusters page.
- Click Create.
- In Create an Autopilot cluster, do the following:
  - In the Name field, enter test-cluster.
  - In the Region menu, select us-central1.
  - Expand the Advanced settings section.
  - Click the Security link to reveal the Security panel.
  - In the Security panel, select the Enable Binary Authorization checkbox.
  - Select Enforce-only.
  - Click Next and then click Next: Review and Create.
- To begin creating the cluster, click Create.
gcloud
Run gcloud container clusters create with the --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE flag set:
gcloud container clusters create \
  --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE \
  --zone us-central1-a \
  test-cluster
Creating a cluster can take several minutes.
Default policy
By default, your Binary Authorization policy is configured to allow all container images to be deployed.
Google Cloud console
To view the default policy, do the following:
- Go to the Binary Authorization page in the Google Cloud console. The console displays details about the policy.
- Click Edit Policy.
- In Project Default Rule, the option Allow All Images is selected.
gcloud
To view the default policy, export the policy YAML file as follows:
gcloud container binauthz policy export
By default, the file has the following contents:
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/PROJECT_ID/policy
REST API
To view the default policy, retrieve it in JSON format as follows:
curl \
  -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
  -H "x-goog-user-project: ${PROJECT_ID}" \
  "https://binaryauthorization.googleapis.com/v1/projects/${PROJECT_ID}/policy"
The command produces the following output:
{
  "name": "projects/PROJECT_ID/policy",
  "globalPolicyEvaluationMode": "ENABLE",
  "defaultAdmissionRule": {
    "evaluationMode": "ALWAYS_ALLOW",
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }
}
Test the enforcement policy
You can test the enforcement policy by trying to deploy a sample container image to the cluster.
For this quickstart, you use the sample container image located at the path gcr.io/google-samples/hello-app in Container Registry. This is a public container image created by Google that contains a "Hello, World!" sample application.
Google Cloud console
To test the policy, do the following:
- Go to the GKE Clusters page in the Google Cloud console.
- Click Deploy. The console prompts you to enter details about the deployment.
- Select Existing Container Image.
- Enter gcr.io/google-samples/hello-app:1.0 as the container image path.
- Click Continue.
- Enter hello-server in the Application Name field.
- Click Deploy.
kubectl
To test the policy, do the following:
- Update the local kubeconfig file:
  gcloud container clusters get-credentials \
    --zone us-central1-a \
    test-cluster
  This provides the credentials and endpoint information required to access the cluster in GKE.
- Deploy the image:
  kubectl run hello-server --image gcr.io/google-samples/hello-app:1.0 --port 8080
Now, verify that the deployment was allowed by Binary Authorization.
Google Cloud console
To verify that the image was deployed, go to the GKE Workloads page in Google Cloud console.
A workload for the deployment appears with a green icon that indicates that the image was deployed successfully.
kubectl
To verify that the image was deployed, run the following command:
kubectl get pods
The command prints a message similar to the following, which indicates that the deployment was successful:
NAME                            READY   STATUS    RESTARTS   AGE
hello-server-579859fb5b-h2k8s   1/1     Running   0          1m
Make sure to delete the deployment so you can continue to the next step:
Google Cloud console
To delete the deployment, do the following:
- Return to the GKE Workloads page in the Google Cloud console.
- Select the hello-server workload.
- Click Delete.
kubectl
To delete the deployment, do the following:
kubectl delete deployment hello-server
Configure the enforcement policy to disallow all images
Now, modify the policy so that its default rule blocks all images from being deployed instead of allowing them.
Google Cloud console
To modify the policy, do the following:
- Return to the Binary Authorization page in the Google Cloud console.
- Click Edit Policy.
- Select Disallow All Images.
- Click Save Policy.
gcloud
To modify the policy, do the following:
- Export the policy YAML file:
  gcloud container binauthz policy export > /tmp/policy.yaml
- In a text editor, change the evaluationMode from ALWAYS_ALLOW to ALWAYS_DENY. The policy YAML file should appear as follows:
  globalPolicyEvaluationMode: ENABLE
  defaultAdmissionRule:
    evaluationMode: ALWAYS_DENY
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  name: projects/PROJECT_ID/policy
- Import the policy YAML file back into Binary Authorization:
  gcloud container binauthz policy import /tmp/policy.yaml
REST API
To modify the policy, do the following:
- Create a text file with the updated policy in JSON format:
  cat > /tmp/policy.json << EOM
  {
    "name": "projects/${PROJECT_ID}/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "defaultAdmissionRule": {
      "evaluationMode": "ALWAYS_DENY",
      "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"
    }
  }
  EOM
- Send the updated policy to the REST API:
  curl -X PUT \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "x-goog-user-project: ${PROJECT_ID}" \
    --data-binary @/tmp/policy.json \
    "https://binaryauthorization.googleapis.com/v1/projects/${PROJECT_ID}/policy"
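Hand-editing the exported YAML is error-prone, and a typo in evaluationMode is rejected only at import time. The following POSIX shell helpers are an added example (not part of the Google Cloud documentation) that read and rewrite the default rule in an exported policy file and check that the result is actually fail-closed; the sample policy they write is constructed to match the export shown above, and write_sample_policy, policy_default_mode, policy_enforcement_mode, set_policy_default_mode and policy_is_fail_closed are names chosen here. REQUIRE_ATTESTATION and DRYRUN_AUDIT_LOG_ONLY are the other values the Binary Authorization policy schema accepts for those two fields.

```shell
#!/bin/sh
# Added example: inspect and rewrite defaultAdmissionRule in an exported
# Binary Authorization policy YAML (as produced by
# "gcloud container binauthz policy export"). Only sh, grep and sed are used.

# Write a constructed copy of the default (allow-all) policy to $1.
write_sample_policy() {
  cat > "$1" <<'EOF'
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/PROJECT_ID/policy
EOF
}

# Print the evaluationMode of the default admission rule in policy file $1.
policy_default_mode() {
  sed -n 's/^[[:space:]]*evaluationMode:[[:space:]]*\([A-Z_]*\).*/\1/p' "$1" | head -n 1
}

# Print the enforcementMode of the default admission rule in policy file $1.
policy_enforcement_mode() {
  sed -n 's/^[[:space:]]*enforcementMode:[[:space:]]*\([A-Z_]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite evaluationMode in policy file $1 to mode $2. Refuses anything that is
# not a value the policy schema accepts, so a typo never reaches "policy import".
set_policy_default_mode() {
  file="$1"; mode="$2"
  case "$mode" in
    ALWAYS_ALLOW|ALWAYS_DENY|REQUIRE_ATTESTATION) ;;
    *) echo "unsupported evaluationMode: $mode" >&2; return 1 ;;
  esac
  # -i.bak works with both GNU and BSD sed; the backup is removed on success.
  sed -i.bak "s/^\([[:space:]]*evaluationMode:[[:space:]]*\)[A-Z_]*/\1$mode/" "$file" \
    && rm -f "$file.bak"
}

# Succeed only if the default rule denies everything AND is enforced. A rule
# set to ALWAYS_DENY but with DRYRUN_AUDIT_LOG_ONLY enforcement only logs and
# would still let the hello-app image through.
policy_is_fail_closed() {
  [ "$(policy_default_mode "$1")" = "ALWAYS_DENY" ] \
    && [ "$(policy_enforcement_mode "$1")" = "ENFORCED_BLOCK_AND_AUDIT_LOG" ]
}
```

After `set_policy_default_mode /tmp/policy.yaml ALWAYS_DENY`, the same `gcloud container binauthz policy import /tmp/policy.yaml` step shown above applies the change.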
Retest the policy
Again, test the policy by deploying a sample container image to the cluster. This time, Binary Authorization blocks the image from being deployed.
Google Cloud console
Deploy the image:
- Go to the GKE Clusters page in the Google Cloud console.
- Click Deploy. The console prompts you to enter details about the deployment.
- Select Existing Container Image.
- Enter gcr.io/google-samples/hello-app:1.0 as the container image path.
- Click Continue.
- Enter hello-server in the Application Name field.
- Click Deploy.
kubectl
Deploy the image:
kubectl run hello-server --image gcr.io/google-samples/hello-app:1.0 --port 8080
You can now verify that the policy blocked the deployment:
Google Cloud console
To verify that the image was not deployed, do the following:
- Return to the GKE Workloads page in the Google Cloud console.
- The workload for the container image appears with a red icon that indicates that the image failed to be deployed.
kubectl
To verify that the image was not deployed, execute the following command:
kubectl get pods
The command prints the following message, which indicates that the image was not deployed:
No resources found.
You can get further details about the deployment:
kubectl get event --template \
  '{{range.items}}{{"\033[0;36m"}}{{.reason}}:{{"\033[0m"}}{{.message}}{{"\n"}}{{end}}'
You see a response that resembles the following:
FailedCreate: Error creating: pods POD_NAME is forbidden: admission webhook "imagepolicywebhook.image-policy.k8s.io" denied the request: Image IMAGE_NAME denied by Binary Authorization default admission rule. Denied by always_deny admission rule
In this output:
- POD_NAME: the name of the Pod.
- IMAGE_NAME: the name of the image.
- ATTESTOR_NAME: the name of the attestor.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
Delete the cluster you created in GKE:
Console
To delete the cluster, do the following:
- Go to the GKE Clusters page in the Google Cloud console.
- Select the test-cluster cluster and click Delete.
gcloud
To delete the cluster, do the following:
gcloud container clusters delete \
  --zone=us-central1-a \
  test-cluster
What's next
- Use the built-by-cloud-build attestor to deploy only images built by Cloud Build (Preview).
- For an end-to-end tutorial about requiring attestations, see:
- Read our resources about DevOps and explore the DevOps Research and Assessment (DORA) research program.