Quickstart: Allow all and disallow all

This quickstart shows how to configure and test a basic rule in a Binary Authorization policy.

In this quickstart, you view and configure the default rule in the policy. The default rule allows all images to be deployed. You test this by deploying a container image on a Google Kubernetes Engine (GKE) cluster. You then set the default rule to disallow all images from being deployed and attempt to deploy an image.

Before you begin

Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

Go to project selector
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
Enable the Artifact Registry, Binary Authorization APIs.
Enable the APIs

Install and initialize the Cloud SDK.
Install kubectl.

Create a cluster with Binary Authorization enabled

Now, create a GKE cluster with Binary Authorization enabled. This is the cluster where you want your deployed container images to run.

Google Cloud Console

Go to the GKE Clusters page in the Cloud Console.

Go to GKE

The console displays a list of GKE clusters in your Google Cloud project.
Click Create Cluster.
Enter test-cluster in the Name field.
Select Zonal in the Location Type options.
Select us-central1-a from the Zone drop-down list.
Click the Security link to reveal the Security panel.
In the Security panel, select the Enable Binary Authorization checkbox.
Click Create.

gcloud

Run gcloud container clusters create with the --enable-binauthz flag enabled.

gcloud container clusters create \
    --enable-binauthz \
    --zone us-central1-a \
    test-cluster

Default policy

By default, your Binary Authorization policy is configured to allow all container images to be deployed.

Cloud Console

To view the default policy, do the following:

Go to the Binary Authorization page in the Cloud Console.

Go to Binary Authorization

The console displays details about the policy.
Click Configure Policy or, if a policy exists, Edit Policy.
In Project Default Rule, the option Allow All Images is selected.

gcloud

To view the default policy, export the policy YAML file as follows:

gcloud container binauthz policy export

By default, the file has the following contents:

admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/PROJECT_ID/policy

REST API

To view the default policy, retrieve it in JSON format as follows:

curl \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "x-goog-user-project: ${PROJECT_ID}" \
    "https://binaryauthorization.googleapis.com/v1/projects/${PROJECT_ID}/policy"

The REST API returns the following:

{
  "name": "projects/PROJECT_ID/policy",
  "admissionWhitelistPatterns": [
    {
      "namePattern": "gcr.io/google_containers/*"
    },
    {
      "namePattern": "gcr.io/google-containers/*"
    },
    {
      "namePattern": "k8s.gcr.io/*"
    },
    {
      "namePattern": "gke.gcr.io/*"
    },
    {
      "namePattern": "gcr.io/stackdriver-agents/*"
    }
  ],
  "globalPolicyEvaluationMode": "ENABLE",
  "defaultAdmissionRule": {
    "evaluationMode": "ALWAYS_ALLOW",
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }
}

Test the policy

You can test the policy by trying to deploy a sample container image to the cluster.

For this quickstart, you use the sample container image located at the path gcr.io/google-samples/hello-app in Container Registry. This is a public container image created by Google that contains a "Hello, World!" sample application.

Cloud Console

To test the policy, do the following:

Go to the GKE Clusters page in the Cloud Console.

Go to GKE
Click Deploy.

The console prompts you to enter details about the deployment.
Select Existing Container Image.
Enter gcr.io/google-samples/hello-app:1.0 as the container image path.
Click Continue.
Enter hello-server in the Application Name field.
Click Deploy.

kubectl

To test the policy, do the following:

Update the local kubeconfig file:
```
gcloud container clusters get-credentials \
    --zone us-central1-a \
    test-cluster
```
This provides the credentials and endpoint information required to access the cluster in GKE.

Deploy the image:

kubectl run hello-server --image gcr.io/google-samples/hello-app:1.0 --port 8080

Now, verify that the deployment was allowed by Binary Authorization.

Cloud Console

To verify that the image was deployed, go to the GKE Workloads page in Cloud Console.

Go to GKE

A workload for the deployment appears with a green icon that indicates that the image was deployed successfully.

Screenshot of a successful deployment message

kubectl

To verify that the image was deployed, do the following:

kubectl get pods

The command prints a message similar to the following, which indicates that deployment was successful:

NAME                            READY     STATUS    RESTARTS   AGE
hello-server-579859fb5b-h2k8s   1/1       Running   0          1m

Make sure to delete the deployment so you can continue to the next step:

Cloud Console

To delete the deployment, do the following:

Return to the GKE Workloads page in Cloud Console.

Go to GKE
Select the test-server workload.
Click Delete.

kubectl

To delete the deployment, do the following:

kubectl delete deployment hello-server

Configure the policy to disallow all images

Now, modify the policy to block instead of allow all images to be deployed.

Cloud Console

To modify the policy, do the following:

Return to the Binary Authorization page in the Cloud Console.

Go to Binary Authorization
Click Edit Policy.
Select Disallow All Images.
Click Save Policy.

gcloud

To modify the policy, do the following:

Export the policy YAML file:

gcloud container binauthz policy export  > /tmp/policy.yaml

In a text editor, change the evaluationMode from ALWAYS_ALLOW to ALWAYS_DENY.

The policy YAML file should appear as follows:

globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/PROJECT_ID/policy

Import the policy YAML file back into Binary Authorization:
```
gcloud container binauthz policy import /tmp/policy.yaml
```

REST API

To modify the policy, do the following:

Create a text file with the updated policy in JSON format:

cat > /tmp/policy.json << EOM
{
  "name": "projects/${PROJECT_ID}/policy",
  "globalPolicyEvaluationMode": "ENABLE",
  "defaultAdmissionRule": {
    "evaluationMode": "ALWAYS_DENY",
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }
}
EOM

Send the updated policy to the REST API:

curl -X PUT \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "x-goog-user-project: ${PROJECT_ID}" \
    --data-binary @/tmp/policy.json  \
    "https://binaryauthorization.googleapis.com/v1/projects/${PROJECT_ID}/policy"

Retest the policy

Again, test the policy by deploying a sample container image to the cluster. This time, Binary Authorization blocks the image from being deployed.

Cloud Console

Deploy the image:

Go to the GKE Clusters page in the Cloud Console.

Go to GKE
Click Deploy.

The console prompts you to enter details about the deployment.
Select Existing Container Image.
Enter gcr.io/google-samples/hello-app:1.0 as the container image path.
Click Continue.
Enter hello-server in the Application Name field.
Click Deploy.

kubectl

Deploy the image:

kubectl run hello-server --image gcr.io/google-samples/hello-app:1.0 --port 8080

You can now verify that the policy was blocked:

Cloud Console

To verify that the image was not deployed, do the following:

Return to the GKE Workloads page in Cloud Console.

Go to GKE

A workload for the container image appears with a red icon that indicates that the image failed to be deployed.

Screenshot of a failed deployment message

kubectl

To verify that the image was not deployed, execute the following command:

kubectl get pods

The command prints the following message, which indicates that the image was not deployed:

No resources found.

You can get further details about the deployment:

kubectl get event --template \
'{{range.items}}{{"\033[0;36m"}}{{.reason}}:{{"\033[0m"}}{{.message}}{{"\n"}}{{end}}'

You see a response that resembles the following:

FailedCreate: Error creating: pods POD_NAME is forbidden: admission webhook "imagepolicywebhook.image-policy.k8s.io" denied the request: Image IMAGE_NAME denied by Binary Authorization default admission rule. Denied by always_deny admission rule

In this output:

POD_NAME: the name of the Pod.
IMAGE_NAME: the name of the image.
ATTESTOR_NAME: the name of the attestor.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.

Delete the cluster you created in GKE:

Cloud Console

To delete the cluster, do the following:

Go to the GKE Clusters page in the Cloud Console.

Go to GKE
Select the test-cluster cluster and click Delete.

gcloud

To delete the cluster, do the following:

gcloud container clusters delete \
    --zone=us-central1-a \
    test-cluster

What's next

Learn how to set up and enforce a policy with required attestations. See:
- Getting started using the CLI
- Getting started using Cloud Console
Read our resources about DevOps and explore our research program.