This quickstart shows how to configure and test a basic rule in a Binary Authorization policy.
In this quickstart, you view and configure the default rule in the policy. The default rule allows all images to be deployed. You test this by deploying a container image on a Google Kubernetes Engine (GKE) cluster. You then set the default rule to disallow all images from being deployed and attempt to deploy an image.
Before you begin
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Install and initialize the Cloud SDK.
- Install kubectl.
Enable required APIs
Enable the APIs for GKE, Container Analysis, and Binary Authorization:
gcloud
Set the default Google Cloud project used by gcloud commands:
PROJECT_ID=PROJECT_ID
gcloud config set project ${PROJECT_ID}
where PROJECT_ID is the name of your project.
Enable the required APIs:
gcloud services enable \
    container.googleapis.com \
    containeranalysis.googleapis.com \
    binaryauthorization.googleapis.com
console
Enable the required APIs:
It can take a few minutes for this operation to complete.
Create a cluster with Binary Authorization enabled
Now, create a GKE cluster with Binary Authorization enabled. This is the cluster where you want your deployed container images to run:
gcloud
Run gcloud container clusters create with the --enable-binauthz flag:
gcloud container clusters create \
    --enable-binauthz \
    --zone us-central1-a \
    test-cluster
console
Go to the GKE Clusters page in the Cloud Console.
The console displays a list of GKE clusters in your Google Cloud project.
Click Create Cluster.
Enter test-cluster in the Name field.
Select Zonal in the Location Type options.
Select us-central1-a from the Zone drop-down list.
Click Availability, Networking, Security, and Additional Features.
In the Security section, select Enable Binary Authorization.
Click Create.
Default policy
By default, your Binary Authorization policy is configured to allow all container images to be deployed.
gcloud
To view the default policy, export the policy YAML file:
gcloud container binauthz policy export
By default, the file has the following contents:
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/PROJECT_ID/policy
REST API
To view the default policy, retrieve it in JSON format:
curl \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "x-goog-user-project: ${PROJECT_ID}" \
    "https://binaryauthorization.googleapis.com/v1/projects/${PROJECT_ID}/policy"
The REST API returns the following:
{
  "name": "projects/PROJECT_ID/policy",
  "admissionWhitelistPatterns": [
    { "namePattern": "gcr.io/google_containers/*" },
    { "namePattern": "gcr.io/google-containers/*" },
    { "namePattern": "k8s.gcr.io/*" },
    { "namePattern": "gke.gcr.io/*" },
    { "namePattern": "gcr.io/stackdriver-agents/*" }
  ],
  "globalPolicyEvaluationMode": "ENABLE",
  "defaultAdmissionRule": {
    "evaluationMode": "ALWAYS_ALLOW",
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }
}
console
To view the default policy:
Go to the Binary Authorization page in the Google Cloud Console.
The console displays details about the policy.
Click Configure Policy or, if a policy exists, Edit Policy.
In Project Default Rule, the option Allow All Images is selected.
Test the policy
You can test the policy by trying to deploy a sample container image to the cluster.
For this quickstart, you use the sample container image located at the path gcr.io/google-samples/hello-app in Container Registry. This is a public container image created by Google that contains a Hello, World! sample application.
kubectl
To test the policy:
Update the local kubeconfig file:
gcloud container clusters get-credentials \
    --zone us-central1-a \
    test-cluster
This provides the credentials and endpoint information required to access the cluster in GKE.
Deploy the image:
kubectl run hello-server --image gcr.io/google-samples/hello-app:1.0 --port 8080
console
To test the policy:
Go to the GKE Clusters page in the Cloud Console.
Click Deploy.
The console prompts you to enter details about the deployment.
Select Existing Container Image.
Enter gcr.io/google-samples/hello-app:1.0 as the container image path.
Click Continue.
Enter hello-server in the Application Name field.
Click Deploy.
Now, verify that the deployment was allowed by Binary Authorization.
kubectl
To verify that the image was deployed:
kubectl get pods
The command prints a message similar to the following, which indicates that deployment was successful:
NAME                            READY   STATUS    RESTARTS   AGE
hello-server-579859fb5b-h2k8s   1/1     Running   0          1m
console
To verify that the image was deployed, go to the GKE Workloads page in Google Cloud Console.
A workload for the deployment appears with a green icon that indicates that the image was deployed successfully.
Make sure to delete the deployment so you can continue to the next step:
kubectl
To delete the deployment:
kubectl delete deployment hello-server
console
To delete the deployment:
Return to the GKE Workloads page in Google Cloud Console.
Select the hello-server workload.
Click Delete.
Configure the policy to disallow all images
Now, modify the policy so that it blocks, rather than allows, all images from being deployed.
gcloud
To modify the policy:
Export the policy YAML file:
gcloud container binauthz policy export > /tmp/policy.yaml
In a text editor, change the evaluationMode from ALWAYS_ALLOW to ALWAYS_DENY. The policy YAML file should appear as follows:
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/PROJECT_ID/policy
Import the policy YAML file back into Binary Authorization:
gcloud container binauthz policy import /tmp/policy.yaml
REST API
To modify the policy:
Create a text file with the updated policy in JSON format:
cat > /tmp/policy.json << EOM
{
  "name": "projects/${PROJECT_ID}/policy",
  "globalPolicyEvaluationMode": "ENABLE",
  "defaultAdmissionRule": {
    "evaluationMode": "ALWAYS_DENY",
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }
}
EOM
Send the updated policy to the REST API:
curl -X PUT \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" \
    -H "x-goog-user-project: ${PROJECT_ID}" \
    --data-binary @/tmp/policy.json \
    "https://binaryauthorization.googleapis.com/v1/projects/${PROJECT_ID}/policy"
console
To modify the policy:
Return to the Binary Authorization page in the Google Cloud Console.
Click Edit Policy.
Select Disallow All Images.
Click Save Policy.
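As an added illustration (not part of this quickstart and not Binary Authorization's own code), the following Python models the admission decision for the two policies shown above: the default ALWAYS_ALLOW policy with its admissionWhitelistPatterns, and the edited ALWAYS_DENY policy. The wildcard semantics, the stripping of the tag or digest before matching, and the omission of cluster-specific rules, REQUIRE_ATTESTATION and the Google-maintained system image allowlist are assumptions and simplifications made for the example.

```python
import re

# Constructed copies of the two policies shown on this page (the default
# ALWAYS_ALLOW policy and the edited ALWAYS_DENY policy), in REST JSON form.
DEFAULT_POLICY = {
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/google_containers/*"},
        {"namePattern": "gcr.io/google-containers/*"},
        {"namePattern": "k8s.gcr.io/*"},
        {"namePattern": "gke.gcr.io/*"},
        {"namePattern": "gcr.io/stackdriver-agents/*"},
    ],
    "globalPolicyEvaluationMode": "ENABLE",
    "defaultAdmissionRule": {"evaluationMode": "ALWAYS_ALLOW",
                             "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
}
DENY_POLICY = {
    "globalPolicyEvaluationMode": "ENABLE",
    "defaultAdmissionRule": {"evaluationMode": "ALWAYS_DENY",
                             "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
}

def pattern_to_regex(pattern):
    # Assumed wildcard semantics: "**" matches across "/" and a single "*"
    # matches within one path component; everything else is literal.
    parts = []
    for token in re.split(r"(\*\*|\*)", pattern):
        parts.append(".*" if token == "**" else "[^/]*" if token == "*" else re.escape(token))
    return re.compile("^" + "".join(parts) + "$")

def image_name(ref):
    """Drop the tag or digest from an image reference (assumed matching rule)."""
    ref = ref.split("@", 1)[0]
    slash, colon = ref.rfind("/"), ref.rfind(":")
    return ref[:colon] if colon > slash else ref

def admission_decision(policy, image_ref):
    """Return (allowed, reason) under the project default rule only; cluster rules,
    REQUIRE_ATTESTATION and the Google system image allowlist are not modelled."""
    name = image_name(image_ref)
    for entry in policy.get("admissionWhitelistPatterns", []):
        if pattern_to_regex(entry["namePattern"]).match(name):
            return True, "allowlisted by pattern " + entry["namePattern"]
    mode = policy["defaultAdmissionRule"]["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        return True, "allowed by default admission rule"
    if mode == "ALWAYS_DENY":
        return False, "Denied by default admission rule"
    raise ValueError("evaluationMode %s is not modelled here" % mode)
```

Note that the ALWAYS_DENY policy shown on this page carries no admissionWhitelistPatterns, so even the system image paths allowlisted in the default policy would be denied by the default rule in this model.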
Retest the policy
Again, test the policy by deploying a sample container image to the cluster. This time, Binary Authorization blocks the image from being deployed.
kubectl
Deploy the image:
kubectl run hello-server --image gcr.io/google-samples/hello-app:1.0 --port 8080
console
Deploy the image:
Go to the GKE Clusters page in the Cloud Console.
Click Deploy.
The console prompts you to enter details about the deployment.
Select Existing Container Image.
Enter gcr.io/google-samples/hello-app:1.0 as the container image path.
Click Continue.
Enter hello-server in the Application Name field.
Click Deploy.
You can now verify that the deployment was blocked by the policy:
kubectl
To verify that the image was not deployed:
kubectl get pods
The command prints the following message, which indicates that the image was not deployed:
No resources found.
You can get further details about the deployment:
kubectl get event --template \
    '{{range.items}}{{"\033[0;36m"}}{{.reason}}:{{"\033[0m"}}{{.message}}{{"\n"}}{{end}}'
which shows that the deployment was disallowed by the policy:
FailedCreate:Error creating: pods "hello-server-579859fb5b-lvfgd" is forbidden: image policy webhook backend denied one or more images: Denied by default admission rule. Overridden by evaluation mode
console
To verify that the image was not deployed:
Return to the GKE Workloads page in Google Cloud Console.
A workload for the container image appears with a red icon that indicates that the image failed to be deployed.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.
Delete the cluster you created in GKE:
gcloud
To delete the cluster:
gcloud container clusters delete \
    --zone=us-central1-a \
    test-cluster
console
To delete the cluster:
Go to the GKE Clusters page in the Cloud Console.
Select the test-cluster cluster and click Delete.
What's next
- Learn how to set up and enforce a policy with required attestations. See:
- Read our resources about DevOps and explore our research program.