This page provides an overview of how to set up Binary Authorization enforcement in your
environment for use with Google Kubernetes Engine (GKE). You can set up Binary Authorization by using the Google Cloud console or the Google Cloud CLI.
You can also perform some setup steps by using the
Binary Authorization REST API.

Enabling the Binary Authorization API also lets you check for issues with running
container images on the GKE Security posture page in the
Google Cloud console, without enabling features on individual clusters.
For details, see
About the security posture dashboard
in the GKE documentation.

For an end-to-end tutorial that includes the following setup steps, see
Get started using the Google Cloud CLI
or
Get started using the Google Cloud console.

To set up Binary Authorization, perform the following steps:

1. Enable Binary Authorization.

2. Create a cluster with Binary Authorization enabled or enable Binary Authorization on an existing cluster.

   Note: Binary Authorization doesn't enforce init containers.

3. Configure your Binary Authorization policy.

   Note: Skip this step if you want to use attestations.

   You can configure the following features in your policy:
   - Default rule.
   - Cluster-specific rules.
   - Specific rules for your Kubernetes service identity or namespace.
   - Exempt images. Learn more about exempt images.

4. Optional: If you have different Google Cloud projects that own your policy or your Container Registry repositories, grant the IAM roles required for cross-project access. For instructions, see
   Configure cross-project access for Binary Authorization in GKE.

5. Optional: Use the `built-by-cloud-build` attestor to deploy only images built by Cloud Build.

6. Optional: Use attestations.

7. Deploy container images.

8. View events in Cloud Audit Logs.

Last updated 2024-12-21 UTC.
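
A policy file that combines the features listed in step 3 (default rule, cluster-specific rule, exempt images) with the `built-by-cloud-build` attestor from step 5. This is an added example, not taken from the original page; `PROJECT_ID`, the cluster `us-central1-a.prod-cluster`, and the exempt image path are placeholders.

```yaml
# policy.yaml - example Binary Authorization policy (placeholders throughout).
name: projects/PROJECT_ID/policy

# Keep Google-maintained system images deployable regardless of the rules below.
globalPolicyEvaluationMode: ENABLE

# Exempt images: matching images bypass policy evaluation entirely.
# Keep patterns as narrow as possible; a broad wildcard here defeats the policy.
admissionWhitelistPatterns:
- namePattern: gcr.io/PROJECT_ID/trusted-base/*

# Default rule: applies to every cluster without a cluster-specific rule.
# Deny by default and record each blocked deployment in Cloud Audit Logs.
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

# Cluster-specific rules, keyed by LOCATION.CLUSTER_NAME.
clusterAdmissionRules:
  us-central1-a.prod-cluster:
    # Admit only images carrying an attestation from the named attestor.
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/built-by-cloud-build

# Reminder from step 2: init containers are not evaluated against these rules,
# so control their images by other means (for example, admission policy or review).
```

Import the file with `gcloud container binauthz policy import policy.yaml`. To observe what a rule would block before enforcing it, set that rule's `enforcementMode` to `DRYRUN_AUDIT_LOG_ONLY` and review the resulting entries in Cloud Audit Logs.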