Using breakglass

This page provides instructions on using breakglass with Binary Authorization.

Overview

Binary Authorization provides software supply chain security by managing whether GKE can deploy a container image. Occasionally, you need to force a container image to be deployed that the Binary Authorization enforcer would ordinarily block. In these cases, Binary Authorization provides a feature known as breakglass. To bypass the policy constraints and allow image deployments, you annotate the pod definition with a break-glass policy flag.

Breakglass provides an emergency escape hatch that enables you to override Binary Authorization policy enforcement and allow a container image to be deployed, including container images that would be disallowed by the policy.

Every breakglass event is automatically recorded in Cloud Logging. From there you can audit the entries manually, or configure an alert or other downstream action that fires whenever the policy is overridden.

Demonstrate a breakglass event

Update the Binary Authorization policy to reject all requests to deploy

Breakglass is a Binary Authorization feature, but it is triggered from the Kubernetes side: you add an annotation to the pod spec, and the policy check is bypassed for that pod.

To update the policy to reject all requests to deploy a container image, perform the following steps:

  1. Go to the Binary Authorization page in the Google Cloud Console.

    Go to the Binary Authorization page

  2. Click Edit Policy.

  3. Set the project default rule to Deny All:

    In the Edit Policy page, in Project Default Rule, click Disallow all images.

  4. Click Save Policy.

Attempt to deploy a container image

  1. Create a configuration file in YAML format. This file contains the basic information required to create the pod:

    cat > /tmp/create_pod.yaml << EOM
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-name
    spec:
      containers:
      - name: container-name
        image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
    EOM
    
  2. Create the pod using kubectl:

    kubectl create -f /tmp/create_pod.yaml
    

    Note the following error: Error from server (Forbidden): error when creating "/tmp/create_pod.yaml": pods "pod-name" is forbidden: image policy webhook backend denied one or more images: Denied by default admission rule. Overridden by evaluation mode.

Enable breakglass and deploy again

  1. Create a configuration file in YAML format. This file now contains the break-glass annotation as well as other information required to create the pod:

    cat > /tmp/create_pod.yaml << EOM
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-name
      annotations:
        alpha.image-policy.k8s.io/break-glass: "true"
    spec:
      containers:
      - name: container-name
        image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
    EOM
    
  2. Create the pod using kubectl:

    kubectl create -f /tmp/create_pod.yaml
    

    Note the output: pod/pod-name created
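Because the annotation lives in the pod spec, anyone with permission to create pods in the cluster can use it, so a defender wants an inventory of which running pods currently carry it. The following script is an added example, not part of this page or the Binary Authorization product: it reads the JSON that `kubectl get pods -A -o json` produces (a constructed, trimmed sample is embedded so it runs offline) and reports every pod that carries the `alpha.image-policy.k8s.io/break-glass` annotation, along with whether its image is digest-pinned. The pod list sample and the `find_break_glass_pods` function name are assumptions made for the example.

```python
import json

# Annotation documented on this page as the breakglass override switch.
BREAK_GLASS_ANNOTATION = "alpha.image-policy.k8s.io/break-glass"

# Constructed sample of `kubectl get pods -A -o json` output, trimmed to the
# fields this check reads. Not real cluster output; the digest below is the
# one used in the manifests on this page.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {
                "name": "pod-name",
                "namespace": "default",
                "annotations": {BREAK_GLASS_ANNOTATION: "true"},
            },
            "spec": {"containers": [{
                "name": "container-name",
                "image": "gcr.io/google-samples/hello-app@sha256:"
                         "c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4",
            }]},
        },
        {
            "metadata": {"name": "web", "namespace": "prod", "annotations": {}},
            "spec": {"containers": [{"name": "web", "image": "gcr.io/example/web:1.2"}]},
        },
        {
            "metadata": {
                "name": "legacy",
                "namespace": "prod",
                "annotations": {BREAK_GLASS_ANNOTATION: "true"},
            },
            "spec": {"containers": [{"name": "legacy", "image": "gcr.io/example/legacy:latest"}]},
        },
    ],
})


def has_break_glass(pod: dict) -> bool:
    """True if the pod carries the breakglass annotation at all.

    Any presence of the key is worth a reviewer's attention, whatever the
    value, so the check does not try to interpret the value itself.
    """
    annotations = pod.get("metadata", {}).get("annotations") or {}
    return BREAK_GLASS_ANNOTATION in annotations


def find_break_glass_pods(pod_list_json: str) -> list:
    """Return one finding per container of each pod that bypassed policy."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        if not has_break_glass(pod):
            continue
        meta = pod["metadata"]
        for container in pod.get("spec", {}).get("containers", []):
            image = container["image"]
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "pod": meta["name"],
                "container": container["name"],
                "image": image,
                "value": meta["annotations"][BREAK_GLASS_ANNOTATION],
                # A digest-pinned image still identifies an exact artifact even
                # though no attestation was checked; a tag does not.
                "digest_pinned": "@sha256:" in image,
            })
    return findings


if __name__ == "__main__":
    for f in find_break_glass_pods(SAMPLE_POD_LIST):
        print(f"{f['namespace']}/{f['pod']} [{f['container']}] "
              f"image={f['image']} digest_pinned={f['digest_pinned']}")
```

Run it against live output by piping `kubectl get pods -A -o json` into `find_break_glass_pods`; pods whose image is only tag-pinned deserve the closest look, since the bypass left no attestation and the tag gives no stable artifact identity either.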

Find the breakglass log entry in Cloud Logging

  1. Go to the Cloud Logging viewer page:

    Go to the Logs Viewer page

  2. Select Kubernetes Cluster from the Resources list.

  3. Select the time range from the time-range selector.

  4. Copy the following query, paste it into the search-query box, and press Enter:

    imagepolicywebhook.image-policy.k8s.io/break-glass
    

    Returned records may be expanded to reveal information about the breakglass deploy event.
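The manual search above is fine for a demonstration; in practice the same string is what an automated check would look for in an exported log stream so that every override is reviewed. The scanner below is an added example and not part of this page or of Cloud Logging: it reads log entries as one JSON object per line (a constructed sample is embedded), walks each entry for the `imagepolicywebhook.image-policy.k8s.io/break-glass` audit annotation this page tells you to search for, and returns who created which pod and when. The exact nesting of that annotation inside the audit payload is not stated on the page, so the walk is path-independent; the field names used for the summary (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.resourceName`, `resource.labels.cluster_name`) follow the general Cloud Audit Logs layout and are assumptions here.

```python
import json

# Audit annotation this page tells you to search for in Cloud Logging.
BREAK_GLASS_AUDIT_KEY = "imagepolicywebhook.image-policy.k8s.io/break-glass"

# Constructed sample log export, one JSON entry per line. Not real Cloud
# Logging output; the position of the audit annotation inside the payload
# is an assumption, which is why the scanner walks the whole entry.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2024-01-01T10:00:00Z",
        "resource": {"type": "k8s_cluster",
                     "labels": {"cluster_name": "example-cluster"}},
        "protoPayload": {
            "methodName": "io.k8s.core.v1.pods.create",
            "authenticationInfo": {"principalEmail": "deployer@example.com"},
            "resourceName": "core/v1/namespaces/default/pods/pod-name",
            "metadata": {BREAK_GLASS_AUDIT_KEY: "true"},
        },
    }),
    json.dumps({
        "timestamp": "2024-01-01T10:05:00Z",
        "resource": {"type": "k8s_cluster",
                     "labels": {"cluster_name": "example-cluster"}},
        "protoPayload": {
            "methodName": "io.k8s.core.v1.pods.create",
            "authenticationInfo": {"principalEmail": "ci@example.com"},
            "resourceName": "core/v1/namespaces/prod/pods/web",
        },
    }),
    "this line is not JSON and must be skipped, not crash the scan",
]


def _walk(obj):
    """Yield (key, value) for every key anywhere in a nested dict/list."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def break_glass_events(lines):
    """Return a summary of every entry carrying the breakglass audit key."""
    events = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # malformed export line: skip it rather than abort the scan
        if not any(key == BREAK_GLASS_AUDIT_KEY for key, _ in _walk(entry)):
            continue
        payload = entry.get("protoPayload", {})
        events.append({
            "time": entry.get("timestamp"),
            "cluster": entry.get("resource", {}).get("labels", {}).get("cluster_name"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "resource": payload.get("resourceName"),
        })
    return events


if __name__ == "__main__":
    for event in break_glass_events(SAMPLE_LOG_LINES):
        print(f"{event['time']} {event['cluster']} {event['principal']} "
              f"overrode policy for {event['resource']}")
```

Feed it a file produced by a log sink or `gcloud logging read` with JSON output, and route anything it returns to whoever approves emergency deploys; an override that nobody can tie to an incident is the case worth investigating.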

Clean up by deleting the pod:

    kubectl delete -f /tmp/create_pod.yaml

Verify that you receive output like this: pod "pod-name" deleted