
Using breakglass

This page provides instructions on using breakglass with Binary Authorization.

Before you begin

This guide assumes you have set up Binary Authorization.

Overview

You use breakglass to deploy a container image that Binary Authorization would ordinarily block.

Breakglass provides an emergency escape hatch that enables you to override Binary Authorization policy enforcement and allow a container image to be deployed, including container images that would be disallowed by the policy.

When you use breakglass to deploy an image, a breakglass event is automatically logged to Cloud Audit Logs. You can review these entries manually in Cloud Audit Logs, or use them to automatically trigger an alert or other downstream event.

To enable breakglass, you add a label to the podspec with a break-glass policy flag.

Demonstrate a breakglass event

Update the Binary Authorization policy to reject all requests to deploy

Although breakglass is a Binary Authorization feature, it is enabled by a label on the pod spec, not by a setting in the policy itself.

To update the policy to reject all requests to deploy a container image, perform the following steps:

Google Cloud Console

  1. Go to the Binary Authorization page in the Google Cloud Console.

  2. Click Edit Policy.

  3. In the Edit Policy page, in Project Default Rule, click Disallow all images.

  4. Click Save Policy.

gcloud

  1. Save your existing policy.

    gcloud container binauthz policy export > /tmp/policy_save.yaml
    
  2. Create a policy file:

    cat > /tmp/policy.yaml << EOM
    admissionWhitelistPatterns:
    defaultAdmissionRule:
      enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
      evaluationMode: ALWAYS_DENY
    globalPolicyEvaluationMode: DISABLE
    EOM
    
  3. Import the policy:

    gcloud container binauthz policy import /tmp/policy.yaml
    

Attempt to deploy a container image

  1. Create a configuration file in YAML format. This file contains the basic information required to create the pod:

    cat > /tmp/create_pod.yaml << EOM
    apiVersion: v1
    kind: Pod
    metadata:
      name: breakglass-pod
    spec:
      containers:
      - name: container-name
        image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
    EOM
    
  2. Create the Pod using kubectl:

    kubectl create -f /tmp/create_pod.yaml
    

    Note the following error: Error from server (Forbidden): error when creating "/tmp/create_pod.yaml": pods "breakglass-pod" is forbidden: image policy webhook backend denied one or more images: Denied by default admission rule. Overridden by evaluation mode.

Enable breakglass and deploy again

  1. Create a configuration file in YAML format.

    The following command creates the file containing the break-glass label and other information required to create the pod:

    cat > /tmp/create_pod.yaml << EOM
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-name
      labels:
        image-policy.k8s.io/break-glass: "true"
    spec:
      containers:
      - name: container-name
        image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
    EOM
    

    For all earlier Kubernetes master versions, you enable breakglass by adding alpha.image-policy.k8s.io/break-glass to the annotations node, as follows:

    cat > /tmp/create_pod.yaml << EOM
    apiVersion: v1
    kind: Pod
    metadata:
      name: pod-name
      annotations:
        alpha.image-policy.k8s.io/break-glass: "true"
    spec:
      containers:
      - name: container-name
        image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
    EOM
    
  2. Create the pod using kubectl:

    kubectl create -f /tmp/create_pod.yaml
    

    Note the output: pod/pod-name created

Find the breakglass log entry in Cloud Audit Logs

View breakglass events in Cloud Audit Logs.
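Because the label and legacy annotation shown above are what actually bypass policy enforcement, it is useful to inventory the cluster for them directly, in addition to watching the audit log. The following is an added example, not code from this page or from Binary Authorization: it scans a PodList (the structure returned by `kubectl get pods --all-namespaces -o json`) for either marker and reports the pods and images involved. The pod list embedded here is a constructed sample; `example.com/...` image names are placeholders.

```python
# Marker names as shown on this page: the label for current Kubernetes
# versions and the annotation for earlier masters.
BREAKGLASS_LABEL = "image-policy.k8s.io/break-glass"
BREAKGLASS_ANNOTATION = "alpha.image-policy.k8s.io/break-glass"

def breakglass_mechanism(pod):
    """Return "label", "annotation" or None for one Pod object; only the
    literal value "true" (the value used on this page) counts as set."""
    meta = pod.get("metadata") or {}
    if (meta.get("labels") or {}).get(BREAKGLASS_LABEL) == "true":
        return "label"
    if (meta.get("annotations") or {}).get(BREAKGLASS_ANNOTATION) == "true":
        return "annotation"
    return None

def find_breakglass_pods(pod_list):
    """Scan a PodList dict (kubectl get pods --all-namespaces -o json) and
    return (namespace, name, mechanism, images) for each break-glass pod."""
    findings = []
    for pod in pod_list.get("items", []):
        mechanism = breakglass_mechanism(pod)
        if mechanism is None:
            continue
        meta = pod.get("metadata") or {}
        containers = (pod.get("spec") or {}).get("containers") or []
        findings.append((meta.get("namespace", "default"), meta.get("name", ""),
                         mechanism, [c.get("image", "") for c in containers]))
    return findings

# Constructed sample PodList: one pod using the label, one using the legacy
# annotation, one with the label present but not "true", one ordinary pod.
HELLO_APP = ("gcr.io/google-samples/hello-app@sha256:"
             "c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4")
SAMPLE_POD_LIST = {"kind": "PodList", "items": [
    {"metadata": {"name": "pod-name", "namespace": "default",
                  "labels": {BREAKGLASS_LABEL: "true"}},
     "spec": {"containers": [{"name": "container-name", "image": HELLO_APP}]}},
    {"metadata": {"name": "legacy", "namespace": "ops",
                  "annotations": {BREAKGLASS_ANNOTATION: "true"}},
     "spec": {"containers": [{"name": "c", "image": "example.com/tool:1.2"}]}},
    {"metadata": {"name": "off", "labels": {BREAKGLASS_LABEL: "false"}},
     "spec": {"containers": [{"name": "c", "image": "example.com/web:3"}]}},
    {"metadata": {"name": "plain", "namespace": "default"},
     "spec": {"containers": [{"name": "c", "image": "example.com/web:3"}]}},
]}

if __name__ == "__main__":
    for ns, name, mechanism, images in find_breakglass_pods(SAMPLE_POD_LIST):
        print(f"{ns}/{name}: break-glass via {mechanism}, images={images}")
```

To run it against a real cluster, replace `SAMPLE_POD_LIST` with `json.load()` of a saved `kubectl get pods --all-namespaces -o json` dump.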

Clean up:

  1. Delete the Pod:

    kubectl delete -f /tmp/create_pod.yaml
      

    Verify you received output like this: pod "pod-name" deleted.

  2. Reimport your original policy.

    gcloud container binauthz policy import /tmp/policy_save.yaml