Use Continuous Validation

This page shows you how to use Continuous Validation (CV) with Binary Authorization.

Continuous Validation is a feature of Binary Authorization that periodically checks container images associated with running Pods for continued policy conformance. CV logs findings to Cloud Logging.

Before you begin

  1. You must have set up Binary Authorization for Google Kubernetes Engine.

  2. Select the project ID for the project where you installed Binary Authorization. CV logs policy conformance events from Pods in all clusters in the project.

Set IAM roles for CV

Identity and Access Management (IAM) roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for CV:

Role name                               | CV permissions                                        | Description
roles/binaryauthorization.policyEditor  | binaryauthorization.continuousValidationConfig.update | Enable and disable CV.

Enable CV

Console

To enable CV by using the Cloud Console, do the following:

  1. In the Cloud Console, go to the Binary Authorization Policy page.

  2. Click the Policy tab.

  3. Click Edit Policy.

  4. Select the Continuous Validation checkbox.

  5. Click Save Policy.

REST API

To enable CV using the REST API, do the following:

  1. Store your project ID:

    DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_ID
    

    Replace DEPLOYER_PROJECT_ID with the ID of the project where you run GKE.

  2. Get the OAuth token for GCP.

    BEARER_TOKEN=$(gcloud auth print-access-token)
    

    The token is only valid for a short time.

  3. Enable CV:

    curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "true"}}'
    

CV is now configured to log events.

The Logging log entry is similar to the following example:

{
  "insertId": "6054e143-0000-2562-aa64-883d24f57e70",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent",
    "podEvent": {
      "images": [
        {
          "description": "Image IMAGE_NAME@IMAGE_DIGEST denied by attestor projects/ATTESTOR_PROJECT_ID/attestors/ATTESTOR_NAME: No attestations found that were valid and signed by a key trusted by the attestor",
          "image": "IMAGE_NAME@IMAGE_DIGEST",
          "result": "DENY"
        }
      ],
      "verdict": "VIOLATES_POLICY",
      "deployTime": "2021-03-19T17:00:08Z",
      "pod": "POD_NAME"
    }
  },
  "resource": {
    "type": "k8s_cluster",
    "labels": {
      "cluster_name": "CLUSTER_NAME",
      "location": "CLUSTER_LOCATION",
      "project_id": "DEPLOYER_PROJECT_ID"
    }
  },
  "timestamp": "2021-03-19T17:15:43.872702342Z",
  "severity": "WARNING",
  "logName": "projects/DEPLOYER_PROJECT_ID/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
  "receiveTimestamp": "2021-03-19T17:57:00.432116179Z"
}

To learn how to query for CV events, see View CV events on Cloud Logging.

Disable CV

Console

To disable CV by using the Cloud Console, do the following:

  1. In the Cloud Console, go to the Binary Authorization Policy page.

  2. Click the Policy tab.

  3. Click Edit Policy.

  4. Clear the Continuous Validation checkbox.

  5. Click Save Policy.

REST API

To disable CV using the REST API, do the following:

  1. Store your project ID:

    DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_ID
    

    Replace DEPLOYER_PROJECT_ID with the ID of the project where you run GKE.

  2. Get the OAuth token for GCP.

    BEARER_TOKEN=$(gcloud auth print-access-token)
    

    The token is only valid for a short time.

  3. Disable CV using the following command:

    curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "false"}}'
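The enable and disable procedures above differ only in the `enabled` value of the request body. The following script is an added example (not Google's code or part of this documentation) that wraps the same PUT request with `urllib`, obtains the short-lived token through `gcloud auth print-access-token` exactly as the steps do, and checks the HTTP status instead of assuming the call succeeded. It assumes `gcloud` is installed and authenticated and that the caller holds `roles/binaryauthorization.policyEditor`; the script file name `cv_toggle.py` is a placeholder.

```python
"""Enable or disable Binary Authorization Continuous Validation via the REST API.

Added example, not Google's own code. It sends the PUT request shown on this
page and surfaces a failed status code rather than silently continuing.
Assumes gcloud is installed/authenticated and the caller has
roles/binaryauthorization.policyEditor.
"""
import json
import subprocess
import sys
import urllib.error
import urllib.request

API = "https://binaryauthorization.googleapis.com/v1alpha2"


def cv_config_url(project_id: str) -> str:
    """Resource URL of the project's continuousValidationConfig (from the page)."""
    return f"{API}/projects/{project_id}/continuousValidationConfig"


def cv_config_body(enabled: bool) -> bytes:
    """Request body in the shape this page uses ("enabled" is sent as a string)."""
    return json.dumps(
        {"enforcementPolicyConfig": {"enabled": "true" if enabled else "false"}}
    ).encode()


def access_token() -> str:
    """Short-lived OAuth token, obtained the same way as in step 2 above."""
    return subprocess.run(
        ["gcloud", "auth", "print-access-token"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()


def set_cv_enabled(project_id: str, enabled: bool, token: str) -> dict:
    """PUT the config; return the parsed response, raise on any non-2xx status."""
    req = urllib.request.Request(
        cv_config_url(project_id),
        data=cv_config_body(enabled),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        # 401/403 usually mean an expired token or a missing policyEditor role.
        body = err.read().decode(errors="replace")
        raise RuntimeError(f"HTTP {err.code} from {req.full_url}: {body}") from err


if __name__ == "__main__":
    # usage: python cv_toggle.py DEPLOYER_PROJECT_ID enable|disable
    project, action = sys.argv[1], sys.argv[2]
    if action not in ("enable", "disable"):
        sys.exit("action must be 'enable' or 'disable'")
    result = set_cv_enabled(project, action == "enable", access_token())
    print(json.dumps(result, indent=2))
```

Because the token expires quickly, the script fetches it immediately before the request rather than reading it from the environment; a 401 response is the usual sign that a stored token has already lapsed.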
    

View CV events in Cloud Logging

After you enable CV, it regularly logs all Pods that violate the Binary Authorization policy to Cloud Logging.

These log entries contain the following log name:

logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"

Logs Explorer

To view CV events in Cloud Logging using Logs Explorer, do the following:

  1. Go to Logs Explorer.

  2. Select the project ID where you enabled Google Cloud's operations suite.

  3. Enter the following query in the search-query box:

    logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
    
  4. Select the time range in the time-range selector.

Legacy Logs Viewer

To view CV events in Cloud Logging using Legacy Logs Viewer, do the following:

  1. Go to Logs Explorer.

  2. Select Go back to the Legacy Logs Viewer from the Options drop-down menu.

  3. Choose the Google Cloud project in which you set up Google Cloud's operations suite.

  4. Enter the following query into the search-query box:

    logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
    
  5. Select the time range in the time-range selector.

gcloud

To view CV events from the past week in Cloud Logging using gcloud, execute the following command:

gcloud logging read --order="desc" --freshness=7d \
  'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"'
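Reading the raw entries one by one does not scale once CV is logging across several clusters. The script below is an added example (not part of Google's documentation) that consumes the JSON array `gcloud logging read --format=json` prints for the query above, keeps only CV events whose verdict is VIOLATES_POLICY, and reports each denied image per Pod and how many Pods in each cluster still run it. The embedded SAMPLE_ENTRIES are constructed to mirror the log entry shown earlier on this page; the project, clusters, Pods, attestor and image digests in them are made up, and the file name `cv_findings.py` is a placeholder.

```python
"""Summarise Continuous Validation (CV) findings exported from Cloud Logging.

Added example for this page, not code from Google's documentation. Reads the
JSON array that `gcloud logging read --format=json` prints (or newline-
delimited JSON) and reports which Pods, clusters and images the policy denied.
SAMPLE_ENTRIES is constructed to mirror the log entry shown on this page.
"""
import sys
import json
from collections import Counter

# Log name every CV entry carries (from the query on this page).
CV_LOG_SUFFIX = "binaryauthorization.googleapis.com%2Fcontinuous_validation"

# Constructed sample data: two Pods in prod-1 run the same denied image, one
# Pod in staging-1 runs another, and the last entry is an unrelated log line.
IMG_APP = "example.test/app@sha256:" + "a" * 64
IMG_API = "example.test/api@sha256:" + "b" * 64
ATTESTOR = "projects/my-project/attestors/qa-attestor"


def _cv_entry(cluster, pod, image, deploy_time):
    return {
        "jsonPayload": {
            "@type": "type.googleapis.com/google.cloud.binaryauthorization."
                     "v1beta1.ContinuousValidationEvent",
            "podEvent": {
                "images": [{
                    "description": f"Image {image} denied by attestor {ATTESTOR}: "
                                   "No attestations found that were valid and "
                                   "signed by a key trusted by the attestor",
                    "image": image,
                    "result": "DENY",
                }],
                "verdict": "VIOLATES_POLICY",
                "deployTime": deploy_time,
                "pod": pod,
            },
        },
        "resource": {"type": "k8s_cluster", "labels": {
            "cluster_name": cluster, "location": "us-central1",
            "project_id": "my-project"}},
        "timestamp": "2021-03-19T17:15:43Z",
        "severity": "WARNING",
        "logName": f"projects/my-project/logs/{CV_LOG_SUFFIX}",
    }


SAMPLE_ENTRIES = [
    _cv_entry("prod-1", "web-7d9f", IMG_APP, "2021-03-19T17:00:08Z"),
    _cv_entry("prod-1", "web-2c3b", IMG_APP, "2021-03-19T17:02:11Z"),
    _cv_entry("staging-1", "api-5a1e", IMG_API, "2021-03-18T09:30:00Z"),
    {"logName": "projects/my-project/logs/other", "textPayload": "unrelated"},
]


def parse_entries(text):
    """Accept a JSON array (gcloud --format=json) or newline-delimited JSON."""
    text = text.strip()
    if not text:
        return []
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def denied_images(entries):
    """One record per denied image in each Pod that CV flagged as violating."""
    findings = []
    for entry in entries:
        if not entry.get("logName", "").endswith(CV_LOG_SUFFIX):
            continue  # not a CV event
        pod_event = entry.get("jsonPayload", {}).get("podEvent", {})
        if pod_event.get("verdict") != "VIOLATES_POLICY":
            continue
        labels = entry.get("resource", {}).get("labels", {})
        for img in pod_event.get("images", []):
            if img.get("result") != "DENY":
                continue  # only the images that actually failed the policy
            findings.append({
                "project": labels.get("project_id"),
                "cluster": labels.get("cluster_name"),
                "location": labels.get("location"),
                "pod": pod_event.get("pod"),
                "image": img.get("image"),
                # the description is word-wrapped in the raw entry; normalise it
                "reason": " ".join(img.get("description", "").split()),
                "deploy_time": pod_event.get("deployTime"),
            })
    return findings


def pods_per_denied_image(findings):
    """Counter keyed by (cluster, image): how many Pods run each denied image."""
    return Counter((f["cluster"], f["image"]) for f in findings)


if __name__ == "__main__":
    # usage: gcloud logging read --freshness=7d --format=json \
    #          'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"' \
    #        | python cv_findings.py      (no piped input: uses SAMPLE_ENTRIES)
    entries = SAMPLE_ENTRIES if sys.stdin.isatty() else parse_entries(sys.stdin.read())
    found = denied_images(entries)
    for f in found:
        print(f"{f['cluster']}/{f['location']} pod={f['pod']} image={f['image']}")
        print(f"    {f['reason']}")
    for (cluster, image), n in pods_per_denied_image(found).most_common():
        print(f"{n:3d} Pod(s) in {cluster} running {image}")
```

The per-(cluster, image) count is the figure worth watching over time: a denied image that keeps appearing in new Pods after its attestation was revoked indicates a workload that is being rescheduled or redeployed without passing admission, and the `deployTime` field tells you whether the Pod predates the policy change.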

What's next