Use legacy continuous validation

This page is intended for users of legacy CV.

continuous validation (CV) now supports platform policies with checks. If you're new to CV, we recommend that you instead use CV with platform policies. If you use legacy CV, we recommend that you upgrade your project-singleton policies to platform policies.

CV is a feature of Binary Authorization that periodically checks container images associated with running Pods for continued compliance with your Binary Authorization project-singleton policy. CV logs findings to Cloud Logging.

CV does not terminate running Pods.

Limitations

CV has the following limitations:

  • CV only supports Pods deployed on Google Kubernetes Engine (GKE).
  • CV does not support Binary Authorization policies that specify specific rules for Anthos Service Mesh service identities, Kubernetes service accounts, or Kubernetes namespaces.

Before you begin

  1. Ensure that you have set up Binary Authorization for Google Kubernetes Engine in a project. CV logs policy conformance events from Pods in all clusters in the project.

  2. Ensure that the gcloud CLI is updated to the latest version

Required permissions

Identity and Access Management (IAM) roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for CV:

Role name CV permissions Description
roles/binaryauthorization.policyEditor binaryauthorization.continuousValidationConfig.update Enable and disable CV.

To set the required IAM permissions, run the following commands:

PROJECT_NUMBER=$(gcloud projects list \
  --filter="projectId:ATTESTATION_PROJECT_ID" \
  --format="value(PROJECT_NUMBER)")
SERVICE_ACCOUNT="service-$PROJECT_NUMBER@gcp-sa-binaryauthorization.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding ATTESTATION_PROJECT_ID \
    --member="serviceAccount:$SERVICE_ACCOUNT" \
    --role='roles/containeranalysis.occurrences.viewer'

Enable legacy CV

Console

To enable CV by using the Google Cloud console, do the following:

  1. In the Google Cloud console, go to the Binary Authorization Policy page.

    Go to Binary Authorization Policy

  2. Click the Policy tab.

  3. Click Edit Policy.

  4. Expand the Additional settings for GKE and Anthos deployments section.

  5. Select the Enable Continuous Validation checkbox.

  6. Click Save Policy.

REST API

To enable CV using the REST API, do the following:

  1. Store your project ID:

    DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_ID
    

    Replace DEPLOYER_PROJECT_ID with the ID of the project where you run GKE.

  2. Get the OAuth token for Google Cloud.

    BEARER_TOKEN=$(gcloud auth print-access-token)
    

    The token is only valid for a short time.

  3. Enable CV:

    curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "true"}}'
    

CV is now configured to log events.

The Logging log entry is similar to the following example:

{
"insertId": "6054e143-0000-2562-aa64-883d24f57e70",
"jsonPayload": {
  "@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent",
  "podEvent": {
    "images": [
      {
        "description": "Image <var>IMAGE_NAME@IMAGE_DIGEST</var> denied by
        attestor projects/<var>ATTESTOR_PROJECT_ID</var>/attestors/<var>ATTESTOR_NAME</var>:
        No attestations found that were valid and signed by a key trusted by
        the attestor",
        "image": "<var>IMAGE_NAME@IMAGE_DIGEST</var>",
        "result": "DENY"
      }
    ],
    "verdict": "VIOLATES_POLICY",
    "deployTime": "2021-03-19T17:00:08Z",
    "pod": "<var>POD_NAME</var>"
  }
},
"resource": {
  "type": "k8s_cluster",
  "labels": {
    "cluster_name": "<var>CLUSTER_NAME</var>",
    "location": "<var>CLUSTER_LOCATION</var>",
    "project_id": "<var>DEPLOYER_PROJECT_ID</var>"
  }
},
"timestamp": "2021-03-19T17:15:43.872702342Z",
"severity": "WARNING",
"logName": "projects/<var>DEPLOYER_PROJECY_ID</var>/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
"receiveTimestamp": "2021-03-19T17:57:00.432116179Z"
}

To learn how to query for CV events, see View CV events on Cloud Logging.

Troubleshooting

CV uses other Google Cloud services, like Cloud Asset Inventory and Pub/Sub. In cases where CV fails, you can check for Cloud Asset Inventory errors in Cloud Logging.

Additionally, CV creates a feed resource called binauthz-cv-cai-feed. Deleting or modifying the feed could cause CV to fail. CV automatically restores missing or altered feeds, but it can fail to log findings until it does so.

Disable CV

Console

To disable CV by using the Google Cloud console, do the following:

  1. In the Google Cloud console, go to the Binary Authorization page:

    Go to Binary Authorization Policy

  2. Click the Policy tab.

  3. Click Edit Policy.

  4. Clear the Enable Continuous Validation checkbox.

  5. Click Save Policy.

REST API

To disable CV using the REST API, do the following:

  1. Store your project ID:

    DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_ID
    

    Replace DEPLOYER_PROJECT_ID with the ID of the project where you run GKE.

  2. Get the OAuth token for Google Cloud.

    BEARER_TOKEN=$(gcloud auth print-access-token)
    

    The token is only valid for a short time.

  3. Disable CV using the following command:

    curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "false"}}'
    

View CV events in Cloud Logging

After you enable CV, it regularly logs all Pods that violate the Binary Authorization policy to Cloud Logging.

These log entries contain the following log name:

logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"

Logs Explorer

To view CV events in Cloud Logging using Logs Explorer, do the following:

  1. Go to Logs Explorer.

  2. Select the project ID where you enabled Google Cloud Observability.

  3. Enter the following query in the search-query box:

    logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
    
  4. Select the time range in the time-range selector.

Legacy Logs Viewer

To view CV events in Cloud Logging using the Logs Explorer, do the following:

  1. Go to Logs Explorer.

  2. Select Go back to the Legacy Logs Viewer from the Options drop-down menu.

  3. Choose the Google Cloud project for in which you set up Google Cloud Observability.

  4. Enter the following query into the search-query box:

    logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
    
  5. Select the time range in the time-range selector.

gcloud

To view CV events from the past week in Cloud Logging using gcloud, execute the following command:

gcloud logging read --order="desc" --freshness=7d \
  'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"'

What's next