This page shows you how to use Continuous Validation (CV) with Binary Authorization.
Continuous Validation is a feature of Binary Authorization that periodically checks container images associated with running Pods for continued policy conformance. CV logs findings to Cloud Logging.
CV does not terminate running Pods.
Limitations
CV has the following limitations:
- CV only supports Pods deployed on Google Kubernetes Engine (GKE).
- CV does not support Binary Authorization policies that specify specific rules for Anthos Service Mesh service identities, Kubernetes service accounts, or Kubernetes namespaces.
Before you begin
You must have set up Binary Authorization for Google Kubernetes Engine.
Select the project ID for the project where you installed Binary Authorization. CV logs policy conformance events from Pods in all clusters in the project.
Set IAM roles for CV
Identity and Access Management (IAM) roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for CV:
| Role name | CV permissions | Description |
|---|---|---|
roles/binaryauthorization.policyEditor |
binaryauthorization.continuousValidationConfig.update |
Enable and disable CV. |
Enable CV
Console
To enable CV by using the Google Cloud console, do the following:
In the Google Cloud console, go to the Binary Authorization Policy page.
Click the Policy tab.
Click Edit Policy.
Expand the Additional settings for GKE and Anthos deployments section.
Select the Enable Continuous Validation checkbox.
Click Save Policy.
REST API
To enable CV using the REST API, do the following:
Store your project ID:
DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_IDReplace DEPLOYER_PROJECT_ID with the ID of the project where you run GKE.
Get the OAuth token for GCP.
BEARER_TOKEN=$(gcloud auth print-access-token)The token is only valid for a short time.
Enable CV:
curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "true"}}'
CV is now configured to log events.
The Logging log entry is similar to the following example:
{
"insertId": "6054e143-0000-2562-aa64-883d24f57e70",
"jsonPayload": {
"@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent",
"podEvent": {
"images": [
{
"description": "Image <var>IMAGE_NAME@IMAGE_DIGEST</var> denied by
attestor projects/<var>ATTESTOR_PROJECT_ID</var>/attestors/<var>ATTESTOR_NAME</var>:
No attestations found that were valid and signed by a key trusted by
the attestor",
"image": "<var>IMAGE_NAME@IMAGE_DIGEST</var>",
"result": "DENY"
}
],
"verdict": "VIOLATES_POLICY",
"deployTime": "2021-03-19T17:00:08Z",
"pod": "<var>POD_NAME</var>"
}
},
"resource": {
"type": "k8s_cluster",
"labels": {
"cluster_name": "<var>CLUSTER_NAME</var>",
"location": "<var>CLUSTER_LOCATION</var>",
"project_id": "<var>DEPLOYER_PROJECT_ID</var>"
}
},
"timestamp": "2021-03-19T17:15:43.872702342Z",
"severity": "WARNING",
"logName": "projects/<var>DEPLOYER_PROJECY_ID</var>/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
"receiveTimestamp": "2021-03-19T17:57:00.432116179Z"
}
To learn how to query for CV events, see View CV events on Cloud Logging.
Troubleshooting
CV uses other Google Cloud services, like Cloud Asset Inventory and Pub/Sub. In cases where CV fails, you can check for Cloud Asset Inventory errors in Cloud Logging.
Additionally, CV creates a feed resource called binauthz-cv-cai-feed. Deleting
or modifying the feed could cause CV to fail. CV automatically restores
missing or altered feeds, but it can fail to log findings until it does so.
Disable CV
Console
To disable CV by using the Google Cloud console, do the following:
In the Google Cloud console, go to the Binary Authorization page:
Click the Policy tab.
Click Edit Policy.
Clear the Enable Continuous Validation checkbox.
Click Save Policy.
REST API
To disable CV using the REST API, do the following:
Store your project ID:
DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_IDReplace DEPLOYER_PROJECT_ID with the ID of the project where you run GKE.
Get the OAuth token for GCP.
BEARER_TOKEN=$(gcloud auth print-access-token)The token is only valid for a short time.
Disable CV using the following command:
curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "false"}}'
View CV events in Cloud Logging
After you enable CV, it regularly logs all Pods that violate the Binary Authorization policy to Cloud Logging.
These log entries contain the following log name:
logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
Logs Explorer
To view CV events in Cloud Logging using Logs Explorer, do the following:
Select the project ID where you enabled Google Cloud's operations suite.
Enter the following query in the search-query box:
logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"Select the time range in the time-range selector.
Legacy Logs Viewer
To view CV events in Cloud Logging using the Logs Explorer, do the following:
Select Go back to the Legacy Logs Viewer from the Options drop-down menu.
Choose the Google Cloud project for in which you set up Google Cloud's operations suite.
Enter the following query into the search-query box:
logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"Select the time range in the time-range selector.
gcloud
To view CV events from the past week in Cloud Logging using
gcloud, execute the following command:
gcloud logging read --order="desc" --freshness=7d \
'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"'
What's next
- Use breakglass to deploy a Pod and view breakglass events.
- Enable dry run, deploy a container image, and view dry-run events.