This page is intended for users of legacy CV.
continuous validation (CV) now supports platform policies with checks. If you're new to CV, we recommend that you instead use CV with platform policies. If you use legacy CV, we recommend that you upgrade your project-singleton policies to platform policies.
CV is a feature of Binary Authorization that periodically checks container images associated with running Pods for continued compliance with your Binary Authorization project-singleton policy. CV logs findings to Cloud Logging.
CV does not terminate running Pods.
Limitations
CV has the following limitations:
- CV only supports Pods deployed on Google Kubernetes Engine (GKE).
- CV does not support Binary Authorization policies that specify specific rules for Anthos Service Mesh service identities, Kubernetes service accounts, or Kubernetes namespaces.
Before you begin
Ensure that you have set up Binary Authorization for Google Kubernetes Engine in a project. CV logs policy conformance events from Pods in all clusters in the project.
Ensure that the gcloud CLI is updated to the latest version
Required permissions
Identity and Access Management (IAM) roles include permissions and can be assigned to users, groups, and service accounts. The following roles include the listed permissions for CV:
Role name | CV permissions | Description |
---|---|---|
roles/binaryauthorization.policyEditor |
binaryauthorization.continuousValidationConfig.update |
Enable and disable CV. |
To set the required IAM permissions, run the following commands:
PROJECT_NUMBER=$(gcloud projects list \
--filter="projectId:ATTESTATION_PROJECT_ID" \
--format="value(PROJECT_NUMBER)")
SERVICE_ACCOUNT="service-$PROJECT_NUMBER@gcp-sa-binaryauthorization.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding ATTESTATION_PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role='roles/containeranalysis.occurrences.viewer'
Enable legacy CV
Console
To enable CV by using the Google Cloud console, do the following:
In the Google Cloud console, go to the Binary Authorization Policy page.
Click the Policy tab.
Click Edit Policy.
Expand the Additional settings for GKE and Anthos deployments section.
Select the Enable Continuous Validation checkbox.
Click Save Policy.
REST API
To enable CV using the REST API, do the following:
Store your project ID:
DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_ID
Replace
DEPLOYER_PROJECT_ID
with the ID of the project where you run GKE.Get the OAuth token for Google Cloud.
BEARER_TOKEN=$(gcloud auth print-access-token)
The token is only valid for a short time.
Enable CV:
curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "true"}}'
CV is now configured to log events.
The Logging log entry is similar to the following example:
{
"insertId": "6054e143-0000-2562-aa64-883d24f57e70",
"jsonPayload": {
"@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent",
"podEvent": {
"images": [
{
"description": "Image <var>IMAGE_NAME@IMAGE_DIGEST</var> denied by
attestor projects/<var>ATTESTOR_PROJECT_ID</var>/attestors/<var>ATTESTOR_NAME</var>:
No attestations found that were valid and signed by a key trusted by
the attestor",
"image": "<var>IMAGE_NAME@IMAGE_DIGEST</var>",
"result": "DENY"
}
],
"verdict": "VIOLATES_POLICY",
"deployTime": "2021-03-19T17:00:08Z",
"pod": "<var>POD_NAME</var>"
}
},
"resource": {
"type": "k8s_cluster",
"labels": {
"cluster_name": "<var>CLUSTER_NAME</var>",
"location": "<var>CLUSTER_LOCATION</var>",
"project_id": "<var>DEPLOYER_PROJECT_ID</var>"
}
},
"timestamp": "2021-03-19T17:15:43.872702342Z",
"severity": "WARNING",
"logName": "projects/<var>DEPLOYER_PROJECY_ID</var>/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
"receiveTimestamp": "2021-03-19T17:57:00.432116179Z"
}
To learn how to query for CV events, see View CV events on Cloud Logging.
Troubleshooting
CV uses other Google Cloud services, like Cloud Asset Inventory and Pub/Sub. In cases where CV fails, you can check for Cloud Asset Inventory errors in Cloud Logging.
Additionally, CV creates a feed resource called binauthz-cv-cai-feed
. Deleting
or modifying the feed could cause CV to fail. CV automatically restores
missing or altered feeds, but it can fail to log findings until it does so.
Disable CV
Console
To disable CV by using the Google Cloud console, do the following:
In the Google Cloud console, go to the Binary Authorization page:
Click the Policy tab.
Click Edit Policy.
Clear the Enable Continuous Validation checkbox.
Click Save Policy.
REST API
To disable CV using the REST API, do the following:
Store your project ID:
DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_ID
Replace
DEPLOYER_PROJECT_ID
with the ID of the project where you run GKE.Get the OAuth token for Google Cloud.
BEARER_TOKEN=$(gcloud auth print-access-token)
The token is only valid for a short time.
Disable CV using the following command:
curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "false"}}'
View CV events in Cloud Logging
After you enable CV, it regularly logs all Pods that violate the Binary Authorization policy to Cloud Logging.
These log entries contain the following log name:
logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
Logs Explorer
To view CV events in Cloud Logging using Logs Explorer, do the following:
Select the project ID where you enabled Google Cloud Observability.
Enter the following query in the search-query box:
logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
Select the time range in the time-range selector.
Legacy Logs Viewer
To view CV events in Cloud Logging using the Logs Explorer, do the following:
Select Go back to the Legacy Logs Viewer from the Options drop-down menu.
Choose the Google Cloud project for in which you set up Google Cloud Observability.
Enter the following query into the search-query box:
logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
Select the time range in the time-range selector.
gcloud
To view CV events from the past week in Cloud Logging using
gcloud
, execute the following command:
gcloud logging read --order="desc" --freshness=7d \
'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"'
What's next
- Use breakglass to deploy a Pod and view breakglass events.
- Enable dry run, deploy a container image, and view dry-run events.