Binary Authorization for Google Distributed Cloud is a Google Cloud feature that extends the hosted, deploy-time enforcement of Binary Authorization to your on-premises user clusters. The primary use case for Binary Authorization on Google Distributed Cloud is to secure workloads on your user clusters. Follow the steps in this guide to apply the enforcement rules of a Binary Authorization policy configured in your Google Cloud project to your user clusters. For more information about Binary Authorization policies and rules, see Binary Authorizationoverview.
Prerequisites
Before you can enable Binary Authorization policy enforcement for a user cluster, ensure you've met the following prerequisite criteria:
Register the cluster with a fleet: For a cluster created with
gkectl, the cluster is registered to the Google Cloud project that you specify in thegkeConnect.projectIDfield in the cluster configuration file. This project is referred to as the fleet host project. To learn more about fleets, including use cases, best practices, and examples, see the Fleet management documentation.Enable the Binary Authorization API in your Google Cloud project: enable the Binary Authorization service in your fleet host project.
Add the Binary Authorization Policy Evaluator role to your fleet host project: To grant the Binary Authorization Policy Evaluator (
roles/binaryauthorization.policyEvaluator) role to the Kubernetes service account on your fleet host project, run the following command:gcloud projects add-iam-policy-binding PROJECT_ID \ --member="serviceAccount:PROJECT_ID.svc.id.goog[binauthz-system/binauthz-agent]" \ --role="roles/binaryauthorization.policyEvaluator"If your cluster is running behind a proxy server, make sure the proxy server allows connections to the Binary Authorization API (
binaryauthorization.googleapis.com). This API provides policy-based deployment validation and control for images deployed to your cluster. For more information about, see Proxy and firewall rules proxy.
Once you satisfy the prerequisites, you can enable (or disable) the Binary Authorization policy when you create a new cluster or update an existing cluster.
Enable the Binary Authorization policy during cluster creation
You can enable the Binary Authorization policy enforcement with either gkectl
or gcloud CLI.
gkectl
To enable Binary Authorization when you create a cluster with gkectl:
Before you create your cluster, add
binaryAuthorization.evaluationModeto the user cluster configuration file as shown in the following example:... binaryAuthorization: evaluationMode: "project_singleton_policy_enforce" ...Allowed values for
evaluationModeare:project_singleton_policy_enforce: enforce the rules specified in the Binary Authorization policy, also known as a project-singleton policy, on your Google Cloud project to govern the deployment of container images on your cluster.disabled: disable the use of Binary Authorization for your cluster. This is the default value. If you omitbinaryAuthorization, the feature is disabled.
Make any other changes needed in the cluster configuration file and then run the
gkectl create clustercommand.
For more information about creating clusters, see Google Distributed Cloud installation overview.
Enable or disable the Binary Authorization policy for an existing cluster
If you have an existing version 1.28 or higher cluster, you can enable or
disable Binary Authorization at any time, using gkectl or
gcloud CLI.
gkectl
To enable:
Edit the cluster configuration file to add the
binaryAuthorizationfields:... binaryAuthorization: evaluationMode: "project_singleton_policy_enforce"Update the cluster:
gkectl update cluster \ --kubeconfig ADMIN_CLUSTER_KUBECONFIG \ --config USER_CLUSTER_CONFIG_FILE \ --force
Replace the following:
ADMIN_CLUSTER_KUBECONFIG: the path of the admin cluster kubeconfig fileUSER_CLUSTER_CONFIG_FILE: the path of your user cluster configuration file.
Wait for the Deployment named
binauthz-module-deploymentin thebinauthz-systemnamespace to become ready.When the deployment is ready, Binary Authorization enforces the rules specified in the Binary Authorization policy, also known as a project-singleton policy. This policy is associated with your Google Cloud project and specifies rules to govern the deployment of container images. For more information about using
gkectlto update a cluster, see Update clusters. For more information about Binary Authorization policies and rules, see Binary Authorization overview.
To disable:
Edit the cluster configuration file and either remove the
binaryAuthorizationsection or by setevaluationModetodisabled.... binaryAuthorization: evaluationMode: "disabled"Update the cluster:
gkectl update cluster \ --kubeconfig ADMIN_CLUSTER_KUBECONFIG \ --config USER_CLUSTER_CONFIG_FILE \ --force
After you make this change, wait a few minutes until the Deployment named
binauthz-module-deploymentin thebinauthz-systemnamespace is removed.
Troubleshooting
If you don't complete all of the prerequisites, you may see a message like the following indicates there is a problem with the Binary Authorization configuration:
failed to validate Binary Authorization policy (1) Ensure the Binary Authorization API is enabled for your Google Cloud project: gcloud services enable binaryauthorization.googleapis.com --project=PROJECT_ID (2) Ensure an IAM policy binding is in place granting binaryauthorization.policyEvaluator role to the binauthz-system/binauthz-agent Kubernetes service account: gcloud projects add-iam-policy-binding PROJECT_ID \ --member="serviceAccount:PROJECT_ID.svc.id.goog[binauthz-system/binauthz-agent]" \ --role=roles/binaryauthorization.policyEvaluator