
Binary Authorization for containers in GCP - Commands & Configuration

Introduction
Binary Authorization helps ensure only trusted container images run on your Google Kubernetes Engine clusters. It blocks unapproved images, protecting your apps from harmful changes.
When you want to prevent unverified container images from running in your production environment.
When you need to enforce security policies on container deployments automatically.
When multiple teams deploy containers and you want to ensure only approved images are used.
When you want to audit and track which container images are allowed to run.
When you want to integrate image signing into your build and deployment process.
Config File - policy.yaml
policy.yaml
# Binary Authorization policy resource in the form that
# `gcloud container binauthz policy import` expects (no apiVersion/kind/metadata wrapper).
name: projects/my-project/policy
admissionWhitelistPatterns:
# Images matching a pattern are admitted with no attestation check, so keep patterns narrow.
- namePattern: "gcr.io/my-project/trusted-image:*"
clusterAdmissionRules:
  # Keys are LOCATION.CLUSTER_NAME; the cluster name here is a placeholder.
  us-central1-a.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/my-project/attestors/my-attestor
# Applies to every cluster without a cluster-specific rule above.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/my-project/attestors/my-attestor

This policy file defines which container images are allowed to run.

admissionWhitelistPatterns lets images matching a pattern run without any attestation check.

clusterAdmissionRules requires an attestation (a signature from the named attestor) for every other image on the listed clusters.

defaultAdmissionRule applies to all remaining clusters and blocks images that do not meet the rule, logging each rejection.

Commands
This command uploads and applies the Binary Authorization policy to your Google Cloud project to enforce image verification.
Terminal
gcloud container binauthz policy import policy.yaml --project=my-project
Expected Output
Policy imported successfully.
policy.yaml - The local policy file to import (a positional argument, not a flag).
--project - Specifies the Google Cloud project to apply the policy to.
Creates an attestor resource that will verify container image signatures as part of the policy enforcement.
Terminal
gcloud container binauthz attestors create my-attestor --project=my-project --attestation-authority-note=my-note --attestation-authority-note-project=my-project
Expected Output
Created attestor [my-attestor].
--attestation-authority-note - Links the attestor to a note that defines trusted signers.
--attestation-authority-note-project - Specifies the project where the note is stored.
Attempts to deploy a pod using a trusted, signed container image to verify the policy allows it.
Terminal
kubectl run test-pod --image=gcr.io/my-project/trusted-image:v1
Expected Output
pod/test-pod created
Checks the status of pods to confirm the trusted image pod is running successfully.
Terminal
kubectl get pods
Expected Output
NAME       READY   STATUS    RESTARTS   AGE
test-pod   1/1     Running   0          10s
Key Concept

If you remember nothing else from this pattern, remember: Binary Authorization blocks untrusted container images by requiring verified signatures before deployment.

Common Mistakes
Not creating or linking an attestor before applying the policy.
Without an attestor, the policy cannot verify image signatures, causing all deployments to be blocked.
Always create an attestor and link it properly in the policy before enforcing Binary Authorization.
Using unsigned or unapproved container images in deployments.
Binary Authorization will block these images, preventing pods from starting.
Sign container images with a trusted key and ensure they are approved in the policy.
Not importing the updated policy after changes.
Changes to the policy file won't take effect until imported, so enforcement won't match expectations.
Run the policy import command every time you update the policy.yaml file.
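The signing step the page leaves to the build pipeline, as an added example that is not part of the original page: a script that pins the image to its digest and creates an attestation with the attestor from the commands above. The Cloud KMS key ring and key names are assumed placeholders; attestations are always created against a digest, never a mutable tag, so the script refuses tag-only references.

```shell
#!/usr/bin/env bash
# Added example (not from the page): create an attestation so the policy above admits the image.
set -eu

PROJECT="my-project"
ATTESTOR="my-attestor"
# Assumed placeholder: an asymmetric signing key version in Cloud KMS.
KEYVERSION="projects/${PROJECT}/locations/global/keyRings/binauthz-ring/cryptoKeys/binauthz-signer/cryptoKeyVersions/1"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the gcloud command instead of running it

run() {                    # execute or echo a command, depending on DRY_RUN
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Build IMAGE@sha256:DIGEST from a repo/tag reference and a resolved digest.
# A tag can be re-pointed at another image after signing, so the attestation
# must be bound to the immutable digest; anything else is rejected.
digest_ref() {
  image="$1"; digest="$2"
  printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || {
    echo "refusing to attest '$image': '$digest' is not a sha256 digest" >&2
    return 1
  }
  repo="${image%%@*}"                                   # drop any digest already present
  case "${repo##*/}" in *:*) repo="${repo%:*}" ;; esac  # drop the tag, keep a host:port
  printf '%s@%s\n' "$repo" "$digest"
}

# Resolve the digest a tag currently points at (real gcloud call, not used in DRY_RUN tests).
resolve_digest() {
  gcloud container images describe "$1" --project="$PROJECT" \
    --format='value(image_summary.digest)'
}

# Sign the digest-pinned reference with the KMS key and store the attestation
# under the attestor's note, which is what REQUIRE_ATTESTATION checks at admission.
sign_image() {
  ref=$(digest_ref "$1" "$2") || return 1
  run gcloud container binauthz attestations sign-and-create \
    --project="$PROJECT" --artifact-url="$ref" \
    --attestor="$ATTESTOR" --attestor-project="$PROJECT" \
    --keyversion="$KEYVERSION"
}

# Usage: IMAGE=gcr.io/my-project/trusted-image:v1 ./sign.sh
if [ -n "${IMAGE:-}" ]; then sign_image "$IMAGE" "$(resolve_digest "$IMAGE")"; fi
```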
Summary
Create a Binary Authorization policy file to define trusted images and enforcement rules.
Import the policy into your Google Cloud project using gcloud commands.
Create an attestor to verify image signatures linked to the policy.
Deploy pods with signed images and verify they run successfully under the policy.