5.10.5 Ensure use of Binary Authorization

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Binary Authorization helps to protect supply-chain security by only allowing images with verifiable cryptographically signed metadata into the cluster.

Rationale:

Binary Authorization provides software supply-chain security for images that you deploy to GKE from Google Container Registry (GCR) or another container image registry.

Binary Authorization requires images to be signed by trusted authorities during the development process. These signatures are then validated at deployment time. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.

Impact:

Care must be taken when defining policy in order to prevent inadvertent denial of container image deployments. Depending on policy, attestations for existing container images running within the cluster may need to be created before those images are redeployed or pulled as part of the pod churn.

To prevent key system images from being denied deployment, consider the use of global policy evaluation mode, which uses a global policy provided by Google and exempts a list of Google-provided system images from further policy evaluation.

Solution

Using Google Cloud Console

Go to Binary Authorization by visiting https://console.cloud.google.com/security/binary-authorization

Enable the Binary Authorization API (if disabled)

Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list

Select the Kubernetes cluster for which Binary Authorization is disabled

Click EDIT

Set 'Binary Authorization' to 'Enabled'

Click SAVE

Return to Binary Authorization at https://console.cloud.google.com/security/binary-authorization

Set an appropriate policy for your cluster.

Using Command Line
Update the cluster to enable Binary Authorization:

gcloud container clusters update [CLUSTER_NAME] \
    --zone [COMPUTE-ZONE] \
    --enable-binauthz

Create a Binary Authorization Policy using the Binary Authorization Policy Reference (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance.
Import the policy file into Binary Authorization:

gcloud container binauthz policy import [YAML_POLICY]
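An example policy file of the kind the import step expects, added here and not part of the benchmark text or of Google's documentation: PROJECT_ID, ATTESTOR_NAME, the cluster name my-cluster, the zone us-central1-a and the whitelisted image path are placeholders. It shows the hardened rule next to the permissive default that this recommendation replaces, and uses the global policy evaluation mode referred to in the Impact section.

```yaml
# Binary Authorization policy (placeholders: PROJECT_ID, ATTESTOR_NAME,
# cluster my-cluster in zone us-central1-a). Import with:
#   gcloud container binauthz policy import policy.yaml
name: projects/PROJECT_ID/policy

# Let Google's global policy exempt the system images GKE itself needs,
# which addresses the Impact concern above. DISABLE would subject those
# images to the rules below and can break cluster components.
globalPolicyEvaluationMode: ENABLE

# Project-local exemptions. Keep this list short and specific; a pattern
# such as gcr.io/* would silently turn the policy back into "allow all".
admissionWhitelistPatterns:
- namePattern: gcr.io/PROJECT_ID/build-tools/*

# Rule applied to any cluster without its own entry. The default policy
# created when the API is enabled has evaluationMode: ALWAYS_ALLOW here,
# which is the weak setting this recommendation is about.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/ATTESTOR_NAME

# Per-cluster rules are keyed as <location>.<cluster name>. Starting a
# cluster in DRYRUN_AUDIT_LOG_ONLY logs would-be denials without blocking,
# which is how to find running images that still need attestations before
# switching the cluster to ENFORCED_BLOCK_AND_AUDIT_LOG.
clusterAdmissionRules:
  us-central1-a.my-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/ATTESTOR_NAME
```

Denials and dry-run findings appear in Cloud Audit Logs for the cluster, so review those before moving a cluster rule out of dry-run mode.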

Default Value:

By default, Binary Authorization is disabled.

See Also

https://workbench.cisecurity.org/files/4135