Information
Use Binary Authorization to allowlist (whitelist) only approved container registries.
Rationale:
Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Allowlisting only approved container registries reduces this risk.
See also Recommendation 6.10.5.
Impact:
All container images to be deployed to the cluster must be hosted within an approved container image registry. If public registries are not on the allowlist, a process for bringing commonly used container images into an approved private registry and keeping them up to date will be required.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Using Google Cloud Console:
Go to Binary Authorization by visiting https://console.cloud.google.com/security/binary-authorization
Enable Binary Authorization API (if disabled)
Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
Select Kubernetes cluster for which Binary Authorization is disabled
Click EDIT
Set Binary Authorization to 'Enabled'
Click SAVE
Return to the Binary Authorization by visiting https://console.cloud.google.com/security/binary-authorization
Set an appropriate policy for your cluster and enter the approved container registries under 'Image paths'.
Using Command Line:
Update the cluster to enable Binary Authorization
gcloud container cluster update [CLUSTER_NAME] \
--enable-binauthz
Create a Binary Authorization Policy using the Binary Authorization Policy Reference (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance.
Import the policy file into Binary Authorization:
gcloud container binauthz policy import [YAML_POLICY]
Default Value:
By default, Binary Authorization is disabled along with container registry allowlisting.