Ensure only selected container registries are allowed through Google Binary Authorization Policy

MEDIUM

Description

Binary Authorization is a deploy-time admission control for container platforms in Google Cloud (GKE and Cloud Run among them). Its policy decides which container images a cluster or service may run: by default every image is checked against the configured admission rules (for example, requiring a signed attestation), and only images whose names match an exempt pattern in the policy bypass those rules. Restricting the exempt patterns to the registries and repositories you control, rather than leaving the policy open, reduces the risk of deploying unauthorized, vulnerable or malicious software. To learn more, see the GCP documentation.
References:
https://cloud.google.com/binary-authorization/docs/overview

Remediation

In GCP Console -

  1. Open the Google Cloud console and go to Binary Authorization.
  2. Click Edit policy.
  3. Under Images exempt from this policy, enter the registry or repository patterns that should be admitted without evaluation (for example a path under your own Artifact Registry or Container Registry project); do not add broad patterns such as a bare wildcard or a public registry, since exempt images skip every attestation check.
  4. Click Save Policy.

In Terraform -

  1. In the resource google_binary_authorization_policy, ensure that each admission_whitelist_patterns block sets name_pattern to one of the registries or image paths to exempt, and that no pattern is broader than the registries you actually control. Images that do not match any pattern are evaluated by default_admission_rule (and any cluster_admission_rules), so that rule, not the exemption list, is what blocks images from unapproved registries.
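
The following Terraform configuration is an added illustration of the remediation above; it is not from the original page or from Google. The project ID, registry paths and resource name are assumptions. It shows the open form of the policy (commented out, since a project has a single policy) next to a version that exempts only the organisation's own registries and denies everything else:

```hcl
# Added example (not from the page): a Binary Authorization policy that admits
# only images from approved registries. "my-project" and the registry paths are
# placeholders.

# OPEN (what the check flags): no exempt patterns and a default rule of
# ALWAYS_ALLOW, so an image from any registry is admitted without evaluation.
#
# resource "google_binary_authorization_policy" "open" {
#   project = "my-project"
#   default_admission_rule {
#     evaluation_mode  = "ALWAYS_ALLOW"
#     enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
#   }
# }

# RESTRICTED: only images under the listed paths bypass evaluation; everything
# else falls through to default_admission_rule and is denied.
resource "google_binary_authorization_policy" "policy" {
  project     = "my-project" # assumed project id
  description = "Admit only images from approved registries"

  # Let Google-maintained GKE system images (gke.gcr.io and similar) through so
  # cluster add-ons keep working without listing them as exemptions here.
  global_policy_evaluation_mode = "ENABLE"

  # Exempt patterns: keep these as narrow as possible. A pattern such as "*" or
  # a public registry would let unverified images skip every attestation check.
  admission_whitelist_patterns {
    name_pattern = "us-docker.pkg.dev/my-project/prod-images/*" # assumed Artifact Registry repo
  }
  admission_whitelist_patterns {
    name_pattern = "gcr.io/my-project/*" # assumed Container Registry path
  }

  # Any image not matched above is blocked and the decision is written to the
  # audit log.
  default_admission_rule {
    evaluation_mode  = "ALWAYS_DENY"
    enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
  }
}
```

When rolling this out on a running cluster, set enforcement_mode to "DRYRUN_AUDIT_LOG_ONLY" first and review the Binary Authorization audit log entries for images that would have been denied; once every legitimate image is covered by an exempt pattern or an attestation rule, switch to "ENFORCED_BLOCK_AND_AUDIT_LOG". If workloads need images that must be verified rather than exempted, use evaluation_mode "REQUIRE_ATTESTATION" with require_attestations_by in place of ALWAYS_DENY.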

References:
https://cloud.google.com/binary-authorization/docs/key-concepts#exempt_images
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/binary_authorization_policy#evaluation_mode

Policy Details

Rule Reference ID: AC_GCP_0288
CSP: GCP
Remediation Available: Yes
Resource Category: Compute

Frameworks