lacework-global-792
Minimize Container Registries to only those approved (Automated)
Description
Use Binary Authorization to allowlist (whitelist) only approved container registries.
Remediation
Using Google Cloud Console:
- Go to Binary Authorization by visiting: https://console.cloud.google.com/security/binary-authorization.
- Enable Binary Authorization API (if disabled).
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Select the Kubernetes cluster that has Binary Authorization disabled.
- Within the Details pane, under the Security heading, click the pencil icon called Edit binary authorization.
- Select Enable Binary Authorization.
- Click Save Changes.
- Return to Binary Authorization by visiting: https://console.cloud.google.com/security/binary-authorization.
- Set an appropriate policy for the cluster and enter the approved container registries under Image paths.
Using Command Line:
Update the cluster to enable Binary Authorization:
gcloud container clusters update <cluster_name> --enable-binauthz
Create a Binary Authorization policy file, using the Binary Authorization Policy Reference (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance.
Import the policy file into Binary Authorization:
gcloud container binauthz policy import <yaml_policy>
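The following is an added example of the policy file that the import step above expects; it is not part of the Lacework control or Google's documentation. PROJECT_ID, approved-repo, us-central1-a and prod-cluster are placeholders; the field names and enum values come from the policy YAML reference linked below.

```yaml
# Added example Binary Authorization policy (not from this page or Google):
# admit only images from approved registries, deny and log everything else.
# PROJECT_ID, approved-repo, us-central1-a and prod-cluster are placeholders.
name: projects/PROJECT_ID/policy

# Let Google-maintained system images (e.g. GKE's own components) through;
# with a deny-by-default rule and this set to DISABLE they would be blocked.
globalPolicyEvaluationMode: ENABLE

# Approved registries. An image whose path matches a pattern is admitted
# without further evaluation, so keep patterns narrow: '*' matches within a
# single path component, '**' also matches nested paths. A broad pattern that
# spans every project in a registry would defeat the purpose of this control.
admissionWhitelistPatterns:
- namePattern: us-docker.pkg.dev/PROJECT_ID/approved-repo/**
- namePattern: gcr.io/PROJECT_ID/*

# Anything not matched above is rejected and written to the audit log.
# A defaultAdmissionRule of ALWAYS_ALLOW is the weak setting this control
# flags: the registry allowlist then restricts nothing.
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

# Optional per-cluster override, keyed as <location>.<cluster name>. Starting
# a cluster in DRYRUN_AUDIT_LOG_ONLY shows what would be blocked in the audit
# log before switching it to ENFORCED_BLOCK_AND_AUDIT_LOG.
clusterAdmissionRules:
  us-central1-a.prod-cluster:
    evaluationMode: ALWAYS_DENY
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
```

Save this as the <yaml_policy> file passed to `gcloud container binauthz policy import`; the current project policy can be exported for comparison with `gcloud container binauthz policy export`.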
References
https://cloud.google.com/binary-authorization/docs/policy-yaml-reference
https://cloud.google.com/binary-authorization/docs/setting-up