lacework-global-792

Minimize Container Registries to only those approved (Automated)

Description

Use Binary Authorization to allowlist only approved container registries, so that the cluster admits only images whose names match the approved registry paths.

Remediation

Using Google Cloud Console:

  1. Go to Binary Authorization by visiting: https://console.cloud.google.com/security/binary-authorization.
  2. Enable the Binary Authorization API (if it is disabled).
  3. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  4. Select Kubernetes cluster with Binary Authorization disabled.
  5. Within the Details pane, under the Security heading, click the pencil icon called Edit binary authorization.
  6. Select Enable Binary Authorization.
  7. Click Save Changes.
  8. Return to Binary Authorization by visiting: https://console.cloud.google.com/security/binary-authorization.
  9. Set an appropriate policy for the cluster and enter the approved container registries under Image paths. Images from any other registry are then subject to the policy's default rule.

Using Command Line:

Update the cluster to enable Binary Authorization (the command is `clusters`, plural; pass `--zone` or `--region` for the cluster's location):

gcloud container clusters update <cluster_name> --enable-binauthz

Create a Binary Authorization policy file that lists the approved registries under admissionWhitelistPatterns; see the Binary Authorization Policy Reference for the YAML schema: https://cloud.google.com/binary-authorization/docs/policy-yaml-reference

Import the policy file into Binary Authorization (the import replaces the project's current policy):

gcloud container binauthz policy import <yaml_policy>
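The following script ties the command-line steps together: it renders a policy YAML whose only admission path is the allowlisted registry patterns, imports it, enables Binary Authorization on the cluster, and reads both settings back so the change can be checked. It is an added example, not part of this page or of Google's own tooling; the project, cluster, location and registry patterns are placeholders, and the `render` subcommand is a convenience of this script rather than a gcloud feature.

```shell
#!/bin/sh
# Build and apply a Binary Authorization policy that admits images only from
# approved registries. Added example: project/cluster/registry names are
# placeholders, and "render" / "apply" are this script's own subcommands.
set -eu

# render_policy PROJECT PATTERN...  -> prints the policy YAML to stdout.
# Pattern syntax: "*" matches within one path component, "**" also crosses "/".
render_policy() {
  project=$1; shift
  cat <<EOF
# Also apply Google's global policy (rejects known-bad system images).
globalPolicyEvaluationMode: ENABLE
# Images whose name matches a pattern below are admitted without attestation.
admissionWhitelistPatterns:
EOF
  for pat in "$@"; do
    printf '%s\n' "- namePattern: $pat"
  done
  cat <<EOF
# Everything else is denied and the denial is written to the audit log.
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/${project}/policy
EOF
}

# apply_policy PROJECT CLUSTER LOCATION PATTERN...
# Imports the rendered policy, turns Binary Authorization on for the cluster,
# then exports the policy and describes the cluster as a verification step.
apply_policy() {
  project=$1 cluster=$2 location=$3; shift 3
  render_policy "$project" "$@" > policy.yaml
  gcloud container binauthz policy import policy.yaml --project "$project"
  gcloud container clusters update "$cluster" --location "$location" \
    --enable-binauthz --project "$project"
  # Check: the stored policy should list exactly the patterns we rendered ...
  gcloud container binauthz policy export --project "$project"
  # ... and the cluster should report Binary Authorization as enabled.
  gcloud container clusters describe "$cluster" --location "$location" \
    --project "$project" --format='yaml(binaryAuthorization)'
}

# Usage:
#   ./binauthz-allowlist.sh render my-project 'us-docker.pkg.dev/my-project/approved/**'
#   ./binauthz-allowlist.sh apply my-project prod-cluster us-central1 \
#       'us-docker.pkg.dev/my-project/approved/**'
if [ "$#" -gt 0 ]; then
  mode=$1; shift
  case "$mode" in
    render) render_policy "$@" ;;
    apply)  apply_policy "$@" ;;
    *) echo "usage: $0 render PROJECT PATTERN... | apply PROJECT CLUSTER LOCATION PATTERN..." >&2
       exit 2 ;;
  esac
fi
```

Two caveats worth keeping in mind. The allowlist matches on image name, not on digest, so anyone who can push to an approved repository can get an image admitted; keep the patterns as narrow as the deployment allows (a specific repository rather than a whole registry host) and lock down write access to those repositories. And `--enable-binauthz` is the older spelling of the cluster flag; current gcloud releases expose the same setting as `--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE`, which is what the describe output reports.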

References

https://cloud.google.com/binary-authorization/docs/policy-yaml-reference
https://cloud.google.com/binary-authorization/docs/setting-up