lacework-global-803

Ensure use of Binary Authorization (Automated)

Description

Binary Authorization helps protect the software supply chain by admitting into the cluster only images whose metadata carries verifiable cryptographic signatures.

Remediation

Using Google Cloud Console:

  1. Go to Binary Authorization by visiting: https://console.cloud.google.com/security/binary-authorization.
  2. Enable the Binary Authorization API (if disabled).
  3. Create an appropriate policy for use with the cluster. See https://cloud.google.com/binary-authorization/docs/policy-yaml-reference for guidance.
  4. Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
  5. Select the cluster with Binary Authorization disabled.
  6. Under the details pane, within the Security section, click the pencil icon named Edit Binary Authorization.
  7. Check the box next to Enable Binary Authorization.
  8. Choose whether to Audit, Enforce or both Audit and Enforce the policy and provide a directory for the policy.
  9. Click Save Changes.

Using Command Line:

Update the cluster to enable Binary Authorization:

gcloud container clusters update <cluster_name> --zone <compute_zone> --binauthz-evaluation-mode=<evaluation_mode>

See https://cloud.google.com/sdk/gcloud/reference/container/clusters/update#--binauthz-evaluation-mode for details on the available evaluation modes.

Create a Binary Authorization policy; see the Binary Authorization Policy Reference at https://cloud.google.com/binary-authorization/docs/policy-yaml-reference for guidance.

Import the policy file into Binary Authorization:

gcloud container binauthz policy import <yaml_policy>
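The following is an added example, not Lacework's or Google's code, of the check this policy automates: a Python audit over constructed gcloud JSON output that flags clusters without Binary Authorization and also warns when the project policy's default admission rule would still admit unsigned images once evaluation is enabled (the project default policy is ALWAYS_ALLOW, so enabling the cluster setting alone blocks nothing). The field names are assumed from the GKE Cluster and Binary Authorization Policy APIs.

```python
import json

# Constructed sample of `gcloud container clusters list --format=json`, trimmed to
# the fields this check needs. Assumption: binaryAuthorization carries either the
# legacy `enabled` boolean or the newer `evaluationMode` enum, as in the GKE API.
SAMPLE_CLUSTERS = json.loads("""[
  {"name": "prod-a", "location": "us-central1",
   "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"}},
  {"name": "prod-b", "location": "us-central1",
   "binaryAuthorization": {"evaluationMode": "DISABLED"}},
  {"name": "legacy", "location": "europe-west1", "binaryAuthorization": {"enabled": true}},
  {"name": "dev", "location": "europe-west1"}
]""")

# Constructed sample of `gcloud container binauthz policy export --format=json`,
# mirroring the project default policy, whose default rule is ALWAYS_ALLOW.
SAMPLE_POLICY = json.loads("""{
  "globalPolicyEvaluationMode": "ENABLE",
  "defaultAdmissionRule": {"evaluationMode": "ALWAYS_ALLOW",
                           "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"}
}""")

def binauthz_enabled(cluster):
    """True when the cluster evaluates admission requests against a policy."""
    ba = cluster.get("binaryAuthorization") or {}
    if "evaluationMode" in ba:
        return ba["evaluationMode"] != "DISABLED"
    return bool(ba.get("enabled", False))

def noncompliant_clusters(clusters):
    """Names of clusters that would fail this check."""
    return [c["name"] for c in clusters if not binauthz_enabled(c)]

def policy_findings(policy):
    """Reasons the policy would still admit unsigned images with evaluation enabled."""
    rule = policy.get("defaultAdmissionRule", {})
    findings = []
    if rule.get("evaluationMode", "ALWAYS_ALLOW") == "ALWAYS_ALLOW":
        findings.append("defaultAdmissionRule is ALWAYS_ALLOW: unsigned images are admitted")
    if rule.get("enforcementMode") == "DRYRUN_AUDIT_LOG_ONLY":
        findings.append("defaultAdmissionRule is dry-run only: violations are logged, not blocked")
    if rule.get("evaluationMode") == "REQUIRE_ATTESTATION" and not rule.get("requireAttestationsBy"):
        findings.append("REQUIRE_ATTESTATION lists no attestor")
    return findings

if __name__ == "__main__":
    print(noncompliant_clusters(SAMPLE_CLUSTERS), policy_findings(SAMPLE_POLICY))
```

Replace the two constructed samples with the real `clusters list` and `policy export` JSON to run it against a project.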

References

https://cloud.google.com/binary-authorization/docs/setting-up
https://cloud.google.com/sdk/gcloud/reference/container/clusters/update#--binauthz-evaluation-mode