lacework-global-803
Ensure use of Binary Authorization (Automated)
Description
Binary Authorization helps to protect supply chain security by only allowing images with verifiable cryptographically signed metadata into the cluster.
Remediation
Using Google Cloud Console:
- Go to Binary Authorization by visiting: https://console.cloud.google.com/security/binary-authorization.
- Enable the
Binary Authorization API
(if disabled). - Create an appropriate policy for use with the cluster. See https://cloud.google.com/binary-authorization/docs/policy-yaml-reference for guidance.
- Go to Kubernetes Engine by visiting: https://console.cloud.google.com/kubernetes/list.
- Select the cluster with Binary Authorization disabled.
- Under the
details
pane, within theSecurity
section, click the pencil icon namedEdit Binary Authorization
. - Check the box next to
Enable Binary Authorization
. - Choose whether to
Audit
,Enforce
or bothAudit and Enforce
the policy and provide a directory for the policy. - Click
Save Changes
.
Using Command Line:
Update the cluster to enable Binary Authorization:
gcloud container cluster update <cluster_name> --zone <compute_zone> --binauthz-evaluation-mode=<evaluation_mode>
See: https://cloud.google.com/sdk/gcloud/reference/container/clusters/update#--binauthz-evaluation-mode for more details around the evaluation modes available.
Create a Binary Authorization Policy using the Binary Authorization Policy Reference: https://cloud.google.com/binary-authorization/docs/policy-yaml-reference for guidance.
Import the policy file into Binary Authorization:
gcloud container binauthz policy import <yaml_policy>
References
https://cloud.google.com/binary-authorization/docs/setting-up
https://cloud.google.com/sdk/gcloud/reference/container/clusters/update#--binauthz-evaluation-mode