GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Ensure Use Of Binary Authorization
More Info:
Binary Authorization helps to protect supply-chain security by only allowing images with verifiable cryptographically signed metadata into the cluster.
Risk Level
Medium
Address
Security, Reliability, Operational Excellence, Performance Efficiency
Compliance Standards
CISGKE
Triage and Remediation
Remediation
To remediate the “Ensure Use Of Binary Authorization” misconfiguration in GCP using the GCP console, you can follow the below steps:
-
Open the Google Cloud Console and navigate to the “Binary Authorization” page.
-
Click the “Create Policy” button to create a new policy.
-
In the “Create Policy” dialog box, enter a name for the policy and select the “Enforce for all images” option.
-
In the “Policy” section, click the “Add Rule” button to add a new rule.
-
In the “Add Rule” dialog box, select the “Require Attestation” option and choose the attestation provider you want to use.
-
Click the “Save” button to save the rule.
-
Repeat steps 4-6 to add additional rules as needed.
-
Click the “Create” button to create the policy.
-
Once the policy is created, you can assign it to a cluster or node pool by navigating to the “Cluster” or “Node Pools” page and clicking the “Edit” button for the cluster or node pool you want to assign the policy to.
-
In the “Security” section, select the policy you just created from the “Binary Authorization Policy” dropdown menu.
-
Click the “Save” button to save the changes.
By following these steps, you will be able to remediate the “Ensure Use Of Binary Authorization” misconfiguration in GCP using the GCP console.
To remediate the “Ensure Use of Binary Authorization” misconfiguration on GCP using GCP CLI, follow these steps:
-
Open the Cloud Shell in the GCP console.
-
Run the following command to enable the Binary Authorization API:
gcloud services enable binaryauthorization.googleapis.com
- Create a policy that requires all container images to be signed. You can do this by creating a policy file in YAML format with the following content:
globalPolicyEvaluationMode: REQUIRE_ATTESTATION
defaultAdmissionRule:
enforcementMode: ALWAYS_DENY
evaluationMode: REQUIRE_ATTESTATION
-
Save the policy file to your local machine.
-
Upload the policy file to the Binary Authorization policy library using the following command:
gcloud beta container binauthz policy import <PATH_TO_POLICY_FILE> --project <PROJECT_ID>
Replace <PATH_TO_POLICY_FILE> with the path to the policy file on your local machine, and <PROJECT_ID> with the ID of your GCP project.
- Configure your Kubernetes cluster to use Binary Authorization by adding the following annotation to the pod spec in your deployment YAML file:
annotations:
container.binauthz.io/enabled: "true"
- Apply the updated deployment YAML file to your Kubernetes cluster using the following command:
kubectl apply -f <PATH_TO_DEPLOYMENT_YAML_FILE>
Replace <PATH_TO_DEPLOYMENT_YAML_FILE> with the path to the updated deployment YAML file on your local machine.
- Verify that Binary Authorization is enabled by running the following command:
gcloud beta container binauthz policy export --project <PROJECT_ID>
This command should return the policy file that you uploaded in step 5.
By following these steps, you have remediated the “Ensure Use of Binary Authorization” misconfiguration on GCP using GCP CLI.
To remediate the “Ensure Use of Binary Authorization” misconfiguration in GCP, you can use the following Python code:
- First, you need to enable the Binary Authorization API in your GCP project. You can do this by running the following command:
from google.cloud import services
services.enable('binaryauthorization.googleapis.com')
- Next, you need to create a policy that enforces the use of binary authorization for all container images. You can do this by running the following code:
from google.cloud import binaryauthorization_v1beta1 as binaryauthorization
# Create a policy that requires binary authorization for all container images
policy_client = binaryauthorization.PolicyServiceClient()
policy = policy_client.create_policy(
parent='projects/PROJECT_ID',
policy={
'name': 'projects/PROJECT_ID/policy',
'globalPolicyEvaluationMode': binaryauthorization.enums.GlobalPolicyEvaluationMode.GLOBAL_POLICY_EVALUATION_MODE_ENABLED,
'admissionWhitelistPatterns': [
{
'namePattern': '*',
'versionPattern': '*'
}
],
'defaultAdmissionRule': {
'evaluationMode': binaryauthorization.enums.AdmissionRule.EvaluationMode.REQUIRE_ATTESTATION,
'requireAttestationsBy': [
{
'humanReadableName': 'Google-signed Attestation',
'contentType': binaryauthorization.enums.AttestationAuthority.AttestationContentType.ATTESTATION_CONTENT_TYPE_GOOGLE_BINARY_AUTHORITY_V1_BLOB,
'pgpKeyId': ''
}
]
}
}
)
Note that you will need to replace PROJECT_ID with your actual GCP project ID.
- Finally, you need to configure your Kubernetes Engine cluster to use binary authorization. You can do this by adding the following annotation to your Kubernetes deployment YAML file:
apiVersion: apps/v1
kind: Deployment
metadata:
name: my-deployment
annotations:
container.apparmor.security.beta.kubernetes.io/my-container: runtime/default
beta.cloud.google.com/binary-authorization: '{"name":"projects/PROJECT_ID/policy"}'
spec:
replicas: 3
selector:
matchLabels:
app: my-app
template:
metadata:
labels:
app: my-app
spec:
containers:
- name: my-container
image: gcr.io/my-project/my-image:latest
Again, you will need to replace PROJECT_ID with your actual GCP project ID.
Once you have completed these steps, your GCP project will be configured to enforce the use of binary authorization for all container images.