Triage and Remediation
Remediation
Using Console
To remediate the “Ensure Use Of Binary Authorization” misconfiguration in GCP using the GCP console, follow these steps:
- Open the Google Cloud Console and navigate to the “Binary Authorization” page.
- Click the “Create Policy” button to create a new policy.
- In the “Create Policy” dialog box, enter a name for the policy and select the “Enforce for all images” option.
- In the “Policy” section, click the “Add Rule” button to add a new rule.
- In the “Add Rule” dialog box, select the “Require Attestation” option and choose the attestation provider you want to use.
- Click the “Save” button to save the rule.
- Repeat steps 4-6 to add additional rules as needed.
- Click the “Create” button to create the policy.
- Once the policy is created, you can assign it to a cluster or node pool by navigating to the “Cluster” or “Node Pools” page and clicking the “Edit” button for the cluster or node pool you want to assign the policy to.
- In the “Security” section, select the policy you just created from the “Binary Authorization Policy” dropdown menu.
- Click the “Save” button to save the changes.
Using CLI
To remediate the “Ensure Use of Binary Authorization” misconfiguration on GCP using the GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP console.
- Run the following command to enable the Binary Authorization API:
- Create a policy that requires all container images to be signed. You can do this by creating a policy file in YAML format with the following content:
- Save the policy file to your local machine.
- Upload the policy file to the Binary Authorization policy library using the following command: Replace <PATH_TO_POLICY_FILE> with the path to the policy file on your local machine, and <PROJECT_ID> with the ID of your GCP project.
- Configure your Kubernetes cluster to use Binary Authorization by adding the following annotation to the pod spec in your deployment YAML file:
- Apply the updated deployment YAML file to your Kubernetes cluster using the following command: Replace <PATH_TO_DEPLOYMENT_YAML_FILE> with the path to the updated deployment YAML file on your local machine.
- Verify that Binary Authorization is enabled by running the following command: This command should return the policy file that you uploaded in step 5.
By following these steps, you have remediated the “Ensure Use of Binary Authorization” misconfiguration on GCP using the GCP CLI.
Using Python
To remediate the “Ensure Use of Binary Authorization” misconfiguration in GCP, you can use the following Python code:
- First, enable the Binary Authorization API in your GCP project. You can do this by running the following command:
- Next, create a policy that enforces the use of binary authorization for all container images. You can do this by running the following code: Note that you will need to replace PROJECT_ID with your actual GCP project ID.
- Finally, configure your Kubernetes Engine cluster to use binary authorization. You can do this by adding the following annotation to your Kubernetes deployment YAML file: Again, you will need to replace PROJECT_ID with your actual GCP project ID.
Once you have completed these steps, your GCP project will be configured to enforce the use of binary authorization for all container images.
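As an added example (not code from this guide or from Google), the script below audits a Binary Authorization policy in the JSON shape of the v1 Policy resource (defaultAdmissionRule, clusterAdmissionRules, admissionWhitelistPatterns) and derives the hardened default rule that the CLI and Python sections above ask you to create: it flags the ALWAYS_ALLOW default, a dry-run enforcement mode and a catch-all whitelist pattern. The sample policy and the attestor name projects/PROJECT_ID/attestors/ATTESTOR_NAME are constructed placeholders, not values from a real project.

```python
import copy

# Constructed sample in the shape of the Binary Authorization v1 Policy
# resource: the default policy (every image allowed) plus a catch-all
# whitelist pattern. Not exported from a real project.
WEAK_POLICY = {
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/google_containers/*"},
        {"namePattern": "**"},
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "ALWAYS_ALLOW",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
}
CATCH_ALL = {"*", "**"}  # name patterns that match every image


def audit_policy(policy):
    """Return why this policy fails 'Ensure Use Of Binary Authorization' ([] = passes)."""
    findings = []
    rules = {"defaultAdmissionRule": policy.get("defaultAdmissionRule", {})}
    rules.update(policy.get("clusterAdmissionRules", {}))  # per-cluster overrides
    for name, rule in rules.items():
        mode = rule.get("evaluationMode")
        if mode != "REQUIRE_ATTESTATION":
            findings.append(f"{name}: evaluationMode is {mode}, not REQUIRE_ATTESTATION")
        elif not rule.get("requireAttestationsBy"):
            findings.append(f"{name}: REQUIRE_ATTESTATION but no attestor listed")
        if rule.get("enforcementMode") != "ENFORCED_BLOCK_AND_AUDIT_LOG":
            findings.append(f"{name}: enforcementMode does not block unsigned images")
    for pat in policy.get("admissionWhitelistPatterns", []):
        if pat.get("namePattern") in CATCH_ALL:
            findings.append(f"whitelist pattern {pat['namePattern']!r} exempts every image")
    return findings


def harden_policy(policy, attestor):
    """Copy of `policy` whose default rule blocks images `attestor` has not signed."""
    hardened = copy.deepcopy(policy)
    hardened["defaultAdmissionRule"] = {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": [attestor],  # placeholder attestor resource name
    }
    hardened["admissionWhitelistPatterns"] = [
        p for p in policy.get("admissionWhitelistPatterns", [])
        if p.get("namePattern") not in CATCH_ALL
    ]
    return hardened
```

Run audit_policy over the policy you exported from your project before and after importing the hardened version; an empty result means the default rule requires an attestation and nothing is exempted wholesale.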