A Guide to Implement Binary Authorization on GCP

Introduction

Binary Authorization is a security feature offered by GCP that enables organizations to enforce a strong security policy for their container images. Organizations can ensure that only approved container images are deployed in their production environment with binary authorization.

Binary authorization works by verifying that a trusted authority has signed a container image before it can be deployed. This measure helps ensure that unauthorized or malicious container images are not deployed within a production environment, safeguarding against potential security risks.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

How Binary Authorization Works?

Binary Authorization enforces rules for container image deployment in production environments. Based on the Open Policy Agent (OPA) framework, policy files define the criteria for allowed container images. Images are checked against these policies, including criteria like image name, registry, digest, and signer identity. Uploaded to GCP, the policies are enforced by the Binary Authorization service, either allowing or rejecting image deployments based on policy compliance.

Benefits of Binary Authorization

Binary Authorization offers several benefits for organizations looking to secure their cloud environments. Some of the key benefits include:

Ensuring Container Image Security: Binary Authorization guarantees that only approved and signed container images are deployed, minimizing the risk of using unauthorized or malicious images.
Simplifying Compliance: By enforcing a robust security policy for container images, Binary Authorization helps organizations meet compliance requirements of regulations like HIPAA, PCI-DSS, and GDPR.
Enhancing Visibility: Binary Authorization enhances visibility into container images, enabling organizations to identify potential security risks and take necessary mitigation steps proactively.

Container Analysis

Container Analysis is a key feature of Binary Authorization on the Google Cloud Platform, offering vulnerability scanning and metadata management for container images. It enables policy enforcement on container images before deploying them to production environments. Container Analysis automatically scans for vulnerabilities and generates a report when a container image is pushed to a registry. Metadata, including image details and dependencies, is captured for policy enforcement. Binary Authorization leverages Container Analysis to verify image security compliance, preventing deployments that fail verification. Supported image formats include Docker, OCI, and Google Container Registry, while integration with other security tools enhances overall container application security on the platform.

Step-by-Step Guide

Step 1: To assign a value to the PROJECT_ID variable, run the command within Cloud Shell.

$ export PROJECT_ID = $(gcloud config get-value project)

1	$ export PROJECT_ID = $(gcloud config get-value project)

Step 2: Enable the required API services

$$ gcloud --project=${PROJECT_ID} services enable container.googleapis.com containerregistry.googleapis.com artifactregistry.googleapis.com binaryauthorization.googleapis.com

1	$$ gcloud --project=${PROJECT_ID} services enable container.googleapis.com containerregistry.googleapis.com artifactregistry.googleapis.com binaryauthorization.googleapis.com

step2

Step 3: Setting up a cluster

$$ gcloud container clusters create demo-cluster --machine-type n1-standard-2 --num-nodes 1 --zone us-central1-c

1	$$ gcloud container clusters create demo-cluster --machine-type n1-standard-2 --num-nodes 1 --zone us-central1-c

step3

Step 4: Enable binary authorization for the cluster. Clusters >> Security>>Binary authorization>> Edit

step4

Tick the check box and click on Save changes

step4b

Step 5: Configuring an attestor

To create a container analysis note, prepare a JSON file that includes the required data for the Note. Execute the following command to generate a local JSON file representing your Note.

 $ cat > ./create_note_request.json << EOM

{

  "attestation": {

    "hint": {

      "human_readable_name": "This note acts as an authority for certification"

    }

  }

}

EOM

$ cat > ./create_note_request.json << EOM

{

"attestation": {

"hint": {

"human_readable_name": "This note acts as an authority for certification"

}

EOM

step5

Step 6: Use the Container Analysis API to submit the Note to your project.

$$export NOTE_ID=my-attestor-note
$$curl -vvv -X POST \
    -H "Content-Type: application/json"  \
    -H "Authorization: Bearer $(gcloud auth print-access-token)"  \
    --data-binary @./create_note_request.json  \
    "https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/?noteId=${NOTE_ID}"

$$export NOTE_ID=my-attestor-note

$$curl -vvv -X POST \

-H "Content-Type: application/json" \

-H "Authorization: Bearer $(gcloud auth print-access-token)" \

--data-binary @./create_note_request.json \

"https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/?noteId=${NOTE_ID}"

step6

Step 7: Confirm that the note was successfully saved by retrieving it.

$$curl -vvv  \

    -H "Authorization: Bearer $(gcloud auth print-access-token)" \

    "https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/${NOTE_ID}"

$$curl -vvv \

-H "Authorization: Bearer $(gcloud auth print-access-token)" \

"https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/${NOTE_ID}"

step7

Step 8: To utilize your attestor effectively, it is essential to register the note with Binary Authorization.

$$ export ATTESTOR_ID=anilk

1	$$ export ATTESTOR_ID=anilk

step8

$$ gcloud container binauthz attestors create $ATTESTOR_ID --attestation-authority-note=$NOTE_ID --attestation-authority-note-project=${PROJECT_ID}

1	$$ gcloud container binauthz attestors create $ATTESTOR_ID --attestation-authority-note=$NOTE_ID --attestation-authority-note-project=${PROJECT_ID}

step8b

$$ gcloud container binauthz attestors list

1	$$ gcloud container binauthz attestors list

step8c

Step 9: Incorporating a KMS key

Before utilizing this attestor, your authority must generate a cryptographic key pair via Google Cloud Key Management Service (KMS). This key pair will be utilized for signing container images.

To start, add some environment variables to describe the new key:

$ export KEY_LOCATION=global

$ export KEYRING=binaryauthorization-keys 

$ export KEY_NAME=demo-key 

$ export KEY_VERSION=1

$ export KEY_LOCATION=global

$ export KEYRING=binaryauthorization-keys

$ export KEY_NAME=demo-key

$ export KEY_VERSION=1

step9

Create a keyring to hold a set of keys:

$$gcloud kms keyrings create "${KEYRING}" --location="${KEY_LOCATION}"

1	$$gcloud kms keyrings create "${KEYRING}" --location="${KEY_LOCATION}"

step9b

Create a new asymmetric signing key pair for the attestor:

$$ gcloud kms keys create "${KEY_NAME}"  --keyring="${KEYRING}" --location="${KEY_LOCATION}"  --purpose asymmetric-signing  --default-algorithm="ec-sign-p256-sha256"

1	$$ gcloud kms keys create "${KEY_NAME}" --keyring="${KEYRING}" --location="${KEY_LOCATION}" --purpose asymmetric-signing --default-algorithm="ec-sign-p256-sha256"

step9c

Cloud Console by going to Navigation menu > Security > Key Management > Key Rings > Keys

step9d

Step 10: Establish the association between the key and your authority using the gcloud binauthz command.

$ gcloud beta container binauthz attestors public-keys  add   --attestor="${ATTESTOR_ID}"  --keyversion-project= "${PROJECT_ID}"   --keyversion-location="${KEY_LOCATION}"     --keyversion-keyring="${KEYRING}"     --keyversion-key="${KEY_NAME}"      --keyversion="${KEY_VERSION}"

1	$ gcloud beta container binauthz attestors public-keys add --attestor="${ATTESTOR_ID}" --keyversion-project= "${PROJECT_ID}" --keyversion-location="${KEY_LOCATION}" --keyversion-keyring="${KEYRING}" --keyversion-key="${KEY_NAME}" --keyversion="${KEY_VERSION}"

step10

Step 11: Print the list of authorities again:

$$gcloud beta container binauthz attestors list

1	$$gcloud beta container binauthz attestors list

step11

$$ export CONTAINER_PATH=gcr.io/gke-project-380705/anil@sha256:7f527e12aa7c9333fd5ef978ee916f839d4bda77fadfc57131e8b618e9a9546f

$$ export DIGEST=$(gcloud container images describe ${CONTAINER_PATH} --format='get(image_summary.digest)')

$$ export CONTAINER_PATH=gcr.io/gke-project-380705/anil@sha256:7f527e12aa7c9333fd5ef978ee916f839d4bda77fadfc57131e8b618e9a9546f

$$ export DIGEST=$(gcloud container images describe ${CONTAINER_PATH} --format='get(image_summary.digest)')

step11b

Step 12: Using the gcloud command, you can create your attestation by providing the necessary details, such as the signing key and the specific container image you wish to approve.

$  gcloud alpha container binauthz attestations sign-and-create --artifact-url="${CONTAINER_PATH}" --attestor="${ATTESTOR_ID}" --attestor-project="${PROJECT_ID}"  --keyversion-project="${PROJECT_ID}" --keyversion-location="${KEY_LOCATION}" --keyversion-keyring="${KEYRING}" --keyversion-key="${KEY_NAME}" --keyversion="${KEY_VERSION}"

$ gcloud alpha container binauthz attestations sign-and-create --artifact-url="${CONTAINER_PATH}" --attestor="${ATTESTOR_ID}" --attestor-project="${PROJECT_ID}" --keyversion-project="${PROJECT_ID}" --keyversion-location="${KEY_LOCATION}" --keyversion-keyring="${KEYRING}" --keyversion-key="${KEY_NAME}" --keyversion="${KEY_VERSION}"

step12

In the context of Container Analysis, executing this will generate a new occurrence and associate it with the note of your attestor. To verify the successful execution, you can list your attestations.

$  gcloud container binauthz attestations list --attestor=$ATTESTOR_ID --attestor-project=${PROJECT_ID}

1	$ gcloud container binauthz attestations list --attestor=$ATTESTOR_ID --attestor-project=${PROJECT_ID}

step12b

Step 13: Modify the policy to permit any images the attestor verifies.

$  cat << EOF >updated_policy.yaml

    globalPolicyEvaluationMode: ENABLE

    defaultAdmissionRule:

      evaluationMode: REQUIRE_ATTESTATION

      enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

      requireAttestationsBy:

      - projects/${PROJECT_ID}/attestors/${ATTESTOR_ID}

EOF

 Upload the updated policy to Binary Authorization:

 $  gcloud container binauthz policy import updated_policy.yaml

$ cat << EOF >updated_policy.yaml

globalPolicyEvaluationMode: ENABLE

defaultAdmissionRule:

evaluationMode: REQUIRE_ATTESTATION

enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

requireAttestationsBy:

- projects/${PROJECT_ID}/attestors/${ATTESTOR_ID}

EOF

Upload the updated policy to Binary Authorization:

$ gcloud container binauthz policy import updated_policy.yaml

step13

Step 14: Execute the given command to launch the verified image and confirm the successful execution of the pod by running the following commands:

$ kubectl create deployment app1-signed --image="${CONTAINER_PATH}"

$ kubectl get pods

$ kubectl create deployment app1-signed --image="${CONTAINER_PATH}"

$ kubectl get pods

step14

Step 15: Testing the deployment with a non-verified image

step15

Deployment has not succeeded, as the Binary Authorization admission rule denies it.

step15b

Conclusion

Binary Authorization is a security feature provided by Google Cloud Platform that helps to enforce deploy-time security controls to ensure only trusted and verified container images are deployed to production environments. It helps to prevent the deployment of unauthorized or unverified images, thus reducing the risk of security breaches and ensuring compliance with industry regulations. Binary Authorization employs digital signatures and attestations to validate container images’ genuineness and integrity before deployment. By leveraging Binary Authorization, organizations can enforce strict controls on their container deployment pipelines, which helps to increase their overall security posture.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding Binary Authorization and I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.

FAQs

1. How do I get started with GCP Binary Authorization?

ANS: – Enable the feature in your GCP Console and create policies that determine which container images are allowed to run in your environment.

2. Can I use GCP Binary Authorization with Kubernetes?

ANS: – Yes, GCP Binary Authorization can be used with Kubernetes clusters deployed on Google Kubernetes Engine (GKE).

3. Can GCP Binary Authorization be used with any container platform?

ANS: – No, Binary Authorization is specifically designed to operate with containers deployed exclusively on the Google Cloud Platform.

WRITTEN BY Anil Kumar Y A

Anil Kumar Y A works as a Research Associate at CloudThat. He knows GCP Cloud Services and resources and DevOps tools like Docker, K8s, Ansible, and Terraform, and he is also passionate about improving his skills and learning new tools and technologies.