A Guide to Implement Binary Authorization on GCP

Introduction

Binary Authorization is a security feature offered by GCP that enables organizations to enforce a strong security policy for their container images. Organizations can ensure that only approved container images are deployed in their production environment with binary authorization.

Binary authorization works by verifying that a trusted authority has signed a container image before it can be deployed. This measure helps ensure that unauthorized or malicious container images are not deployed within a production environment, safeguarding against potential security risks.

How Does Binary Authorization Work?

Binary Authorization enforces rules on which container images may be deployed to production environments. Policy files, based on the Open Policy Agent (OPA) framework, define the criteria an allowed container image must meet; each image is checked against these policies using criteria such as image name, registry, digest, and signer identity. Once the policies are uploaded to GCP, the Binary Authorization service enforces them, allowing or rejecting each image deployment according to whether it complies with the policy.


Benefits of Binary Authorization

Binary Authorization offers several benefits for organizations looking to secure their cloud environments. Some of the key benefits include:

  1. Ensuring Container Image Security: Binary Authorization guarantees that only approved and signed container images are deployed, minimizing the risk of using unauthorized or malicious images.
  2. Simplifying Compliance: By enforcing a robust security policy for container images, Binary Authorization helps organizations meet compliance requirements of regulations like HIPAA, PCI-DSS, and GDPR.
  3. Enhancing Visibility: Binary Authorization enhances visibility into container images, enabling organizations to identify potential security risks and take necessary mitigation steps proactively.

Container Analysis

Container Analysis is a key feature of Binary Authorization on the Google Cloud Platform, providing vulnerability scanning and metadata management for container images so that policies can be enforced on images before they are deployed to production. When a container image is pushed to a registry, Container Analysis automatically scans it for vulnerabilities and generates a report. Metadata such as image details and dependencies is captured for use in policy enforcement. Binary Authorization uses Container Analysis to verify that an image complies with the security policy and blocks deployments that fail verification. Supported image formats include Docker, OCI, and Google Container Registry, and integration with other security tools further strengthens the security of container applications on the platform.

Step-by-Step Guide

Step 1: Assign a value to the PROJECT_ID variable by running the following command in Cloud Shell.

[screenshot: step1]

Step 2: Enable the required API services.

[screenshot: step2]

Step 3: Set up a cluster.

[screenshot: step3]

Step 4: Enable Binary Authorization for the cluster. In the console, go to Clusters >> Security >> Binary authorization >> Edit.

[screenshot: step4]

Tick the checkbox and click Save changes.

[screenshot: step4b]

Step 5: Configure an attestor.

To create a container analysis note, prepare a JSON file that includes the required data for the Note. Execute the following command to generate a local JSON file representing your Note.

[screenshot: step5]

Step 6: Use the Container Analysis API to submit the Note to your project.

[screenshot: step6]

Step 7: Confirm that the note was successfully saved by retrieving it.

[screenshot: step7]

Step 8: To use your attestor, you must register the note with Binary Authorization.

[screenshot: step8]

[screenshot: step8b]

[screenshot: step8c]

Step 9: Add a KMS key.

Before this attestor can be used, your authority must generate a cryptographic key pair in Google Cloud Key Management Service (KMS). This key pair will be used to sign container images.

To start, add some environment variables to describe the new key:

[screenshot: step9]

Create a keyring to hold a set of keys:

[screenshot: step9b]

Create a new asymmetric signing key pair for the attestor:

[screenshot: step9c]

You can view the new key in the Cloud Console by going to Navigation menu > Security > Key Management > Key Rings > Keys.

[screenshot: step9d]

Step 10: Associate the key with your authority using the gcloud binauthz command.

[screenshot: step10]

Step 11: Print the list of authorities again:

[screenshot: step11]

[screenshot: step11b]

Step 12: Create your attestation with the gcloud command, providing the necessary details such as the signing key and the specific container image you wish to approve.

[screenshot: step12]

Running this creates a new occurrence in Container Analysis and associates it with your attestor's note. To verify that it succeeded, list your attestations.

[screenshot: step12b]

Step 13: Modify the policy to permit any images the attestor verifies.

[screenshot: step13]

Step 14: Run the given command to launch the verified image, then confirm that the pod is running with the following commands:

[screenshot: step14]

Step 15: Test the deployment with a non-verified image.

[screenshot: step15]

The deployment does not succeed because the Binary Authorization admission rule denies it.

[screenshot: step15b]
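The admission decision exercised in Steps 13 to 15 (a policy that requires attestations from your attestor, a digest-pinned image that the attestor has signed, and an unsigned image that gets denied) can be modelled in a few lines. This is an added example, not Google's implementation or the code from this guide: the project and attestor names are placeholders, the digests are constructed, the attestation signature check is assumed to have already happened, and the whitelist matching uses Python's fnmatch as a simplification of the real pattern rules.

```python
import fnmatch

# Constructed sample policy; field names mirror an exported Binary Authorization
# policy YAML, but the project and attestor names are placeholders.
POLICY = {
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/google_containers/*"}],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": ["projects/example-project/attestors/test-attestor"],
    },
}
# Attestations assumed to have already passed signature verification:
# attestor resource name -> image digests it has signed (constructed values).
ATTESTED = {"projects/example-project/attestors/test-attestor": {"sha256:" + "a" * 64}}

def split_ref(image):
    """Split an image reference into (name, digest); digest is None for tag refs."""
    if "@" in image:
        name, digest = image.split("@", 1)
        return name, digest
    head, _, tail = image.rpartition("/")  # keeps a registry port intact
    name = tail.partition(":")[0]          # drops the tag
    return (head + "/" + name if head else name), None

def admit(image, policy=POLICY, attested=ATTESTED):
    """Return (allowed, reason) for one image reference under the policy."""
    name, digest = split_ref(image)
    # Whitelist patterns bypass the rule. fnmatch is a simplification of the
    # real pattern matching (it lets '*' span path separators).
    for entry in policy.get("admissionWhitelistPatterns", []):
        if fnmatch.fnmatchcase(name, entry["namePattern"]):
            return True, "whitelisted by pattern " + entry["namePattern"]
    rule = policy["defaultAdmissionRule"]
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        return True, "default rule ALWAYS_ALLOW"
    if mode == "ALWAYS_DENY":
        return False, "default rule ALWAYS_DENY"
    # REQUIRE_ATTESTATION: attestations are bound to a digest, so a tag-only
    # reference has nothing to match against and is denied in this model.
    if digest is None:
        return False, "image not referenced by digest"
    missing = [a for a in rule["requireAttestationsBy"]
               if digest not in attested.get(a, set())]
    if missing:
        return False, "no valid attestation from " + ", ".join(missing)
    return True, "attested by all required attestors"
```

Calling admit() with the signed digest returns an allow decision, while the same image with a different digest, or referenced only by tag, is denied with the reason you would look for in the audit log.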

Conclusion

Binary Authorization is a security feature provided by Google Cloud Platform that enforces deploy-time security controls so that only trusted and verified container images are deployed to production environments. It prevents the deployment of unauthorized or unverified images, reducing the risk of security breaches and helping to meet industry regulations. Binary Authorization uses digital signatures and attestations to validate the authenticity and integrity of container images before deployment. By leveraging Binary Authorization, organizations can enforce strict controls on their container deployment pipelines and improve their overall security posture.


Drop a query if you have any questions regarding Binary Authorization and I will get back to you quickly.

FAQs

1. How do I get started with GCP Binary Authorization?

ANS: Enable the feature in your GCP Console and create policies that determine which container images are allowed to run in your environment.

2. Can I use GCP Binary Authorization with Kubernetes?

ANS: Yes, GCP Binary Authorization can be used with Kubernetes clusters deployed on Google Kubernetes Engine (GKE).

3. Can GCP Binary Authorization be used with any container platform?

ANS: No, Binary Authorization is specifically designed to operate with containers deployed exclusively on the Google Cloud Platform.

WRITTEN BY Anil Kumar Y A

Anil Kumar Y A works as a Research Associate at CloudThat. He knows GCP Cloud Services and resources and DevOps tools like Docker, K8s, Ansible, and Terraform, and he is also passionate about improving his skills and learning new tools and technologies.
