Binary authorization is a security measure used in software supply chains to ensure that only trusted container images are deployed. With binary authorization, only approved container images can be deployed, providing an additional layer of security. Binary authorization works closely with Google Kubernetes Engine (GKE) to enforce security controls at deployment time. It enables features such as allowlisting container registries, requiring images to be signed by trusted authorities, and centrally enforcing these policies. By implementing binary authorization, organizations can mitigate security risks and prevent unauthorized or compromised container images from being deployed in their infrastructure.

Steps to Implement Binary Authorization

Step 1. Go to Google Cloud Console and then to Kubernetes Engine.

Step 2. To enable GKE API, click on APIs and then the ENABLE button.

Step 3. To create a cluster, click on the CREATE button and click on the CONFIGURE button against Standard: You manage your cluster.

Step 4. Navigate to the left panel, click Nodes under NODE POOLS, and set the boot disk size to 20 GB. Then click the CREATE button.

Enable binary authorization API

To use binary authorization, you need a container image to deploy. If one already exists, deploy it from Container Registry.

Step 1. Navigate to the left panel, click Clusters, and open the cluster you created. Search for Binary authorization and hover over the edit symbol next to it; it will prompt you to enable the API. Click that link.

Step 2. Click on ENABLE under Binary Authorization API.

Enable binary authorization for cluster

Step 1. Again, go to the left panel, click Clusters, and open the created cluster. Then, search for binary authorization and click the edit symbol against Binary authorization.

Step 2. Check the box of Enable binary authorization. Then click the SAVE CHANGES button.

Create policy/rule in binary authorization

Step 1. Navigate to the main menu, click Security, and select Binary Authorization.

Step 2. Go to EDIT POLICY. Select Allow all images.

Step 3. Click the button CREATE SPECIFIC RULES under Additional Settings for GKE.

Step 4. Select the GKE cluster and click on the CHANGE button.

Step 5. Click the ADD SPECIFIC RULE button and select the cluster. Then select Require attestation. From now on, the cluster will only allow attested images.

Create a KMS key and attestor

Step 1. Click the CREATE ATTESTOR button. Give a name for the attestor, and click ADD A PKIX PUBLIC KEY.

Step 2. If you do not have a key yet, open Cloud KMS in a second browser window and create one. Go to the main menu, select Security, click Key Management, and then enable the KMS API.

Step 3. Click CREATE KEY RING, provide details, and click the CREATE button.

Step 4. Provide the Name and protection level and click the CONTINUE button.

Step 5. Keep the Key material as default and click the CONTINUE button.

Step 6. Select the Asymmetric sign as Purpose and algorithm and click the CONTINUE button.

Step 7. Click the CREATE button.

Step 8. Once the key is created, open it and copy the resource name from the three-dot menu next to the key version.

Step 9. Go back to the original console and click the IMPORT FROM CLOUD KMS button.

Step 10. Paste the resource name under the Key version resource ID and click the SUBMIT button.

Step 11. Click the DONE button under the New PKIX key. Then click on the CREATE button.

Step 12. Go back to the Edit policy, click the ADD SPECIFIC RULE button, and select the cluster. Then select Require attestation.

Step 13. Click the ADD ATTESTORS button, provide the project and attestor name, and click on the ADD 1 ATTESTOR button. Then click the ADD button.

Step 14. Click the SAVE POLICY button.

Sign image

Signing a container image that has passed your checks records an attestation stating that the image is approved for deployment to production.

Step 1. Copy the gcloud command from the Google Cloud documentation on Binary Authorization.

Step 2. From the other window of Binary Authorization, click on the symbol for Activate Cloud Shell.

Step 3. Open another window of the Console, click Workspace, then click on the symbol for Activate Cloud Shell, and update the project name in the command.

Step 4. Open the YAML file, copy the GCR image URL of the unsigned image, go to the terminal, type clear, and press Enter.

Step 5. Paste the URL into the terminal. Open the YAML file, copy the attestation command, and paste it into the terminal to check the attestation. If the attestation is shown, the testing and signing are done.

Step 6. To deploy the signed image, navigate to Cluster, and click DEPLOY.

Step 7. Select the image path, go to CONTAINER REGISTRY, click on the node, and select the image. Then click the DONE button and CONTINUE.

Step 8. Click the DEPLOY button.

This is how to enable binary authorization for the GKE cluster.
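The "Sign image" steps above point at a gcloud command without showing it. The following script is an added example, not code from the original article or from Google; it assumes placeholder project, key ring, key and attestor names (override them through the environment) and that the key version used is 1. It also enforces one check the console steps gloss over: Binary Authorization attests an image digest, so a tag reference such as :latest cannot be signed and is rejected before gcloud is called.

```shell
#!/bin/sh
# Added example: sign an image digest with the Cloud KMS key behind the attestor
# and then confirm the attestation exists. All names below are placeholders.
PROJECT_ID="${PROJECT_ID:-my-project}"      # placeholder GCP project
KMS_LOCATION="${KMS_LOCATION:-global}"      # location chosen for the key ring
KEYRING="${KEYRING:-binauthz-ring}"         # placeholder key ring name
KEY="${KEY:-binauthz-signer}"               # asymmetric signing key from Step 6
ATTESTOR="${ATTESTOR:-prod-attestor}"       # attestor created in the console

# Attestations are bound to gcr.io/PROJECT/IMAGE@sha256:<64 lowercase hex>;
# anything else (a tag, a short or uppercase digest) is refused here.
require_digest_url() {
  case "$1" in
    *@sha256:*) ;;
    *) echo "error: not a digest reference: $1" >&2; return 1 ;;
  esac
  digest=${1##*@sha256:}
  if [ "${#digest}" -ne 64 ]; then
    echo "error: digest must be 64 hex characters: $digest" >&2; return 1
  fi
  case "$digest" in
    *[!0-9a-f]*) echo "error: digest is not lowercase hex: $digest" >&2; return 1 ;;
  esac
}

# Create the attestation: gcloud signs the digest with the KMS key version and
# stores the signature under the attestor's note.
sign_image() {
  require_digest_url "$1" || return 1
  gcloud beta container binauthz attestations sign-and-create \
    --project="$PROJECT_ID" --artifact-url="$1" \
    --attestor="$ATTESTOR" --attestor-project="$PROJECT_ID" \
    --keyversion-project="$PROJECT_ID" --keyversion-location="$KMS_LOCATION" \
    --keyversion-keyring="$KEYRING" --keyversion-key="$KEY" --keyversion=1
}

# The check from Step 5: list attestations for this digest; none means unsigned
# and the cluster's Require attestation rule will deny the deployment.
verify_attestation() {
  gcloud container binauthz attestations list \
    --project="$PROJECT_ID" --attestor="$ATTESTOR" \
    --attestor-project="$PROJECT_ID" --artifact-url="$1" \
    --format="value(name)" | grep -q .
}

# gcloud is only invoked when explicitly requested:
#   IMAGE_URL=gcr.io/my-project/app@sha256:... sh sign.sh run
if [ "${1:-}" = "run" ]; then
  sign_image "$IMAGE_URL" && verify_attestation "$IMAGE_URL" && echo "attested: $IMAGE_URL"
fi
```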

Conclusion

Binary authorization plays a crucial role in enhancing container security and maintaining the integrity of software supply chains. By enforcing strict deployment policies and allowing only trusted container images, organizations can mitigate the risk of deploying malicious or compromised software components.

Metclouds Technologies helps you secure your organization's infrastructure.