Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Binary Authorization

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Binary Authorization feature is enabled for your Google Kubernetes Engine (GKE) clusters in order to enforce container image security policies. Binary Authorization enhances security by ensuring only trusted container images can be deployed, reducing the risk of deploying vulnerable or unauthorized software.

Security

Binary Authorization aims to mitigate the potential hazards associated with deploying faulty, insecure, or unauthorized software within such environments. With Binary Authorization, you have the capability to block the deployment of images unless they adhere to a policy you establish. While Binary Authorization does not dictate specific internal procedures or endorse any particular best practices, it empowers you to uphold your own established protocols by prohibiting the deployment of images that do not meet your mandatory criteria.


Audit

To determine if Binary Authorization is enabled for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters provisioned for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to examine.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, check the Binary authorization attribute value to determine the feature status. If Binary authorization is set to Disabled, the Binary Authorization security feature is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

08 Repeat steps no. 5 – 7 for each GKE cluster available within the selected GCP project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each GCP project available in your Google Cloud account:

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project IDS:

PROJECT_ID
cc-web-project-123123
cc-dev-project-112233

03 Run container clusters list command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the name and the region of each GKE cluster provisioned for the selected project:

gcloud container clusters list
	--project cc-web-project-123123
	--format="table(NAME,LOCATION)"

04 The command output should return the requested cluster names and their regions:

NAME: cc-gke-backend-cluster
LOCATION: us-central1-a

NAME: cc-gke-frontend-cluster
LOCATION: us-central1-a

05 Run container clusters describe command (Windows/macOS/Linux) with the name of the GKE cluster that you want to examine as the identifier parameter and custom output filters to describe the Binary Authorization feature configuration, available for the selected cluster:

gcloud container clusters describe cc-gke-backend-cluster
	--zone=us-central1-a
	--format="json(binaryAuthorization)"

06 The command output should return the requested feature configuration (including the status of the Binary Authorization policy):

{
	"binaryAuthorization": {
		"evaluationMode": "DISABLED"
	}
}

If the container clusters describe command output returns null or the "evaluationMode" property is set to "DISABLED", as shown in the example above, the Binary Authorization security feature is not enabled for the selected Google Kubernetes Engine (GKE) cluster.

07 Repeat steps no. 5 and 6 for each GKE cluster provisioned for the selected GCP project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.

Remediation / Resolution

To enable the Binary Authorization feature for your Google Kubernetes Engine (GKE) clusters, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Kubernetes Engine console available at https://console.cloud.google.com/kubernetes.

04 In the left navigation panel, under Resource Management, choose Clusters and select the OVERVIEW tab to access the list of GKE clusters deployed for the selected GCP project.

05 Click on the name (link) of the GKE cluster that you want to configure.

06 Select the DETAILS tab to view the configuration information available for the selected cluster.

07 In the Security section, click on the Edit binary authorization button (i.e., pencil icon) available next to Binary authorization to modify the feature settings.

08 Inside the Edit Binary Authorization configuration box, check the Enable Binary Authorization setting checkbox, and select Enforce-only to enforce the Binary Authorization project-specific policy. Choose SAVE CHANGES to apply the changes. This will enable the Binary Authorization feature for your Google Kubernetes Engine (GKE) cluster.

09 Repeat steps no. 5 – 8 for each GKE cluster that you want to configure, created for the selected GCP project.

10 Repeat steps no. 2 – 9 for each GCP project available in your Google Cloud account.

Using GCP CLI

01 Run container clusters update command (Windows/macOS/Linux) with the name of the Google Kubernetes Engine (GKE) cluster that you want to configure as the identifier parameter, to enable the Binary Authorization security feature for the selected cluster:

gcloud container clusters update cc-gke-backend-cluster
	--zone=us-central1-a
	--binauthz-evaluation-mode=project-singleton-policy-enforce

02 The command output should return the full URL of the modified GKE cluster:

Updating cc-gke-backend-cluster... done.
Updated [https://container.googleapis.com/v1/projects/cc-web-project-123123/zones/us-central1/clusters/cc-gke-backend-cluster].

03 Repeat steps no. 1 and 2 for each GKE cluster that you want to configure, available within the selected GCP project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

References

Publication date Dec 2, 2024