Table of contents
1. Introduction
2. Architecture
3. Platforms that support Binary Authorization
4. Reasons to use Binary Authorization
5. Features of Binary Authorization
6. Lifecycle
7. Attestations
8. Policies
   8.1. Rules
   8.2. Exempt images
9. Cryptographic keys
10. Setup
11. Authorization
12. Enforcement
13. Frequently Asked Questions
   13.1. What types of cryptographic keys does Binary Authorization support?
   13.2. What is a signer in attestation?
   13.3. How can we verify an attestation in Google Cloud?
   13.4. How can we store the metadata in Binary Authorization?
   13.5. What are exempt images?
14. Conclusion
Last Updated: Mar 27, 2024

Binary Authorization


Introduction

Binary Authorization is a Google Cloud service that provides software supply-chain security for container-based applications.

It lets you define a policy that the service enforces whenever a container image deployment is attempted on one of the supported container platforms: an image that does not satisfy the policy is not deployed.

Architecture

Figure: Binary Authorization architecture

Explanation:

  • The source code used to build the container image is checked into a source repository, such as Cloud Source Repositories.
     
  • Cloud Build, a continuous integration (CI) tool, builds and tests the container image.
     
  • The build pushes the container image to Artifact Registry, Container Registry, or another registry where your built images are stored.
     
  • A signer signs the image's digest with the private key of a cryptographic key pair; the key is typically held and managed in Cloud Key Management Service (Cloud KMS), so the private key never leaves KMS. The resulting signature is stored in a newly created attestation.
     
  • At deploy time, the attestor verifies the attestation using the public key of the same key pair. Binary Authorization enforces the policy by requiring verified attestations before the container image may be deployed.

Platforms that support Binary Authorization

  • Google Kubernetes Engine (GKE): runs images in clusters hosted on Google Cloud.
     
  • Cloud Run (Preview): runs containerized apps on a fully managed serverless platform.
     
  • Anthos Service Mesh (Preview): manages a service mesh on Google Cloud or on-premises.
     
  • Anthos clusters on VMware: run images in clusters hosted on-premises.

Reasons to use Binary Authorization

Binary Authorization is one part of a secure deployment pipeline; it works together with the following Google Cloud services:

  • Registries such as Artifact Registry and Container Registry, which store the images you intend to deploy.
     
  • Container Analysis, which stores the trusted metadata (attestations and vulnerability findings) that Binary Authorization uses when authorizing a deployment. Because this metadata lives in a separate service, you can also gate deployments on vulnerability information.
     
  • The security monitoring dashboard, which lets you evaluate your application's security posture across Google Cloud services, including Binary Authorization.
     
  • Google Cloud Deploy, a managed continuous-delivery service that promotes applications through a defined sequence of target environments.
     
  • Binary Authorization itself, which decides whether to allow or block the deployment of an image based on the configured policy.

Features of Binary Authorization

Binary Authorization provides:

  • A policy model that lets you specify the constraints under which images may be deployed.
     
  • An attestation model that lets you designate trusted parties who vouch for, or verify, that the required steps in your environment have been completed before deployment.
     
  • A deploy-time enforcer that blocks the deployment of images that violate the policy.

Lifecycle 

An image deployment lifecycle can consist of the following stages, where an image must pass one stage before it proceeds to the next:

  1. Build and unit test.
     
  2. Deploy into a development environment that does not affect users.
     
  3. Deploy into a test environment that affects only internal users.
     
  4. Deploy into a canary environment where a small percentage of external users is affected.
     
  5. Deploy into production.

Attestations

Attestations are one of the most common use cases for Binary Authorization. An attestation certifies that a particular image has successfully completed a previous stage of the lifecycle described above. 

Before an image is allowed to deploy, Binary Authorization checks its attestations against the policy you configure. Binary Authorization only needs to verify the attestation at deploy time; it does not repeat the work that was already done in the earlier stage.
 

Policies

A Binary Authorization policy is a set of rules that govern the deployment and validation of container images. A policy consists of the following components:

  • Deployment rules
  • A list of exempt images

Rules

You specify a policy's rules when you configure it. Rules define the conditions an image must satisfy in order to be deployed. Every policy has a default rule and, depending on the platform, may also contain specific rules.

Every rule has a configurable evaluation mode and enforcement mode. For example, a rule might require that an image has a signed attestation before it can be deployed; the enforcement mode then decides whether a violating image is blocked or only logged.

Default rule

Every policy has a default rule. Any deployment request that does not match a specific rule is evaluated against it. The default rule is defined in the defaultAdmissionRule node of the policy YAML file.

Specific rules

You can add one or more specific rules to a policy. A specific rule applies to images deployed to a particular cluster, service account, or identity. Platform support for specific rules varies.

Exempt images

Exempt images are images that are not subject to the policy's rules; Binary Authorization always allows them to deploy. The allowlist of exempt images for a project is defined by registry paths. By default, images under gcr.io/google-containers/* and k8s.gcr.io/** (among other paths) are exempt, because they contain resources that GKE needs to bring up a cluster successfully while the default policy is in effect. Keep this list as short as possible: every exempt path is a gap in enforcement.

The allowlist of exempt images is specified in the admissionWhitelistPatterns field of the policy YAML file.
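To make the rule selection and exemption logic concrete, the following is an added example (written for this article, not Google's implementation) that models how a policy is evaluated. The policy dictionary uses the same field names as the policy YAML file (defaultAdmissionRule, clusterAdmissionRules, admissionWhitelistPatterns, evaluationMode, enforcementMode, requireAttestationsBy); the cluster names, project name and attestor names are constructed, and the evaluator is a simplified model of the documented behaviour: exempt patterns are checked first, a cluster-specific rule overrides the default rule, REQUIRE_ATTESTATION rules need the image to be deployed by digest, and a DRYRUN_AUDIT_LOG_ONLY rule logs a violation instead of blocking it.

```python
"""Simplified model of Binary Authorization policy evaluation (added example)."""

# Constructed policy; field names mirror the policy YAML file.
POLICY = {
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/google-containers/*"},
        {"namePattern": "k8s.gcr.io/**"},
        {"namePattern": "gcr.io/example-project/tooling/*"},  # hypothetical project path
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": ["projects/example-project/attestors/built-by-cloud-build"],
    },
    # Specific rules, keyed "<location>.<cluster name>" as in the YAML file.
    "clusterAdmissionRules": {
        "us-central1-a.dev-cluster": {
            "evaluationMode": "ALWAYS_ALLOW",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
        },
        "us-central1-a.prod-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
            "requireAttestationsBy": [
                "projects/example-project/attestors/built-by-cloud-build",
                "projects/example-project/attestors/qa-signoff",
            ],
        },
    },
}


def image_name(image_ref: str) -> str:
    """Return registry/path of a reference, dropping a ':tag' or '@sha256:...' suffix."""
    name = image_ref.split("@", 1)[0]
    head, sep, tail = name.rpartition("/")
    tail = tail.split(":", 1)[0]  # a ':' after the last '/' is a tag, not a port
    return head + sep + tail


def matches_pattern(name: str, pattern: str) -> bool:
    """Exempt-image pattern: trailing '**' matches subdirectories, trailing '*'
    matches within one path segment, otherwise the name must match exactly."""
    if pattern.endswith("**"):
        return name.startswith(pattern[:-2])
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return name.startswith(prefix) and "/" not in name[len(prefix):]
    return name == pattern


def evaluate(policy: dict, cluster: str, image_ref: str, verified_attestors: set):
    """Return (allowed, reason). verified_attestors is the set of attestor resource
    names whose attestation over this image digest has already been verified."""
    name = image_name(image_ref)
    for entry in policy.get("admissionWhitelistPatterns", []):
        if matches_pattern(name, entry["namePattern"]):
            return True, f"exempt image (matches {entry['namePattern']})"

    rule = policy.get("clusterAdmissionRules", {}).get(cluster, policy["defaultAdmissionRule"])
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        ok, reason = True, "rule is ALWAYS_ALLOW"
    elif mode == "ALWAYS_DENY":
        ok, reason = False, "rule is ALWAYS_DENY"
    elif "@sha256:" not in image_ref:
        # Attestations are bound to a digest, so a tag reference cannot be verified.
        ok, reason = False, "REQUIRE_ATTESTATION: image must be deployed by digest"
    else:
        missing = [a for a in rule["requireAttestationsBy"] if a not in verified_attestors]
        ok = not missing
        reason = "all required attestations verified" if ok else "missing attestation from " + ", ".join(missing)

    if ok:
        return True, reason
    if rule["enforcementMode"] == "DRYRUN_AUDIT_LOG_ONLY":
        return True, reason + " (DRYRUN_AUDIT_LOG_ONLY: violation logged, not blocked)"
    return False, reason + " (blocked and logged)"


if __name__ == "__main__":
    app = "gcr.io/example-project/app@sha256:" + "ab" * 32
    build = {"projects/example-project/attestors/built-by-cloud-build"}
    for cluster, ref, attested in [
        ("us-central1-a.prod-cluster", app, build),
        ("us-central1-a.prod-cluster", app, build | {"projects/example-project/attestors/qa-signoff"}),
        ("europe-west1-b.other-cluster", "gcr.io/example-project/app:latest", set()),
        ("europe-west1-b.other-cluster", "k8s.gcr.io/pause:3.9", set()),
    ]:
        allowed, why = evaluate(POLICY, cluster, ref, attested)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {cluster} {ref}: {why}")
```

Note that the QA attestation alone is not enough for the production cluster: every attestor listed in requireAttestationsBy must have a verified attestation for the exact digest being deployed, and a tag reference such as app:latest is rejected by a REQUIRE_ATTESTATION rule even when the tagged image has been attested.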

Cryptographic keys

When the policy contains a Require Attestations rule, Binary Authorization uses digital signatures to validate images at deploy time.

First, a key pair is created. The signer signs an image descriptor (the image's registry path and digest) with the private key, which produces an attestation.

An attestor is then created and referenced in the policy. The public key corresponding to the private key used for signing is uploaded and attached to the attestor. The private key itself never needs to leave the signer; with Cloud KMS it stays inside the key management service.

When an image deployment is attempted, Binary Authorization verifies the image's attestations using the attestors named in the policy. The image is allowed to deploy if every required attestation verifies successfully.

Setup

Before you can set up Binary Authorization, you must enable the service in the Google Cloud projects that make up your deployment and authorization pipeline.

You then define the policy that describes the constraints under which container images may be deployed. If your policy requires attestations before deployment, you must also create the attestors that verify those attestations before the associated images are allowed to deploy.

To configure Binary Authorization on the different platforms, see the following guides:

Set up Binary Authorization on GKE

Configure Binary Authorization on Anthos clusters on VMware (Preview)

Configure Binary Authorization on Cloud Run (Preview)

Authorization

Before an image can be deployed, every required signer must produce an attestation certifying that the image is ready to proceed to the next deployment stage. An attestation is a record containing the image's registry location and digest, digitally signed with the signer's private cryptographic key. Because the digest, not the tag, is what gets signed, an attestation cannot be reused for a different build that happens to carry the same tag.

To learn how to create and use attestations, see the following article in the Google documentation:

Attestation
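The signing and verification flow described in the Cryptographic keys and Authorization sections, as an added example (not code from the original article or from Google). The signed payload follows the JSON layout that gcloud container binauthz create-signature-payload produces; the Attestor class, the key-ID derivation and all project, image and attestor names are a simplified model constructed for this example. A locally generated ECDSA P-256 key from the cryptography package stands in for a Cloud KMS key of algorithm EC_SIGN_P256_SHA256, which is the PKIX key type an attestor accepts.

```python
"""Create and verify a Binary Authorization-style attestation (added example)."""
import base64
import hashlib
import json
from dataclasses import dataclass

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def generate_signing_key() -> ec.EllipticCurvePrivateKey:
    """Stand-in for a Cloud KMS asymmetric signing key (EC_SIGN_P256_SHA256)."""
    return ec.generate_private_key(ec.SECP256R1())


def key_id(public_key: ec.EllipticCurvePublicKey) -> str:
    """Derive a key ID from the DER SubjectPublicKeyInfo, in the RFC 6920
    'ni:///sha-256;...' form that Binary Authorization uses for generated IDs."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    fingerprint = base64.urlsafe_b64encode(hashlib.sha256(der).digest()).rstrip(b"=")
    return "ni:///sha-256;" + fingerprint.decode()


def signature_payload(image_ref: str) -> bytes:
    """The bytes a signer signs: the image name and its manifest digest.
    The image must be referenced by digest, never by tag."""
    name, sep, digest = image_ref.partition("@")
    if not sep or not digest.startswith("sha256:"):
        raise ValueError("image must be referenced as registry/path@sha256:<hex>")
    payload = {
        "critical": {
            "identity": {"docker-reference": name},
            "image": {"docker-manifest-digest": digest},
            "type": "Google cloud binary authorization",
        }
    }
    # Fixed serialization: the attestor must verify exactly the bytes that were signed.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


@dataclass(frozen=True)
class Attestation:
    payload: bytes
    signature: bytes
    public_key_id: str  # lets the attestor pick the right public key


def sign_attestation(private_key: ec.EllipticCurvePrivateKey, image_ref: str) -> Attestation:
    """The signer's step: sign the payload with the private key (in production, KMS signs)."""
    payload = signature_payload(image_ref)
    signature = private_key.sign(payload, ec.ECDSA(hashes.SHA256()))
    return Attestation(payload, signature, key_id(private_key.public_key()))


class Attestor:
    """Holds the public keys trusted to vouch for an image, keyed by key ID."""

    def __init__(self, name: str, public_keys: dict):
        self.name = name
        self.public_keys = dict(public_keys)

    def verify(self, attestation: Attestation, image_ref: str) -> bool:
        public_key = self.public_keys.get(attestation.public_key_id)
        if public_key is None:
            return False  # signed by a key this attestor does not trust
        try:
            public_key.verify(attestation.signature, attestation.payload,
                              ec.ECDSA(hashes.SHA256()))
        except InvalidSignature:
            return False
        # A valid signature is not enough: it must cover the digest being deployed.
        signed = json.loads(attestation.payload)["critical"]["image"]["docker-manifest-digest"]
        return signed == image_ref.partition("@")[2]


def demo() -> dict:
    """Constructed scenario: one trusted build key and one key the attestor never saw."""
    build_key, rogue_key = generate_signing_key(), generate_signing_key()
    attestor = Attestor("projects/example-project/attestors/built-by-cloud-build",
                        {key_id(build_key.public_key()): build_key.public_key()})
    image = "gcr.io/example-project/app@sha256:" + "ab" * 32
    other = "gcr.io/example-project/app@sha256:" + "cd" * 32
    good = sign_attestation(build_key, image)
    # Same signature, payload rewritten to claim a different digest.
    tampered = Attestation(signature_payload(other), good.signature, good.public_key_id)
    return {
        "valid": attestor.verify(good, image),
        "wrong_digest": attestor.verify(good, other),
        "untrusted_key": attestor.verify(sign_attestation(rogue_key, image), image),
        "tampered_payload": attestor.verify(tampered, other),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16} -> {'ALLOW' if ok else 'DENY'}")
```

Only the first case verifies. The other three show the checks an attestor must combine: the key ID must belong to a key the attestor trusts, the signature must verify over the exact payload bytes, and the digest inside the payload must equal the digest of the image being deployed.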

Enforcement

Before an image is deployed, Binary Authorization evaluates the policy and applies whichever rule matches the deployment.

If the image satisfies the policy's constraints, Binary Authorization allows the deployment. If it does not, the service blocks the deployment and writes an entry to Cloud Audit Logs explaining why the image is not compliant. If the matching rule is in dry-run mode, the violation is only logged and the deployment proceeds, which is useful for testing a policy before enforcing it.

To examine Binary Authorization enforcement events in Cloud Audit Logs, see the following guides:

View audit logs (GKE)

View audit logs (Cloud Run) (Preview)

View audit logs (Anthos clusters on VMware) (Preview)

Frequently Asked Questions

What types of cryptographic keys does Binary Authorization support?

Binary Authorization supports two kinds of keys: PKIX keys (for example ECDSA or RSA public keys, such as those managed by Cloud KMS) and PGP keys.

What is a signer in attestation?

A signer is a person or an automated process that creates an attestation by signing an image descriptor with a private key.

How can we verify an attestation in Google Cloud?

When an image is deployed, Binary Authorization verifies the attestation using an attestor, which holds the public key that corresponds to the signer's private key.

How can we store the metadata in Binary Authorization?

Binary Authorization uses Container Analysis to store the trusted metadata (attestations) used in the authorization process.

What are exempt images?

Exempt images are images that are not subject to the policy's rules; they are listed by registry path in the policy's allowlist and are always allowed to deploy.

Conclusion

In this article, we learned about the Binary Authorization service provided by Google Cloud. We also covered the reasons to use it, its features, and how policies, attestations and cryptographic keys fit together to enforce deployment rules.

For more cloud related information you can refer to the following articles:

Cloud APIs

Cloud DNS

Google Cloud Console

Cloud Domains
