Use Binary Authorization to allowlist (whitelist) only approved container registries. Rationale: Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Allowlisting only approved container registries reduces this risk. See also Recommendation 6.10.5. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Using Google Cloud Console Go to Binary Authorization by visiting https://console.cloud.google.com/security/binary-authorization Enable Binary Authorization API (if disabled) Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list Select Kubernetes cluster for which Binary Authorization is disabled Click EDIT Set Binary Authorization to 'Enabled' Click SAVE Return to the Binary Authorization by visiting https://console.cloud.google.com/security/binary-authorization Set an appropriate policy for your cluster and enter the approved container registries under 'Image paths'. Using Command Line Update the cluster to enable Binary Authorization gcloud container cluster update [CLUSTER_NAME] \ --enable-binauthz Create a Binary Authorization Policy using the Binary Authorization Policy Reference (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance. Import the policy file into Binary Authorization: gcloud container binauthz policy import [YAML_POLICY] Impact: All container images to be deployed to the cluster must be hosted within an approved container image registry. If public registries are not on the allowlist, a process for bringing commonly used container images into an approved private registry and keeping them up to date will be required. Default Value: By default, Binary Authorization is disabled along with container registry allowlisting.