Information
Use Binary Authorization to allowlist (whitelist) only approved container registries.
Allowing unrestricted access to external container registries provides the opportunity for malicious or unapproved containers to be deployed into the cluster. Ensuring only trusted container images are used reduces this risk.
Also see recommendation 5.10.4.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Using Google Cloud Console:
- Go to Binary Authorization by visiting https://console.cloud.google.com/security/binary-authorization.
- Enable the Binary Authorization API (if disabled).
- Go to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list.
- Select the Kubernetes cluster for which Binary Authorization is disabled.
- Within the Details pane, under the Security heading, click on the pencil icon labelled Edit binary authorization.
- Ensure that Enable Binary Authorization is checked.
- Click SAVE CHANGES.
- Return to Binary Authorization by visiting https://console.cloud.google.com/security/binary-authorization.
- Set an appropriate policy for the cluster and enter the approved container registries under Image paths.
Using Command Line:
Update the cluster to enable Binary Authorization:
gcloud container clusters update <cluster_name> --enable-binauthz
Create a Binary Authorization policy YAML file, using the Binary Authorization Policy Reference (https://cloud.google.com/binary-authorization/docs/policy-yaml-reference) for guidance.
Import the policy file into Binary Authorization:
gcloud container binauthz policy import <yaml_policy>
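An example of the policy file the import step expects, added here as an illustration and not taken from the benchmark or from Google's documentation; PROJECT_ID, the two registry paths, the cluster zone/name and ATTESTOR_NAME are placeholders to replace with your own values.

```yaml
# Constructed example Binary Authorization policy (not from the benchmark).
# PROJECT_ID, registry paths, cluster zone/name and ATTESTOR_NAME are placeholders.
name: projects/PROJECT_ID/policy

# Let GKE's own Google-maintained system images through; with a default-deny
# rule and this disabled, cluster system workloads would be blocked as well.
globalPolicyEvaluationMode: ENABLE

# Only images whose path matches one of these patterns skip the admission rules.
# An image pulled from Docker Hub, quay.io or any registry not listed here does
# not match and therefore falls through to defaultAdmissionRule below.
admissionWhitelistPatterns:
  - namePattern: us-docker.pkg.dev/PROJECT_ID/approved-images/*
  - namePattern: gcr.io/PROJECT_ID/*

# Deny everything that did not come from an approved registry, and write the
# denial to Cloud Audit Logs so blocked deployments are visible to operators.
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

# Optional per-cluster tightening: a production cluster can additionally
# require that non-allowlisted images carry a signed attestation.
clusterAdmissionRules:
  us-central1-a.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/ATTESTOR_NAME
```

After importing, `gcloud container binauthz policy export` prints the policy currently in force, which is what to compare against this file when verifying the control.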
Impact:
All container images to be deployed to the cluster must be hosted within an approved container image registry. If public registries are not on the allowlist, a process for bringing commonly used container images into an approved private registry and keeping them up to date will be required.