Validating and verifying container images with Binary Authorization
The amount of time I have now spent harping on about containers has probably clued you into the fact that containers may be somewhat important. Containers are, of course, an encapsulation of all the resource requirements and libraries that are specifically needed to run one service in an application. Containers being isolated from each other results in the elimination of conflict between the libraries required to run the services in each container, effectively creating an isolated system for each service in an overall large system or application.
However, this also presents a two-fold vulnerability: complexity and a larger threat vector in some circumstances. Handling all of these containers and the complex underlying libraries that lie within them (thus the need for Kubernetes) can be a difficult task. Managing these complex systems improperly can lead to the creation of structural and informational vulnerabilities in the system. At the same time, if multiple clusters are exposed to a public-facing setting or can be accessed in some way that gives an unauthorized user privileged access to your system, the threat to one container could threaten all the containers present in your system, as well as all your information.
Python’s Docker libraries make sure that you can do this for every layer of your image in an automated manner. Python can also use a number of third-party image verification tools. We will explore one of those tools with Google’s Binary Authorization API and Workflow for Kubernetes. So, let’s see how to verify compliant images with Binary Authorization!
Compliance is an interesting subject, much of it is in the eye of the beholder. The definition of compliance depends on how strict you want to be. In Kubernetes – specifically in Google Kubernetes Engine – there must be some sort of assurance or regulation that defines that the correct image has been used. The mechanic is known as Binary Authorization.
Binary Authorization allows the Docker containers that are deployed in a Kubernetes cluster to be checked according to certain criteria. Authorization can be done either by using a compliance policy or an attestor. A compliance policy creates rules that allow only images that meet a certain criterion. Adding an attestor means adding an individual user in your project who can testify that the image that is going to be used is correct. In Binary Authorization, you can use one or both of these in order to authorize your images for your Kubernetes cluster. Let’s see how to do that:
- We are now going to write a script to create an attestor and assign that attestor to the Kubernetes engine. First, we must install the client libraries for containers and Binary Authorization:
pip install google-cloud-binary-authorization google-cloud-container
2. Now, let’s write the script for the Binary Authorization of the cluster:
from google.cloud import binaryauthorization_v1
def sample_create_attestor():
client = binaryauthorization_v1.BinauthzManagementServiceV1Client()
attestor = binaryauthorization_v1.Attestor()
attestor.name = <Enter_attestor_name>
request = binaryauthorization_v1.CreateAttestorRequest(
parent=<Enter_parent_value_of_attestor>,
attestor_id=<Enter_attestor_id>,
attestor=attestor,
)
client.create_attestor(request=request)
This will create an attestor that can attest your cluster requests.
3. Now, we need to add the Binary Authorization to a cluster that has already been created or is about to be created:
from google.cloud import container_v1
def sample_update_cluster():
client = container_v1.ClusterManagerClient()
request = container_v1.UpdateClusterRequest(
“desired_node_pool_id”: <Node_pool_to_update>,
“update”: {
“desired_binary_authorization”: {
“enabled”: True,
“evaluation_mode”: 2
}
}
)
client.update_cluster(request=request)
This script will update the Kubernetes cluster to start using our Binary Authorization method. That takes care of incidents within your infrastructure.
Now, we will explore a couple of things that could help you with incidents outside of your infrastructure.