
Enable Binary Authorization

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the Binary Authorization feature is enabled for your Google Cloud Run services. Enabling Binary Authorization for Cloud Run services enhances security by ensuring only trusted container images can be deployed, reducing the risk of deploying vulnerable or unauthorized software.


Binary Authorization mitigates the risk of deploying faulty, insecure, or unauthorized software to container platforms such as Cloud Run. With Binary Authorization, you can block the deployment of images unless they satisfy a policy you define. Binary Authorization does not dictate your internal procedures or endorse any particular best practice; it lets you enforce your own established process by refusing to deploy images that do not meet your mandatory criteria, for example images that lack a signed attestation from your build pipeline.


Audit

To ensure that Binary Authorization is enabled for Google Cloud Run services, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Run console at https://console.cloud.google.com/run.

04 Click on the name (link) of the Cloud Run managed service that you want to examine.

05 Select the SECURITY tab to access the security features available for the selected Cloud Run service.

06 In the Binary Authorization section, check the Status attribute value. If the Status attribute value is set to Disabled, the Binary Authorization security feature is not enabled for the selected Google Cloud Run service.

07 Repeat steps no. 4 – 6 for each Cloud Run managed service created within the selected project.

08 Repeat steps no. 2 – 7 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each Google Cloud Platform (GCP) project available in your cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-stack-project-123123
cc-app-stack-project-112233

03 Run services list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the name and region of each Cloud Run managed service created for the selected project:

gcloud run services list \
  --project cc-web-stack-project-123123 \
  --platform=managed \
  --format="table(name,region)"

04 The command output should return the requested resource identification information:

NAME                      REGION
cc-project5-web-service   us-central1
cc-analytics-app-service  us-central1

05 Run services describe command (Windows/macOS/Linux) using the name and the region of the Cloud Run service that you want to examine as identifier parameters, to determine if Binary Authorization is enabled for the selected service:

gcloud run services describe cc-project5-web-service \
  --project cc-web-stack-project-123123 \
  --region us-central1 \
  --format="yaml(metadata.annotations)"

06 The command output should return the metadata annotations available for the selected service:

metadata:
  annotations:
    run.googleapis.com/client-name: cloud-console
    run.googleapis.com/ingress: all
    run.googleapis.com/ingress-status: all
    run.googleapis.com/operation-id: 1234abcd-1234-abcd-1234-abcd1234abcd
    serving.knative.dev/creator: example@domain.com
    serving.knative.dev/lastModifier: example@domain.com

Check the metadata annotations returned by the services describe command output. If there is no annotation named run.googleapis.com/binary-authorization, the Binary Authorization security feature is not enabled for the selected Google Cloud Run service. If the annotation is present, its value is either default (the service is governed by the project-level Binary Authorization policy) or the full resource name of a Cloud Run platform policy. Note that the annotation only makes the service subject to a policy; it does not tell you whether that policy blocks anything. The initial policy that Google Cloud provides for a project admits all images (evaluation mode ALWAYS_ALLOW), so the policy rules themselves must also be reviewed (see the Remediation / Resolution section below). Also look for the run.googleapis.com/binary-authorization-breakglass annotation: its presence means the current revision was deployed with the policy deliberately bypassed and should be investigated.

07 Repeat steps no. 5 and 6 for each Cloud Run service available within the selected project.

08 Repeat steps no. 3 – 7 for each GCP project deployed in your Google Cloud account.
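The per-service check above scales poorly once a project has more than a handful of services. The following script is an added example (it is not part of the Conformity page or of Google's tooling) that applies the same annotation check to the JSON that gcloud run services list --platform=managed --format=json prints, classifying each service as disabled, governed by the project default policy, or governed by a named Cloud Run platform policy, and additionally flagging break-glass deployments. The embedded sample output is constructed; the service names cc-batch-worker-service and the policy name prod-policy are illustrative, and the region is read from the cloud.googleapis.com/location label that Cloud Run places on each service.

```python
# Added example (not part of the Conformity page or Google's tooling): classify
# each Cloud Run service from the JSON that `gcloud run services list
# --platform=managed --format=json` prints, using the same
# run.googleapis.com/binary-authorization annotation the audit steps check.
import json
import subprocess
import sys
from typing import Dict, List

BINAUTHZ_ANNOTATION = "run.googleapis.com/binary-authorization"
# Set when a deployment used --breakglass to bypass the policy; the service
# may then be running an image the policy would have rejected.
BREAKGLASS_ANNOTATION = "run.googleapis.com/binary-authorization-breakglass"


def classify_service(service: Dict) -> Dict:
    """Return name, region and Binary Authorization status for one Service object."""
    meta = service.get("metadata", {})
    annotations = meta.get("annotations") or {}
    policy = annotations.get(BINAUTHZ_ANNOTATION)
    if policy is None:
        status = "DISABLED"                # no annotation: not subject to any policy
    elif policy == "default":
        status = "PROJECT_DEFAULT_POLICY"  # governed by the project-level policy
    elif "/platforms/cloudRun/policies/" in policy:
        status = "PLATFORM_POLICY"         # governed by a named Cloud Run platform policy
    else:
        status = "UNKNOWN"                 # unexpected value: inspect manually
    return {
        "name": meta.get("name"),
        # Cloud Run records the region as a label on the service metadata.
        "region": (meta.get("labels") or {}).get("cloud.googleapis.com/location", "unknown"),
        "status": status,
        "policy": policy,
        "breakglass": BREAKGLASS_ANNOTATION in annotations,
    }


def audit_services(services_json: str) -> List[Dict]:
    """Classify every service in a `gcloud run services list --format=json` document."""
    return [classify_service(s) for s in json.loads(services_json)]


def findings(results: List[Dict]) -> List[str]:
    """Human-readable findings: services without Binary Authorization and break-glass deployments."""
    out = []
    for r in results:
        if r["status"] == "DISABLED":
            out.append(f"{r['name']} ({r['region']}): Binary Authorization not enabled")
        if r["breakglass"]:
            out.append(f"{r['name']} ({r['region']}): deployed with break-glass, policy was bypassed")
    return out


def list_services_live(project: str) -> str:
    """Fetch the real service list for a project (requires an authenticated gcloud)."""
    cmd = ["gcloud", "run", "services", "list", "--project", project,
           "--platform=managed", "--format=json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample standing in for gcloud output; the third service and its
# policy name are hypothetical.
SAMPLE_SERVICES_JSON = json.dumps([
    {"metadata": {"name": "cc-project5-web-service",
                  "labels": {"cloud.googleapis.com/location": "us-central1"},
                  "annotations": {"run.googleapis.com/ingress": "all"}}},
    {"metadata": {"name": "cc-analytics-app-service",
                  "labels": {"cloud.googleapis.com/location": "us-central1"},
                  "annotations": {BINAUTHZ_ANNOTATION: "default"}}},
    {"metadata": {"name": "cc-batch-worker-service",
                  "labels": {"cloud.googleapis.com/location": "europe-west1"},
                  "annotations": {
                      BINAUTHZ_ANNOTATION: "projects/cc-web-stack-project-123123"
                                           "/platforms/cloudRun/policies/prod-policy",
                      BREAKGLASS_ANNOTATION: "hotfix INC-1234"}}},
])

if __name__ == "__main__":
    # Pass a project ID to audit it live; with no argument the constructed sample is used.
    data = list_services_live(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SERVICES_JSON
    for line in findings(audit_services(data)) or ["no findings"]:
        print(line)
```

Run it with a project ID as the only argument to audit a real project, or with no argument to see it classify the constructed sample. Loop over the IDs returned by gcloud projects list to cover the whole account.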

Remediation / Resolution

To enable and configure Binary Authorization for your Google Cloud Run services, perform the following actions:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Run console at https://console.cloud.google.com/run.

04 Click on the name (link) of the Cloud Run managed service that you want to examine.

05 Select the SECURITY tab to access the security features available for the selected Cloud Run service.

06 In the Binary Authorization section, choose ENABLE BINARY AUTHORIZATION API to enable the Binary Authorization service API.

07 Select default from the Policy dropdown list and choose Apply to apply the default Binary Authorization policy provided by Google Cloud.

08 Select CONFIGURE POLICY and choose EDIT POLICY to edit your Binary Authorization policy in order to restrict the deployment behaviors for your project.

09 Under Default rule, set the evaluation mode for the default rule to Require attestations: Allow only images that have been verified by the following attestors. An attestor is a Google Cloud resource that Binary Authorization uses to verify an attestation, that is, a signed statement that a specific image digest has been approved.

10 Choose CREATE ATTESTORS, provide a name and a description for the attestor, select the public keys required for signature verification, then choose CREATE to deploy your new Binary Authorization attestor.

11 (Optional) Under Images exempt from this policy, you can create exemption rules to exempt images from the default and specific rules.

12 Choose SAVE POLICY to apply the policy changes.

13 Repeat steps no. 4 – 7 for each Cloud Run service that you want to configure, created for the selected project. The Binary Authorization policy edited in steps no. 8 – 12 is project-wide and only needs to be configured once per project.

14 Repeat steps no. 2 – 13 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run services update command (Windows/macOS/Linux) using the name and the region of the Cloud Run managed service that you want to configure as the identifier parameters, to enable Binary Authorization for the selected Cloud Run service and use the default Binary Authorization policy provided by Google Cloud:

gcloud run services update cc-project5-web-service \
  --project cc-web-stack-project-123123 \
  --region us-central1 \
  --binary-authorization=default

02 The command output should return the information available for the newly created Cloud Run service revision:

✓ OK Deploying... Done.
✓ OK Creating Revision...Done.
✓ OK Routing traffic...Done.

Service [cc-project5-web-service] revision [cc-project5-web-service-00002-wvz] has been deployed and is serving 100 percent of traffic.
Service URL: https://cc-project5-web-service-1234abcd1234-uc.a.run.app

03 Run container binauthz policy export command (Windows/macOS/Linux) to export the project's Binary Authorization policy to a local YAML file for editing. The policy is a project-level resource that applies to every Cloud Run service in the project that has Binary Authorization enabled:

gcloud container binauthz policy export > /tmp/default-policy.yaml

04 Edit the policy exported at the previous step to configure the default rule. A rule is the part of a policy that defines the constraints a container image must satisfy before it can be deployed. The following policy allows only images that have been verified by the specified attestor (e.g. "projects/cc-web-stack-project-123123/attestors/cc-project5-attestor") and blocks, rather than merely audit-logs, any deployment that fails the check (enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG). An attestor is a Google Cloud resource that Binary Authorization uses to verify an attestation; it must exist before the policy is imported (for example, created with the gcloud container binauthz attestors create command):

defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  evaluationMode: REQUIRE_ATTESTATION
  requireAttestationsBy:
  - projects/cc-web-stack-project-123123/attestors/cc-project5-attestor
globalPolicyEvaluationMode: ENABLE
name: projects/cc-web-stack-project-123123/policy

05 Run container binauthz policy import command (Windows/macOS/Linux) to import the modified policy YAML file into Binary Authorization:

gcloud container binauthz policy import /tmp/default-policy.yaml

06 Repeat steps no. 1 and 2 for each Cloud Run service that you want to configure, deployed in the selected project. Steps no. 3 – 5 configure the project-wide policy and are performed once per project.

07 Repeat steps no. 1 – 6 for each GCP project created within your Google Cloud account.
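Enabling Binary Authorization on a service is only half of the control: if the project policy still has the initial ALWAYS_ALLOW default rule, runs in dry-run mode, or carries an exemption that matches every image, nothing is blocked. The following validator is an added example (not part of the Conformity page or of Google's tooling) that checks the policy in the JSON form printed by gcloud container binauthz policy export --format=json for exactly those weaknesses. The three embedded policies are constructed: one shaped like the initial policy a new project starts with, one that looks strict but enforces nothing, and the hardened policy from step 4 above.

```python
# Added example (not part of the Conformity page or Google's tooling): flag a
# Binary Authorization project policy that is present but does not actually
# restrict deployments. Input is the JSON form of the policy, as printed by
# `gcloud container binauthz policy export --format=json`.
import json
from typing import Dict, List

BLOCKING_MODE = "ENFORCED_BLOCK_AND_AUDIT_LOG"


def validate_policy(policy: Dict) -> List[str]:
    """Return findings; an empty list means the default rule enforces attestations."""
    findings = []
    rule = policy.get("defaultAdmissionRule") or {}
    mode = rule.get("evaluationMode")
    if mode == "ALWAYS_ALLOW":
        findings.append("default rule is ALWAYS_ALLOW: every image is admitted")
    elif mode == "REQUIRE_ATTESTATION" and not rule.get("requireAttestationsBy"):
        findings.append("default rule requires attestations but lists no attestor")
    elif mode not in ("REQUIRE_ATTESTATION", "ALWAYS_DENY"):
        findings.append(f"default rule has unexpected evaluationMode {mode!r}")
    enforcement = rule.get("enforcementMode")
    if enforcement != BLOCKING_MODE:
        findings.append(f"enforcementMode {enforcement!r} does not block: "
                        "violations are only audit-logged")
    # Exemptions are matched before the rules, so an overly broad pattern
    # silently disables the policy. A wildcard in the registry host part of
    # the pattern matches images from any registry.
    for entry in policy.get("admissionWhitelistPatterns") or []:
        pattern = entry.get("namePattern", "")
        if "*" in pattern.split("/", 1)[0]:
            findings.append(f"exemption {pattern!r} matches images from any registry")
    return findings


def load_policy(text: str) -> Dict:
    """Parse the JSON document produced by `policy export --format=json`."""
    return json.loads(text)


# Constructed samples (illustrative, not exported from a real project).
# Shape of the policy a new project starts with: everything is allowed.
INITIAL_POLICY_JSON = json.dumps({
    "name": "projects/cc-web-stack-project-123123/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/google_containers/*"}],
    "defaultAdmissionRule": {"evaluationMode": "ALWAYS_ALLOW",
                             "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
})
# Looks strict but enforces nothing: dry-run mode, no attestor, and an
# exemption that matches every image.
DRYRUN_POLICY_JSON = json.dumps({
    "name": "projects/cc-web-stack-project-123123/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [{"namePattern": "**"}],
    "defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION",
                             "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
                             "requireAttestationsBy": []},
})
# The hardened policy from the remediation steps.
HARDENED_POLICY_JSON = json.dumps({
    "name": "projects/cc-web-stack-project-123123/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION",
                             "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
                             "requireAttestationsBy": [
                                 "projects/cc-web-stack-project-123123/attestors/cc-project5-attestor"]},
})

if __name__ == "__main__":
    for label, text in [("initial", INITIAL_POLICY_JSON), ("dry-run", DRYRUN_POLICY_JSON),
                        ("hardened", HARDENED_POLICY_JSON)]:
        print(label, validate_policy(load_policy(text)) or ["OK"])
```

To check a real project, pipe the export into the validator: gcloud container binauthz policy export --project PROJECT_ID --format=json | python3 -c 'import sys, validator; print(validator.validate_policy(validator.load_policy(sys.stdin.read())))' (assuming the block is saved as validator.py). A clean result here, together with the run.googleapis.com/binary-authorization annotation on every service, is what it takes for the control to actually block unattested images.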

Publication date Oct 23, 2023