Implements GCP Binary Authorization to enforce deployment-time security on GKE and Cloud Run, requiring attested container images via policies and KMS keys.
npx claudepluginhub killvxk/cybersecurity-skills-zh

This skill uses the workspace's default tool permissions.
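Binary Authorization is a deploy-time security control in Google Cloud that ensures only trusted container images are deployed to GKE or Cloud Run. It uses a policy-based model: an image must carry cryptographic attestations proving it has passed predefined requirements such as vulnerability scanning, code review, or build-pipeline verification. Continuous validation (CV) monitors running Pods for policy compliance and logs violations.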
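```bash
# Enable the required APIs
gcloud services enable binaryauthorization.googleapis.com
gcloud services enable containeranalysis.googleapis.com
gcloud services enable container.googleapis.com

# Enable Binary Authorization on the GKE cluster
# (newer gcloud releases deprecate --enable-binauthz in favour of
#  --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE)
gcloud container clusters update CLUSTER_NAME \
  --enable-binauthz \
  --zone us-central1-a
```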
```bash
# Create the key ring
gcloud kms keyrings create binauthz-keyring \
  --location global

# Create the signing key (the algorithm flag is --default-algorithm)
gcloud kms keys create attestor-key \
  --keyring binauthz-keyring \
  --location global \
  --default-algorithm ec-sign-p256-sha256 \
  --purpose asymmetric-signing
```
```bash
# Describe the Container Analysis note that backs the attestor
cat > /tmp/note.json << 'EOF'
{
  "attestation": {
    "hint": {
      "humanReadableName": "Production Build Attestor"
    }
  }
}
EOF

# Create the note through the Container Analysis API
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  "https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/notes/?noteId=prod-build-note" \
  -d @/tmp/note.json

# Create the attestor and bind it to the note
gcloud container binauthz attestors create prod-build-attestor \
  --attestation-authority-note=prod-build-note \
  --attestation-authority-note-project=PROJECT_ID
```
```bash
# Add the KMS key to the attestor
gcloud container binauthz attestors public-keys add \
  --attestor=prod-build-attestor \
  --keyversion-project=PROJECT_ID \
  --keyversion-location=global \
  --keyversion-keyring=binauthz-keyring \
  --keyversion-key=attestor-key \
  --keyversion=1
```
```yaml
# binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: "gcr.io/google_containers/*"
- namePattern: "gcr.io/google-containers/*"
- namePattern: "k8s.gcr.io/**"
- namePattern: "gke.gcr.io/**"
- namePattern: "gcr.io/stackdriver-agents/*"
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/prod-build-attestor
globalPolicyEvaluationMode: ENABLE
```

```bash
gcloud container binauthz policy import binauthz-policy.yaml
```
```yaml
admissionWhitelistPatterns:
- namePattern: "gcr.io/google_containers/*"
clusterAdmissionRules:
  us-central1-a.production-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/prod-build-attestor
  us-central1-a.staging-cluster:
    evaluationMode: ALWAYS_ALLOW
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
```
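
To make the interaction between the allowlist, per-cluster rules and the default rule concrete, the following added example (not part of the original skill and not Google's implementation) models the admission decision for the per-cluster policy above. It is a simplified model that assumes trailing-wildcard matching only, attestations keyed by the image's digest URL, and a hypothetical `break_glass` parameter standing in for the break-glass label.

```python
# Simplified admission model (added example; not Google's implementation).
POLICY = {  # mirrors the per-cluster policy above
    "admissionWhitelistPatterns": ["gcr.io/google_containers/*"],
    "clusterAdmissionRules": {
        "us-central1-a.production-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
            "requireAttestationsBy": ["projects/PROJECT_ID/attestors/prod-build-attestor"],
        },
        "us-central1-a.staging-cluster": {
            "evaluationMode": "ALWAYS_ALLOW",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
        },
    },
    "defaultAdmissionRule": {
        "evaluationMode": "ALWAYS_DENY",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    },
}

def pattern_matches(pattern, image):
    """Trailing '**' spans sub-paths; trailing '*' stops at '/'; else exact match."""
    if pattern.endswith("**"):
        return image.startswith(pattern[:-2])
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return image.startswith(prefix) and "/" not in image[len(prefix):]
    return image == pattern

def evaluate(policy, cluster, image, attestations, break_glass=False):
    """attestations: {image-by-digest: set of attestor names}. Returns (admitted, reason)."""
    if any(pattern_matches(p, image) for p in policy.get("admissionWhitelistPatterns", [])):
        return True, "allowlisted"
    # A cluster-specific rule replaces the default rule entirely.
    rule = policy.get("clusterAdmissionRules", {}).get(cluster, policy["defaultAdmissionRule"])
    mode = rule["evaluationMode"]
    if mode == "REQUIRE_ATTESTATION":
        # Attestations bind to a digest, so a tag reference never matches one.
        signed = attestations.get(image, set()) if "@sha256:" in image else set()
        ok = set(rule["requireAttestationsBy"]) <= signed
    else:
        ok = mode == "ALWAYS_ALLOW"
    if ok:
        return True, "policy satisfied"
    if break_glass:
        return True, "break-glass (audit logged)"
    if rule["enforcementMode"] == "DRYRUN_AUDIT_LOG_ONLY":
        return True, "dry run: violation logged only"
    return False, "blocked: " + mode
```

Any cluster not named under `clusterAdmissionRules` falls through to `ALWAYS_DENY`, so a newly created cluster blocks every non-allowlisted image until it gets its own rule.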
```bash
# Get the image digest
IMAGE_DIGEST=$(gcloud container images describe \
  gcr.io/PROJECT_ID/my-app:latest \
  --format='get(image_summary.digest)')

# Create the attestation
gcloud container binauthz attestations sign-and-create \
  --artifact-url="gcr.io/PROJECT_ID/my-app@${IMAGE_DIGEST}" \
  --attestor="prod-build-attestor" \
  --attestor-project="PROJECT_ID" \
  --keyversion-project="PROJECT_ID" \
  --keyversion-location="global" \
  --keyversion-keyring="binauthz-keyring" \
  --keyversion-key="attestor-key" \
  --keyversion="1"
```
```yaml
# cloudbuild.yaml
steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/my-app:$SHORT_SHA', '.']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'gcr.io/$PROJECT_ID/my-app:$SHORT_SHA']
  # Vulnerability scan
  # (as written, this step prints the scan resource name and fails only if
  #  the scan command itself errors; it does not gate on findings)
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        gcloud artifacts docker images scan \
          gcr.io/$PROJECT_ID/my-app:$SHORT_SHA \
          --format='value(response.scan)'
  # Create the attestation after the scan succeeds
  - name: 'gcr.io/cloud-builders/gcloud'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        IMAGE_DIGEST=$(gcloud container images describe \
          gcr.io/$PROJECT_ID/my-app:$SHORT_SHA \
          --format='get(image_summary.digest)')
        gcloud container binauthz attestations sign-and-create \
          --artifact-url="gcr.io/$PROJECT_ID/my-app@$${IMAGE_DIGEST}" \
          --attestor="prod-build-attestor" \
          --attestor-project="$PROJECT_ID" \
          --keyversion-project="$PROJECT_ID" \
          --keyversion-location="global" \
          --keyversion-keyring="binauthz-keyring" \
          --keyversion-key="attestor-key" \
          --keyversion="1"
```
```bash
# Enable continuous validation on the GKE cluster
gcloud container clusters update CLUSTER_NAME \
  --enable-binauthz-monitoring \
  --zone us-central1-a
```

```
resource.type="k8s_cluster"
logName="projects/PROJECT_ID/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation"
```
```bash
# This deployment should be blocked
kubectl run test-unapproved \
  --image=docker.io/library/nginx:latest

# Verify that the Pod was rejected
kubectl get events --field-selector reason=FailedCreate
```
```bash
gcloud container binauthz attestations list \
  --attestor=prod-build-attestor \
  --attestor-project=PROJECT_ID
```
To bypass Binary Authorization for an emergency deployment:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: emergency-pod
  labels:
    image-policy.k8s.io/break-glass: "true"
  annotations:
    alpha.image-policy.k8s.io/break-glass: "Emergency deployment - ticket INC-12345"
spec:
  containers:
  - name: emergency
    image: gcr.io/PROJECT_ID/emergency-fix:latest
```