本頁說明如何使用二進位授權持續驗證 (CV) 安全漏洞檢查,監控與 CV 啟用 Google Kubernetes Engine (GKE) 叢集上執行的 Pod 相關聯的安全漏洞。
費用
本指南使用下列 Google Cloud 服務:
- Artifact Analysis
- 二進位授權,但 CV 在預先發布版階段免費提供
- GKE
您可以使用 Pricing Calculator 根據預測用量估算費用。
事前準備
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
Install the Google Cloud CLI.
-
若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI。
-
執行下列指令,初始化 gcloud CLI:
gcloud init -
Create or select a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Artifact Analysis, Binary Authorization, Google Kubernetes Engine APIs:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable binaryauthorization.googleapis.com
containeranalysis.googleapis.com container.googleapis.com -
Install the Google Cloud CLI.
-
若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI。
-
執行下列指令,初始化 gcloud CLI:
gcloud init -
Create or select a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_IDwith a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_IDwith your Google Cloud project name.
-
Verify that billing is enabled for your Google Cloud project.
-
Enable the Artifact Analysis, Binary Authorization, Google Kubernetes Engine APIs:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (
roles/serviceusage.serviceUsageAdmin), which contains theserviceusage.services.enablepermission. Learn how to grant roles.gcloud services enable binaryauthorization.googleapis.com
containeranalysis.googleapis.com container.googleapis.com - 確認 gcloud CLI 已更新至最新版本。
- 安裝
kubectl指令列工具。 - 如果二進位授權政策和 GKE 叢集位於不同專案,請務必在這兩個專案中啟用二進位授權。
-
如果叢集專案與政策專案不同:
叢集專案二進位授權服務代理人的二進位授權政策評估者 (
roles/binaryauthorization.policyEvaluator) ,才能存取政策專案 -
如果構件專案與政策專案不同:
政策專案的二進位授權服務代理人必須具備「容器分析例項檢視者」 (
roles/containeranalysis.occurrences.viewer) 角色,才能存取安全性弱點資訊。 如果執行叢集的專案與政策所在的專案不同,您必須授予叢集專案的二進位授權服務代理,存取政策專案中政策的權限。
取得叢集專案的二進位授權服務代理:
PROJECT_NUMBER=$(gcloud projects list \ --filter="projectId:CLUSTER_PROJECT_ID" \ --format="value(PROJECT_NUMBER)") CLUSTER_SERVICE_ACCOUNT="service-$PROJECT_NUMBER@gcp-sa-binaryauthorization.iam.gserviceaccount.com"將
CLUSTER_PROJECT_ID替換為叢集的專案 ID。允許 CV 評估叢集上的政策:
gcloud projects add-iam-policy-binding POLICY_PROJECT_ID \ --member="serviceAccount:$CLUSTER_SERVICE_ACCOUNT" \ --role='roles/binaryauthorization.policyEvaluator'將
POLICY_PROJECT_ID替換為包含政策的專案 ID。
如果 Artifact Analysis 專案與 Binary Authorization 政策專案不同,請按照下列步驟操作:
取得政策專案的二進位授權服務代理:
PROJECT_NUMBER=$(gcloud projects list \ --filter="projectId:POLICY_PROJECT_ID" \ --format="value(PROJECT_NUMBER)") SERVICE_ACCOUNT="service-$PROJECT_NUMBER@gcp-sa-binaryauthorization.iam.gserviceaccount.com"將
POLICY_PROJECT_ID替換為包含政策的專案 ID。授予角色:
gcloud projects add-iam-policy-binding VULNERABILITY_PROJECT_ID \ --member="serviceAccount:$SERVICE_ACCOUNT" \ --role='roles/containeranalysis.occurrences.viewer'將
VULNERABILITY_PROJECT_ID替換為您執行構件分析的專案 ID。
建立平台政策 YAML 檔案:
cat > /tmp/my-policy.yaml <<EOF gkePolicy: checkSets: - checks: - vulnerabilityCheck: maximumFixableSeverity: MEDIUM maximumUnfixableSeverity: HIGH allowedCves: - CVE_ALLOWED blockedCves: - CVE_BLOCKED containerAnalysisVulnerabilityProjects: projects/VULNERABILITY_PROJECT displayName: My vulnerability check displayName: My vulnerability check set EOF建立平台政策。
使用下方的任何指令資料之前,請先替換以下項目:
- POLICY_ID:您選擇的平台政策 ID。如果政策位於其他專案中,可以使用完整資源名稱:
projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID。 - POLICY_PATH:政策檔案的路徑。
- POLICY_PROJECT_ID:政策專案 ID。
執行下列指令:
Linux、macOS 或 Cloud Shell
gcloud beta container binauthz policy create POLICY_ID \ --platform=gke \ --policy-file=POLICY_PATH \ --project=POLICY_PROJECT_ID
Windows (PowerShell)
gcloud beta container binauthz policy create POLICY_ID ` --platform=gke ` --policy-file=POLICY_PATH ` --project=POLICY_PROJECT_ID
Windows (cmd.exe)
gcloud beta container binauthz policy create POLICY_ID ^ --platform=gke ^ --policy-file=POLICY_PATH ^ --project=POLICY_PROJECT_ID
- POLICY_ID:您選擇的平台政策 ID。如果政策位於其他專案中,可以使用完整資源名稱:
CLUSTER_NAME:叢集名稱。LOCATION:位置,例如us-central1或asia-south1。POLICY_PROJECT_ID:儲存政策的專案 ID。POLICY_ID:政策 ID。CLUSTER_PROJECT_ID:叢集專案 ID。CLUSTER_NAME:叢集名稱。LOCATION:位置,例如us-central1或asia-south1。POLICY_PROJECT_ID:儲存政策的專案 ID。POLICY_ID:政策 ID。CLUSTER_PROJECT_ID:叢集專案 ID。CLUSTER_NAME:叢集名稱LOCATION:位置,例如us-central1或asia-south1POLICY_PROJECT_ID:儲存政策的專案 IDPOLICY_ID:政策 IDCLUSTER_PROJECT_ID:叢集專案 IDCLUSTER_NAME:叢集名稱LOCATION:位置,例如us-central1或asia-south1POLICY_PROJECT_ID:儲存政策的專案 IDPOLICY_ID:政策 IDCLUSTER_PROJECT_ID:叢集專案 IDImageFreshnessCheckSigstoreSignatureCheckSimpleSigningAttestationCheckSlsaCheckTrustedDirectoryCheckVulnerabilityCheckCLUSTER_NAME:叢集名稱LOCATION:叢集位置CLUSTER_PROJECT_ID:叢集專案 IDCLUSTER_NAME:叢集名稱LOCATION:叢集位置CLUSTER_PROJECT_ID:叢集專案 IDPOLICY_ID:政策 IDPOLICY_PROJECT_ID:政策專案 ID
必要的角色
本節說明如何為這項檢查設定角色。
總覽
如果您在同一個專案中執行本指南提及的所有產品,則不需要設定任何權限。啟用 Binary Authorization 時,系統會正確設定角色。如果您在不同專案中執行產品,請務必按照本節所述設定角色。
為確保每個專案中的 Binary Authorization 服務代理程式具備評估 CV 漏洞檢查的必要權限,請要求管理員在每個專案中授予 Binary Authorization 服務代理程式下列 IAM 角色:
如要進一步瞭解如何授予角色,請參閱「管理專案、資料夾和組織的存取權」。
管理員或許也能透過自訂角色或其他預先定義的角色,授予每個專案的 Binary Authorization 服務代理人必要權限。
使用 gcloud CLI 授予角色
為確保每個專案中的服務帳戶具備評估這項檢查所需的權限,請將下列 IAM 角色授予每個專案中的服務帳戶:
建立平台政策
如要建立具有安全漏洞檢查功能的 CV 平台政策,請按照下列步驟操作:
啟用 CV
您可以建立新叢集,或更新現有叢集,以使用 CV 監控功能和以檢查為準的平台政策。
建立使用 CV 監控的叢集
在本節中,您將建立叢集,只使用 CV 監控功能和以檢查為準的平台政策。
使用下方的任何指令資料之前,請先替換以下項目:
執行下列指令:
Linux、macOS 或 Cloud Shell
gcloud beta container clusters create CLUSTER_NAME \ --location=LOCATION \ --binauthz-evaluation-mode=POLICY_BINDINGS \ --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \ --project=CLUSTER_PROJECT_ID
Windows (PowerShell)
gcloud beta container clusters create CLUSTER_NAME ` --location=LOCATION ` --binauthz-evaluation-mode=POLICY_BINDINGS ` --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ` --project=CLUSTER_PROJECT_ID
Windows (cmd.exe)
gcloud beta container clusters create CLUSTER_NAME ^ --location=LOCATION ^ --binauthz-evaluation-mode=POLICY_BINDINGS ^ --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^ --project=CLUSTER_PROJECT_ID
建立使用強制執行和 CV 監控的叢集
在本節中,您將建立叢集,同時使用專案單例政策強制執行和 CV 監控,以及以檢查為基礎的平台政策:
使用下方的任何指令資料之前,請先替換以下項目:
執行下列指令:
Linux、macOS 或 Cloud Shell
gcloud beta container clusters create CLUSTER_NAME \ --location=LOCATION \ --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE \ --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \ --project=CLUSTER_PROJECT_ID
Windows (PowerShell)
gcloud beta container clusters create CLUSTER_NAME ` --location=LOCATION ` --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE ` --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ` --project=CLUSTER_PROJECT_ID
Windows (cmd.exe)
gcloud beta container clusters create CLUSTER_NAME ^ --location=LOCATION ^ --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE ^ --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^ --project=CLUSTER_PROJECT_ID
更新叢集以使用 CV 監控功能
在本節中,您將更新叢集,只使用以檢查為準的平台政策,監控 CV。如果叢集已啟用專案單例政策強制執行,執行這項指令會停用該政策。建議您更新叢集,並啟用強制執行和 CV 監控功能。
使用下方的任何指令資料之前,請先替換以下項目:
執行下列指令:
Linux、macOS 或 Cloud Shell
gcloud beta container clusters update CLUSTER_NAME \ --location=LOCATION \ --binauthz-evaluation-mode=POLICY_BINDINGS \ --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \ --project=CLUSTER_PROJECT_ID
Windows (PowerShell)
gcloud beta container clusters update CLUSTER_NAME ` --location=LOCATION ` --binauthz-evaluation-mode=POLICY_BINDINGS ` --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ` --project=CLUSTER_PROJECT_ID
Windows (cmd.exe)
gcloud beta container clusters update CLUSTER_NAME ^ --location=LOCATION ^ --binauthz-evaluation-mode=POLICY_BINDINGS ^ --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^ --project=CLUSTER_PROJECT_ID
更新叢集以使用強制執行和 CV 監控功能
在本節中,您將更新叢集,同時使用專案單例政策強制執行和 CV 監控,以及以檢查為基礎的平台政策。
使用下方的任何指令資料之前,請先替換以下項目:
執行下列指令:
Linux、macOS 或 Cloud Shell
gcloud beta container clusters update CLUSTER_NAME \ --location=LOCATION \ --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE \ --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \ --project=CLUSTER_PROJECT_ID
Windows (PowerShell)
gcloud beta container clusters update CLUSTER_NAME ` --location=LOCATION ` --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE ` --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ` --project=CLUSTER_PROJECT_ID
Windows (cmd.exe)
gcloud beta container clusters update CLUSTER_NAME ^ --location=LOCATION ^ --binauthz-evaluation-mode=POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE ^ --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID ^ --project=CLUSTER_PROJECT_ID
測試安全漏洞檢查
如要測試檢查設定是否正確,請更新政策並變更檢查參數,強制發生違規行為。舉例來說,您可以將特定 CVE 新增至 blockedCves,然後部署含有該安全漏洞的映像檔。
查看履歷表項目的記錄
您可以搜尋 Cloud Logging 項目,找出 CV 設定錯誤和 CV 平台政策驗證違規事項。
CV 會在 24 小時內將錯誤和違規事項記錄至 Cloud Logging。通常幾小時內就會看到記錄。
查看 CV 設定錯誤記錄
如要查看 CV 設定錯誤記錄,請執行下列指令:
gcloud logging read \
--order="desc" \
--freshness=7d \
--project=CLUSTER_PROJECT_ID \
'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation" "configErrorEvent"'
以下輸出內容顯示設定錯誤,其中找不到 CV 平台政策:
{
"insertId": "141d4f10-72ea-4a43-b3ec-a03da623de42",
"jsonPayload": {
"@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent",
"configErrorEvent": {
"description": "Cannot monitor cluster 'us-central1-c.my-cluster': Resource projects/123456789/platforms/gke/policies/my-policy does not exist."
}
},
"resource": {
"type": "k8s_cluster",
"labels": {
"cluster_name": "my-cluster",
"location": "us-central1-c",
"project_id": "my-project"
}
},
"timestamp": "2024-05-28T15:31:03.999566Z",
"severity": "WARNING",
"logName": "projects/my-project/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
"receiveTimestamp": "2024-05-28T16:30:56.304108670Z"
}
查看 CV 平台政策驗證違規事項
如果沒有任何圖片違反您啟用的平台政策,記錄檔中就不會顯示任何項目。
如要查看過去 7 天的 CV 記錄項目,請執行下列指令:
gcloud logging read \
--order="desc" \
--freshness=7d \
--project=CLUSTER_PROJECT_ID \
'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation" "policyName"'
將 CLUSTER_PROJECT_ID 替換為叢集專案 ID。
支票類型
CV 記錄會檢查違規資訊,並將資訊傳送至 checkResults。在項目中,值 checkType 表示檢查。各項檢查的值如下:
記錄範例
以下 CV 記錄項目範例說明違反信任目錄檢查的不符規定圖片:
{
"insertId": "637c2de7-0000-2b64-b671-24058876bb74",
"jsonPayload": {
"podEvent": {
"endTime": "2022-11-22T01:14:30.430151Z",
"policyName": "projects/123456789/platforms/gke/policies/my-policy",
"images": [
{
"result": "DENY",
"checkResults": [
{
"explanation": "TrustedDirectoryCheck at index 0 with display name \"My trusted directory check\" has verdict NOT_CONFORMANT. Image is not in a trusted directory",
"checkSetName": "My check set",
"checkSetIndex": "0",
"checkName": "My trusted directory check",
"verdict": "NON_CONFORMANT",
"checkType": "TrustedDirectoryCheck",
"checkIndex": "0"
}
],
"image": "gcr.io/my-project/hello-app:latest"
}
],
"verdict": "VIOLATES_POLICY",
"podNamespace": "default",
"deployTime": "2022-11-22T01:06:53Z",
"pod": "hello-app"
},
"@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent"
},
"resource": {
"type": "k8s_cluster",
"labels": {
"project_id": "my-project",
"location": "us-central1-a",
"cluster_name": "my-test-cluster"
}
},
"timestamp": "2022-11-22T01:44:28.729881832Z",
"severity": "WARNING",
"logName": "projects/my-project/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
"receiveTimestamp": "2022-11-22T03:35:47.171905337Z"
}
清除所用資源
本節說明如何清除您在本指南稍早設定的 CV 監控。
您可以在叢集中停用 CV 監控,或同時停用二進位授權和 CV。
在叢集中停用二進位授權
如要在叢集中停用 CV 和二進位授權強制執行功能,請執行下列指令:
gcloud beta container clusters update CLUSTER_NAME \
--binauthz-evaluation-mode=DISABLED \
--location=LOCATION \
--project=CLUSTER_PROJECT_ID
更改下列內容:
在叢集中停用以檢查為準的政策監控功能
如要在叢集中停用以檢查為準的政策,並使用 Binary Authorization 強制執行政策重新啟用強制執行功能,請執行下列指令:
gcloud beta container clusters update CLUSTER_NAME \
--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE \
--location=LOCATION \
--project="CLUSTER_PROJECT_ID"
更改下列內容:
請注意,--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE 相當於舊版旗標 --enable-binauthz。
刪除政策
如要刪除政策,請執行下列指令。如要停用以檢查為準的政策稽核功能,不必刪除以檢查為準的平台政策。
gcloud beta container binauthz policy delete POLICY_ID \
--platform=gke \
--project="POLICY_PROJECT_ID"
更改下列內容: