Quickstart: Monitor Pod security with continuous validation

Learn how to get started with Binary Authorization continuous validation (CV) using check-based policies. In this quickstart you use the following CV checks to continuously verify that running Pods meet these conditions:

  • Trusted directory: checks whether the images associated with a Pod reside in one or more trusted directories that you specify in the policy.
  • Image freshness: checks whether the Pod's images were uploaded within the number of days specified in the policy.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.

  3. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  4. To initialize the gcloud CLI, run the following command:

    gcloud init
  5. Create or select a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the Binary Authorization and Google Kubernetes Engine APIs:

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    gcloud services enable container.googleapis.com binaryauthorization.googleapis.com
  8. Install the kubectl command-line tool.
  9. If the Binary Authorization policy and the GKE cluster are in different projects, make sure Binary Authorization is enabled in both projects.

Create a platform policy

To configure a CV GKE platform policy, follow these steps:

  1. Create the platform policy YAML file:

    cat << EOF > /tmp/my-policy.yaml
    gkePolicy:
      checkSets:
      - checks:
        - trustedDirectoryCheck:
            trustedDirPatterns:
            - us-central1-docker.pkg.dev/my-project/my-directory
          displayName: My trusted directory check
        - imageFreshnessCheck:
            maxUploadAgeDays: 30
          displayName: My image freshness check
        displayName: My trusted directory and image freshness check set
    EOF

    This policy checks for the following:

    • The Pod's images are stored in the Artifact Registry repository named us-central1-docker.pkg.dev/my-project/my-directory.

    • The Pod's images were uploaded to the Artifact Registry or Container Registry repository within the last 30 days.

  2. Create the platform policy:

    gcloud beta container binauthz policy create POLICY_ID \
        --platform=gke \
        --policy-file=/tmp/my-policy.yaml \
        --project=POLICY_PROJECT_ID

    Replace the following:

    • POLICY_ID: an ID of your choice
    • POLICY_PROJECT_ID: the policy project ID

Create or update a cluster

To enable CV on a cluster, you can either create a new cluster or update an existing one.

  • To create a cluster with a check-based platform policy enabled, run the following command:

    gcloud beta container clusters create CLUSTER_NAME \
        --location=LOCATION \
        --binauthz-evaluation-mode=POLICY_BINDINGS \
        --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
        --project=CLUSTER_PROJECT_ID

    Replace the following:

    • CLUSTER_NAME: the cluster name
    • LOCATION: the location, for example us-central1 or asia-south1
    • POLICY_PROJECT_ID: the ID of the project where the policy is stored
    • POLICY_ID: the policy ID
    • CLUSTER_PROJECT_ID: the cluster project ID

    Wait for the cluster to be created.

  • To update an existing cluster and enable a check-based policy, run the following command:

    gcloud beta container clusters update CLUSTER_NAME \
        --location=LOCATION \
        --binauthz-evaluation-mode=POLICY_BINDINGS \
        --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID \
        --project=CLUSTER_PROJECT_ID

    Replace the following:

    • CLUSTER_NAME: the cluster name
    • LOCATION: the location, for example us-central1 or asia-south1
    • POLICY_PROJECT_ID: the ID of the project where the policy is stored
    • POLICY_ID: the policy ID
    • CLUSTER_PROJECT_ID: the cluster project ID

    Wait for the cluster update to finish.

Deploy the image

  1. Get credentials for kubectl:

    gcloud container clusters get-credentials CLUSTER_NAME

  2. Deploy the image:

    kubectl run hello-app \
        --image=us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0

    The image us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0 was uploaded to its repository within the last 30 days, so it passes the freshness check. However, because the image is not in us-central1-docker.pkg.dev/my-project/my-directory, it fails the trusted directory check. CV therefore produces a TrustedDirectoryCheck log entry in Cloud Logging.

View the logs

After the Pod is deployed, log entries appear in Cloud Logging within 24 hours, though they may show up in as little as a few hours.

To view the logs in Cloud Logging, use the following filter:

    logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
    "policyName"

The log entry for the hello-app Pod looks similar to the following. Some fields, such as the project ID and cluster name, will differ.

    {
      "insertId": "637c2de7-0000-2b64-b671-24058876bb74",
      "jsonPayload": {
        "podEvent": {
          "endTime": "2022-11-22T01:14:30.430151Z",
          "policyName": "projects/1234567890/platforms/gke/policies/my-policy",
          "images": [
            {
              "result": "DENY",
              "checkResults": [
                {
                  "explanation": "TrustedDirectoryCheck at index 0 with display name \"My trusted directory check\" has verdict NOT_CONFORMANT. Image is not in a trusted directory",
                  "checkSetName": "Default check set",
                  "checkSetIndex": "0",
                  "checkName": "My trusted directory check",
                  "verdict": "NON_CONFORMANT",
                  "checkType": "TrustedDirectoryCheck",
                  "checkIndex": "0"
                }
              ],
              "image": "us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0"
            }
          ],
          "verdict": "VIOLATES_POLICY",
          "podNamespace": "default",
          "deployTime": "2022-11-22T01:06:53Z",
          "pod": "hello-app"
        },
        "@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent"
      },
      "resource": {
        "type": "k8s_cluster",
        "labels": {
          "project_id": "my-project",
          "location": "us-central1-a",
          "cluster_name": "my-cluster"
        }
      },
      "timestamp": "2022-11-22T01:44:28.729881832Z",
      "severity": "WARNING",
      "logName": "projects/my-project/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
      "receiveTimestamp": "2022-11-22T03:35:47.171905337Z"
    }
    

The log entry shows information about the policy violation, including the following fields:

  • policyName: the platform policy in use when CV detected the violation
  • checkResults: a block of results containing the following fields:

    • explanation: the error message
    • checkSetName: the displayName of the check set
    • checkSetIndex: the index of the check set in the policy
    • checkName: the name of the check
    • checkIndex: the index of the check within the check set
    • verdict: the result that produced the log entry, in this case NOT_CONFORMANT because the check failed

Some checks provide additional information to help you understand why the check failed.

Because the image passed the freshness check, the freshness check does not appear in the log.
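As an added example that is not part of the quickstart, the following Python script parses a CV log entry of the shape shown above (the sample payload is constructed from the hello-app entry) and reduces it to one record per failed check, which is what an alerting sink or a SIEM rule would consume:

```python
import json

# Constructed sample, modelled on the hello-app log entry shown in the quickstart.
SAMPLE_LOG_ENTRY = """{
  "jsonPayload": {
    "podEvent": {
      "policyName": "projects/1234567890/platforms/gke/policies/my-policy",
      "images": [{
        "checkResults": [{
          "explanation": "TrustedDirectoryCheck at index 0 ... Image is not in a trusted directory",
          "checkName": "My trusted directory check",
          "verdict": "NON_CONFORMANT",
          "checkType": "TrustedDirectoryCheck"
        }],
        "image": "us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0"
      }],
      "verdict": "VIOLATES_POLICY",
      "podNamespace": "default",
      "pod": "hello-app"
    },
    "@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent"
  }
}"""


def extract_violations(entry: dict) -> list[dict]:
    """Return one record per failed check; non-CV entries yield an empty list."""
    payload = entry.get("jsonPayload", {})
    if not payload.get("@type", "").endswith("ContinuousValidationEvent"):
        return []  # lets the function run over a mixed export of Cloud Logging entries
    event = payload.get("podEvent", {})
    found = []
    for img in event.get("images", []):
        for check in img.get("checkResults", []):
            # Passing checks are not listed (the quickstart notes the freshness check
            # is absent), so any listed verdict other than CONFORMANT is a failure.
            if check.get("verdict") == "CONFORMANT":
                continue
            found.append({
                "pod": f'{event.get("podNamespace", "")}/{event.get("pod", "")}',
                "image": img.get("image", ""),
                "check": f'{check.get("checkType", "")}:{check.get("checkName", "")}',
                "explanation": check.get("explanation", ""),
            })
    return found


def violations_from_json(raw: str) -> list[dict]:
    return extract_violations(json.loads(raw))
```

Feed it one exported JSON entry at a time; entries whose payload is not a ContinuousValidationEvent are skipped rather than raising.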

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project that contains the resources.

This section describes how to clean up the CV monitoring you configured earlier in this guide.

You can disable CV monitoring on the cluster, or disable both Binary Authorization and CV.

Disable Binary Authorization on the cluster

To disable both CV and Binary Authorization enforcement on the cluster, run the following command:

    gcloud beta container clusters update CLUSTER_NAME \
        --binauthz-evaluation-mode=DISABLED \
        --location=LOCATION \
        --project=CLUSTER_PROJECT_ID

Replace the following:

  • CLUSTER_NAME: the cluster name
  • LOCATION: the cluster location
  • CLUSTER_PROJECT_ID: the cluster project ID

Disable check-based policy monitoring on the cluster

To disable CV check-based policies on the cluster and re-enable enforcement with the Binary Authorization enforcement policy, run the following command:

    gcloud beta container clusters update CLUSTER_NAME \
        --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE \
        --location=LOCATION \
        --project="CLUSTER_PROJECT_ID"

Replace the following:

  • CLUSTER_NAME: the cluster name
  • LOCATION: the cluster location
  • CLUSTER_PROJECT_ID: the cluster project ID

Note that --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE is equivalent to the legacy flag --enable-binauthz.

Delete the policy

To delete the policy, run the following command. You don't need to delete the check-based platform policy in order to disable check-based policy auditing.

    gcloud beta container binauthz policy delete POLICY_ID \
        --platform=gke \
        --project="POLICY_PROJECT_ID"

Replace the following:

  • POLICY_ID: the policy ID
  • POLICY_PROJECT_ID: the policy project ID

What's next