feat: add binary authorization
karanwadhwa authored and sydrawat01 committed Dec 7, 2023
1 parent 5d63239 commit d25ff5d
Showing 2 changed files with 25 additions and 10 deletions.
3 changes: 3 additions & 0 deletions modules/k8s/main.tf
Expand Up @@ -67,6 +67,9 @@ resource "google_container_cluster" "pwncorp_cluster" {
master_ipv4_cidr_block = var.master_ipv4_cidr_block
}

binary_authorization {
evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
}
}

# Node pool for Cluster
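Review bot: `evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"` makes this cluster enforce whatever policy the project currently carries, so its admission control now depends on the `google_binary_authorization_policy` resource that lives in a different module, and nothing in this hunk ties the two together; if the cluster is created before that policy exists it presumably runs under the project's default (permissive) policy until the apply reaches the other module. Presumably the root module wires the two, but an explicit `depends_on` on the policy resource, or passing the policy's id into this module, would make the ordering deliberate rather than incidental. A short comment would also help the next reader, e.g. `# Enforce the project-level Binary Authorization policy (see modules/projects); pods whose images do not satisfy it are rejected at admission.` The enclosing `google_container_cluster` resource starts before this hunk.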
32 changes: 22 additions & 10 deletions modules/projects/main.tf
Expand Up @@ -14,14 +14,26 @@ resource "google_organization_policy" "default_network_policy" {
}
}

# resource "google_binary_authorization_policy" "binary_auth_policy" {
# admission_whitelist_patterns {
# name_pattern = "gcr.io/google_containers/*"
# }

# default_admission_rule {
# evaluation_mode = "ALWAYS_ALLOW"
# enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
# }
# }
resource "google_binary_authorization_policy" "binary_auth_policy" {
admission_whitelist_patterns {
name_pattern = "docker.io/bitnami/*"
}

admission_whitelist_patterns {
name_pattern = "docker.io/istio/*"
}

admission_whitelist_patterns {
name_pattern = "quay.io/pwncorp/*"
}

default_admission_rule {
evaluation_mode = "ALWAYS_DENY"
enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG"
}

global_policy_evaluation_mode = "ENABLE"
project = var.project_id
}
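Review bot: The three `admission_whitelist_patterns` entries admit images by name only, so anything pushed under `docker.io/bitnami/*`, `docker.io/istio/*` or `quay.io/pwncorp/*` — any tag, any digest — passes admission, and the Docker Hub namespaces are not under this project's control and their tags are mutable. The `ALWAYS_DENY` default with `ENFORCED_BLOCK_AND_AUDIT_LOG` is the right baseline, but the allowlist reduces it to trust-by-name; consider mirroring the third-party images into a registry you control, and for `quay.io/pwncorp/*` moving to an attestation-based rule (`REQUIRE_ATTESTATION` with `require_attestations_by`) so only images signed by your own pipeline are admitted. At minimum a comment above the patterns should state the trade-off, e.g. `# Name patterns only: no tag/digest pinning, so these namespaces are trusted wholesale. The docker.io entries should be mirrored to a controlled registry or replaced by attestation rules.` `global_policy_evaluation_mode = "ENABLE"` is presumably there to exempt Google-maintained system images from the `ALWAYS_DENY` default; that intent is worth stating in a comment next to it.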

