Score:0

Whitelisting URLs for exemption in binary authorization


I am testing my binary authorization policies and put an exemption entry to allow nginx.

Following are the entries I tried by adding them under Images exempt from policy

registry.hub.docker.com/library/nginx*
registry.hub.docker.com/library/nginx.latest
docker.io/library/nginx*

but it is failing with the error below:

 $ kubectl run httpd-server --image=nginx --restart=Never -l app=httpd-server --port 80
 Error from server (VIOLATES_POLICY): admission webhook "imagepolicywebhook.image-policy.k8s.io" denied the request: Image nginx denied by Binary Authorization default admission rule. Denied by always_deny admission rule

If I disable binary authorization and install the nginx package, it shows that the following repository is used to pull the image:

   image: docker.io/library/nginx:latest

This entry is already there in Images exempt from policy, but the download is still blocked. Sharing the policy definition as requested.

(screenshot of the policy definition)

Any suggestions?

Ismael Clemente Aguirre: Can you share the YAML configuration file for your policy?

Shared the image of the policy definition.
Score:1

I successfully reproduced your environment and everything runs as it should. I configured my policy as in the image.

(screenshot: environment reproduced)

And I was able to create a deployment without any problem. I tried a few times changing between options, but in the end I didn't find a problem.

Please be sure that you're running a cluster with Binary Authorization enabled.

To verify that Binary Authorization is enabled for the cluster, do the following:

1. Open the GKE page in the Cloud console.

2. Under Kubernetes clusters, find your cluster.

3. Under Security, verify that Binary Authorization is set to Enabled.

Also, it is important to check that the cluster where you're running your commands is the same cluster where you set the specific rules.

Before creating the deployment, be sure to run

gcloud container clusters get-credentials NAME [--internal-ip] [--region=REGION     | --zone=ZONE, -z ZONE] [GCLOUD_WIDE_FLAG …]

to get the credentials for the cluster that you need to use.

Thanks so much for your response. Binary authorization is enabled on the cluster, but the cluster-specific rule was for a different cluster.
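Added example, not part of the question or the answer above: before touching the cluster, it helps to check offline what image reference the admission webhook will actually evaluate (a bare `nginx` resolves to `docker.io/library/nginx:latest`, as the question's own pull output shows) and whether a given `admissionWhitelistPatterns` entry admits it. The script below assumes Docker's reference-normalization rules (no registry means `docker.io`, a single-segment name lives under `library/`, no tag means `:latest`) and the documented Binary Authorization wildcard semantics (a trailing `*` matches within one path segment and does not cross `/`, a trailing `**` also matches sub-paths); both are assumptions stated here, not something the thread confirms. The sample patterns and images are constructed from the question.

```shell
#!/bin/sh
# Added example (not from the original thread): normalize an image reference the
# way the registry/admission layer sees it, then test it against Binary
# Authorization exemption patterns. POSIX sh; no cluster access needed.

# normalize_image REF -> fully qualified reference (assumed Docker rules).
#   nginx                     -> docker.io/library/nginx:latest
#   myorg/app                 -> docker.io/myorg/app:latest
#   gcr.io/proj/app           -> gcr.io/proj/app:latest
#   localhost:5000/app@sha256:... stays as-is (digest, no default tag)
normalize_image() {
  ref=$1
  first=${ref%%/*}
  if [ "$first" = "$ref" ]; then
    registry=docker.io; path=$ref            # no slash at all: Docker Hub
  else
    case $first in
      localhost|*.*|*:*) registry=$first; path=${ref#*/} ;;   # looks like a host
      *)                 registry=docker.io; path=$ref ;;      # e.g. myorg/app
    esac
  fi
  last=${path##*/}
  case $last in
    *:*) tag="" ;;            # already has a tag or a @sha256: digest
    *)   tag=":latest" ;;     # default tag applied by the runtime
  esac
  if [ "$registry" = docker.io ]; then
    case $path in
      */*) ;;
      *)   path=library/$path ;;   # official images live under library/
    esac
  fi
  printf '%s/%s%s\n' "$registry" "$path" "$tag"
}

# matches_pattern IMAGE PATTERN -> exit 0 if the exemption pattern admits IMAGE.
# Assumed semantics: trailing "**" matches any suffix (crosses "/"),
# trailing "*" matches a suffix without "/", anything else is an exact match.
matches_pattern() {
  image=$1 pattern=$2
  case $pattern in
    *\*\*)
      prefix=${pattern%\*\*}
      case $image in "$prefix"*) return 0 ;; esac
      return 1 ;;
    *\*)
      prefix=${pattern%\*}
      rest=${image#"$prefix"}
      [ "$rest" != "$image" ] || return 1   # prefix did not match at all
      case $rest in */*) return 1 ;; esac   # "*" must not cross a "/"
      return 0 ;;
    *)
      [ "$image" = "$pattern" ] ;;
  esac
}

# image_exempt REF PATTERN... -> exit 0 if any pattern admits the normalized REF.
image_exempt() {
  ie_image=$(normalize_image "$1"); shift
  for ie_p in "$@"; do
    if matches_pattern "$ie_image" "$ie_p"; then return 0; fi
  done
  return 1
}

# Constructed demo: the two wildcard patterns from the question against the
# image that "kubectl run --image=nginx" resolves to, plus two contrasts.
demo() {
  for img in nginx nginx:1.25 docker.io/library/nginx/sub gcr.io/my-project/nginx; do
    if image_exempt "$img" 'registry.hub.docker.com/library/nginx*' 'docker.io/library/nginx*'; then
      echo "$img -> $(normalize_image "$img"): exempt"
    else
      echo "$img -> $(normalize_image "$img"): NOT exempt, evaluated by the default rule"
    fi
  done
}
demo
```

Note that the `registry.hub.docker.com/...` patterns never match here, because the webhook evaluates the normalized name `docker.io/library/nginx:latest`; only the `docker.io/library/nginx*` entry (or an exact `docker.io/library/nginx:latest`) admits the image. The normalizer does not fold aliases such as `index.docker.io` into `docker.io`, so policy entries should use the name your pull output reports.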