
I am testing my Binary Authorization policies and put in an exemption entry to allow nginx.

Following are the entries I tried, adding them under Images exempt from policy:

registry.hub.docker.com/library/nginx*
registry.hub.docker.com/library/nginx.latest
docker.io/library/nginx*

but it is failing with the error below:

 $ kubectl run httpd-server --image=nginx --restart=Never -l app=httpd-server --port 80
 Error from server (VIOLATES_POLICY): admission webhook "imagepolicywebhook.image-policy.k8s.io" denied the request: Image nginx denied by Binary Authorization default admission rule. Denied by always_deny admission rule

If I disable Binary Authorization and install the nginx package, it shows that the following repository is used to pull the image:

   image: docker.io/library/nginx:latest

This entry is already there in Images exempt from policy, but the download is still blocked. Sharing the policy definition as requested.

[screenshot: policy definition]

Any suggestions?

Zama Ques

1 Answer

I successfully reproduced your environment and everything runs as it should. I configured my policy as in the image.

[screenshot: reproduced environment]

And I was able to create a deployment without any problem. I tried a few times changing between options, but in the end I didn't find a problem.

Please be sure that you're running a cluster with Binary Authorization enabled.

To verify that Binary Authorization is enabled for the cluster, do the following:

1. Open the GKE page in the Cloud console.

2. Under Kubernetes clusters, find your cluster.

3. Under Security, verify that Binary Authorization is set to Enabled.

Also, it is important to check that the cluster where you're running your commands is the same cluster where you set the specific rules.

Before creating the deployment, be sure to use:

gcloud container clusters get-credentials NAME [--internal-ip] [--region=REGION     | --zone=ZONE, -z ZONE] [GCLOUD_WIDE_FLAG …]

This gets the credentials for the cluster that you need to use.

  • Thanks so much for your response. Binary Authorization is enabled on the cluster, but the cluster-specific rule was for a different cluster – Zama Ques Jun 01 '22 at 06:11
  • Can we use the "Images exempt from policy" feature to disallow non-Google images like "docker.io" if we disallow all images in the default and cluster-specific rules? – Zama Ques Jun 10 '22 at 17:08
  • I "disallowed all images" in both the default and cluster-specific rule and added "docker.io/library/nginx:latest" in the custom exemption rules, but the nginx deployment is failing with an "Image nginx denied by Binary Authorization cluster admission" error – Zama Ques Jun 10 '22 at 17:12
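The two checks the answer recommends (is kubectl pointed at the cluster whose rules you edited, and is Binary Authorization actually enabled on it) can be scripted, together with the image-name normalization the question ran into (`nginx` is pulled as `docker.io/library/nginx:latest`, so that is the reference an exemption entry has to match). This is an added example, not code from the answer or from Google; it assumes the `gcloud container clusters describe` fields `binaryAuthorization.evaluationMode` (newer clusters) and the legacy boolean `binaryAuthorization.enabled` (printed as `True`), and that GKE kubectl contexts are named `gke_PROJECT_LOCATION_NAME`. The live portion only runs when a cluster name, zone and project are given; regional clusters need `--region` instead of `--zone`.

```shell
#!/bin/sh
# Added example (not from the original answer): verify kubectl targets the
# intended GKE cluster, that Binary Authorization is enabled on it, and print
# the canonical image reference an exemption entry must match.
set -eu

# Normalize a short image name the way the container runtime does before the
# admission webhook sees it: "nginx" -> "docker.io/library/nginx:latest".
canonical_image() {
  img="$1"
  case "$img" in
    */*) ;;                        # already has a path component
    *) img="library/$img" ;;       # bare name: official image under library/
  esac
  first="${img%%/*}"
  case "$first" in
    *.*|*:*|localhost) ;;          # first segment is a registry host
    *) img="docker.io/$img" ;;     # no registry given: Docker Hub
  esac
  rest="${img#*/}"
  case "$rest" in
    *@*|*:*) ;;                    # digest or tag already present
    *) img="$img:latest" ;;        # otherwise the runtime assumes :latest
  esac
  printf '%s\n' "$img"
}

# Decide from the cluster's binaryAuthorization field whether enforcement is on.
# Assumption: gcloud prints evaluationMode on newer clusters and the legacy
# boolean "enabled" (as "True") on older ones; both forms are accepted.
binauthz_enabled() {
  case "$1" in
    PROJECT_SINGLETON_POLICY_ENFORCE|True|true) return 0 ;;
    *) return 1 ;;
  esac
}

# Cluster name from a GKE kubectl context, assumed to be gke_PROJECT_LOCATION_NAME.
context_cluster_name() {
  printf '%s\n' "${1#gke_*_*_}"
}

# Live check against a real cluster; skipped when no arguments are given so the
# helper functions above can be exercised without gcloud or kubectl installed.
if [ "$#" -eq 3 ]; then
  name="$1"; zone="$2"; project="$3"
  gcloud container clusters get-credentials "$name" --zone "$zone" --project "$project"
  ctx="$(kubectl config current-context)"
  if [ "$(context_cluster_name "$ctx")" != "$name" ]; then
    echo "kubectl context '$ctx' does not point at cluster '$name'" >&2
    exit 1
  fi
  mode="$(gcloud container clusters describe "$name" --zone "$zone" --project "$project" \
            --format='value(binaryAuthorization.evaluationMode)')"
  if [ -z "$mode" ]; then
    mode="$(gcloud container clusters describe "$name" --zone "$zone" --project "$project" \
              --format='value(binaryAuthorization.enabled)')"
  fi
  if binauthz_enabled "$mode"; then
    echo "Binary Authorization is enabled on '$name' ($mode)"
  else
    echo "Binary Authorization is NOT enabled on '$name' (got '$mode')" >&2
    exit 1
  fi
  echo "an exemption entry must match: $(canonical_image nginx)"
else
  echo "usage: $0 CLUSTER_NAME ZONE PROJECT   (no arguments: define functions only)" >&2
fi
```

If the context check fails, the rules you edited under the cluster-specific tab belong to another cluster, which is the mismatch the answer's first comment confirms; the printed canonical reference is the string to compare against the exemption list, since the policy never sees the bare name `nginx`.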