This guide describes how to create and use Binary Authorization attestations. After a container image is built, an attestation can be created to affirm that a required activity was performed on the image such as a regression test, vulnerability scan, or other test. The attestation is created by signing the image's unique digest.
During deployment, instead of repeating the activities, Binary Authorization verifies the attestations using an attestor. If all of the attestations for an image are verified, Binary Authorization allows the image to be deployed.
Before you begin
Set up Binary Authorization with one of the following products:
Cloud Service Mesh users only need to set up the Binary Authorization policy. To do so, see Configure a policy, later in this guide.
Create an attestor
To use attestations, you first create attestors. At deploy time, Binary Authorization uses attestors to verify the attestation associated with the container image.
You can create attestors using the following methods:
- The Google Cloud CLI
- The Google Cloud console
Configure a policy rule to require attestations
This section describes how to configure the policy to require attestations.
GKE
Configure the default rule to require attestations using the following methods:
Configure a cluster-specific rule to require attestations using the following methods:
Cloud Run
Configure the default rule to require attestations using one of the following methods:
Distributed Cloud
- Configure the default rule to require attestations using the following methods:
- Configure a cluster-specific rule to require attestations using the following methods:
Cloud Service Mesh
Cloud Service Mesh users can create rules—including rules that require attestations—that are scoped to either a mesh service identity, a Kubernetes service account, or a Kubernetes namespace.
To configure a specific rule, use the following methods:
Create attestations
Attestations are created by a signer. The process of creating an attestation is also known as signing an image. A signer can be a person who creates an attestation manually, or an automated service. For instructions that describe different approaches to creating attestations, see the following pages:
- Create attestations manually by signing a container image.
- Create attestations in a Cloud Build pipeline.
- Create attestations based on Artifact Analysis vulnerability findings using Voucher.
- Create attestations based on Artifact Analysis vulnerability findings using Kritis.
Deploy an image
After you create an attestation, you are ready to deploy the associated image.
GKE
Cloud Run
Distributed Cloud
Cloud Service Mesh
Cloud Service Mesh workloads are enforced as soon as the policy is saved.
What's next
- View audit logs
- View Cloud Run breakglass audit logs
- Use breakglass (GKE)
- Use breakglass (Cloud Run)
- Use image digests in Kubernetes manifests