Attestations overview

This guide describes how to create and use Binary Authorization attestations. After a container image is built, an attestation can be created to affirm that a required activity was performed on the image such as a regression test, vulnerability scan, or other test. The attestation is created by signing the image's unique digest.

During deployment, instead of repeating the activities, Binary Authorization verifies the attestations using an attestor. If all of the attestations for an image are verified, Binary Authorization allows the image to be deployed.

Before you begin

  1. Enable Binary Authorization.

  2. Set up Binary Authorization with one of the following products:

Anthos Service Mesh (Preview) users only need to set up the Binary Authorization policy. To do so, see Configure a policy, later in this guide.

Create an attestor

To use attestations, you first create attestors. At deploy time, Binary Authorization uses attestors to verify the attestation associated with the container image.

You can create attestors using the following methods:

Configure a policy rule to require attestations

This section describes how to configure the policy to require attestations.

GKE

Cloud Run

Configure the default rule to require attestations using one of the following methods:

GKE clusters

Anthos Service Mesh

Anthos Service Mesh (Preview) users can create rules—including rules that require attestations—that are scoped to either a mesh service identity, a Kubernetes service account, or a Kubernetes namespace.

To configure a specific rule, use the following methods:

Create attestations

Attestations are created by a signer. The process of creating an attestation is also known as signing an image. A signer can be a person who manually creates an attestation. Alternatively, a signer can be an automated service. For instructions that describe different approaches to creating attestations, see the following pages:
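The signer and deploy-time verifier roles described above, modelled as an added Go example that is not Binary Authorization's own code: the signer signs the image digest with the attestor's private key, and the admission check allows the image only if every attestor the policy requires has a valid attestation over that exact digest. The attestor names, Ed25519 keys and manifest bytes are constructed assumptions; the real service stores and verifies attestations through its own APIs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Attestor is the deploy-time verifier; it holds only the attestor's public key.
type Attestor struct {
	Name   string
	Public ed25519.PublicKey
}

// Attestation is a signer's signature over exactly one image digest.
type Attestation struct {
	AttestorName string
	Digest       string
	Signature    []byte
}

// NewAttestor makes a key pair; the private key stays with the signer, never the verifier.
func NewAttestor(name string) (Attestor, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return Attestor{Name: name, Public: pub}, priv
}

// ImageDigest is the content digest a registry reports for an image manifest.
func ImageDigest(manifest []byte) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256(manifest))
}

// Sign creates the attestation: it binds to this digest, never to a mutable tag.
func Sign(name string, priv ed25519.PrivateKey, digest string) Attestation {
	return Attestation{name, digest, ed25519.Sign(priv, []byte(digest))}
}

// AdmitImage is the deploy-time rule: every required attestor must have a valid attestation over this exact digest.
func AdmitImage(digest string, required []Attestor, atts []Attestation) bool {
next:
	for _, a := range required {
		for _, att := range atts {
			if att.AttestorName == a.Name && att.Digest == digest &&
				ed25519.Verify(a.Public, []byte(digest), att.Signature) {
				continue next
			}
		}
		return false // missing or badly signed attestation blocks the deploy
	}
	return true
}
```

Rebuilding the image changes its digest, so attestations made for the earlier build no longer apply even if the tag is reused.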

Deploy an image

After you create an attestation, you are ready to deploy the associated image.

GKE

Deploy images using GKE.

Cloud Run

Deploy images using Cloud Run.

GKE clusters

Deploy images using GKE clusters.

Anthos Service Mesh

For Anthos Service Mesh (Preview) workloads, the policy is enforced as soon as it is saved.

What's next