Cloud Build integration

This page provides an overview of how to set up Binary Authorization with Cloud Build. This setup helps prevent images built from unknown source code or insecure repositories from running in your deployment environment.


Cloud Build takes source code stored in Cloud Source Repositories or another hosted repository, runs your builds and tests, and stores the resulting software outputs in Container Registry or another storage service on Google Cloud Platform. You can configure Binary Authorization to require attestations based on the location of the source code to prevent container images built from unauthorized source from being deployed.


The following diagram shows the components in a Binary Authorization/Cloud Build setup:

Binary Authorization/Cloud Build architecture

The components are:

  • Cloud Source Repositories or another secure repository that contains the source code used to build a container image

  • Cloud Build, which runs builds and tests, and outputs the container image to Container Registry or another software registry that stores your built images

  • A Kritis signer, an open source component that listens to Pub/Sub notifications from Cloud Build when new image versions are built and makes an attestation if the image was built only from source located in a trusted repository

  • Container Analysis, which stores the attestations for Binary Authorization and the build records from Cloud Build

  • Binary Authorization, which enforces the policy requiring attestations by the Kritis signer before a container image can be deployed

  • Google Kubernetes Engine (GKE), which runs the deployed container images on Google Cloud


To set up Binary Authorization to work with Cloud Build:

  1. Enable Binary Authorization in your project

  2. Create a GKE cluster with Binary Authorization enabled

  3. Create an attestor for the Kritis signer Binary Authorization

  4. Configure the Binary Authorization policy (CLI or Console) to require an attestation from Kritis before an image can be deployed

  5. Configure Pub/Sub notifications in Cloud Build

  6. Set up the Kritis signer and configure it to subscribe to Pub/Sub notifications and make attestations if an image is built only from source code in a trusted repository

Process flow

Upload and scanning

When Cloud Build generates a new container image, it creates a build record that contains information on the image, including the location of source code from which the image was built. You can view this information in the Google Cloud Console.


Cloud Build then makes a Pub/Sub notification available to subscribers that contains the build record. The Kritis signer, which is a subscriber to the Pub/Sub topic, receives the notification.


The Kritis signer examines the contents of the notification to see if the new image version was built only from source in trusted repository locations. For example, you can configure the signer to only authorize images built from source in specific repository in Cloud Source Repositories. If the image passes the signing criteria, Kritis makes an attestation that authorizes the image for deployment.


When you attempt to deploy an image to GKE, Binary Authorization checks to make sure that an attestation from the Kritis signer exists. If it exists, the service allows the image to be deployed. If not, the service blocks deployment and writes to the audit log.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

Binary Authorization Documentation