This page provides an overview of how to set up Binary Authorization with Cloud Build. This setup helps prevent images built from unknown source code or insecure repositories from running in your deployment environment.
Cloud Build takes source code stored in Cloud Source Repositories or another hosted repository, runs your builds and tests, and stores the resulting software outputs in Container Registry or another storage service on Google Cloud Platform. You can configure Binary Authorization to require attestations based on the location of the source code to prevent container images built from unauthorized source from being deployed.
The following diagram shows the components in a Binary Authorization/Cloud Build setup:
The components are:
Cloud Source Repositories or another secure repository that contains the source code used to build a container image
Cloud Build, which runs builds and tests, and outputs the container image to Container Registry or another software registry that stores your built images
A Kritis signer, an open source component that listens to Pub/Sub notifications from Cloud Build when new image versions are built and makes an attestation if the image was built only from source located in a trusted repository
Container Analysis, which stores the attestations for Binary Authorization and the build records from Cloud Build
Google Kubernetes Engine (GKE), which runs the deployed container images on Google Cloud
To set up Binary Authorization to work with Cloud Build:
Enable Binary Authorization in your project
Create a GKE cluster with Binary Authorization enabled
Create an attestor for the Kritis signer Binary Authorization
Configure Pub/Sub notifications in Cloud Build
Set up the Kritis signer and configure it to subscribe to Pub/Sub notifications and make attestations if an image is built only from source code in a trusted repository
Upload and scanning
When Cloud Build generates a new container image, it creates a build record that contains information on the image, including the location of source code from which the image was built. You can view this information in the Google Cloud Console.
Cloud Build then makes a Pub/Sub notification available to subscribers that contains the build record. The Kritis signer, which is a subscriber to the Pub/Sub topic, receives the notification.
The Kritis signer examines the contents of the notification to see if the new image version was built only from source in trusted repository locations. For example, you can configure the signer to only authorize images built from source in specific repository in Cloud Source Repositories. If the image passes the signing criteria, Kritis makes an attestation that authorizes the image for deployment.
When you attempt to deploy an image to GKE, Binary Authorization checks to make sure that an attestation from the Kritis signer exists. If it exists, the service allows the image to be deployed. If not, the service blocks deployment and writes to the audit log.