This page describes how to secure your software supply chain by configuring Binary Authorization to allow only container images built by Cloud Build to be deployed.
You configure this deployment control by requiring the built-by-cloud-build attestor in your Binary Authorization policy. Cloud Build automatically creates the built-by-cloud-build attestor in your project when you run a build that generates images. After images are successfully built, Cloud Build automatically signs and creates attestations for them. At deploy time, Binary Authorization verifies the attestations with the built-by-cloud-build attestor. Verified images are allowed to be deployed. Images that fail verification are disallowed from being deployed, and the failure is logged to Cloud Audit Logs.
For an end-to-end guide that describes how to use Cloud Build-recorded metadata and Binary Authorization, see Using signed provenance and Binary Authorization.
Before you begin
To use this feature you must first do the following:
- Set up Binary Authorization for your platform.
- Set up Cloud Build and build an image.
Configure the policy
In this section you configure the Binary Authorization policy to require the built-by-cloud-build attestor.
To allow only images built by Cloud Build to be deployed, perform the following steps:
Console
- Go to the Binary Authorization page in the Google Cloud console.
- In the Policy tab, click Edit Policy.
- In the Edit Policy dialog, select Allow only images that have been approved by all of the following attestors.
- Click Add Attestors.
- In the Add attestors dialog box, do one of the following:
  - Select Add by project and attestor name and perform the following steps:
    - In the Project name field, enter the project where you run Cloud Build.
    - Click the Attestor name field and note that the built-by-cloud-build attestor is available.
    - Click built-by-cloud-build.
  - Alternatively, select Add by attestor resource ID. In Attestor resource ID, enter projects/PROJECT_ID/attestors/built-by-cloud-build, replacing PROJECT_ID with the project where you run Cloud Build.
- Click Add 1 attestor.
- Click Save Policy.
gcloud
- Export your existing policy to a file using the following command:
  gcloud container binauthz policy export > /tmp/policy.yaml
- Edit your policy file:
  - Edit one of the following rules:
    - defaultAdmissionRule
    - clusterAdmissionRules
    - istioServiceIdentityAdmissionRules
    - kubernetesServiceAccountAdmissionRules
  - Add a requireAttestationsBy block to the rule if there isn't one there already.
  - In the requireAttestationsBy block, add projects/PROJECT_ID/attestors/built-by-cloud-build, replacing PROJECT_ID with the project where you run Cloud Build.
  - Save the policy file.
- Import the policy file:
  gcloud container binauthz policy import /tmp/policy.yaml
The following is an example policy file that contains the reference to the built-by-cloud-build attestor:
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/built-by-cloud-build
name: projects/PROJECT_ID/policy
Replace PROJECT_ID with the project ID where you run Cloud Build.
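The gcloud procedure above, as an added example that is not part of the original page: a small Python helper that adds the built-by-cloud-build attestor to the default rule and to every cluster, identity and service-account rule of an exported policy, and reports rules where the attestor would not take effect (ALWAYS_ALLOW rules, which bypass it, and dry-run rules, which only log). It assumes the policy was exported as JSON with gcloud's global --format=json flag and that the import command accepts that JSON; SAMPLE_POLICY and the project ID my-project are constructed.

```python
# Added example (not from the page): require the built-by-cloud-build attestor in the
# rules of an exported Binary Authorization policy. Assumes the policy was exported as
# JSON (gcloud's global --format=json flag) and is re-imported with
# `gcloud container binauthz policy import`. SAMPLE_POLICY is constructed.
import copy
import json

# Rule sets named on the page; each maps a key to a rule shaped like defaultAdmissionRule.
KEYED_RULE_SETS = ("clusterAdmissionRules", "istioServiceIdentityAdmissionRules", "kubernetesServiceAccountAdmissionRules")

def attestor_ref(project_id):
    return f"projects/{project_id}/attestors/built-by-cloud-build"

def _require_in_rule(rule, ref, label, convert, findings):
    mode = rule.get("evaluationMode")
    if mode == "ALWAYS_ALLOW" and convert:
        rule["evaluationMode"] = mode = "REQUIRE_ATTESTATION"
    if mode != "REQUIRE_ATTESTATION":
        # The API only accepts requireAttestationsBy on REQUIRE_ATTESTATION rules, so an
        # unconverted ALWAYS_ALLOW rule bypasses the attestor entirely: report it.
        findings.append(f"{label}: evaluationMode is {mode!r}, attestor not applied")
        return
    attestors = rule.setdefault("requireAttestationsBy", [])
    if ref not in attestors:  # idempotent: safe to re-run on an already edited policy
        attestors.append(ref)
    if rule.get("enforcementMode") == "DRYRUN_AUDIT_LOG_ONLY":
        findings.append(f"{label}: dry-run mode, violations are logged but not blocked")

def require_cloud_build_attestor(policy, project_id, convert_allow_rules=False):
    """Return (updated_policy, findings); the input dict is left unchanged."""
    updated, ref, findings = copy.deepcopy(policy), attestor_ref(project_id), []
    _require_in_rule(updated.setdefault("defaultAdmissionRule", {}), ref,
                     "defaultAdmissionRule", convert_allow_rules, findings)
    for set_name in KEYED_RULE_SETS:
        for key, rule in updated.get(set_name, {}).items():
            _require_in_rule(rule, ref, f"{set_name}[{key}]", convert_allow_rules, findings)
    return updated, findings

# Constructed sample: the default rule requires attestation, but a cluster-specific
# rule still allows everything and would let unattested images through.
SAMPLE_POLICY = {
    "name": "projects/my-project/policy",
    "defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION", "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"},
    "clusterAdmissionRules": {"us-central1-a.prod": {"evaluationMode": "ALWAYS_ALLOW", "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"}},
}

if __name__ == "__main__":
    new_policy, notes = require_cloud_build_attestor(SAMPLE_POLICY, "my-project")
    print(json.dumps(new_policy, indent=2))  # save to a file, then: gcloud container binauthz policy import FILE
    print(*("WARNING: " + n for n in notes), sep="\n")
```

Pass convert_allow_rules=True to turn ALWAYS_ALLOW rules into REQUIRE_ATTESTATION rules as well, so that no cluster or identity keeps an exemption from the attestor.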
What's next
- Instead of disallowing images from deploying, you can use dry-run mode to log policy violations.
- View audit log events for disallowed images on Google Kubernetes Engine (GKE) or Cloud Run.