Deploy only images built by Cloud Build

This page describes how to secure your software supply chain by configuring Binary Authorization to allow only container images built by Cloud Build to be deployed.

You configure this deployment control by requiring the built-by-cloud-build attestor in your Binary Authorization policy. Cloud Build automatically creates the built-by-cloud-build attestor in your project the first time you run a build that generates images. After an image is successfully built, Cloud Build automatically signs it and creates an attestation for it. At deploy time, Binary Authorization verifies the attestation with the built-by-cloud-build attestor: images with a valid attestation are allowed to deploy, images without one are blocked, and each blocked deployment is logged to Cloud Audit Logs. Because an attestation is bound to a specific image digest, deployments must reference the image by digest; an image referenced only by tag cannot be matched to its attestation and is rejected.

For an end-to-end guide that describes how to use Cloud Build-recorded metadata together with Binary Authorization, see Using signed provenance and Binary Authorization.

Before you begin

To use this feature you must first do the following:

Configure the policy

In this section you configure the Binary Authorization policy to require the built-by-cloud-build attestor.

To allow only images built by Cloud Build to be deployed, perform the following steps:

Console

  1. Go to the Binary Authorization page in the Google Cloud console:

    Go to Binary Authorization

  2. In the Policy tab, click Edit Policy.

  3. In the Edit Policy dialog, select Allow only images that have been approved by all of the following attestors.

  4. Click Add Attestors.

  5. In the Add attestors dialog box, do the following:

    1. Select Add by project and attestor name and perform the following steps:
      1. In the Project name field, enter the project where you run Cloud Build.
      2. Click the Attestor name field and note that the built-by-cloud-build attestor is available.
      3. Click built-by-cloud-build.
    2. Alternatively, select Add by attestor resource ID. In Attestor resource ID, enter

      projects/PROJECT_ID/attestors/built-by-cloud-build
      

      Replace PROJECT_ID with the ID of the project where you run Cloud Build.

  6. Click Add 1 attestor.

  7. Click Save Policy.

gcloud

  1. Export your existing policy to a file using the following command:

    gcloud container binauthz policy export > /tmp/policy.yaml
    
  2. Edit your policy file.

  3. Edit one of the following rules:

    • defaultAdmissionRule
    • clusterAdmissionRules
    • istioServiceIdentityAdmissionRules
    • kubernetesServiceAccountAdmissionRules
  4. Add a requireAttestationsBy block to the rule if there isn't one there already.

  5. In the requireAttestationsBy block, add

    projects/PROJECT_ID/attestors/built-by-cloud-build
    

    Replace PROJECT_ID with the ID of the project where you run Cloud Build.

  6. Save the policy file.

  7. Import the policy file.

    gcloud container binauthz policy import /tmp/policy.yaml
    

    The following is an example of a completed policy file whose defaultAdmissionRule references the built-by-cloud-build attestor:

    defaultAdmissionRule:
      evaluationMode: REQUIRE_ATTESTATION
      enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
      requireAttestationsBy:
        - projects/PROJECT_ID/attestors/built-by-cloud-build
    name: projects/PROJECT_ID/policy
    

    Replace PROJECT_ID with the project ID where you run Cloud Build.
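The export, edit, and import steps above combined into one script, as an added example that is not part of the Cloud Build or Binary Authorization documentation. It rewrites only the defaultAdmissionRule of an exported policy with POSIX shell and awk (no yq dependency) and passes every other top-level key, including any clusterAdmissionRules, through unchanged. The project names, the APPLY variable, and the sample exported policy are assumptions constructed for this example; the gcloud calls run only when APPLY=1, so the rewrite can be checked on a file before anything is imported.

```shell
# Added example, not from the Cloud Build or Binary Authorization docs.
# Requires: sh, awk, and gcloud (gcloud only for the APPLY=1 path).
set -eu

# Assumption: the project where Cloud Build runs, and where the
# built-by-cloud-build attestor therefore lives.
ATTESTOR_PROJECT="${ATTESTOR_PROJECT:-demo-build-project}"

# Constructed sample of `gcloud container binauthz policy export` output for a
# deploy project that currently allows everything. Not real project data.
sample_exported_policy() {
  cat <<'EOF'
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  evaluationMode: ALWAYS_ALLOW
globalPolicyEvaluationMode: ENABLE
name: projects/demo-deploy-project/policy
EOF
}

# The replacement defaultAdmissionRule: block and audit-log anything that lacks
# an attestation from the built-by-cloud-build attestor in project $1.
render_default_rule() {
  cat <<EOF
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/$1/attestors/built-by-cloud-build
EOF
}

# rewrite_policy SRC DST PROJECT
# Drops the existing top-level defaultAdmissionRule block (every line from the
# key up to the next unindented key) and writes the new rule in its place.
# Other top-level keys pass through unchanged, so cluster-specific rules are kept.
rewrite_policy() {
  src="$1"; dst="$2"; project="$3"
  render_default_rule "$project" > "$dst"
  awk '
    /^defaultAdmissionRule:/ { skip = 1; next }   # start of the block to drop
    skip && /^[^ ]/          { skip = 0 }         # next unindented key ends it
    !skip                    { print }
  ' "$src" >> "$dst"
}

# policy_requires_attestor FILE PROJECT
# Exit 0 only if FILE requires attestations and lists the built-by-cloud-build
# attestor from PROJECT; used as a guard before importing.
policy_requires_attestor() {
  grep -q '^  evaluationMode: REQUIRE_ATTESTATION$' "$1" &&
  grep -q "^    - projects/$2/attestors/built-by-cloud-build\$" "$1"
}

# Live path: runs only when APPLY=1 and gcloud is authenticated against the
# deploy project. Export, rewrite, verify, then import.
if [ "${APPLY:-0}" = "1" ]; then
  gcloud container binauthz policy export > /tmp/policy.yaml
  rewrite_policy /tmp/policy.yaml /tmp/policy.new.yaml "$ATTESTOR_PROJECT"
  policy_requires_attestor /tmp/policy.new.yaml "$ATTESTOR_PROJECT"
  gcloud container binauthz policy import /tmp/policy.new.yaml
fi
```

Run `sample_exported_policy > policy.yaml; rewrite_policy policy.yaml new.yaml demo-build-project` to inspect the result offline; `APPLY=1 ATTESTOR_PROJECT=<your build project> sh script.sh` performs the real export and import. The guard function fails closed: if the rewrite did not produce a REQUIRE_ATTESTATION rule naming the expected attestor, `set -e` aborts before `policy import` runs.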

What's next