Deploy only images built by Cloud Build

This page describes how to secure your software supply chain by configuring Binary Authorization to allow only container images built by Cloud Build to be deployed.

You configure this deployment control by requiring the built-by-cloud-build attestor in your Binary Authorization policy. Cloud Build automatically creates the built-by-cloud-build attestor in your project when you run a build that generates images. After images are successfully built, Cloud Build automatically signs and creates attestations for them. At deploy time, Binary Authorization verifies the attestations with the built-by-cloud-build attestor. Verified images are allowed to be deployed. Images that fail verification are disallowed from being deployed, and the failure is logged to Cloud Audit Logs.

For end-to-end guide that describes how to use Cloud Build-recorded metadata and Binary Authorization, see Using signed provenance and Binary Authorization.

Before you begin

To use this feature you must first do the following:

Set up Binary Authorization for your platform.
Set up Cloud Build and build an image.

Note: If your build specifies a location, an attestation is only created if you explicitly set requestedVerifyOption(/build/docs/api/reference/rest/v1/projects.builds#verifyoption) to VERIFY_REQUESTED.

Configure the policy

In this section you configure the Binary Authorization policy to require the built-by-cloud-build attestor.

To allow only images built by Cloud Build to be deployed, perform the following steps:

Console

Go to the Binary Authorization page in the Google Cloud console:

Go to Binary Authorization
In the Policy tab, click Edit Policy.
In the Edit Policy dialog, select Allow only images that have been approved by all of the following attestors.
Click Add Attestors.
In the Add attestors dialog box, do the following:
1. Select Add by project and attestor name and perform the following steps:
  1. In the Project name field, enter the project where you run Cloud Build.
  2. Click the Attestor name field and note that the built-by-cloud-build attestor is available.
  3. Click built-by-cloud-build.
2. Alternatively, select Add by attestor resource ID. In Attestor resource ID, enter
```
projects/PROJECT_ID/attestors/built-by-cloud-build
```
  Replacing PROJECT_ID with the project where you run Cloud Build.
Click Add 1 attestor.
Click Save Policy.

gcloud

Export your existing policy to a file using the following command:
```
gcloud container binauthz policy export > /tmp/policy.yaml
```
Edit your policy file.
Edit one of the following rules:
- defaultAdmissionRule
- clusterAdmissionRules
- istioServiceIdentityAdmissionRules
- kubernetesServiceAccountAdmissionRules
Add a requireAttestationsBy block to the rule if there isn't one there already.
In the requireAttestationsBy block, add
```
projects/PROJECT_ID/attestors/built-by-cloud-build
```
Replacing PROJECT_ID with the project where you run Cloud Build.
Save the policy file.

Import the policy file.

gcloud container binauthz policy import /tmp/policy.yaml

The following is an example policy file that contains the reference to the built-by-cloud-build-attestor:

defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/built-by-cloud-build
name: projects/PROJECT_ID/policy

Replace PROJECT_ID with the project ID where you run Cloud Build.

What's next

Instead of disallowing images from deploying, you can use dry-run mode to log policy violations.
View audit log events for disallowed images on Google Kubernetes Engine (GKE) or Cloud Run.