This tutorial shows how to configure and test a Binary Authorization policy that requires attestations. This type of policy secures your container-based software supply chain by verifying that a container image has a signed attestation before allowing deployment of the image.
At deploy time, Binary Authorization uses attestors to verify digital signatures in attestations. The attestations are created by signers, usually as part of a continuous integration (CI) pipeline.
In this tutorial, the GKE cluster, attestations, and attestors are all located in a single project. A single-project configuration is mostly useful for testing or experimenting with the service. For a more real-world example, see multi-project configuration.
The steps below describe tasks that you perform at the command line. To follow these steps using Google Cloud Console, see Getting Started Using the Console.
Objectives
In this tutorial, you learn how to:
- Create a Google Kubernetes Engine (GKE) cluster with Binary Authorization enabled
- Create an attestor that the Binary Authorization enforcer uses to verify the signature on an attestation
- Configure a policy that requires an attestation
- Create a cryptographic key pair to sign attestations and later verify them
- Sign a container image digest, creating a signature
- Create an attestation using the signature
- Test the policy by deploying a container image to GKE
Costs
This tutorial uses billable components of Google Cloud. For more information, see the pricing pages for each component, linked below:
- Artifact Registry or Container Registry
- Binary Authorization
- GKE
- Optional: Cloud Key Management Service
You can also use the Pricing Calculator to generate a cost estimate based on your projected usage.
New Cloud Platform users might be eligible for a free trial.Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Install and initialize the Cloud SDK.
- Install
kubectlfor interacting with GKE.
Enable Binary Authorization
Set the default project
The first step is to set the default Google Cloud project used by the
gcloud command:
PROJECT_ID=PROJECT_ID
gcloud config set project ${PROJECT_ID}
where PROJECT_ID is the name of your project.
Enable required APIs
Enable APIs for:
Container Registry
gcloud --project=${PROJECT_ID} \
services enable\
container.googleapis.com\
containerregistry.googleapis.com\
binaryauthorization.googleapis.com
Artifact Registry
gcloud --project=${PROJECT_ID} \
services enable\
container.googleapis.com\
artifactregistry.googleapis.com\
binaryauthorization.googleapis.com
Create a cluster with Binary Authorization enabled
Create the cluster
Create a GKE cluster with Binary Authorization
enabled. This is the cluster where you want your deployed container images to
run. When you create the cluster, you pass the --enable-binauthz flag to the
gcloud container clusters create command.
To create the cluster, follow these steps:
gcloud container clusters create \
--enable-binauthz \
--zone us-central1-a \
test-cluster
Here, you create a cluster named test-cluster in the
GKE zone us-central1-a.
Configure kubectl
You must also update the local kubeconfig file for your kubectl
installation. This provides the credentials and endpoint information required to
access the cluster in GKE.
To update the local kubeconfig file:
gcloud container clusters get-credentials \
--zone us-central1-a \
test-cluster
View the default policy
A policy in Binary Authorization is a set of rules that govern the deployment of container images. You can have one policy per project. By default, the policy is configured to allow all container images to be deployed.
Binary Authorization allows you to export and import a policy file in
YAML format. This format reflects the structure of a policy as it is stored by
the service. When you configure a policy using gcloud commands, you edit this
file.
To view the default policy, export the policy YAML file:
gcloud container binauthz policy export
By default, the file has the following contents:
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
evaluationMode: ALWAYS_ALLOW
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
name: projects/${PROJECT_ID}/policy
Here, the default rule is defined in the
defaultAdmissionRule node.
evaluationMode specifies that the
policy allows all attempts at image deployment. In this tutorial, you update
the default rule to require attestations.
For more information on the structure of a policy, see the Policy YAML Reference.
Create an attestor
An attestor is the verification authority that the Binary Authorization enforcer uses at deploy time to decide whether to allow GKE to deploy the corresponding signed container image. The attestor contains the public key and is typically managed by personnel in your organization who are responsible for software supply chain security.
Creating an attestor requires you to:
- Create a note in Container Analysis to store trusted metadata used in the authorization process
- Create the attestor itself in Binary Authorization and associate the note you created
For this tutorial, you have one attestor named test-attestor and a Container
Analysis note named test-attestor-note. In a real-world scenario, you can have
any number of attestors, each one representing a party that participates in the
authorization process for a container image.
Create the Container Analysis note
Set variables that store the name of your attestor and Container Analysis note:
ATTESTOR_NAME=test-attestor NOTE_ID=test-attestor-note
Replace:
- test-attestor: attestor name of your choice.
- attestor-note: attestor note name of your choice.
Create a JSON file in
/tmp/note_payload.jsonthat describes the Container Analysis note:cat > /tmp/note_payload.json << EOM { "name": "projects/${PROJECT_ID}/notes/${NOTE_ID}", "attestation": { "hint": { "human_readable_name": "Attestor Note" } } } EOMCreate the note by sending an HTTP request to the Container Analysis REST API:
curl -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ --data-binary @/tmp/note_payload.json \ "https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/?noteId=${NOTE_ID}"Verify that the note was created:
curl \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/${NOTE_ID}"
Create the attestor
Now, you can create the attestor:
Create the attestor in Binary Authorization:
gcloud container binauthz attestors create ${ATTESTOR_NAME} \ --attestation-authority-note=${NOTE_ID} \ --attestation-authority-note-project=${PROJECT_ID}Verify that the attestor was created:
gcloud container binauthz attestors list
The attestor you created is not yet usable without an associated PKIX key pair, which you create below.
Generate a key pair
Binary Authorization uses cryptographic keys to securely verify the identity of signers. This ensures that only authorized container images can be deployed. The key pair consists of a private key and a public key. The signer uses the private key to sign the container image digest, producing a signature that is then stored in an attestation. The public key is stored in the attestor. At deploy time, the Binary Authorization enforcer uses the attestor's public key to verify the signature in the attestation before allowing the container to deploy.
In this tutorial, you use Public-Key Infrastructure (X.509) (PKIX) format for cryptographic keys. This tutorial uses the recommended Elliptic Curve Digital Signing Algorithm (ECDSA) to generate a PKIX key pair. You can also use RSA or PGP keys for signing.
Key purposes and algorithms for more information on signing algorithms.
The keys generated and stored by Cloud Key Management Service (Cloud KMS) are PKIX-compliant. See Creating attestors using the CLI for more information on using PKIX keys and Cloud KMS.
To generate a PKIX key pair, follow these steps:
Create the private key:
PRIVATE_KEY_FILE="/tmp/ec_private.pem" openssl ecparam -genkey -name prime256v1 -noout -out ${PRIVATE_KEY_FILE}Extract the public key from the private key:
PUBLIC_KEY_FILE="/tmp/ec_public.pem" openssl ec -in ${PRIVATE_KEY_FILE} -pubout -out ${PUBLIC_KEY_FILE}Add the ECDSA public key to the attestor.
Now, add the public key you exported to the attestor so that it can be used by Binary Authorization for identity verification:
gcloud --project="${PROJECT_ID}" \ beta container binauthz attestors public-keys add \ --attestor="${ATTESTOR_NAME}" \ --pkix-public-key-file=${PUBLIC_KEY_FILE} \ --pkix-public-key-algorithm=ecdsa-p256-sha256Save the public key ID.
To save the public key ID, you can copy it from the output of
public-keys addabove. To view your attestor's public key ID after adding it to the attestor, usegcloud container binauthz attestors describe ${ATTESTOR_NAME}:PUBLIC_KEY_ID=$(gcloud container binauthz attestors describe ${ATTESTOR_NAME} \ --format='value(userOwnedGrafeasNote.publicKeys[0].id)')
Configure the policy
Now, you can configure your policy. In this step, you export the policy YAML file to your local system and modify the default rule so that it requires an attestation by the attestor you defined above.
To configure the policy, follow these steps:
Create a new policy file that allows Google-maintained system images, sets the
evaluationModetoREQUIRE_ATTESTATION, and adds a node namedrequireAttestationsBythat references the attestor you created:cat > /tmp/policy.yaml << EOM globalPolicyEvaluationMode: ENABLE defaultAdmissionRule: evaluationMode: REQUIRE_ATTESTATION enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG requireAttestationsBy: - projects/${PROJECT_ID}/attestors/${ATTESTOR_NAME} name: projects/${PROJECT_ID}/policy EOMImport the policy YAML file into Binary Authorization:
gcloud container binauthz policy import /tmp/policy.yaml
For more information on configuring a policy, see Configuring a Policy Using the CLI.
Test the policy
You can test the policy you configured above by trying to deploy a sample container image to the cluster. The policy will block deployment because the required attestation has not been made.
For this tutorial, you can use sample images from Container Registry and
Artifact Registry. The image from Container Registry is located at the path
gcr.io/google-samples/hello-app. The image from Artifact Registry is located
at the path us-docker.pkg.dev/google-samples/containers/gke/hello-app. Both
paths contain public image created by Google that contains a Hello, World! sample
application.
First, try to deploy the image:
kubectl run hello-server --image gcr.io/google-samples/hello-app:1.0 --port 8080
Now, verify that the deployment was blocked by Binary Authorization:
kubectl get pods
The command prints the following message, which indicates that the image was not deployed:
No resources found.
You can get further details about the deployment:
kubectl get event --template \
'{{range.items}}{{"\033[0;36m"}}{{.reason}}:{{"\033[0m"}}\{{.message}}{{"\n"}}{{end}}'
which shows that the deployment was disallowed by the policy:
FailedCreate: Error creating: pods "hello-server-579859fb5b-hjvnr" is forbidden: image policy webhook backend denied one or more images: Denied by default admission rule. Denied by Attestation Authority. Image gcr.io/google-samples/hello-app:1.0 denied by projects/example-project/attestors/test-attestor: No attestations found
Make sure to delete the deployment so you can continue to the next step:
kubectl delete deployment hello-server
Create an attestation
An attestation is a digital document created by a signer that certifies that GKE is allowed to deploy the associated container image. The process of creating an attestation is sometimes called "signing an image." A signer can be a person or, more often, an automated process that runs when a container image is built. The signature is created using the private key from a key pair. At deploy time, the Binary Authorization enforcer uses the attestor's public key to verify the signature in the attestation.
In this tutorial, your attestation simply states that you authorize the image for deployment.
To create an attestation, follow these steps:
Set variables that store the registry path and digest of the image:
Container Registry
IMAGE_PATH="gcr.io/google-samples/hello-app" IMAGE_DIGEST="sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4" IMAGE_TO_ATTEST=${IMAGE_PATH}@${IMAGE_DIGEST}Artifact Registry
IMAGE_PATH="us-docker.pkg.dev/google-samples/containers/gke/hello-app" IMAGE_DIGEST="sha256:37e5287945774f27b418ce567cd77f4bbc9ef44a1bcd1a2312369f31f9cce567" IMAGE_TO_ATTEST=${IMAGE_PATH}@${IMAGE_DIGEST}Generate the attestation payload:
gcloud container binauthz create-signature-payload \ --artifact-url=${IMAGE_TO_ATTEST} > /tmp/generated_payload.jsonThe payload JSON file has the following contents:
{ "critical": { "identity": { "docker-reference": "gcr.io/google-samples/hello-app" }, "image": { "docker-manifest-digest": "sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea 882eb722c3be4" }, "type": "Google cloud binauthz container signature" } }Sign the payload with your PKIX private key and output a signature file:
openssl dgst -sha256 -sign ${PRIVATE_KEY_FILE} /tmp/generated_payload.json > /tmp/ec_signatureThe signature file is a digitally-signed version of the payload JSON file you created above.
Create and validate the attestation:
gcloud container binauthz attestations create \ --project="${PROJECT_ID}" \ --artifact-url="${IMAGE_TO_ATTEST}" \ --attestor="projects/${PROJECT_ID}/attestors/${ATTESTOR_NAME}" \ --signature-file=/tmp/ec_signature \ --public-key-id="${PUBLIC_KEY_ID}" \ --validatewhere
PUBLIC_KEY_IDis the public key id that you found in Generate a PKIX key pair above.The
validateflag checks that the attestation can be verified by the attestor you configured in your policy.Verify that the attestation was created:
gcloud container binauthz attestations list \ --attestor=$ATTESTOR_NAME --attestor-project=$PROJECT_ID
For more information on creating attestations, see Creating Attestations.
Retest the policy
Again, test the policy by deploying a sample container image to the cluster.
This time, you must deploy the image using the digest rather than a tag like
1.0 or latest, as Binary Authorization will use both the image path and
digest to look up attestations. Here, Binary Authorization allows the image to be
deployed because the required attestation has been made.
To deploy the image, follow these steps:
kubectl run hello-server --image ${IMAGE_TO_ATTEST} --port 8080
To verify that the image was deployed:
kubectl get pods
The command prints a message similar to the following, which indicates that deployment was successful:
NAME READY STATUS RESTARTS AGE hello-server-579859fb5b-h2k8s 1/1 Running 0 1m
Cleaning up
To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.
Delete the cluster you created in GKE:
gcloud container clusters delete \
--zone=us-central1-a \
test-cluster