This page provides an overview of how to set up Binary Authorization to work with Container Registry vulnerability scanning. This setup helps prevent images with known security issues from running in your deployment environment.
Container Registry vulnerability scanning is a feature that checks for known vulnerabilities in container images. You can configure Binary Authorization to require attestations based on vulnerability scan results to prevent images with known vulnerabilities beyond a certain level from being deployed.
The following diagram shows the components in a Binary Authorization/vulnerability scanning architecture:
The components are:
Cloud Build or another build system that you can use to build a container image
Container Registry, which stores your images and scans new versions for vulnerabilities when they are uploaded to the service
A Kritis signer, an open source component that listens to Pub/Sub notifications from Container Registry vulnerability scanning when new image versions are uploaded and makes an attestation if an image passes the defined vulnerability threshold
Container Analysis, which stores the attestations for Binary Authorization
Google Kubernetes Engine GKE, which runs the deployed container images on Google Cloud
To set up Binary Authorization to work with vulnerability scanning:
Enable Binary Authorization in your project
Create a GKE cluster with Binary Authorization enabled
Create an attestor for the Kritis signer Binary Authorization
Configure Pub/Sub notifications in Container Registry
Set up the Kritis signer and configure it to subscribe to Pub/Sub notifications and make attestations when an image passes the required vulnerability threshold
Upload and scanning
When you upload a new version of a container image to Container Registry, the service scans it for known vulnerabilities in the software it contains. If a vulnerability is found, Container Registry tags the image with the vulnerability name, description, and severity. You can view this information in the Google Cloud Console.
Container Registry then makes a Pub/Sub notification available to subscribers that describes the new image, as well as any vulnerabilities. The Kritis signer, which is a subscriber to the Pub/Sub topic, receives the notification.
The Kritis signer examines the contents of the notification to see if the new image version passes the defined security vulnerability threshold. For example, you can configure the signer to only authorize images with a vulnerability level of Low. If the image passes the vulnerability threshold, the signer makes an attestation that authorizes the image for deployment.
When you attempt to deploy an image to GKE, Binary Authorization checks to make sure that an attestation from the Kritis signer exists. If it exists, the service allows the image to be deployed. If not, the service blocks deployment and writes to the audit log.