Attestation
To secure your software supply chain, you should consider signing your container images with attestations. Runtime environments such as Kubernetes Engine can validate the signature through Binary Authorization and run only the container images that you have signed and attested.

Enable API

gcloud services enable container.googleapis.com
gcloud services enable containeranalysis.googleapis.com
gcloud services enable binaryauthorization.googleapis.com

Attestor

You need to create an Attestor, which is associated with the metadata of an asymmetric key pair that is used to sign and validate a signature for an image digest.

Create a Note

A Note is a metadata entry in Google Container Analysis and is required when associating with an Attestor. An Attestation ultimately becomes an instance of a Note.

PROJECT_ID=$(gcloud config get-value project)
cat > $HOME/attestor-note.json << EOF
{
  "name": "projects/${PROJECT_ID}/notes/default-attestor",
  "attestation": {
    "hint": {
      "human_readable_name": "Default Container Image Attestor"
    }
  }
}
EOF

Post the Note to the Container Analysis service:

PROJECT_ID=$(gcloud config get-value project)
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "x-goog-user-project: $PROJECT_ID" \
  --data-binary @$HOME/attestor-note.json \
  https://containeranalysis.googleapis.com/v1/projects/$PROJECT_ID/notes?noteId=default-attestor

Create an Attestor

PROJECT_ID=$(gcloud config get-value project)

gcloud beta container binauthz attestors create default-attestor \
  --attestation-authority-note=default-attestor \
  --attestation-authority-note-project=$PROJECT_ID

Asymmetric Key Pair

You need to create a key pair so that you can sign an attestation with a private key, and later, verify it with a public key. You can create your own key pair, but this guide will use Cloud KMS.

Enable API

gcloud services enable cloudkms.googleapis.com

Create a Keyring

gcloud kms keyrings create attestor-keyring --location global

Create a Key

gcloud kms keys create default-attestor-key \
  --location=global \
  --keyring=attestor-keyring \
  --purpose=asymmetric-signing \
  --default-algorithm=ec-sign-p256-sha256

Add Key to Attestor

PROJECT_ID=$(gcloud config get-value project)

gcloud alpha container binauthz attestors public-keys add \
  --attestor=default-attestor \
  --keyversion-project=$PROJECT_ID \
  --keyversion-location=global \
  --keyversion-keyring=attestor-keyring \
  --keyversion-key=default-attestor-key \
  --keyversion=1

Attestation

You can create an attestation for a container image, but you'll need the full SHA256 image digest rather than a tag: tags are mutable, and the attestation binds to the exact digest. The easiest way to find the digest is from Container Registry:

PROJECT_ID=$(gcloud config get-value project)

gcloud container images describe gcr.io/$PROJECT_ID/helloworld

Create an Attestation

PROJECT_ID=$(gcloud config get-value project)
IMAGE=$(gcloud container images describe gcr.io/$PROJECT_ID/helloworld \
  --format='value(image_summary.fully_qualified_digest)')

gcloud beta container binauthz attestations sign-and-create \
  --artifact-url=$IMAGE \
  --attestor=default-attestor \
  --attestor-project=$PROJECT_ID \
  --keyversion-project=$PROJECT_ID \
  --keyversion-location=global \
  --keyversion-keyring=attestor-keyring \
  --keyversion-key=default-attestor-key \
  --keyversion=1

List Attestations

Once created, you can see the attestation:

PROJECT_ID=$(gcloud config get-value project)
IMAGE=$(gcloud container images describe gcr.io/$PROJECT_ID/helloworld \
  --format='value(image_summary.fully_qualified_digest)')

gcloud beta container binauthz attestations list \
  --artifact-url=$IMAGE \
  --attestor=default-attestor
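The same "attestations list" call can be turned into a pre-deployment gate. The script below is an added example and not part of the original guide: it refuses any image reference that is not pinned to a sha256 digest, then fails closed unless the attestor has at least one attestation for that digest. The attestor name and project layout are those used above; the GCLOUD variable and helper function names are hypothetical conveniences, not gcloud flags.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: a pre-deployment gate
# that refuses tag-based image references and then checks with Binary
# Authorization that the named attestor has signed the exact digest.
# GCLOUD (hypothetical) lets a fake command be substituted for testing.
set -eo pipefail

# Attestations bind to a digest, never to a mutable tag, so only accept
# references of the form repo/image@sha256:<64 hex chars>.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Number of attestations the attestor has for the image, using the
# "attestations list" command from the guide. Any error in the
# pipeline is treated as zero by the caller (fail closed).
count_attestations() {
  local image="$1" attestor="$2"
  "${GCLOUD:-gcloud}" beta container binauthz attestations list \
    --artifact-url="$image" --attestor="$attestor" \
    --format='value(name)' | grep -c .
}

# Return 0 only when the image is digest-pinned AND has at least one
# attestation; 2 for an unpinned reference, 1 for a missing attestation.
gate_image() {
  local image="$1" attestor="${2:-default-attestor}" n
  if ! is_digest_pinned "$image"; then
    echo "refuse: $image is not pinned to a sha256 digest" >&2
    return 2
  fi
  n=$(count_attestations "$image" "$attestor" || true)
  if [ "${n:-0}" -eq 0 ]; then
    echo "refuse: no attestation by $attestor for $image" >&2
    return 1
  fi
  echo "ok: $n attestation(s) by $attestor for $image"
}

# Usage: ./gate.sh gcr.io/PROJECT/helloworld@sha256:DIGEST [ATTESTOR]
if [ $# -gt 0 ]; then
  gate_image "$@"
fi
```

Run it with the output of the `--format='value(image_summary.fully_qualified_digest)'` lookup above; a non-zero exit means the deployment should not proceed.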

Binary Authorization

Once a container image has a signed attestation, that attestation can be used to authorize deployments into a Kubernetes Engine cluster by enabling Binary Authorization.
  1. Create a Kubernetes Engine cluster that has Binary Authorization enabled.
  2. Enable a Binary Authorization policy to enforce attestations.
See the Binary Authorization section for more information.