Attestation

To secure your software supply chain, you should consider signing your container images with attestations. Runtime environments like Kubernetes Engine can validate the signature and run only the container images that you have signed/attested with Binary Auth.

Enable API

gcloud services enable container.googleapis.com
gcloud services enable containeranalysis.googleapis.com
gcloud services enable binaryauthorization.googleapis.com

Attestor

You need to create an Attestor, which is associated with the metadata of the an asymetric key pair that's used to sign and validate a signature for an image digest.

Create a Note

A Note is a metadata entry in Google Container Analysis and is required when associating with an Attestor. An Attestation ultimately becomes an instance of a Note.

PROJECT_ID=$(gcloud config get-value project)
cat > $HOME/attestor-note.json << EOF
{
  "name": "projects/${PROJECT_ID}/notes/default-attestor",
  "attestation": {
    "hint": {
      "human_readable_name": "Default Container Image Attestor"
    }
  }
}
EOF

Post the Note to Container Analysis service:

Create an Attestor

Asymetric Key Pair

You need to create a key pair so that you can sign an attestation with a private key, and later, verify it with a public key. You can create your own key pair, but this guide will use Cloud KMS.

Enable API

Create a Keyring

Create a Key

Add Key to Attestor

Attestation

You can create an attestation for a container image, but you'll need the full SHA256 container image digest. The easiest way to find this is from Container Registry:

Create an Attestation

List Attestations

Once created, you can see the attestation:

Binary Authorization

Once the container image has a signed attestation, it can then be used to authorize deployments into a Kubernetes Engine cluster by enabling Binary Authorization.

1. Create a Kubernetes Engine cluster that has Binary Authorization enabled.

2. Enable Binary Authorization policy to enforce attestations.