
Binary Authorization for containers in GCP - Mini Project: Build & Apply

Binary Authorization for Containers on Google Cloud
📖 Scenario: You are working on a Google Cloud project where you want to ensure that only trusted container images are deployed to your Kubernetes clusters. To do this, you will set up Binary Authorization, a security feature that enforces image signing policies before deployment.
🎯 Goal: Set up Binary Authorization by creating a policy that requires container images to be signed by a trusted authority before deployment to Google Kubernetes Engine (GKE).
📋 What You'll Learn
Create a Binary Authorization policy with a trusted attestor
Configure the attestor with a public key
Apply the policy to the Google Cloud project
Enable enforcement of the policy on GKE clusters
💡 Why This Matters
🌍 Real World
Binary Authorization helps organizations prevent untrusted or vulnerable container images from running in their Kubernetes clusters, improving security and compliance.
💼 Career
Cloud engineers and security specialists use Binary Authorization to enforce security policies in containerized environments, a critical skill for secure cloud deployments.
1. Create a Binary Authorization policy JSON file
Create a JSON file named policy.json containing a defaultAdmissionRule that requires attestation, with its enforcement mode set to ENFORCED_BLOCK_AND_AUDIT_LOG.
Hint: This JSON defines the default rule that enforces image attestation before deployment.

2. Add a trusted attestor to the policy
Modify the policy.json file to add a trusted attestor by adding its full resource name projects/my-project/attestors/my-attestor inside the requireAttestationsBy list.
Hint: The attestor resource name must be inside the requireAttestationsBy array.

3. Create a trusted attestor with a public key
Use the gcloud command to create an attestor named my-attestor in project my-project with a public key file located at public_key.pem. Write the exact command starting with gcloud container binauthz attestors create my-attestor and include the project flag and public key file.
Hint: Use the gcloud container binauthz attestors create command with the correct flags.

4. Apply the Binary Authorization policy to the project
Use the gcloud command to update the Binary Authorization policy for project my-project by applying the policy.json file. Write the exact command starting with gcloud container binauthz policy import policy.json and include the project flag.
Hint: Use the gcloud container binauthz policy import command to apply the policy.
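The policy that steps 1, 2 and 4 build and import, as an added example that is not part of the lab: a Python script that writes policy.json and a small lint_policy() function written here (not a gcloud or Google API feature) that flags a default rule which would not actually block unsigned images. The field names and enum values are the Binary Authorization policy schema, the attestor resource name is the lab's, and WEAK_POLICY is a constructed counter-example.

```python
import json
import re

# The lab's attestor resource name (steps 2 and 3).
ATTESTOR = "projects/my-project/attestors/my-attestor"
# Shape check for projects/PROJECT_ID/attestors/NAME (project IDs: 6-30 lowercase chars, leading letter).
ATTESTOR_RE = re.compile(r"^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/attestors/[A-Za-z0-9_-]+$")

# Constructed weak policy: DRYRUN only audit-logs violations and never blocks a pod,
# and the whitelist pattern lets matching images skip attestation entirely.
WEAK_POLICY = {
    "defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION",
                             "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
                             "requireAttestationsBy": []},
    "admissionWhitelistPatterns": [{"namePattern": "gcr.io/my-project/*"}],
}


def build_policy(attestors):
    """Return the policy dict that steps 1 and 2 of the lab describe."""
    return {"defaultAdmissionRule": {"evaluationMode": "REQUIRE_ATTESTATION",
                                     "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
                                     "requireAttestationsBy": list(attestors)}}


def lint_policy(policy):
    """Return findings; an empty list means unsigned images are blocked by default."""
    rule = policy.get("defaultAdmissionRule")
    if not isinstance(rule, dict):
        return ["defaultAdmissionRule missing"]
    findings = []
    mode = rule.get("evaluationMode")
    if mode != "REQUIRE_ATTESTATION":
        findings.append(f"evaluationMode is {mode!r}, not REQUIRE_ATTESTATION")
    if rule.get("enforcementMode") != "ENFORCED_BLOCK_AND_AUDIT_LOG":
        findings.append("enforcementMode does not block: violations are only audit-logged")
    attestors = rule.get("requireAttestationsBy") or []
    if mode == "REQUIRE_ATTESTATION" and not attestors:
        findings.append("requireAttestationsBy is empty: nothing can satisfy the rule")
    findings += [f"malformed attestor name: {a!r}" for a in attestors if not ATTESTOR_RE.match(a)]
    # Whitelisted name patterns bypass the admission rules, so surface each exemption.
    findings += [f"exempt from attestation: {p.get('namePattern')!r}"
                 for p in policy.get("admissionWhitelistPatterns", [])]
    return findings


if __name__ == "__main__":
    with open("policy.json", "w") as fh:  # the file step 4 imports with `policy import`
        json.dump(build_policy([ATTESTOR]), fh, indent=2)
    print("weak policy findings:", lint_policy(WEAK_POLICY))
```

Running lint_policy() over the output of `gcloud container binauthz policy export` is a quick way to confirm a project's live policy still matches what step 4 imported.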