GCPcloud~5 mins

Container supply chain security in GCP - Commands & Configuration

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Introduction

Container supply chain security helps protect your container images from being tampered with or infected by malware before they run. It ensures that only trusted and verified images are used in your cloud environment.

When you want to make sure the container images you deploy are safe and have not been altered by attackers.

When you need to verify the origin and integrity of container images before running them in production.

When you want to automatically scan container images for vulnerabilities before deployment.

When you want to enforce policies that only allow signed and trusted images to run in your Kubernetes clusters.

When you want to track and audit the history of container images used in your cloud projects.

Config File - cloudbuild.yaml

cloudbuild.yaml

steps:
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['container', 'images', 'add-tag', 'gcr.io/my-project/my-app@sha256:abcdef1234567890', 'gcr.io/my-project/my-app:latest']
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['container', 'images', 'sign', 'gcr.io/my-project/my-app:latest']
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['container', 'images', 'describe', 'gcr.io/my-project/my-app:latest']
options:
  logging: CLOUD_LOGGING_ONLY

This Cloud Build configuration file automates tagging, signing, and describing a container image.

steps: Defines the sequence of commands to run.

1. add-tag adds a tag to the image by its digest.

2. sign digitally signs the image to verify its authenticity.

3. describe shows details about the signed image.

options.logging ensures logs go to Cloud Logging for audit and review.

Commands

This command tags a specific container image digest with the 'latest' tag so it can be referenced easily.

Terminal

gcloud container images add-tag gcr.io/my-project/my-app@sha256:abcdef1234567890 gcr.io/my-project/my-app:latest

Expected OutputExpected

Tagging gcr.io/my-project/my-app@sha256:abcdef1234567890 as gcr.io/my-project/my-app:latest

This command digitally signs the container image to prove it comes from a trusted source and has not been changed.

Terminal

gcloud container images sign gcr.io/my-project/my-app:latest

Expected OutputExpected

Image gcr.io/my-project/my-app:latest signed successfully.

This command shows details about the container image, including its signature status and metadata.

Terminal

gcloud container images describe gcr.io/my-project/my-app:latest

Expected OutputExpected

name: gcr.io/my-project/my-app:latest signatures: - keyid: abcdef1234567890 signed: true timestamp: '2024-06-01T12:00:00Z'

Key Concept

If you remember nothing else from this pattern, remember: signing container images ensures only trusted images run in your cloud environment.

Common Mistakes

Not signing the container image before deployment

Unsigned images can be tampered with or replaced by malicious versions without detection.

Always sign your container images after building and before deploying them.

Using image tags without referencing the image digest

Tags like 'latest' can change and may point to different images over time, causing unpredictability.

Use the image digest (sha256) to reference exact image versions when tagging and signing.

Skipping image vulnerability scanning

Unsigned images may still contain vulnerabilities that can be exploited in production.

Integrate vulnerability scanning tools in your build pipeline to check images before signing.

Summary

Tag a container image by its digest to create a stable reference.

Sign the container image to verify its authenticity and integrity.

Describe the image to confirm it is signed and trusted before deployment.