Complete the code to enable Binary Authorization on a GKE cluster.
gcloud container clusters update my-cluster --enable-[1]
Enabling binary-authorization activates supply chain security for container images on the cluster.
Complete the command to create a new attestor for Binary Authorization.
gcloud container binauthz attestors create my-attestor --project=my-project --attestation-authority-note=[1]
The attestation-authority-note links the attestor to a specific note in Container Analysis.
Fix the error in the policy binding to allow the attestor service account to attest images.
gcloud projects add-iam-policy-binding my-project --member='serviceAccount:[1]' --role='roles/containeranalysis.attestor'
The service account for the attestor must be correctly specified to grant attestation permissions.
Fill both blanks to define a policy that enforces attestation on images from a specific registry.
apiVersion: binaryauthorization.googleapis.com/v1
kind: Policy
metadata:
  name: default
spec:
  admissionWhitelistPatterns:
  - namePattern: 'gcr.io/my-project/[1]'
  clusterAdmissionRules:
    my-cluster:
      evaluationMode: [2]
      enforcementMode: ENFORCED
The namePattern specifies the container image path, and evaluationMode set to REQUIRE_ATTESTATION enforces attestation checks.
Fill all three blanks to create a container analysis note with a public key for attestation verification.
gcloud container binauthz attestors create my-attestor \
  --project=my-project \
  --attestation-authority-note=[1] \
  --attestation-authority-note-project=my-project \
  --public-keys=ascii-armored-pgp-key=[2],id=[3]
The note name, the ASCII-armored PGP public key, and the key ID are required to create an attestor for verifying signatures.