Attestations overview
This guide describes how to create and use Binary Authorization attestations. After a container image is built, an attestation can be created to affirm that a required activity was performed on the image, such as a regression test, vulnerability scan, or other test. The attestation is created by signing the image's unique digest.
During deployment, instead of repeating the activities, Binary Authorization verifies the attestations using an attestor. If all of the attestations for an image are verified, Binary Authorization allows the image to be deployed.
Before you begin
- Enable Binary Authorization.
- Set up Binary Authorization with one of the following products:
Cloud Service Mesh users only need to set up the Binary Authorization policy. To do so, see Configure a policy, later in this guide.
Create an attestor
To use attestations, you first create attestors. At deploy time, Binary Authorization uses attestors to verify the attestation associated with the container image.
You can create attestors using the following methods:
- The Google Cloud CLI
- The Google Cloud console
Configure a policy rule to require attestations
This section describes how to configure the policy to require attestations.
Create attestations
Attestations are created by a signer. The process of creating an attestation is also known as signing an image. A signer can be a person who manually creates an attestation. Alternatively, a signer can be an automated service. For instructions that describe different approaches to creating attestations, see the following pages:
- Create attestations manually by signing a container image.
- Create attestations in a Cloud Build pipeline.
Deploy an image
After you create an attestation, you are ready to deploy the associated image.
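The following Go program is an added example, not Google's code or the gcloud CLI, that models the flow described on this page end to end: attestors that hold a public key, a signer that creates an attestation by signing an image digest, a policy rule that names the required attestors, and the deploy-time check that admits an image only when every required attestor verifies an attestation for that exact digest. The attestor names, keys and digests are constructed for the example; the signed JSON payload is a simplified stand-in for the real Binary Authorization attestation payload, and ECDSA P-256 with SHA-256 is used because it is one of the PKIX algorithms Binary Authorization accepts and is available in the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Attestor models a Binary Authorization attestor: a name plus the public key
// used at deploy time to verify attestations recorded against it.
type Attestor struct {
	Name   string
	PubKey *ecdsa.PublicKey
}

// Attestation is a signer's signature over an image digest, recorded against
// a named attestor.
type Attestation struct {
	Attestor  string
	Digest    string // "sha256:..." image digest (constructed values below)
	Signature []byte
}

// payload is the signed content. Binary Authorization signs a JSON payload that
// names the image digest; this struct is a simplified stand-in, not the exact format.
type payload struct {
	Digest string `json:"digest"`
}

// payloadHash returns the SHA-256 hash of the JSON payload for a digest.
func payloadHash(digest string) []byte {
	b, _ := json.Marshal(payload{Digest: digest})
	h := sha256.Sum256(b)
	return h[:]
}

// Sign creates an attestation: the signer signs the digest's payload with the
// private key whose public half is registered on the named attestor.
func Sign(priv *ecdsa.PrivateKey, attestor, digest string) (Attestation, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, payloadHash(digest))
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{Attestor: attestor, Digest: digest, Signature: sig}, nil
}

// Verify checks that the attestation names this attestor, covers exactly the
// requested digest, and carries a valid signature under the attestor's key.
func (a Attestor) Verify(att Attestation, digest string) bool {
	if att.Attestor != a.Name || att.Digest != digest {
		return false
	}
	return ecdsa.VerifyASN1(a.PubKey, payloadHash(digest), att.Signature)
}

// Policy is the rule that lists the attestors required before an image may deploy.
type Policy struct {
	RequiredAttestors []Attestor
}

// Admit applies the rule: every required attestor must verify at least one
// attestation for this digest. It returns the names of attestors that did not.
func (p Policy) Admit(digest string, atts []Attestation) (bool, []string) {
	var missing []string
	for _, a := range p.RequiredAttestors {
		verified := false
		for _, att := range atts {
			if a.Verify(att, digest) {
				verified = true
				break
			}
		}
		if !verified {
			missing = append(missing, a.Name)
		}
	}
	return len(missing) == 0, missing
}

// newKey generates a P-256 signing key (hypothetical attestor key for the example).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Scenario registers two constructed attestors, signs one image digest for both,
// then evaluates a deployment of that image and of a different digest.
func Scenario() (attestedAdmitted bool, otherDenied bool, missing []string) {
	scanKey, testKey := newKey(), newKey()
	policy := Policy{RequiredAttestors: []Attestor{
		{Name: "vuln-scan", PubKey: &scanKey.PublicKey},
		{Name: "qa-test", PubKey: &testKey.PublicKey},
	}}
	attested := "sha256:" + fmt.Sprintf("%064x", 1) // constructed digest
	other := "sha256:" + fmt.Sprintf("%064x", 2)    // constructed digest

	a1, _ := Sign(scanKey, "vuln-scan", attested)
	a2, _ := Sign(testKey, "qa-test", attested)
	attestedAdmitted, _ = policy.Admit(attested, []Attestation{a1, a2})

	// The same attestations presented for another digest do not transfer:
	// a signature binds to the digest, never to a tag or a later build.
	ok, miss := policy.Admit(other, []Attestation{a1, a2})
	return attestedAdmitted, !ok, miss
}

func main() {
	admitted, denied, missing := Scenario()
	fmt.Println("attested image admitted:", admitted)
	fmt.Println("other digest denied:", denied, "missing attestors:", missing)
}
```

The check is deliberately strict in two ways that matter in practice: an attestation recorded against one attestor is not accepted for another even if the same key were reused, and a digest mismatch fails before any cryptography runs, so a rebuilt image that reuses a tag gets no credit from attestations on the previous digest.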