Binary Authorization
A security service that ensures only trusted and verified container images are deployed to production environments on Google Cloud.
| Category | Container & Kubernetes Security |
|---|---|
| This page updated | a month ago |
| Pricing Details | Pricing is based on the number of attestors and the volume of images processed. |
| Target Audience | DevOps teams, security engineers, and cloud architects managing containerized applications. |
Binary Authorization on Google Cloud is designed to ensure only trusted and verified container images are deployed to production environments. This service implements a robust policy model that governs the deployment of container images, particularly on Google Kubernetes Engine (GKE), Cloud Run, and Google Distributed Cloud.
Technically, Binary Authorization relies on a two-pronged approach: policies and attestations. Policies define the rules under which container images can be deployed, specifying the necessary criteria an image must meet before deployment. Attestors, trusted authorities identified by cryptographic public keys, create digitally signed attestations that verify the image has completed all required processes, such as vulnerability scanning and testing.
To set up Binary Authorization, you must enable the relevant APIs, including `binaryauthorization.googleapis.com` and `cloudkms.googleapis.com`, and configure a Kubernetes cluster or other supported platform. Attestors are created and registered using the Container Analysis API, which stores the signatures associated with container image digests. The service uses Google Cloud Key Management Service (KMS) to manage the cryptographic key pairs used for signing and verifying attestations.
Operationally, Binary Authorization enforces policy compliance at deploy time, preventing images that do not meet the defined criteria from being deployed. Continuous validation (CV) can also be configured to periodically check the metadata of running container images for ongoing policy conformance. However, this enforcement can introduce latency in the deployment process, and managing multiple attestors and policies can add complexity to the CI/CD pipeline.
Key technical details include the use of ECDSA (Elliptic Curve Digital Signature Algorithm) with the P-256 curve for signing attestations, and the integration with Container Analysis for vulnerability scanning and metadata management. The service logs non-compliant deployments in Cloud Audit Logs, providing visibility into enforcement actions.
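As an added example (not taken from this page or from Google's own documentation), the following shows a permissive Binary Authorization project policy beside a hardened one that requires attestations and blocks and audit-logs violations. `PROJECT_ID`, the attestor name `build-verifier` and the cluster name `us-central1-a.staging-cluster` are placeholders.

```yaml
# Permissive policy (weak): every image is admitted on every cluster, so the
# attestation step in the CI/CD pipeline is never actually enforced.
name: projects/PROJECT_ID/policy
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
---
# Hardened policy: an image is admitted only if it carries an attestation
# verified by the named attestor; anything else is blocked and audit-logged.
name: projects/PROJECT_ID/policy
globalPolicyEvaluationMode: ENABLE
admissionWhitelistPatterns:
  # Exempt only images this pipeline does not build (example pattern);
  # keep this list as short as possible, since exempt images skip all checks.
  - namePattern: gcr.io/google_containers/*
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/build-verifier   # placeholder attestor
clusterAdmissionRules:
  # Staging cluster: same attestation requirement, but dry-run mode so
  # non-compliant deployments are only logged while the pipeline is wired up.
  us-central1-a.staging-cluster:                     # placeholder cluster
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/build-verifier
```

Each document is a complete policy file; the hardened one is what you would pass to `gcloud container binauthz policy import`, and `gcloud container binauthz policy export` lets you confirm which of the two postures a project is actually running.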