Support Binary Authorization for container policy enforcement
Problem to solve
Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Kubernetes Engine. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.
GKE has built-in support for binauthz. The feature is currently in
Allow users to define and manage Binary Authorization policies via the GitLab UI in order to secure application deployments. We can define multiple policies for
For example, users may require a specific flow for their images to be approved for production, such as requiring that the QA steps have been completed first.
Steps to use Binary Authorization on GKE
- enable the Binary Authorization API (APIs & Services > Library)
- create an attestor (Security > Binary Authorization)
- enable Binary Authorization on the cluster (cluster properties)
Note that enabling the feature on the cluster blocks nothing by itself: the project's policy must also be changed from the default allow-all rule to one that requires the attestor's attestation, and images must be referenced by digest rather than by tag, since a tag cannot carry an attestation.
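The same procedure as a gcloud script, added here as an example and not taken from the proposal or from GitLab's code. It covers the three console steps above plus the two pieces they leave out: a policy that actually requires the attestation, and the signing step a pipeline would run once QA has passed. The project, zone, cluster, attestor, note and Cloud KMS names are placeholders, and the script assumes an asymmetric signing key already exists in Cloud KMS and that the caller has the IAM roles needed to create notes and attestors.

```shell
#!/bin/sh
# Added example: Binary Authorization setup on GKE with gcloud.
# All identifiers below are assumed placeholders; override them in the environment.
set -u

PROJECT_ID="${PROJECT_ID:-example-project}"
ZONE="${ZONE:-us-central1-a}"
CLUSTER="${CLUSTER:-prod-cluster}"
ATTESTOR="${ATTESTOR:-qa-attestor}"
NOTE_ID="${NOTE_ID:-qa-passed}"
KMS_LOCATION="${KMS_LOCATION:-global}"
KMS_KEYRING="${KMS_KEYRING:-binauthz}"
KMS_KEY="${KMS_KEY:-qa-signer}"   # assumed: an existing asymmetric signing key

# Step 1: enable the APIs (Container Analysis stores the attestations).
enable_api() {
  gcloud services enable binaryauthorization.googleapis.com \
    containeranalysis.googleapis.com --project="$PROJECT_ID"
}

# Step 2: an attestor is a Container Analysis note plus the public key(s)
# whose signatures it accepts. The note is created through the REST API.
create_attestor() {
  curl -sS -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    --data-binary "{\"name\":\"projects/${PROJECT_ID}/notes/${NOTE_ID}\",\"attestation\":{\"hint\":{\"human_readable_name\":\"QA passed\"}}}" \
    "https://containeranalysis.googleapis.com/v1/projects/${PROJECT_ID}/notes/?noteId=${NOTE_ID}"
  gcloud container binauthz attestors create "$ATTESTOR" \
    --project="$PROJECT_ID" \
    --attestation-authority-note="$NOTE_ID" \
    --attestation-authority-note-project="$PROJECT_ID"
  gcloud container binauthz attestors public-keys add \
    --project="$PROJECT_ID" --attestor="$ATTESTOR" \
    --keyversion-project="$PROJECT_ID" --keyversion-location="$KMS_LOCATION" \
    --keyversion-keyring="$KMS_KEYRING" --keyversion-key="$KMS_KEY" --keyversion=1
}

# The policy: every image must carry the QA attestor's attestation, and a
# violation is blocked (not merely logged). GKE's own system images are
# exempted through the global policy and the allowlist pattern.
write_policy() {
  cat > "$1" <<EOF
globalPolicyEvaluationMode: ENABLE
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/${PROJECT_ID}/attestors/${ATTESTOR}
EOF
}

# Step 3: turn enforcement on for the cluster (older gcloud: --enable-binauthz).
enable_on_cluster() {
  gcloud container clusters update "$CLUSTER" --zone="$ZONE" --project="$PROJECT_ID" \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
}

# Attestations bind to a digest; a tag reference can never satisfy the policy,
# so refuse to sign anything that is not pinned by digest.
require_digest() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *) echo "refusing to sign '$1': not a digest reference" >&2; return 1 ;;
  esac
}

# Run from the pipeline job that follows the QA stage.
sign_image() {
  require_digest "$1" || return 1
  gcloud container binauthz attestations sign-and-create \
    --project="$PROJECT_ID" --artifact-url="$1" \
    --attestor="$ATTESTOR" --attestor-project="$PROJECT_ID" \
    --keyversion-project="$PROJECT_ID" --keyversion-location="$KMS_LOCATION" \
    --keyversion-keyring="$KMS_KEYRING" --keyversion-key="$KMS_KEY" --keyversion=1
}

case "${1:-}" in
  apply)
    enable_api && create_attestor && write_policy policy.yaml \
      && gcloud container binauthz policy import policy.yaml --project="$PROJECT_ID" \
      && enable_on_cluster ;;
  sign) sign_image "${2:-}" ;;
  *) echo "usage: $0 apply | sign IMAGE@sha256:DIGEST" ;;
esac
```

Run `sh binauthz.sh apply` once per project, then `sh binauthz.sh sign gcr.io/PROJECT/app@sha256:...` from the job that follows QA; a deploy of the same image by tag, or of a digest that was never signed, is rejected by the admission controller with the reason written to the audit log.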
What does success look like, and how can we measure that?
Number of projects using Binary Authorization for their deployments.