Support Binary Authorization for container policy enforcement
Problem to solve
Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Kubernetes Engine. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.
GKE has built-in support for binauthz. The feature is currently in
Allow users to define and manage Binary Authorization via the GitLab UI in order to secure application deployments. We can define multiple policies for
For example, users may require a specific flow for their images to be approved for production, such as requiring that the QA steps have been completed first.
The signing (attestation) key must be very well protected; it must only be available to the locked-down signing code.
One thing to decide - what do we sign? We recently implemented gitlab-ce#41766 (closed) which introduces a release entity. Is a release the right thing (and right moment) to sign? Or do we sign the output of every pipeline?
Steps to use binary authorization on GKE
- enable Binary Authorization API in API and Services > Library
- create an attestor in Security > Binary Authorization
- ensure attestor signature is used to sign binaries in pipeline or release
- enable Binary Authorization in the cluster properties (#7840)
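As an added example that is not part of this issue, here is what the GKE-side policy for the "QA before production" flow described above could look like, in the YAML format accepted by `gcloud container binauthz policy import`. `PROJECT_ID`, the `prod-cluster` in `us-central1-a` and the `qa-attestor` attestor name are placeholders.

```yaml
# Binary Authorization policy (added example; PROJECT_ID, the cluster and
# the attestor name are placeholders). Applied with:
#   gcloud container binauthz policy import policy.yaml
name: projects/PROJECT_ID/policy

# Weak default that is easy to leave in place: every image is admitted on
# every cluster, so a cluster missing from clusterAdmissionRules below is
# effectively unprotected.
# defaultAdmissionRule:
#   evaluationMode: ALWAYS_ALLOW
#   enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

# Hardened default: any cluster without an explicit rule denies all images
# and logs the decision, so forgetting a cluster fails closed.
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

# Let Google-managed system images (kube-system workloads) through without
# an attestation so the cluster itself keeps working.
globalPolicyEvaluationMode: ENABLE

clusterAdmissionRules:
  # Production: an image digest is only admitted once the QA attestor has
  # signed it. The policy references the attestor by name only; the private
  # signing key stays with the signing step (e.g. in Cloud KMS) and is never
  # exposed to the rest of the pipeline.
  us-central1-a.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/qa-attestor

  # Staging: same attestation requirement, but in dry-run mode so missing
  # attestations are only logged. Useful for validating the pipeline's
  # signing step before enforcement is switched on.
  us-central1-a.staging-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/qa-attestor
```

Deployments blocked by the policy show up in the cluster's audit log, which is the signal to check first when a release that passed QA is still rejected (usually the pipeline signed a tag rather than the image digest).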
What does success look like, and how can we measure that?
Number of projects using binauthz for their deployments.