Binary Authorization PoC
With #7268 we aim to integrate GKE binary authorization within GitLab.
This issue is a product discovery activity aiming for a PoC.
This is a list of goals in priority order:
- extending the auto devops `build` job to sign and upload an image attestation into GCP binauthz https://cloud.google.com/binary-authorization/docs/getting-started-cli#create_an_attestation
- when binauthz is enabled images must use `sha256` signature instead of `tag`. Figure out the best way to pass this information from
- allow auto-deploy-app helm chart to work with `sha256` if present, otherwise fall back on
- figure out the minimum privileges needed to perform image attestation
- figure out the best policy to handle GitLab Cluster Applications