Binary Authorization PoC

With gitlab-org/gitlab-ee#7268 we aim to integrate GKE Binary Authorization into GitLab.

This issue is a ~"product discovery" activity aiming for a PoC.

Goals

This is a list of goals in priority order:

  1. extend the ~"auto devops" build job to sign and upload an image attestation to GCP Binary Authorization (binauthz): https://cloud.google.com/binary-authorization/docs/getting-started-cli#create_an_attestation

    1. Need to pass GCP credentials to the runner as CI variables: see the "Set the variables" part of https://medium.com/@davivc/how-to-set-up-gitlab-ci-cd-with-google-cloud-container-registry-and-kubernetes-fa88ab7b1295 and https://gitlab.com/davivc/gitlab-ci-google-cloud-kubernetes/blob/master/.gitlab-ci.yml#L21
    2. Need to modify https://gitlab.com/gitlab-org/cluster-integration/auto-build-image/blob/9649683fa96cd28f5e2c83a2832afa4d28e23217/src/build.sh#L38 to create an attestation for the pushed image
  2. when binauthz is enabled, images must be referenced by sha256 digest instead of by tag. Figure out the best way to pass the digest from build to deploy: https://cloud.google.com/binary-authorization/docs/getting-started-cli#retest_the_policy

    not researched

  3. allow the auto-deploy-app Helm chart to deploy by sha256 digest when one is present, otherwise fall back to the tag

    not researched

  4. figure out the minimum IAM privileges the CI service account needs to create an attestation

    not researched

  5. figure out the best policy to handle GitLab Cluster Applications

    current policy:

    admissionWhitelistPatterns:
    - namePattern: gcr.io/google_containers/*
    - namePattern: gcr.io/google-containers/*
    - namePattern: k8s.gcr.io/*
    - namePattern: gcr.io/stackdriver-agents/*
    - namePattern: docker.io/gitlab/*
    - namePattern: registry.gitlab.com/gitlab-org/security-products/*
    - namePattern: docker.io/alpine:latest
    - namePattern: docker.io/docker:stable-git
    - namePattern: docker.io/docker:stable-dind
    - namePattern: docker.io/postgres:latest
    - namePattern: docker.io/gliderlabs/herokuish:latest
    - namePattern: docker.io/docker:stable
    defaultAdmissionRule:
      enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
      evaluationMode: REQUIRE_ATTESTATION
      requireAttestationsBy:
      - projects/binauth-test-2/attestors/test-attestor
    name: projects/binauth-test-2/policy
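To make goals 1 to 3 concrete, the following is an added example (sketched for this issue; it is not code from auto-build-image, auto-deploy-app or GitLab) of the build-side attestation step and the build-to-deploy digest hand-off. It assumes CI variables named GCLOUD_SERVICE_KEY, GCP_PROJECT, BINAUTHZ_ATTESTOR and PGP_FINGERPRINT (all hypothetical names), a runner with docker, gcloud and gpg available, and a chart values key `image.digest` that the stock auto-deploy-app chart does not yet have. The gcloud flags follow the PGP flow in the linked getting-started guide as it read in 2019 and should be checked against `gcloud beta container binauthz attestations create --help` before use.

```shell
#!/bin/sh
# Added example for the binauthz PoC; not code from auto-build-image or
# auto-deploy-app. Assumed CI variables (hypothetical names): GCLOUD_SERVICE_KEY
# (service-account JSON), GCP_PROJECT, BINAUTHZ_ATTESTOR, PGP_FINGERPRINT (the
# attestor key, whose secret key is in the runner's gpg keyring), plus the
# CI_APPLICATION_REPOSITORY / CI_APPLICATION_TAG that Auto DevOps already sets.
set -eu

# Reduce an image reference to its repository: drop any "@digest" and the
# ":tag". The last ':' may belong to a registry port (registry:5000/app), so it
# is only treated as a tag separator when the text after it contains no '/'.
image_repository() {
  ref="${1%%@*}"
  case "${ref##*:}" in
    */*) printf '%s\n' "$ref" ;;
    *)   printf '%s\n' "${ref%:*}" ;;
  esac
}

# Build the immutable "repository@sha256:<hex>" reference that binauthz
# evaluates. Anything that is not a well-formed sha256 digest is rejected so a
# bad value cannot silently turn into a mutable tag later in the pipeline.
digest_ref() {
  if ! printf '%s' "$2" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "digest_ref: invalid digest '$2'" >&2
    return 1
  fi
  printf '%s@%s\n' "$(image_repository "$1")" "$2"
}

# After `docker push`, read back the digest the registry assigned. RepoDigests
# is only populated once the image has been pushed or pulled, so this must run
# after the push step in build.sh.
pushed_digest_ref() {
  docker image inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Sign and upload an attestation for one digest reference (PGP flow from the
# linked guide; flag names are an assumption to verify against --help).
attest_image() {
  ref="$1"
  printf '%s' "$GCLOUD_SERVICE_KEY" > /tmp/gcloud-key.json
  gcloud auth activate-service-account --key-file=/tmp/gcloud-key.json
  gcloud --project="$GCP_PROJECT" beta container binauthz create-signature-payload \
    --artifact-url="$ref" > /tmp/payload.json
  gpg --local-user "$PGP_FINGERPRINT" --armor --output /tmp/signature.pgp \
    --sign /tmp/payload.json
  gcloud --project="$GCP_PROJECT" beta container binauthz attestations create \
    --artifact-url="$ref" \
    --attestor="$BINAUTHZ_ATTESTOR" \
    --attestor-project="$GCP_PROJECT" \
    --signature-file=/tmp/signature.pgp \
    --public-key-id="$PGP_FINGERPRINT"
  rm -f /tmp/gcloud-key.json /tmp/payload.json /tmp/signature.pgp
}

# Build -> deploy hand-off: the build job writes the digest reference to a
# small file exposed as a job artifact; the deploy job reads it back. A missing
# file yields an empty string, which selects the tag fallback below.
save_digest_ref() { printf 'IMAGE_DIGEST_REF=%s\n' "$1" > "${2:-image-digest.env}"; }
load_digest_ref() {
  f="${1:-image-digest.env}"
  [ -f "$f" ] || { printf '\n'; return 0; }
  sed -n 's/^IMAGE_DIGEST_REF=//p' "$f"
}

# Deploy side: pin the chart to the digest when one is known, otherwise keep the
# current tag behaviour. `image.digest` is a hypothetical values key; the stock
# chart only knows image.repository/image.tag, so its deployment template would
# need an `{{ if .Values.image.digest }}` branch to render "repo@digest".
helm_image_args() {
  repo="$1"; tag="$2"; digest_ref="${3:-}"
  if [ -n "$digest_ref" ]; then
    printf '%s %s\n' "--set image.repository=$(image_repository "$digest_ref")" \
      "--set image.digest=${digest_ref##*@}"
  else
    printf '%s %s\n' "--set image.repository=$repo" "--set image.tag=$tag"
  fi
}

# Build-side sequence; guarded so the helpers can be sourced and exercised
# without a GCP project.
if [ "${RUN_ATTESTATION:-0}" = 1 ]; then
  image="$CI_APPLICATION_REPOSITORY:$CI_APPLICATION_TAG"
  ref="$(pushed_digest_ref "$image")"
  attest_image "$ref"
  save_digest_ref "$ref"
fi
```

In the build job this runs after `docker push` with RUN_ATTESTATION=1 and `image-digest.env` declared under `artifacts:paths`; the deploy job calls `helm_image_args "$CI_APPLICATION_REPOSITORY" "$CI_APPLICATION_TAG" "$(load_digest_ref)"` and splices the result into its `helm upgrade` command. One caveat relevant to goal 5: several admissionWhitelistPatterns in the current policy name mutable tags such as docker.io/alpine:latest and docker.io/docker:stable, and a whitelisted pattern is admitted without any attestation, so whatever those tags resolve to at pull time is trusted.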

/cc @jlenny @darbyfrey

Edited Jul 23, 2019 by Vladimir Shushlin