Google Cloud Binary Authorization

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run. With Binary Authorization, users can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, users can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.

The Service Features

Define policies at the project and cluster levels based on the security requirements of an organization. Create distinct policies for multiple environments (e.g., production and test) in addition to CI/CD setups.

Enforce policies by using Binary Authorization to verify signatures from vulnerability scanning tools like Container Registry Vulnerability Scanning, third-party solutions, or image signatures generated.

View results for policy violations as part of a single pane of glass for security in Security Command Center. Explore events such as failed deploy attempts due to policy restriction, or breakglass workflow activities.

Maintain a record of all policy violations and failed deployment attempts using Cloud Audit Logs.

Use an asymmetric key managed in Cloud Key Management Service to sign images for signature verification.

Use the open-source Kritis tool to enforce signature verification across both on-premises Kubernetes and cloud GKE deployments.

Test changes to policy in non-enforcing mode before deploying. See results including would-be-blocked deployments in Cloud Audit Logs.

Bypass policy in an emergency using the breakglass workflow to ensure teams aren't impeded from incident response. All breakglass incidents are recorded in Cloud Audit Logs.

Integrate Binary Authorization with container security and CI/CD partners, such as CloudBees, Twistlock (Palo Alto Networks), and Terraform.