implementing-gcp-binary-authorization

# Implementing GCP Binary Authorization ## Overview Binary Authorization is a Google Cloud deploy-time security control that ensures only trusted container images are deployed on GKE or Cloud Run. It works through a policy-based model where images must have cryptographic attestations confirming they passed predefined requirements such as vulnerability scans, code reviews, or build pipeline verification. Continuous validation (CV) monitors running pods against policies and logs violations. ## When to Use - When deploying or configuring implementing gcp binary authorization capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - GCP project with Binary Authorization API enabled - GKE cluster or Cloud Run service - Container Analysis API enabled - KMS keys for attestation signing - Cloud Build or external CI/CD pipeline ## Enable Binary Authorization ```bash # Enable required APIs gcloud services enable binaryauthorization.googleapis.com gcloud services enable containeranalysis.googleapis.com gcloud services enable container.googleapis.com # Enable Binary Authorization on GKE cluster gcloud container clusters update CLUSTER_NAME \ --enable-binauthz \ --zone us-central1-a ``` ## Create Attestor ### Create a KMS key for signing ```bash # Create keyring gcloud ...