Introduction
Google Cloud's Binary Authorization service provides software supply-chain security for container-based applications.
It lets you define a policy that the service enforces whenever an attempt is made to deploy a container image on one of the supported container-based platforms.
Architecture
Explanation:
The code used to build the container image is committed to a source repository, such as Cloud Source Repositories.
Cloud Build, a continuous integration (CI) tool, builds and tests the container.
The build pushes the container image to Container Registry or another registry where your built images are stored.
The container image is signed with the private key of a key pair managed by Cloud Key Management Service. The resulting signature is stored in a newly created attestation.
At deploy time, the attestor verifies the attestation using the public key from the key pair. Binary Authorization enforces the policy by requiring a signed attestation before the container image can be deployed.
Platforms that support Binary Authorization
Google Kubernetes Engine (GKE), which runs images in clusters hosted on Google Cloud.
Cloud Run (Preview), which runs containerized applications on a fully managed serverless platform.
Anthos Service Mesh (Preview), which manages a reliable service mesh on-premises or on Google Cloud.
Anthos clusters on VMware, which run images in clusters hosted on-premises.
Reasons to use Binary Authorization
Registries such as Artifact Registry, Container Registry, and other registries store the images you intend to deploy.
You can combine Container Analysis with Binary Authorization to control deployment based on vulnerability information. Container Analysis stores the trusted metadata used in the authorization process in a separate location.
The security monitoring dashboard lets you evaluate your application's security posture across all Google Cloud products, including Binary Authorization.
Google Cloud Deploy, a managed continuous-delivery service, automates the delivery of applications to a series of target environments in a predetermined order.
Binary Authorization itself decides whether to allow or block the deployment of an image based on the configured policy.
Features of Binary Authorization
Binary Authorization provides:
A policy model that lets you specify the constraints on image deployment.
An attestation model that lets you specify trusted parties who can vouch for, or verify, that the required processes in your environment have been completed before deployment.
A deploy-time enforcer that blocks the deployment of images that violate the policy.
Lifecycle
An image deployment lifecycle can consist of the following stages, where passing one stage is required to proceed to the next:
Building and unit testing.
Deployment into a development environment, where no users are affected.
Deployment into a test environment, where only internal users are affected.
Deployment into a canary environment, where a small percentage of external users are affected.
Deployment into production.
Attestations
Attestations are one of the most common use cases for Binary Authorization. As described above, an attestation confirms that a particular image has successfully completed a previous stage.
Before the image is allowed to be deployed, the attestation is checked against the Binary Authorization policy that you configure. Binary Authorization only needs to verify the attestation at deploy time rather than redoing work that was completed earlier.
Policies
A Binary Authorization policy is a set of rules for validating and deploying container images. A policy consists of the following components:
Deployment rules
A list of exempt images
Rules
You define a policy's rules when you configure it. Rules specify the conditions an image must meet before it can be deployed. In addition to the default rule, a policy may contain specific rules, depending on the platform.
Every rule has an evaluation mode and an enforcement mode that can be set. For instance, a rule might require a signed attestation before an image can be deployed.
Default rule
Every policy has a default rule. Any deployment request that does not match a specific rule is subject to this rule. The default rule is defined in the defaultAdmissionRule node of the policy YAML file.
Specific rules
One or more specific rules can be added to a policy. A specific rule applies to images that are deployed to particular clusters, service accounts, or identities. Support for specific rules varies by platform.
Exempt image
Exempt images are images that are not subject to the policy's requirements; Binary Authorization always allows them to be deployed. The allowlist of exempt images for a project is defined by registry paths. Images in the paths gcr.io/google_containers/*, k8s.gcr.io/**, and other paths are exempt by default because they contain resources GKE needs to successfully start a cluster while the default policy is in effect.
The allowlist of exempt images is specified in the admissionWhitelistPatterns field of the policy YAML file.
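To make the deploy-time decision concrete, here is an added Python model of how the policy components above fit together (exempt-image patterns, the default rule, a cluster-specific rule, and the evaluation and enforcement modes). It is example code, not part of the original article or of Google's implementation; the policy is constructed in the shape of the policy YAML, the project, attestor and cluster names are placeholders, and the set of already-verified attestors stands in for the signature verification that Binary Authorization performs.

```python
import re

# Constructed policy using the policy YAML field names; names are placeholders.
POLICY = {
    "admissionWhitelistPatterns": [
        {"namePattern": "gcr.io/google_containers/*"},
        {"namePattern": "k8s.gcr.io/**"},
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": ["projects/example-project/attestors/qa-attestor"],
    },
    # Specific rule keyed "<location>.<cluster>": the dev cluster only audits.
    "clusterAdmissionRules": {
        "us-central1-a.dev-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
            "requireAttestationsBy": ["projects/example-project/attestors/qa-attestor"],
        }
    },
}


def name_matches(pattern: str, name: str) -> bool:
    """Assumed wildcard semantics: '*' stays within one path component, '**' spans any."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, name) is not None


def evaluate(policy: dict, image: str, cluster: str, verified_attestors: set):
    """Return (decision, audit message) for one deployment request."""
    name = image.split("@")[0]  # exemption is matched on the image name, not the digest
    if any(name_matches(p["namePattern"], name) for p in policy["admissionWhitelistPatterns"]):
        return "ALLOW", "exempt image"
    # A cluster-specific rule wins; otherwise the default rule applies.
    rule = policy.get("clusterAdmissionRules", {}).get(cluster, policy["defaultAdmissionRule"])
    mode = rule["evaluationMode"]
    if mode == "ALWAYS_ALLOW":
        return "ALLOW", "rule allows all images"
    if mode == "ALWAYS_DENY":
        violation = "rule denies all images"
    else:  # REQUIRE_ATTESTATION: every listed attestor must have a verified attestation
        missing = [a for a in rule["requireAttestationsBy"] if a not in verified_attestors]
        if not missing:
            return "ALLOW", "all required attestations verified"
        violation = "missing attestations from: " + ", ".join(missing)
    # Dry-run mode records the violation in the audit log but still admits the image.
    if rule["enforcementMode"] == "DRYRUN_AUDIT_LOG_ONLY":
        return "ALLOW", "dry run, would have blocked: " + violation
    return "DENY", violation
```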
Cryptographic keys
When the policy contains a Require Attestations rule, Binary Authorization uses digital signatures to validate images at deploy time.
First, a key pair is created. The signer signs an image descriptor with the private key, which produces an attestation.
An attestor is then created and stored in the policy. The attestor uploads and is associated with the public key that corresponds to the private key used for signing.
When an attempt is made to deploy an image, Binary Authorization verifies the image's attestations using the attestors from the policy. If the attestation can be verified, the image is deployed.
Setup
Before you can set up Binary Authorization, you must enable the service for the Google Cloud projects that make up your deployment and authorization pipeline.
You then define the policy that specifies the constraints on container image deployment. If your policy requires attestations before deployment, you must also create attestors that can verify attestations before the associated images are approved for deployment.
For configuring Binary Authorization on the different platforms, see the following links:
Before an image can be deployed, every required signer must produce an attestation confirming that the image is ready to proceed to the next deployment stage. The attestation is a record, digitally signed with the signer's private cryptographic key, that contains the registry location and digest of the image.
To learn how to use attestations, see this article in the Google documentation.
Before deploying an image, Binary Authorization checks the policy and enforces the rules it finds.
If the image satisfies the policy's requirements, Binary Authorization permits the deployment. If it does not, the service blocks the deployment and records a message in Cloud Audit Logs explaining why the image is not compliant.
See the following tutorials to examine Binary Authorization enforcement events in Cloud Audit Logs:
What types of cryptographic keys does Binary Authorization support?
Binary Authorization supports two key types: PKIX and PGP.
What is a signer in attestation?
A signer is a person or an automated process that generates an attestation by using a private key to sign an individual image descriptor.
How can we verify an attestation in Google cloud?
When an image is deployed, Binary Authorization uses an attestor from the Google Cloud project to verify the attestation.
How is metadata stored in Binary Authorization?
Binary Authorization uses Container Analysis to store the trusted metadata used in the authorization process.
What are exempt images?
Exempt images are images that are not subject to the policy's requirements.
Conclusion
In this article, we learned about the Binary Authorization service provided by Google Cloud, the reasons to use it, and the features it offers.
For more cloud-related information, you can refer to the following articles: