Securing image deployments to Cloud Run and Google Kubernetes Engine

This page provides instructions on how you can secure image deployments to Cloud Run and Google Kubernetes Engine using Cloud Build.

Learn how to configure Binary Authorization to check for build attestations and block deployments of images that are not generated by Cloud Build. This process can reduce the risk of deploying unauthorized software.

Before you begin

  1. Enable the Cloud Build, Binary Authorization, and Artifact Registry APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

  2. To use the command-line examples in this guide, install and configure the Google Cloud SDK.

    Note: If you've installed Google Cloud SDK previously, make sure you have the latest available version by running gcloud components update.
  3. Set up Binary Authorization for your platform.

Control deployments with Binary Authorization

A policy in Binary Authorization is a set of rules that govern the deployment of images. You can configure a rule to require digitally signed attestations.

Cloud Build generates and signs attestations at build time. With Binary Authorization, you can use the built-by-cloud-build attestor to verify the attestations and only deploy images built by Cloud Build.

To create the built-by-cloud-build attestor in your project, run a build in that project.

To allow only images built by Cloud Build to be deployed, perform the following steps:

Console

  1. Go to the Binary Authorization page in the Google Cloud console.

  2. In the Policy tab, click Edit Policy.

  3. In the Edit Policy dialog, select Allow only images that have been approved by all of the following attestors.

  4. Click Add Attestors.

  5. In the Add attestors dialog box, do the following:

    1. Select Add by project and attestor name and perform the following steps:
      1. In the Project name field, enter the project where you run Cloud Build.
      2. Click the Attestor name field and note that the built-by-cloud-build attestor is available.
      3. Click built-by-cloud-build.
    2. Alternatively, select Add by attestor resource ID. In Attestor resource ID, enter

      projects/PROJECT_ID/attestors/built-by-cloud-build

      Replace PROJECT_ID with the project where you run Cloud Build.

  6. Click Add 1 attestor.

  7. Click Save Policy.

gcloud

  1. Export your existing policy to a file using the following command:

    gcloud container binauthz policy export > /tmp/policy.yaml

  2. Edit your policy file.

  3. Edit one of the following rules:

    • defaultAdmissionRule
    • clusterAdmissionRules
    • istioServiceIdentityAdmissionRules
    • kubernetesServiceAccountAdmissionRules

  4. Add a requireAttestationsBy block to the rule if there isn't one there already.

  5. In the requireAttestationsBy block, add

    projects/PROJECT_ID/attestors/built-by-cloud-build

    Replace PROJECT_ID with the project where you run Cloud Build.

  6. Save the policy file.

  7. Import the policy file.

    gcloud container binauthz policy import /tmp/policy.yaml

    The following is an example policy file that contains the reference to the built-by-cloud-build attestor:

    defaultAdmissionRule:
      evaluationMode: REQUIRE_ATTESTATION
      enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
      requireAttestationsBy:
      - projects/PROJECT_ID/attestors/built-by-cloud-build
    name: projects/PROJECT_ID/policy

    Replace PROJECT_ID with the project ID where you run Cloud Build.
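The gcloud steps above can be scripted so that the change is repeatable and reviewable. The following Python is an added example, not code from this page or from Cloud Build. It assumes the policy was exported as JSON with the global --format flag (gcloud container binauthz policy export --format=json) and that the JSON file can be passed back to gcloud container binauthz policy import because JSON is valid YAML; the function names and the sample policy are the example's own. It goes a little beyond the steps: it updates every rule in all four rule locations the page lists, not just one, leaves each rule's enforcementMode as exported, and does nothing on a rule that already requires the attestor, so it can be rerun safely.

```python
"""Require the built-by-cloud-build attestation in every admission rule.

Added example (not from the Google Cloud page). Assumes the policy was
exported with `gcloud container binauthz policy export --format=json` and
will be imported back with `gcloud container binauthz policy import`.
"""
import copy
import json

SINGLE_RULE = "defaultAdmissionRule"
# The other rule locations the page lists are maps keyed by cluster,
# Istio service identity, or Kubernetes service account.
RULE_MAPS = (
    "clusterAdmissionRules",
    "istioServiceIdentityAdmissionRules",
    "kubernetesServiceAccountAdmissionRules",
)


def attestor_id(project_id):
    """Resource ID of the attestor Cloud Build creates in project_id."""
    return f"projects/{project_id}/attestors/built-by-cloud-build"


def iter_rules(policy):
    """Yield (label, rule) for every admission rule in an exported policy."""
    if SINGLE_RULE in policy:
        yield SINGLE_RULE, policy[SINGLE_RULE]
    for key in RULE_MAPS:
        for scope, rule in policy.get(key, {}).items():
            yield f"{key}[{scope}]", rule


def require_cloud_build_attestation(policy, project_id):
    """Return a copy of policy in which every rule requires the attestation.

    evaluationMode becomes REQUIRE_ATTESTATION. enforcementMode is kept as
    exported (a rule in dry-run stays in dry-run) and only defaults to
    blocking when the rule had none. Re-running on an updated policy is a
    no-op, so the script is safe to run from a pipeline.
    """
    updated = copy.deepcopy(policy)
    attestor = attestor_id(project_id)
    for _, rule in iter_rules(updated):
        rule["evaluationMode"] = "REQUIRE_ATTESTATION"
        rule.setdefault("enforcementMode", "ENFORCED_BLOCK_AND_AUDIT_LOG")
        required = rule.setdefault("requireAttestationsBy", [])
        if attestor not in required:
            required.append(attestor)
    return updated


def rewrite_policy_file(src, dst, project_id):
    """Read an exported JSON policy from src and write the updated one to dst."""
    with open(src) as fh:
        policy = json.load(fh)
    updated = require_cloud_build_attestation(policy, project_id)
    with open(dst, "w") as fh:
        json.dump(updated, fh, indent=2)
    return updated


# Constructed sample of an exported policy (assumed shape, not real output):
# the default rule allows everything and one cluster rule is still in dry-run.
SAMPLE_EXPORT = """{
  "defaultAdmissionRule": {
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    "evaluationMode": "ALWAYS_ALLOW"
  },
  "clusterAdmissionRules": {
    "us-central1-a.prod-cluster": {
      "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
      "evaluationMode": "ALWAYS_ALLOW"
    }
  },
  "globalPolicyEvaluationMode": "ENABLE",
  "name": "projects/my-project/policy"
}"""


def sample_policy():
    """Parsed copy of the constructed sample export."""
    return json.loads(SAMPLE_EXPORT)


if __name__ == "__main__":
    hardened = require_cloud_build_attestation(sample_policy(), "my-project")
    print(json.dumps(hardened, indent=2))
```

Typical use is gcloud container binauthz policy export --format=json > /tmp/policy.json, then rewrite_policy_file("/tmp/policy.json", "/tmp/policy.updated.json", "PROJECT_ID"), then gcloud container binauthz policy import /tmp/policy.updated.json. Diffing the two files before the import is a cheap review step.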

You can view policy errors in the Binary Authorization log messages for GKE or Cloud Run.

Note: Cloud Build does not generate attestations for builds in a private pool. You can enable attestations for builds in private pools by adding an option to your build file.

Using dry-run mode

In dry-run mode, Binary Authorization checks policy compliance without actually blocking the deployment. Instead, policy compliance status messages are logged to Cloud Logging. You can use these logs to determine if your blocking policy is working correctly and to identify false positives.

To enable dry run, do the following:

Console

  1. Go to the Binary Authorization page in the Google Cloud console.

  2. Click Edit Policy.

  3. In Default Rule or a specific rule, select Dry-run mode.

    Note: To demonstrate dry-run mode, you can also set the rule to Disallow all images. With this setting, all images violate the policy, are disallowed from being deployed, and the violations are logged.

  4. Click Save Policy.

gcloud

  1. Export the Binary Authorization policy to a YAML file:

    gcloud container binauthz policy export > /tmp/policy.yaml

  2. In a text editor, set enforcementMode to DRYRUN_AUDIT_LOG_ONLY and save the file.

    Note: To demonstrate dry-run mode, you can set evaluationMode to ALWAYS_DENY. With this setting, all images violate the policy, are disallowed from being deployed, and the violations are logged.

  3. To update the policy, import the file by executing the following command:

    gcloud container binauthz policy import /tmp/policy.yaml

Note: It can take a few minutes for the policy to take effect.

You can view policy errors in the Binary Authorization log messages for GKE or Cloud Run.
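Dry-run is only useful if somebody eventually turns it off, and a policy with several rule locations makes it easy to leave one rule in DRYRUN_AUDIT_LOG_ONLY. The following Python is an added example, not code from this page or from Binary Authorization: it audits a policy exported with gcloud container binauthz policy export --format=json (the global --format flag; assumed here) and reports every rule that would still let an unattested image through, whether because it is still in dry-run, because it never checks attestations, or because it does not name the built-by-cloud-build attestor. It also lists admissionWhitelistPatterns, since images matching those patterns are exempt from rule evaluation. The function names and sample policies are the example's own.

```python
"""Report every rule in a Binary Authorization policy that does not block
images lacking the built-by-cloud-build attestation.

Added example (not from the Google Cloud page). Input is the policy as
exported with `gcloud container binauthz policy export --format=json`.
"""
import json

SINGLE_RULE = "defaultAdmissionRule"
RULE_MAPS = (
    "clusterAdmissionRules",
    "istioServiceIdentityAdmissionRules",
    "kubernetesServiceAccountAdmissionRules",
)


def iter_rules(policy):
    """Yield (label, rule) for every admission rule in the policy."""
    if SINGLE_RULE in policy:
        yield SINGLE_RULE, policy[SINGLE_RULE]
    for key in RULE_MAPS:
        for scope, rule in policy.get(key, {}).items():
            yield f"{key}[{scope}]", rule


def audit_policy(policy, project_id):
    """Return a list of (where, finding) pairs; empty means fully enforced."""
    attestor = f"projects/{project_id}/attestors/built-by-cloud-build"
    findings = []
    for label, rule in iter_rules(policy):
        mode = rule.get("evaluationMode")
        if mode == "ALWAYS_ALLOW":
            findings.append((label, "evaluationMode is ALWAYS_ALLOW; attestations are never checked"))
        elif mode == "REQUIRE_ATTESTATION":
            if attestor not in rule.get("requireAttestationsBy", []):
                findings.append((label, "does not require the built-by-cloud-build attestor"))
        # ALWAYS_DENY rejects everything; the page uses it to demonstrate dry-run.
        if rule.get("enforcementMode") == "DRYRUN_AUDIT_LOG_ONLY":
            findings.append((label, "still in dry-run: violations are logged to Cloud Logging, not blocked"))
    # Images matching a whitelist pattern skip policy evaluation entirely.
    for entry in policy.get("admissionWhitelistPatterns", []):
        findings.append(("admissionWhitelistPatterns",
                         f"{entry.get('namePattern')} is exempt from every rule"))
    return findings


# Constructed sample (not real output): the default rule is correct but still
# in dry-run, a cluster rule allows everything, and one pattern is whitelisted.
SAMPLE_DRY_RUN = """{
  "defaultAdmissionRule": {
    "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
    "evaluationMode": "REQUIRE_ATTESTATION",
    "requireAttestationsBy": ["projects/my-project/attestors/built-by-cloud-build"]
  },
  "clusterAdmissionRules": {
    "us-central1-a.prod-cluster": {
      "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
      "evaluationMode": "ALWAYS_ALLOW"
    }
  },
  "admissionWhitelistPatterns": [{"namePattern": "example.test/exempt/*"}],
  "globalPolicyEvaluationMode": "ENABLE",
  "name": "projects/my-project/policy"
}"""


def dry_run_sample():
    """Parsed copy of the constructed dry-run policy."""
    return json.loads(SAMPLE_DRY_RUN)


def hardened_sample():
    """The same policy after dry-run is switched off everywhere."""
    policy = dry_run_sample()
    policy["defaultAdmissionRule"]["enforcementMode"] = "ENFORCED_BLOCK_AND_AUDIT_LOG"
    cluster = policy["clusterAdmissionRules"]["us-central1-a.prod-cluster"]
    cluster["evaluationMode"] = "REQUIRE_ATTESTATION"
    cluster["requireAttestationsBy"] = ["projects/my-project/attestors/built-by-cloud-build"]
    del policy["admissionWhitelistPatterns"]
    return policy


if __name__ == "__main__":
    for where, finding in audit_policy(dry_run_sample(), "my-project"):
        print(f"{where}: {finding}")
    print("hardened policy findings:", audit_policy(hardened_sample(), "my-project"))
```

Running the audit after each import, and failing the pipeline on a non-empty result once the dry-run period is over, catches the rule that was forgotten when the rest of the policy was switched to blocking.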

Limitations

  • Cloud Build and Binary Authorization must be in the same project. If you run your deployment platform in another project, configure IAM roles for a multi-project setup, and refer to the Cloud Build project when adding the built-by-cloud-build attestor in Binary Authorization.

  • Cloud Build does not generate attestations when you push images to Artifact Registry using an explicit docker push build step. Make sure you push to Artifact Registry using the images field in your docker build build step. For more information on images, see Different ways of storing images in Artifact Registry.

  • You must use separate build config files for your build pipeline and deployment pipeline. This is because Cloud Build produces attestations only after the build pipeline completes successfully. Binary Authorization will then check the attestation before deploying the image.

Enable attestations in private pools

By default, Cloud Build does not generate Binary Authorization attestations for builds in private pools. To generate attestations, add the requestedVerifyOption: VERIFIED option to your build configuration file:

steps:
- name: 'gcr.io/cloud-builders/docker'
  args: ['build', '-t', 'us-central1-docker.pkg.dev/$PROJECT_ID/quickstart-docker-repo/quickstart-image:tag1', '.']
images:
- 'us-central1-docker.pkg.dev/$PROJECT_ID/quickstart-docker-repo/quickstart-image:tag1'
options:
  requestedVerifyOption: VERIFIED

After adding the requestedVerifyOption, Cloud Build enables attestation generation and provenance metadata for your image.

View attestor metadata

An attestor is created the first time you run a build in a project. The attestor ID is of the form projects/PROJECT_ID/attestors/built-by-cloud-build, where PROJECT_ID is your project ID.

You can check the build attestor metadata using the following command:

curl -X GET -H "Content-Type: application/json" \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    https://binaryauthorization.googleapis.com/v1beta1/projects/PROJECT_ID/attestors/built-by-cloud-build

Replace PROJECT_ID with the project where you run Cloud Build.

The output contains information about the attestor and the corresponding public keys. For example:

{
  "name": "projects/PROJECT_ID/attestors/built-by-cloud-build",
  "userOwnedDrydockNote": {
    "noteReference": "projects/PROJECT_ID/notes/built-by-cloud-build",
    "publicKeys": [
      {
        "id": "//cloudkms.googleapis.com/v1/projects/verified-builder/locations/asia/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1",
        "pkixPublicKey": {
          "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMMvFxZLgIiWOLIXsaTkjTmOKcaK7\neIZrgpWHpHziTFGg8qyEI4S8O2/2wh1Eru7+sj0Sh1QxytN/KE5j3mTvYA==\n-----END PUBLIC KEY-----\n",
          "signatureAlgorithm": "ECDSA_P256_SHA256"
        }
      },
      ...
    ],
    "delegationServiceAccountEmail": "service-942118413832@gcp-binaryauthorization.iam.gserviceaccount.com"
  },
  "updateTime": "2021-09-24T15:26:44.808914Z",
  "description": "Attestor autogenerated by build ID fab07092-30f4-4f70-caf7-4545cbc404d6"
}
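A policy that requires this attestor is only as trustworthy as the attestor's keys, so it is worth recording what the metadata says before relying on it. The following Python is an added example, not code from this page or from Binary Authorization. It parses the JSON the curl command above returns (the sample embedded below is the page's example response, trimmed to its first key) and checks what a reviewer would want to pin: that the attestor and its note belong to the expected project, that every key is a Cloud KMS key version using ECDSA_P256_SHA256, and that each PEM actually parses as a P-256 public key. It also derives a SHA-256 fingerprint of each DER-encoded key, which can be compared with the key version in Cloud KMS or stored for change detection. The function names are the example's own; the DER prefix is the standard P-256 SubjectPublicKeyInfo header.

```python
"""Inspect the built-by-cloud-build attestor metadata before relying on it.

Added example (not from the Google Cloud page). Only the standard library is
used; the SAMPLE_ATTESTOR below is the page's example response, trimmed to
one key.
"""
import base64
import hashlib
import json

# DER prefix of a P-256 SubjectPublicKeyInfo; the 65 bytes that follow it are
# the uncompressed EC point 0x04 || X || Y.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200"
)


def pem_to_der(pem):
    """Drop the PEM armor lines and base64-decode the key strictly."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def p256_point(der):
    """Return the 65-byte uncompressed point, or raise ValueError."""
    if not der.startswith(P256_SPKI_PREFIX) or len(der) != len(P256_SPKI_PREFIX) + 65:
        raise ValueError("not a P-256 SubjectPublicKeyInfo")
    point = der[len(P256_SPKI_PREFIX):]
    if point[0] != 0x04:
        raise ValueError("EC point is not in uncompressed form")
    return point


def key_fingerprint(der):
    """Colon-separated SHA-256 of the DER key, for pinning and inventory."""
    hexdigest = hashlib.sha256(der).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def inspect_attestor(metadata, project_id):
    """Return (keys, issues): one summary dict per key plus a list of findings."""
    issues = []
    if metadata.get("name") != f"projects/{project_id}/attestors/built-by-cloud-build":
        issues.append(f"attestor name {metadata.get('name')!r} is not in project {project_id}")
    note = metadata.get("userOwnedDrydockNote", {})
    if note.get("noteReference") != f"projects/{project_id}/notes/built-by-cloud-build":
        issues.append(f"note {note.get('noteReference')!r} is not in project {project_id}")
    keys = []
    for key in note.get("publicKeys", []):
        kid = key.get("id", "")
        pkix = key.get("pkixPublicKey", {})
        entry = {"id": kid, "algorithm": pkix.get("signatureAlgorithm")}
        if not kid.startswith("//cloudkms.googleapis.com/"):
            issues.append(f"{kid}: not a Cloud KMS key version")
        if entry["algorithm"] != "ECDSA_P256_SHA256":
            issues.append(f"{kid}: unexpected algorithm {entry['algorithm']}")
        try:
            der = pem_to_der(pkix.get("publicKeyPem", ""))
            p256_point(der)
            entry["fingerprint"] = key_fingerprint(der)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            issues.append(f"{kid}: {exc}")
        keys.append(entry)
    if not keys:
        issues.append("attestor has no public keys")
    return keys, issues


# The page's example response, trimmed to its first key (raw string so the
# \n escapes inside the PEM reach the JSON parser unchanged).
SAMPLE_ATTESTOR = r"""{
  "name": "projects/PROJECT_ID/attestors/built-by-cloud-build",
  "userOwnedDrydockNote": {
    "noteReference": "projects/PROJECT_ID/notes/built-by-cloud-build",
    "publicKeys": [
      {
        "id": "//cloudkms.googleapis.com/v1/projects/verified-builder/locations/asia/keyRings/attestor/cryptoKeys/builtByGCB/cryptoKeyVersions/1",
        "pkixPublicKey": {
          "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMMvFxZLgIiWOLIXsaTkjTmOKcaK7\neIZrgpWHpHziTFGg8qyEI4S8O2/2wh1Eru7+sj0Sh1QxytN/KE5j3mTvYA==\n-----END PUBLIC KEY-----\n",
          "signatureAlgorithm": "ECDSA_P256_SHA256"
        }
      }
    ],
    "delegationServiceAccountEmail": "service-942118413832@gcp-binaryauthorization.iam.gserviceaccount.com"
  },
  "updateTime": "2021-09-24T15:26:44.808914Z",
  "description": "Attestor autogenerated by build ID fab07092-30f4-4f70-caf7-4545cbc404d6"
}"""


def sample_attestor():
    """Parsed copy of the trimmed example response."""
    return json.loads(SAMPLE_ATTESTOR)


if __name__ == "__main__":
    keys, issues = inspect_attestor(sample_attestor(), "PROJECT_ID")
    for entry in keys:
        print(entry)
    print("issues:", issues or "none")
```

Feeding the output of the curl command into inspect_attestor with your real project ID, and keeping the fingerprints under version control, turns a one-off look at the metadata into a check that notices when a key is added or replaced.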

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.