Lesson 10 · Security, supply chain & operations
Binary authorization & supply chain
Only run images your pipeline built — the "boarding pass" model, and why this repo's is stamped-but-not-checked.
Your win: explain supply-chain security via attestation and admission control, and read this repo's binary-authorization setup — including the honest fact that it's currently audit-only.
The threat: a rogue image runs in prod
Your cluster pulls images by name. What stops someone deploying an image that didn't come from the trusted pipeline — one built on a laptop, or tampered with? Nothing, by default. Binary Authorization is GCP's answer: admission control that only lets images with valid attestations run on GKE.1
This repo's supply chain
gcloud beta container binauthz attestations sign-and-create
(:88-95) against a KMS attestor (stag-deploy or
prod-deploy, keyring binauthz-attestors). So every image the pipeline
builds gets a signed attestation. This is GCP Binary Authorization, not
cosign/Sigstore — worth naming precisely (both do image signing; different tools).
google_binary_authorization_policy with
cluster_admission_rules + require_attestations_by, and GKE clusters
enable it (enable_binary_authorization). You'll meet Terraform properly in
Course 7 — here, note that the policy is code too.
evaluation_mode = "ALWAYS_ALLOW",
enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY"
(terraform/live/stag-manabie/…/terragrunt.hcl:49-50, and the
prod cells). So an image without an attestation would still be admitted — the policy
just logs what it would have done. This is the same "machinery built, enforcement not
turned on" pattern as Istio's mTLS (Course 4 L9). The precise interview line:
"We sign attestations and run Binary Authorization in DRYRUN — auditing, not blocking —
so we can validate the policy before flipping it to enforce." That's exactly the safe way
to roll out an admission gate.
GCP Binary Authorization + SLSA
The attestation/admission model, DRYRUN vs enforce, and the supply-chain framework.
→ cloud.google.com — Binary Authorization overview
→ slsa.dev — Supply-chain Levels for Software Artifacts
Check yourself (from memory)
Q1. An attestation is…
Q2. Binary Authorization enforces at…
Q3. In this repo, Binary Authorization is currently…
DRYRUN_AUDIT_LOG_ONLY — attestations are signed and
logged, but an unattested image is still admitted.
binauthz-sign action runs gcloud … binauthz attestations
sign-and-create (KMS attestor stag/prod-deploy) after build+scan. Policy is in TERRAFORM
(google_binary_authorization_policy, cluster_admission_rules; GKE
enable_binary_authorization). BUT it's AUDIT-ONLY:
enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY", evaluation_mode = "ALWAYS_ALLOW"
→ logs, doesn't block (like Istio mTLS-off). GCP attestors, NOT cosign. This is the SLSA
provenance idea. Safe rollout = DRYRUN first, then enforce.