Build Binary Authorization admission policies with attestor requirements, cluster rules, and image allowlists.
Last verified: May 2026
Your team is hardening GKE production clusters after a security audit. The builder generates two attestors ('vulnerability-scan-passed', signed by Cloud Build after the Container Analysis scan completes, and 'qa-approved', signed by a Cloud Function triggered when QA tickets close), a policy requiring BOTH attestations for deployments to the prod cluster, and dry-run mode initially. After 3 weeks, the audit log shows zero legitimate workflows blocked. Switch to enforce mode. From that point, no unscanned or unapproved code can land in production — eliminating a class of supply-chain incidents.
Binary Authorization is a deploy-time security control for GKE and Cloud Run that ensures only trusted container images run in your environments. It works by requiring attestations — cryptographic signatures from authorities you define — before a container image is admitted. This builder helps you configure Binary Authorization policies including default rules, cluster-specific rules, attestor definitions, and exemption patterns, generating the policy YAML and gcloud commands needed for enforcement.
The builder constructs Binary Authorization policy YAML definitions: a default rule (requireAttestationsBy a list of attestors), per-cluster admission rules with override behaviors (ALWAYS_ALLOW, ALWAYS_DENY, REQUIRE_ATTESTATION), exemption image patterns (e.g., gcr.io/google-containers/* for system images), and the global policy evaluation mode (enforce vs dry-run). It also generates attestor resources backed by Cloud KMS or PGP keys. Output is YAML for `gcloud container binauthz policy import` and Terraform google_binary_authorization_policy + google_binary_authorization_attestor resources.
ALWAYS deploy Binary Authorization in DRY-RUN mode first. Setting it to enforced before validating that all your existing deployments would pass is the fastest way to break production. Run dry-run for 1-2 weeks, audit the violations, build attestor pipelines for any unsigned legitimate images, THEN enforce.
Attestation is per-image-DIGEST, not per-tag. This is the security feature: even if someone re-tags a malicious image as `myapp:v1.0`, it won't have a valid attestation for its digest. Tag-based versioning continues to work in your CI/CD pipeline; the security boundary is enforced at the digest level.
Multi-attestor policies (require BOTH 'vulnerability scan passed' AND 'QA approved') are the right pattern for production. Build attestor functions into your CI/CD pipeline that sign attestations only after specific gates pass. The result: you cannot deploy unscanned or unapproved code to production, period.
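As an added example (not output from the builder itself), here is a policy for the two-attestor scenario above: the prod cluster requires both attestations and starts in dry-run, while unlisted clusters stay open. PROJECT_ID and the cluster key `us-central1.prod-cluster` are placeholders; the attestor names come from the scenario.

```yaml
# Added example policy; PROJECT_ID and the cluster key are assumed placeholders.
name: projects/PROJECT_ID/policy

# ENABLE keeps Google-maintained system images (GKE add-ons) admitted
# without requiring your own attestations.
globalPolicyEvaluationMode: ENABLE

# Exemption patterns: images matching these are admitted without attestation.
# Keep this list short; every pattern here is outside the attestation boundary.
admissionWhitelistPatterns:
- namePattern: gcr.io/google-containers/*
- namePattern: gke.gcr.io/**

# Default rule for any cluster not listed under clusterAdmissionRules.
# Dev/test clusters fall through to this and are not gated.
defaultAdmissionRule:
  evaluationMode: ALWAYS_ALLOW
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

# Cluster-specific rules are keyed by LOCATION.CLUSTER_NAME.
clusterAdmissionRules:
  us-central1.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    # Every attestor listed must have signed the image digest; one is not enough.
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/vulnerability-scan-passed
    - projects/PROJECT_ID/attestors/qa-approved
    # Start here: violations are written to the audit log but nothing is blocked.
    # After the dry-run window shows no legitimate workflow blocked, change to
    # ENFORCED_BLOCK_AND_AUDIT_LOG and re-import the policy.
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
```

Apply it with `gcloud container binauthz policy import policy.yaml`, then filter Cloud Audit Logs for Binary Authorization dry-run violations on the prod cluster before flipping the enforcement mode.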