Stats
Actions
Tags
Implements GCP Binary Authorization to enforce deployment-time security on GKE and Cloud Run, requiring attested container images via policies and KMS keys.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills-zh:implementing-gcp-binary-authorizationThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Binary Authorization(二进制授权)是 Google Cloud 的部署时安全控制,确保只有受信任的容器镜像才能部署到 GKE 或 Cloud Run。它采用基于策略的模型,镜像必须持有加密认证,证明已通过预定义要求,如漏洞扫描、代码审查或构建流水线验证。持续验证(CV)会监控正在运行的 Pod 是否符合策略,并记录违规情况。
Binary Authorization(二进制授权)是 Google Cloud 的部署时安全控制,确保只有受信任的容器镜像才能部署到 GKE 或 Cloud Run。它采用基于策略的模型,镜像必须持有加密认证,证明已通过预定义要求,如漏洞扫描、代码审查或构建流水线验证。持续验证(CV)会监控正在运行的 Pod 是否符合策略,并记录违规情况。
# 启用所需 API
gcloud services enable binaryauthorization.googleapis.com
gcloud services enable containeranalysis.googleapis.com
gcloud services enable container.googleapis.com
# 在 GKE 集群上启用 Binary Authorization
gcloud container clusters update CLUSTER_NAME \
--enable-binauthz \
--zone us-central1-a
# 创建密钥环
gcloud kms keyrings create binauthz-keyring \
--location global
# 创建签名密钥
gcloud kms keys create attestor-key \
--keyring binauthz-keyring \
--location global \
--algorithm ec-sign-p256-sha256 \
--purpose asymmetric-signing
cat > /tmp/note.json << 'EOF'
{
"attestation": {
"hint": {
"humanReadableName": "Production Build Attestor"
}
}
}
EOF
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/notes/?noteId=prod-build-note" \
-d @/tmp/note.json
gcloud container binauthz attestors create prod-build-attestor \
--attestation-authority-note=prod-build-note \
--attestation-authority-note-project=PROJECT_ID
# 将 KMS 密钥添加到认证者
gcloud container binauthz attestors public-keys add \
--attestor=prod-build-attestor \
--keyversion-project=PROJECT_ID \
--keyversion-location=global \
--keyversion-keyring=binauthz-keyring \
--keyversion-key=attestor-key \
--keyversion=1
# binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: "gcr.io/google_containers/*"
- namePattern: "gcr.io/google-containers/*"
- namePattern: "k8s.gcr.io/**"
- namePattern: "gke.gcr.io/**"
- namePattern: "gcr.io/stackdriver-agents/*"
defaultAdmissionRule:
evaluationMode: REQUIRE_ATTESTATION
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
requireAttestationsBy:
- projects/PROJECT_ID/attestors/prod-build-attestor
globalPolicyEvaluationMode: ENABLE
gcloud container binauthz policy import binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: "gcr.io/google_containers/*"
clusterAdmissionRules:
us-central1-a.production-cluster:
evaluationMode: REQUIRE_ATTESTATION
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
requireAttestationsBy:
- projects/PROJECT_ID/attestors/prod-build-attestor
us-central1-a.staging-cluster:
evaluationMode: ALWAYS_ALLOW
enforcementMode: DRYRUN_AUDIT_LOG_ONLY
defaultAdmissionRule:
evaluationMode: ALWAYS_DENY
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
# 获取镜像摘要
IMAGE_DIGEST=$(gcloud container images describe \
gcr.io/PROJECT_ID/my-app:latest \
--format='get(image_summary.digest)')
# 创建认证
gcloud container binauthz attestations sign-and-create \
--artifact-url="gcr.io/PROJECT_ID/my-app@${IMAGE_DIGEST}" \
--attestor="prod-build-attestor" \
--attestor-project="PROJECT_ID" \
--keyversion-project="PROJECT_ID" \
--keyversion-location="global" \
--keyversion-keyring="binauthz-keyring" \
--keyversion-key="attestor-key" \
--keyversion="1"
# cloudbuild.yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
args: ['build', '-t', 'gcr.io/$PROJECT_ID/my-app:$SHORT_SHA', '.']
- name: 'gcr.io/cloud-builders/docker'
args: ['push', 'gcr.io/$PROJECT_ID/my-app:$SHORT_SHA']
# 漏洞扫描
- name: 'gcr.io/cloud-builders/gcloud'
entrypoint: 'bash'
args:
- '-c'
- |
gcloud artifacts docker images scan \
gcr.io/$PROJECT_ID/my-app:$SHORT_SHA \
--format='value(response.scan)'
# 扫描成功后创建认证
- name: 'gcr.io/cloud-builders/gcloud'
entrypoint: 'bash'
args:
- '-c'
- |
IMAGE_DIGEST=$(gcloud container images describe \
gcr.io/$PROJECT_ID/my-app:$SHORT_SHA \
--format='get(image_summary.digest)')
gcloud container binauthz attestations sign-and-create \
--artifact-url="gcr.io/$PROJECT_ID/my-app@$${IMAGE_DIGEST}" \
--attestor="prod-build-attestor" \
--attestor-project="$PROJECT_ID" \
--keyversion-project="$PROJECT_ID" \
--keyversion-location="global" \
--keyversion-keyring="binauthz-keyring" \
--keyversion-key="attestor-key" \
--keyversion="1"
# 在 GKE 集群上启用持续验证
gcloud container clusters update CLUSTER_NAME \
--enable-binauthz-monitoring \
--zone us-central1-a
resource.type="k8s_cluster"
logName="projects/PROJECT_ID/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation"
# 此操作应被阻断
kubectl run test-unapproved \
--image=docker.io/library/nginx:latest
# 验证 Pod 已被拒绝
kubectl get events --field-selector reason=FailedCreate
gcloud container binauthz attestations list \
--attestor=prod-build-attestor \
--attestor-project=PROJECT_ID
用于紧急部署时绕过 Binary Authorization:
apiVersion: v1
kind: Pod
metadata:
name: emergency-pod
labels:
image-policy.k8s.io/break-glass: "true"
annotations:
alpha.image-policy.k8s.io/break-glass: "Emergency deployment - ticket INC-12345"
spec:
containers:
- name: emergency
image: gcr.io/PROJECT_ID/emergency-fix:latest
npx claudepluginhub killvxk/cybersecurity-skills-zhImplements GCP Binary Authorization to enforce deploy-time security controls ensuring only trusted, attested container images deploy to GKE and Cloud Run. Includes API enablement, attestor creation, and KMS setup.
Implements GCP Binary Authorization to enforce deploy-time security controls ensuring only trusted, attested container images are deployed to GKE and Cloud Run.
Implements GCP Binary Authorization to enforce deploy-time security, ensuring only attested container images deploy to GKE and Cloud Run.