implementing-gcp-binary-authorization
Implement GCP Binary Authorization to enforce deploy-time security controls that ensure only trusted, attested container images are deployed to Google Kubernetes Engine and Cloud Run.
Best use case
implementing-gcp-binary-authorization is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Implement GCP Binary Authorization to enforce deploy-time security controls that ensure only trusted, attested container images are deployed to Google Kubernetes Engine and Cloud Run.
Teams using implementing-gcp-binary-authorization should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/implementing-gcp-binary-authorization/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How implementing-gcp-binary-authorization Compares
| Feature / Agent | implementing-gcp-binary-authorization | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Implement GCP Binary Authorization to enforce deploy-time security controls that ensure only trusted, attested container images are deployed to Google Kubernetes Engine and Cloud Run.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Implementing GCP Binary Authorization
## Overview
Binary Authorization is a Google Cloud deploy-time security control that ensures only trusted container images are deployed on GKE or Cloud Run. It works through a policy-based model where images must have cryptographic attestations confirming they passed predefined requirements such as vulnerability scans, code reviews, or build pipeline verification. Continuous validation (CV) monitors running pods against policies and logs violations.
## When to Use
- When deploying or configuring implementing gcp binary authorization capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- GCP project with Binary Authorization API enabled
- GKE cluster or Cloud Run service
- Container Analysis API enabled
- KMS keys for attestation signing
- Cloud Build or external CI/CD pipeline
## Enable Binary Authorization
```bash
# Enable required APIs
gcloud services enable binaryauthorization.googleapis.com
gcloud services enable containeranalysis.googleapis.com
gcloud services enable container.googleapis.com
# Enable Binary Authorization on GKE cluster
gcloud container clusters update CLUSTER_NAME \
--enable-binauthz \
--zone us-central1-a
```
## Create Attestor
### Create a KMS key for signing
```bash
# Create keyring
gcloud kms keyrings create binauthz-keyring \
--location global
# Create signing key
gcloud kms keys create attestor-key \
--keyring binauthz-keyring \
--location global \
--algorithm ec-sign-p256-sha256 \
--purpose asymmetric-signing
```
### Create Container Analysis note
```bash
cat > /tmp/note.json << 'EOF'
{
"attestation": {
"hint": {
"humanReadableName": "Production Build Attestor"
}
}
}
EOF
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://containeranalysis.googleapis.com/v1/projects/PROJECT_ID/notes/?noteId=prod-build-note" \
-d @/tmp/note.json
```
### Create the attestor
```bash
gcloud container binauthz attestors create prod-build-attestor \
--attestation-authority-note=prod-build-note \
--attestation-authority-note-project=PROJECT_ID
# Add KMS key to attestor
gcloud container binauthz attestors public-keys add \
--attestor=prod-build-attestor \
--keyversion-project=PROJECT_ID \
--keyversion-location=global \
--keyversion-keyring=binauthz-keyring \
--keyversion-key=attestor-key \
--keyversion=1
```
## Configure Policy
### Default deny-all policy
```yaml
# binauthz-policy.yaml
admissionWhitelistPatterns:
- namePattern: "gcr.io/google_containers/*"
- namePattern: "gcr.io/google-containers/*"
- namePattern: "k8s.gcr.io/**"
- namePattern: "gke.gcr.io/**"
- namePattern: "gcr.io/stackdriver-agents/*"
defaultAdmissionRule:
evaluationMode: REQUIRE_ATTESTATION
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
requireAttestationsBy:
- projects/PROJECT_ID/attestors/prod-build-attestor
globalPolicyEvaluationMode: ENABLE
```
```bash
gcloud container binauthz policy import binauthz-policy.yaml
```
### Per-cluster rules
```yaml
admissionWhitelistPatterns:
- namePattern: "gcr.io/google_containers/*"
clusterAdmissionRules:
us-central1-a.production-cluster:
evaluationMode: REQUIRE_ATTESTATION
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
requireAttestationsBy:
- projects/PROJECT_ID/attestors/prod-build-attestor
us-central1-a.staging-cluster:
evaluationMode: ALWAYS_ALLOW
enforcementMode: DRYRUN_AUDIT_LOG_ONLY
defaultAdmissionRule:
evaluationMode: ALWAYS_DENY
enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
```
## Create Attestations
### Attest an image after successful build
```bash
# Get image digest
IMAGE_DIGEST=$(gcloud container images describe \
gcr.io/PROJECT_ID/my-app:latest \
--format='get(image_summary.digest)')
# Create attestation
gcloud container binauthz attestations sign-and-create \
--artifact-url="gcr.io/PROJECT_ID/my-app@${IMAGE_DIGEST}" \
--attestor="prod-build-attestor" \
--attestor-project="PROJECT_ID" \
--keyversion-project="PROJECT_ID" \
--keyversion-location="global" \
--keyversion-keyring="binauthz-keyring" \
--keyversion-key="attestor-key" \
--keyversion="1"
```
### Cloud Build integration
```yaml
# cloudbuild.yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
args: ['build', '-t', 'gcr.io/$PROJECT_ID/my-app:$SHORT_SHA', '.']
- name: 'gcr.io/cloud-builders/docker'
args: ['push', 'gcr.io/$PROJECT_ID/my-app:$SHORT_SHA']
# Vulnerability scanning
- name: 'gcr.io/cloud-builders/gcloud'
entrypoint: 'bash'
args:
- '-c'
- |
gcloud artifacts docker images scan \
gcr.io/$PROJECT_ID/my-app:$SHORT_SHA \
--format='value(response.scan)'
# Create attestation after successful scan
- name: 'gcr.io/cloud-builders/gcloud'
entrypoint: 'bash'
args:
- '-c'
- |
IMAGE_DIGEST=$(gcloud container images describe \
gcr.io/$PROJECT_ID/my-app:$SHORT_SHA \
--format='get(image_summary.digest)')
gcloud container binauthz attestations sign-and-create \
--artifact-url="gcr.io/$PROJECT_ID/my-app@$${IMAGE_DIGEST}" \
--attestor="prod-build-attestor" \
--attestor-project="$PROJECT_ID" \
--keyversion-project="$PROJECT_ID" \
--keyversion-location="global" \
--keyversion-keyring="binauthz-keyring" \
--keyversion-key="attestor-key" \
--keyversion="1"
```
## Continuous Validation
```bash
# Enable CV on a GKE cluster
gcloud container clusters update CLUSTER_NAME \
--enable-binauthz-monitoring \
--zone us-central1-a
```
### Monitor CV violations in Cloud Logging
```
resource.type="k8s_cluster"
logName="projects/PROJECT_ID/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation"
```
## Verification and Testing
### Test deployment of unattested image
```bash
# This should be blocked
kubectl run test-unapproved \
--image=docker.io/library/nginx:latest
# Verify the pod was denied
kubectl get events --field-selector reason=FailedCreate
```
### Verify attestation exists
```bash
gcloud container binauthz attestations list \
--attestor=prod-build-attestor \
--attestor-project=PROJECT_ID
```
## Break-Glass Override
For emergency deployments bypassing Binary Authorization:
```yaml
apiVersion: v1
kind: Pod
metadata:
name: emergency-pod
labels:
image-policy.k8s.io/break-glass: "true"
annotations:
alpha.image-policy.k8s.io/break-glass: "Emergency deployment - ticket INC-12345"
spec:
containers:
- name: emergency
image: gcr.io/PROJECT_ID/emergency-fix:latest
```
## References
- GCP Binary Authorization: https://cloud.google.com/binary-authorization/docs
- SLSA Framework: https://slsa.dev
- Sigstore/Cosign for container signing
- Google Software Supply Chain Security Best PracticesRelated Skills
testing-api-for-broken-object-level-authorization
Tests REST and GraphQL APIs for Broken Object Level Authorization (BOLA/IDOR) vulnerabilities where an authenticated user can access or modify resources belonging to other users by manipulating object identifiers in API requests. The tester intercepts API calls, identifies object ID parameters (numeric IDs, UUIDs, slugs), and systematically replaces them with IDs belonging to other users to determine if the server enforces per-object authorization. This is OWASP API Security Top 10 2023 risk API1. Activates for requests involving BOLA testing, IDOR in APIs, object-level authorization testing, or API access control bypass.
performing-binary-exploitation-analysis
Analyze binary exploitation techniques including buffer overflows and ROP chains using pwntools Python library. Covers checksec analysis, gadget discovery with ROPgadget, and exploit development for CTF and authorized security assessments.
implementing-zero-trust-with-hashicorp-boundary
Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential brokering, session recording, and Vault integration.
implementing-zero-trust-with-beyondcorp
Deploy Google BeyondCorp Enterprise zero trust access controls using Identity-Aware Proxy (IAP), context-aware access policies, device trust validation, and Access Context Manager to enforce identity and posture-based access to GCP resources and internal applications.
implementing-zero-trust-network-access
Implementing Zero Trust Network Access (ZTNA) in cloud environments by configuring identity-aware proxies, micro-segmentation, continuous verification with conditional access policies, and replacing traditional VPN-based access with BeyondCorp-style architectures across AWS, Azure, and GCP.
implementing-zero-trust-for-saas-applications
Implementing zero trust access controls for SaaS applications using CASB, SSPM, conditional access policies, OAuth app governance, and session controls to enforce identity verification, device compliance, and data protection for cloud-hosted services.
implementing-zero-trust-dns-with-nextdns
Implement NextDNS as a zero trust DNS filtering layer with encrypted resolution, threat intelligence blocking, privacy protection, and organizational policy enforcement across all endpoints.
implementing-zero-standing-privilege-with-cyberark
Deploy CyberArk Secure Cloud Access to eliminate standing privileges in hybrid and multi-cloud environments using just-in-time access with time, entitlement, and approval controls.
implementing-zero-knowledge-proof-for-authentication
Zero-Knowledge Proofs (ZKPs) allow a prover to demonstrate knowledge of a secret (such as a password or private key) without revealing the secret itself. This skill implements the Schnorr identificati
implementing-web-application-logging-with-modsecurity
Configure ModSecurity WAF with OWASP Core Rule Set (CRS) for web application logging, tune rules to reduce false positives, analyze audit logs for attack detection, and implement custom SecRules for application-specific threats. The analyst configures SecRuleEngine, SecAuditEngine, and CRS paranoia levels to balance security coverage with operational stability. Activates for requests involving WAF configuration, ModSecurity rule tuning, web application audit logging, or CRS deployment.
implementing-vulnerability-sla-breach-alerting
Build automated alerting for vulnerability remediation SLA breaches with severity-based timelines, escalation workflows, and compliance reporting dashboards.
implementing-vulnerability-remediation-sla
Vulnerability remediation SLAs define mandatory timeframes for patching or mitigating identified vulnerabilities based on severity, asset criticality, and exploit availability. Effective SLA programs