Search code examples
securitykubernetesgoogle-kubernetes-enginegoogle-cloud-kms

Binary Authorization - Deployment failed - Denied by Attestor. Attestor cannot attest to an image in GKE

I was trying to showcase binary authorization to my client as POC. During the deployment, it is failing with the following error message:

pods "hello-app-6589454ddd-wlkbg" is forbidden: image policy webhook backend denied one or more images: Denied by cluster admission rule for us-central1.staging-cluster. Denied by Attestor. Image gcr.io//hello-app:e1479a4 denied by projects//attestors/vulnz-attestor: Attestor cannot attest to an image deployed by tag

I have adhered all steps mentioned in the site.

I have verified the image repeatedly for few occurances, for example using below command to force fully make the attestation:

gcloud alpha container binauthz attestations sign-and-create   --project "projectxyz"  --artifact-url "gcr.io/projectxyz/hello-app@sha256:82f1887cf5e1ff80ee67f4a820703130b7d533f43fe4b7a2b6b32ec430ddd699"   --attestor "vulnz-attestor"   --attestor-project "projectxyz"   --keyversion "1"   --keyversion-key "vulnz-signer"   --keyversion-location "us-central1"   --keyversion-keyring "binauthz"   --keyversion-project "projectxyz"

It throws error as:

ERROR: (gcloud.alpha.container.binauthz.attestations.sign-and-create) Resource in project [project xyz] is the subject of a conflict: occurrence ID "c5f03cc3-3829-44cc-ae38-2b2b3967ba61" already exists in project "projectxyz"

So when I verify, I found the attestion present:

gcloud beta container binauthz attestations list       --artifact-url "gcr.io/projectxyz/hello-app@sha256:82f1887cf5e1ff80ee67f4a820703130b7d533f43fe4b7a2b6b32ec430ddd699"       --attestor "vulnz-attestor"       --attestor-project "projectxyz"       --format json  | jq '.[0].kind' \
>       | grep 'ATTESTATION'
"ATTESTATION"

Here are the screen shots:

deployment error

container

cloud build

Any feedback please?

Thanks in advance.

Solution

  • Thank you for trying Binary Authorization. I just updated the Binary Authorization Solution, which you might find helpful.

    A few things I noticed along the way:

    ... denied by projects//attestors/vulnz-attestor:

    There should be a project ID in between projects and attestors, like:

    projects/my-project/attestors/vulnz-attestor

    Similarly, your gcr.io links should include that same project ID, for example:

    gcr.io//hello-app:e1479a4

    should be

    gcr.io/my-project/hello-app:e1479a4

    If you followed a tutorial, it likely asked you to set a variable like $PROJECT_ID, but you may have accidentally unset it or ran the command in a different terminal session.