Open gbohra opened 3 years ago
It's not verifying when deploying the same image to the GKE cluster.
Do you mean that the cluster isn't verifying attestations when workloads are being admitted into the GKE cluster? If so, this should happen via Kritis, so make sure that's set up correctly! If you mean something else, please let us know!
Thanks @Nilay-Shah.
I am following this document to attest the image - https://cloud.google.com/binary-authorization/docs/creating-attestations-voucher
After attestation, I use Binary Authorization in the GKE cluster to check the attestation key with the attestor. However, it doesn't work and starts throwing the error.
I am not using Kritis. However, I am using Binary Authorization of GKE.
After attestation, I use Binary Authorization in the GKE cluster to check the attestation key with the attestor. However, it doesn't work and starts throwing the error.
Can you expand more on how you went about doing this? What is the error (from your initial message, I can't see an error)?
I am using Binary Authorization on GCP as discussed in this article.
{"image":"gcr.io/spinnaker-binary-auth/binauthz-test@sha256:23e9c4665ed4abc19b69beb902fd8c356953c74ad576bb1eb776951948b91ac5","success":true,"results":[{"name":"snakeoil","success":true,"attested":true,"details":{"CheckName":"snakeoil","Body":"{\"critical\":{\"identity\":{\"docker-reference\":\"gcr.io/{project-id}/binauthz-test\"},\"image\":{\"docker-manifest-digest\":\"sha256:23e9c4665ed4abc19b69beb902fd8c356953c74ad576bb1eb776951948b91ac5\"},\"type\":\"Google cloud binauthz container signature\"}}","Signature":"\ufffdBO9\u001f\ufffd\ufffd\ufffd\u0017\ufffdo\ufffd$\u000f\ufffd\ufffd]\ufffdQX\ufffdm\ufffd\ufffd2\ufffdI\\ufffd\ufffd\ufffd\ufffd\ufffdXG\ufffd44\ufffd/\ufffd\ufffd\r],C\ufffd\ufffd@$\ufffd\ufffdm\u0016\ufffd\u0004\ufffd\ufffd\ufffdaec3\ufffdq\ufffd\ufffd\u0013o^\ufffdͫ\ufffdg\ufffd\ufffd\ufffdW\ufffd\ufffd\ufffd01\ufffd\ufffd\u001f\ufffd\ufffd\ufffd\ufffdP{\ufffd(\ufffd\ufffd\ufffd\u001d\ufffd_\ufffd\u001fw\ufffd]\u000e\ufffd\ufffd\ufffd\"\u000chx\u001b]!\ufffd\ufffd\ufffd\ufffd\ufffdi:\ufffdَ|\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\u0010E\u0013\ufffd\ufffd\ufffd\u0007\ufffd).]\ufffd8\ufffd\ufffd:\ufffd\ufffd\u00261IÔ\ufffdK\ufffd\u001e\ufffd\ufffd\u001a\ufffd\ufffdwux|\u0026'S\ufffd9\ufffdB\ufffd%\ufffd\u000b;\ufffd\ufffdD\ufffd|E=)l\ufffd\ufffd8\ufffd):\ufffdA\ufffd%\u0005\u0006\u0002+\u0019V\ufffd\ufffdn\ufffd\u001eR[Icɘ\u001a\u001cEt\ufffd{\ufffdh\ufffd\u000c;m[\ufffd2\ufffdEc\ufffd\ufffd/t$f\u0011\ufffd\u000b\ufffdm\ufffdd1\ufffdm\ufffdj\ufffd\t\ufffd:8\ufffd\ufffd\u0012\ufffd\ufffdc\ufffd\ufffdz\ufffd\ufffd\ufffd\u0000\u001779\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffdP\ufffd\ufffd7\u0019\ufffd\u0010A\u0008\ufffd\ufffdk\ufffd\u0007٭\ufffdV\u0005-\u0019\ufffd\u0004f\u001c\ufffd\u000b\ufffdL.\ufffd6w\ufffd\ufffd\ufffd\ufffd\u001a\ufffd\u001b\ufffd\ufffd\ufffd[l\ufffd\ufffd?\ufffd\u0015\ufffd!T$~\ufffd~\ufffd\ufffd\u000bxxA\ufffd\u001d\ufffd\ufffdѰr\ufffd\u0007\ufffds\ufffd5%\ufffd/ե\ufffd\ufffdM.ߝE\ufffd\ufffdrD=ٻ\ufffd\ufffd\u000f?W@\ufffd\ufffd\ufffd\ufffd7\ufffd\u0000\u003e\ufffd9\ufffdqg\ufffd\ufffd\ufffd\ufffd\ufffd\u0001V\ufffd9\ufffd\u00007h\ufffduZ\u0006\ufffd\ufffdmj\r\ufffd^z\u001ei\ufffd\ufffd6]\ufffd\ufffd\u000fU\\u0003(߳\ufffd;\ufffd\u000e|\u0019\ufffd\u001f\ufffd\ufffd\ufffdl\ufffd\ufffdי3\ufffd8\ufffd\ufffdPlu!\ufffd\u0005\u00073\ufffdF\ufffd\ufffd\ufffd\\ufffdU\ufffd\u000e\ufffd@7\ufffd\ufffd1UKr\ufffd\ufffdhй-=0\ufffd\n\ufffdC+\ufffd\u001e9\r\ufffd\ufffd\ufffd\u001f\u0019","KeyID":"//cloudkms.googleapis.com/v1/projects/{project-id}/locations/global/keyRings/voucher-key-ring/cryptoKeys/voucher-key/cryptoKeyVersions/1"}}]}
Although we got the voucher attestation with a true result, it's not verifying when deploying the same image to the GKE cluster.
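A first step when an attestation exists but admission still fails is to confirm that the attestation body Voucher produced is bound to exactly the digest the cluster will see. The following is an added diagnostic, not part of the issue, the Voucher project or Binary Authorization: it parses the Voucher result shape quoted above (the sample here keeps the attestation body and KeyID from the issue, with the redacted `{project-id}` placeholder left in place and the binary signature replaced by a placeholder string, since the real bytes are not reproducible) and reports mismatches between the image reference that was attested, the body's `docker-manifest-digest` and `docker-reference`, and the reference a deployment manifest uses. The function names and the finding strings are this example's own.

```python
import json
import re

# Constructed sample modelled on the Voucher output quoted in the issue.
# The attestation body and KeyID are as shown there; the signature is a
# placeholder because the real value is raw binary.
ATTESTED_DIGEST = "sha256:23e9c4665ed4abc19b69beb902fd8c356953c74ad576bb1eb776951948b91ac5"
SAMPLE_VOUCHER_OUTPUT = json.dumps({
    "image": "gcr.io/spinnaker-binary-auth/binauthz-test@" + ATTESTED_DIGEST,
    "success": True,
    "results": [{
        "name": "snakeoil",
        "success": True,
        "attested": True,
        "details": {
            "CheckName": "snakeoil",
            # Body is itself a JSON string, exactly as in the quoted output.
            "Body": json.dumps({
                "critical": {
                    "identity": {"docker-reference": "gcr.io/{project-id}/binauthz-test"},
                    "image": {"docker-manifest-digest": ATTESTED_DIGEST},
                    "type": "Google cloud binauthz container signature",
                }
            }),
            "Signature": "<binary signature bytes omitted in this sample>",
            "KeyID": "//cloudkms.googleapis.com/v1/projects/{project-id}/locations/global/"
                     "keyRings/voucher-key-ring/cryptoKeys/voucher-key/cryptoKeyVersions/1",
        },
    }],
})

# A digest-pinned reference: repository@sha256:<64 hex chars>
DIGEST_RE = re.compile(r"^(?P<repo>[^@:]+(?::\d+)?[^@]*)@(?P<digest>sha256:[0-9a-f]{64})$")


def split_image_ref(image):
    """Return (repository, digest) for a digest-pinned reference, else (image, None)."""
    m = DIGEST_RE.match(image)
    if m is None:
        return image, None
    return m.group("repo"), m.group("digest")


def check_voucher_output(raw):
    """Compare each attestation body in a Voucher result against the image it claims to cover.

    Returns a list of human-readable findings; an empty list means the body is
    consistent with the attested image reference.
    """
    doc = json.loads(raw)
    repo, digest = split_image_ref(doc["image"])
    findings = []
    if digest is None:
        findings.append("attested image reference is not pinned by digest: %s" % doc["image"])
        return findings
    for result in doc.get("results", []):
        details = result.get("details", {})
        critical = json.loads(details["Body"])["critical"]
        body_digest = critical["image"]["docker-manifest-digest"]
        body_ref = critical["identity"]["docker-reference"]
        if not result.get("attested"):
            findings.append("check %s did not produce an attestation" % result.get("name"))
        if body_digest != digest:
            findings.append("body digest %s differs from attested image digest %s"
                            % (body_digest, digest))
        if body_ref != repo:
            findings.append("body docker-reference %s differs from attested repository %s"
                            % (body_ref, repo))
        if not details.get("KeyID", "").startswith("//cloudkms.googleapis.com/"):
            findings.append("KeyID is not a Cloud KMS key version: %r" % details.get("KeyID"))
    return findings


def check_deploy_ref(deploy_image, attested_digest):
    """Report whether the reference in a deployment manifest can match the attested digest."""
    findings = []
    _, digest = split_image_ref(deploy_image)
    if digest is None:
        findings.append("deployment references the image by tag, so the admission check "
                        "has no digest to match against the attestation: %s" % deploy_image)
    elif digest != attested_digest:
        findings.append("deployment digest %s differs from attested digest %s"
                        % (digest, attested_digest))
    return findings


if __name__ == "__main__":
    for line in check_voucher_output(SAMPLE_VOUCHER_OUTPUT):
        print("voucher:", line)
    for line in check_deploy_ref("gcr.io/spinnaker-binary-auth/binauthz-test:latest", ATTESTED_DIGEST):
        print("deploy:", line)
```

On the sample, the digest in the body matches the attested image, while the `docker-reference` differs only because the issue's output has the project id redacted; running the same check on real, unredacted output tells you whether the body was signed for the repository you think it was. The deployment check is the other half of the picture: an attestation is keyed to a digest, so a manifest that pulls `:latest` gives the admission controller nothing to match, whatever the attestor says.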