Let’s consider a basic example of how Grafeas can provide deploy-time control for the PaymentProcessor app using a demo verification pipeline.
Assume that a PaymentProcessor container image has been created and pushed to Google Container Registry. This example uses the gcr.io/exampleApp/PaymentProcessor container for testing. As the QA engineer, you want to create an attestation certifying this image for production usage. Instead of trusting an image tag like 0.0.1, which can be reused and point to a different container image later, we can trust the image digest to ensure the attestation links to the full image contents.
**1. Set up the environment**
Generate a signing key:
```
gpg --quick-generate-key --yes qa_bob@example.com
```
Export the image signer's public key:
```
gpg --armor --export image.signer@example.com > ${GPG_KEY_ID}.pub
```
Create the ‘qa’ AttestationAuthority note via the Grafeas API:
```
curl -X POST \
"http://127.0.0.1:8080/v1alpha1/projects/image-signing/notes?noteId=qa" \
-d @note.json
```
Create the Kubernetes ConfigMap for admissions control and store the QA signer's public key:
```
kubectl create configmap image-signature-webhook \
  --from-file ${GPG_KEY_ID}.pub
kubectl get configmap image-signature-webhook -o yaml
```
Set up an admissions control webhook to require a QA signature during deployment:
```
kubectl apply -f kubernetes/image-signature-webhook.yaml
```
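The decision this webhook has to make, and why the attestation is bound to the image digest rather than the tag, as an added Go example (not code from the original post or the Grafeas project). Ed25519 from the standard library stands in for GPG, an in-memory map stands in for Grafeas attestation occurrences, and `Digest`, `Attest` and `Admit` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Digest returns the content address "sha256:<hex>" of an image manifest.
func Digest(manifest []byte) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256(manifest))
}

// Attest signs a digest with the QA key (Ed25519 stands in for GPG here).
func Attest(priv ed25519.PrivateKey, digest string) []byte {
	return ed25519.Sign(priv, []byte(digest))
}

// Admit is the deploy-time check: the image must be referenced by digest, and
// that digest must carry a signature that verifies under the trusted QA key.
// atts maps digest -> signature (stand-in for Grafeas attestation occurrences).
func Admit(pub ed25519.PublicKey, image string, atts map[string][]byte) error {
	i := strings.LastIndex(image, "@sha256:")
	if i < 0 {
		return errors.New("rejected: image referenced by tag, not digest")
	}
	digest := image[i+1:]
	sig, ok := atts[digest]
	if !ok || !ed25519.Verify(pub, []byte(digest), sig) {
		return errors.New("rejected: no valid QA attestation for " + digest)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway demo key
	const repo = "gcr.io/exampleApp/PaymentProcessor"
	v1 := Digest([]byte("manifest v1 (constructed)"))
	v2 := Digest([]byte("manifest v2 (constructed)")) // tag 0.0.1 re-pushed
	atts := map[string][]byte{v1: Attest(priv, v1)}
	for _, ref := range []string{repo + ":0.0.1", repo + "@" + v1, repo + "@" + v2} {
		fmt.Println(ref, "->", Admit(pub, ref, atts))
	}
}
```

Only the digest-pinned reference to the attested manifest is admitted; the tag reference and the re-pushed content are both rejected, because the signature covers the digest string itself.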
**2. Attempt to deploy an image without QA attestation**
Attempt to run the image in paymentProcessor.yaml before it is QA attested:
```
kubectl apply -f pods/nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: payment
spec:
  containers: