This document explains how to enable dry-run mode.
When you enable dry-run mode, Binary Authorization allows all container images to be deployed, even if those images violate the Binary Authorization policy. Policy compliance status messages are logged to Cloud Audit Logs. You can inspect the log to determine whether the images would have been disallowed and take corrective action. When the policy configuration works as you intend, you can disable dry-run mode to enable Binary Authorization enforcement; images that violate the policy are disallowed from being deployed.
You can set dry-run mode in the default rule or a specific rule.
Before you begin
To use dry-run mode, set up Binary Authorization for your platform.
Enable dry run
To enable dry run, do the following:
Console
- Go to the Binary Authorization page in the Google Cloud console.
- Click Edit Policy.
- In Default Rule or a specific rule, select Dry-run mode.
- Click Save Policy.
gcloud
- Export the Binary Authorization policy to a YAML file:
  gcloud container binauthz policy export > /tmp/policy.yaml
- In a text editor, set enforcementMode to DRYRUN_AUDIT_LOG_ONLY and save the file.
- To update the policy, import the file by executing the following command:
  gcloud container binauthz policy import /tmp/policy.yaml
To test dry-run mode, deploy images that violate the policy and then view dry-run mode events from Binary Authorization for GKE, Cloud Run, or Google Distributed Cloud.
Disable dry-run mode
To disable dry-run mode, update your policy as follows:
Console
- Go to the Binary Authorization page in the Google Cloud console.
- Click Edit Policy.
- In Default Rule or a specific rule, clear Dry-run mode.
- Click Save Policy.
gcloud
- Export the Binary Authorization policy:
  gcloud container binauthz policy export > /tmp/policy.yaml
- In a text editor, set enforcementMode to ENFORCED_BLOCK_AND_AUDIT_LOG and save the file.
- To update the policy, import the file by executing the following command:
  gcloud container binauthz policy import /tmp/policy.yaml
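Because dry-run mode can be set on the default rule or on any specific rule, it is easy to re-enable enforcement on one rule and leave another in dry run. The following check on the exported file is an added example, not part of the original documentation; it assumes the 2-space-indented YAML that the export command writes and the policy field names defaultAdmissionRule and clusterAdmissionRules, and the sample policy in it is constructed.

```shell
# Added example: find rules in an exported Binary Authorization policy that
# are still in dry-run mode. Assumes 2-space-indented YAML from the export.

# Print one line per rule whose enforcementMode is DRYRUN_AUDIT_LOG_ONLY.
dryrun_rules() {
  awk '
    # Top-level key: start of a new section (default rule or a rule map).
    /^[^ #-]/ { section = $1; sub(/:.*/, "", section); rule = section }
    # Key at indent 2 inside a *AdmissionRules map: name of a specific rule.
    /^  [^ -][^:]*:[ \t]*$/ && section ~ /AdmissionRules$/ {
      rule = $1; sub(/:$/, "", rule); rule = section "/" rule
    }
    # Report the rule that owns a dry-run enforcementMode line.
    /^ +enforcementMode:/ && $2 == "DRYRUN_AUDIT_LOG_ONLY" { print rule }
  ' "$1"
}

# Exit status 0 only when every rule enforces; otherwise name the offenders.
assert_enforced() {
  found=$(dryrun_rules "$1")
  if [ -z "$found" ]; then return 0; fi
  printf 'still in dry-run mode:\n%s\n' "$found" >&2
  return 1
}

# Constructed sample policy (not from a real project).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
clusterAdmissionRules:
  us-central1-a.prod-cluster:
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    evaluationMode: REQUIRE_ATTESTATION
    requireAttestationsBy:
    - projects/example-project/attestors/example-attestor
  us-central1-a.staging-cluster:
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    evaluationMode: ALWAYS_DENY
defaultAdmissionRule:
  enforcementMode: DRYRUN_AUDIT_LOG_ONLY
  evaluationMode: ALWAYS_DENY
globalPolicyEvaluationMode: ENABLE
name: projects/example-project/policy
EOF

dryrun_rules "$SAMPLE"
```

Running assert_enforced /tmp/policy.yaml between the export and import steps stops a pipeline with a non-zero status while any rule is still audit-only.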
What's next
- View dry-run mode events from Binary Authorization for GKE in Cloud Audit Logs.
- View dry-run mode events from Binary Authorization for Cloud Run in Cloud Audit Logs.
- View dry-run mode events from Binary Authorization for Distributed Cloud in Cloud Audit Logs.

