Container Registry is deprecated. Effective March 18, 2025, Container Registry is shut down and writing images to Container Registry is unavailable. For more information about the Container Registry deprecation and how to migrate to Artifact Registry, seeContainer Registry deprecation.
Stay organized with collectionsSave and categorize content based on your preferences.
Binary Authorization is a Google Cloud service that provides deploy-time
enforcement of security policies forGoogle Kubernetes Engine (GKE)andGoogle Distributed Cloud. It supports container
images in Container Registry, Artifact Registry and other container image
registries.
At deploy time, Binary Authorization can use signatures called attestations to determine that a process was completed earlier.
For example, you can use Binary Authorization to:
Verify that a container image was built by a specific build system or
continuous integration (CI) pipeline.
Validate that a container image is compliant with vulnerability signing policy.
Verify that a container image passes criteria for promotion to the next
deployment environment, such as development to QA.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eBinary Authorization is a Google Cloud service that enforces security policies for Google Kubernetes Engine (GKE) and Google Distributed Cloud deployments.\u003c/p\u003e\n"],["\u003cp\u003eIt supports container images from various registries, including Container Registry and Artifact Registry.\u003c/p\u003e\n"],["\u003cp\u003eBinary Authorization uses attestations to verify that processes were completed, such as ensuring an image was built by a specific CI pipeline.\u003c/p\u003e\n"],["\u003cp\u003eIt can validate container image compliance with vulnerability signing policies.\u003c/p\u003e\n"],["\u003cp\u003eIt verifies container image eligibility for promotion between environments, like from development to QA.\u003c/p\u003e\n"]]],[],null,["# Securing deployments\n\nBinary Authorization is a Google Cloud service that provides deploy-time\nenforcement of security policies for\n[Google Kubernetes Engine (GKE)](/kubernetes-engine/docs) and\n[Google Distributed Cloud](/anthos/gke/docs/on-prem). It supports container\nimages in Container Registry, Artifact Registry and other container image\nregistries.\n\nAt deploy time, Binary Authorization can use signatures called attestations to determine that a process was completed earlier.\nFor example, you can use Binary Authorization to:\n\n- Verify that a container image was built by a specific build system or continuous integration (CI) pipeline.\n- Validate that a container image is compliant with vulnerability signing policy.\n- Verify that a container image passes criteria for promotion to the next deployment environment, such as development to QA.\n\nTo learn about using Binary Authorization see the\n[Binary Authorization documentation](/binary-authorization/docs)."]]
