This guide shows you how to view Binary Authorization for Cloud Run in Cloud Audit Logs.
Blocked deployment events in Cloud Logging
Logs Explorer
To view blocked deployment events in the Cloud Logging Logs Explorer, do the following:
Go to the Cloud Audit Logs Logs Explorer page:
In the Project Selector at the top of the page, select the Google Cloud project ID of the project in which you run Cloud Run.
Enter the following query in the search-query box:
resource.type="cloud_run_revision" logName:"cloudaudit.googleapis.com%2Fsystem_event" protoPayload.response.status.conditions.reason="ContainerImageUnauthorized"
Select the time range in the time-range selector.
To search within the log entries, click Expand nested fields.
gcloud
To view policy violation events from the past week in Cloud Logging using the Google Cloud CLI, do the following:
gcloud logging read --order="desc" --freshness=7d \
'resource.type="cloud_run_revision" AND
logName:"cloudaudit.googleapis.com%2Fsystem_event" AND
protoPayload.response.status.conditions.reason="ContainerImageUnauthorized"'
Breakglass events in Cloud Logging
Breakglass enables you to override Binary Authorization policy enforcement and deploy a container image that violates the policy.
Query Cloud Logging for revisions with breakglass specified
Logs Explorer
To view breakglass events in the Cloud Logging Logs Explorer, do the following:
Go to the Cloud Audit Logs Logs Explorer page:
In the Project Selector at the top of the page, select the project ID of the project in which you run Cloud Run.
Enter the following in the search-query box:
resource.type="cloud_run_revision" logName:"cloudaudit.googleapis.com%2Fsystem_event" "breakglass"
To further refine your search, add the following lines:
resource.labels.service_name = SERVICE_NAME
resource.labels.location = LOCATION
Select the time range in the time-range selector.
To search within the log entries, click Expand nested fields.
gcloud
To view breakglass events from the past week in Cloud Logging using the gcloud CLI, do the following:
gcloud logging read --order="desc" --freshness=7d \
'resource.type="cloud_run_revision" AND
logName:"cloudaudit.googleapis.com%2Fsystem_event" AND
"breakglass"'
Query Cloud Logging for fail open events
Logs Explorer
To view fail open events in the Cloud Logging Logs Explorer, do the following:
Go to the Cloud Audit Logs Logs Explorer page:
In the Project Selector at the top of the page, select the project ID of the project in which you run Cloud Run.
Enter the following in the search-query box:
resource.type="cloud_run_revision" logName:"cloudaudit.googleapis.com%2Fsystem_event" "encountered an error"
Select the time range in the time-range selector.
To search within the log entries, click Expand nested fields.
gcloud
To view fail open events from the past week in Cloud Logging using the gcloud CLI, do the following:
gcloud logging read --order="desc" --freshness=7d \
'resource.type="cloud_run_revision" AND
logName:"cloudaudit.googleapis.com%2Fsystem_event" AND
"encountered an error"'
Query Cloud Logging for dry run events
Logs Explorer
To view dry run events in the Cloud Logging Logs Explorer, do the following:
Go to the Cloud Audit Logs Logs Explorer page:
In the Project Selector at the top of the page, select the project ID of the project in which you run Cloud Run.
Enter the following in the search-query box:
resource.type="cloud_run_revision" logName:"cloudaudit.googleapis.com%2Fsystem_event" "dry run"
Select the time range in the time-range selector.
To search within the log entries, click Expand nested fields.
gcloud
To view dry run deployment events from the past week in Cloud Logging using the gcloud CLI, do the following:
gcloud logging read --order="desc" --freshness=7d \
'resource.type="cloud_run_revision" AND
logName:"cloudaudit.googleapis.com%2Fsystem_event" AND
"dry run"'
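The following added example (not from this page or from Google's tooling) applies the four filters used in the sections above to entries exported with `gcloud logging read --format=json`, so the blocked, breakglass, fail open and dry run deployments in a saved export can be counted offline and narrowed by service and location. The entry shapes and messages are constructed assumptions, and the quoted free-text strings are matched as case-insensitive substrings, a simplification of the Logs Explorer search.

```python
import json

# Constructed sample entries (illustrative assumptions, not real Cloud Run audit records).
SYSTEM_EVENT = "projects/my-project/logs/cloudaudit.googleapis.com%2Fsystem_event"

def entry(log_name, service, location, payload):
    return {"logName": log_name, "protoPayload": payload,
            "resource": {"type": "cloud_run_revision",
                         "labels": {"service_name": service, "location": location}}}

SAMPLE_ENTRIES = [
    entry(SYSTEM_EVENT, "api", "us-central1", {"response": {"status": {"conditions": [
          {"type": "Ready", "reason": "ContainerImageUnauthorized"}]}}}),
    entry(SYSTEM_EVENT, "api", "europe-west1",
          {"status": {"message": "Deployed with breakglass (ticket CHG-1234)"}}),
    entry(SYSTEM_EVENT, "worker", "us-central1",
          {"status": {"message": "Binary Authorization encountered an error; failing open"}}),
    entry(SYSTEM_EVENT, "api", "us-central1",
          {"status": {"message": "Dry run: image would have been denied"}}),
    # A different log stream: none of the page's queries should match this entry.
    entry("projects/my-project/logs/cloudaudit.googleapis.com%2Factivity", "api",
          "us-central1", {"status": {"message": "dry run"}}),
]

# Query name -> free-text needle, mirroring the quoted strings in the page's queries.
TEXT_QUERIES = {"breakglass": "breakglass", "fail_open": "encountered an error", "dry_run": "dry run"}

def match_queries(e):
    if (e.get("resource", {}).get("type") != "cloud_run_revision"
            or "cloudaudit.googleapis.com%2Fsystem_event" not in e.get("logName", "")):
        return set()
    hits = set()
    status = e.get("protoPayload", {}).get("response", {}).get("status", {})
    if any(c.get("reason") == "ContainerImageUnauthorized" for c in status.get("conditions", [])):
        hits.add("blocked")
    text = json.dumps(e).lower()  # approximates Logs Explorer's free-text match
    hits.update(name for name, needle in TEXT_QUERIES.items() if needle in text)
    return hits

def summarize(entries, service_name=None, location=None):
    # Count matches per query; the optional arguments apply the page's label refinement.
    counts = {"blocked": 0, **{name: 0 for name in TEXT_QUERIES}}
    for e in entries:
        labels = e.get("resource", {}).get("labels", {})
        if ((service_name and labels.get("service_name") != service_name)
                or (location and labels.get("location") != location)):
            continue
        for name in match_queries(e):
            counts[name] += 1
    return counts
```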
What's next
Configure the Binary Authorization policy using the Google Cloud console or the command-line tool.
Use attestations to deploy only signed container images.