Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed to your Cloud Run resources. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.
Learn how to set up Binary Authorization for Cloud Run.
Exempt Cloud Run functions images from Binary Authorization policy
To deploy functions in Cloud Run, the Binary Authorization policy administrator must configure a Binary Authorization policy using allowlist patterns to exempt all images from the specified repository and its subdirectories.
Functions using the Cloud Run Admin API
If you are deploying your function with the
gcloud run deploy...
command, use this allowlist pattern:
REGION-docker.pkg.dev/PROJECT_ID/cloud-run-source-deploy/**
With the allowlist enabled, deploy your function with Binary Authorization enabled
and set to default:
gcloud run deploy YOUR_FUNCTION_NAME \
...
--binary-authorization default
Functions using the Cloud Functions v2 API
If you are deploying your function with the
gcloud functions deploy...
command, use this allowlist pattern:
REGION-docker.pkg.dev/PROJECT_ID/gcf-artifacts/**
With the allowlist enabled, deploy your function with Binary Authorization enabled
and set to default:
gcloud functions deploy YOUR_FUNCTION_NAME \
...
--binary-authorization default
What's next
- Learn how to set up Binary Authorization for Cloud Run.