Enable dry-run mode

This document explains how to enable dry-run mode.

When you enable dry-run mode, Binary Authorization allows all container images to be deployed, even if those images violate the Binary Authorization policy. Policy compliance status messages are logged to Cloud Audit Logs. You can inspect the log to determine whether the images would have been disallowed and take corrective action. When the policy configuration works as you intend, you can disable dry-run mode to enable Binary Authorization enforcement; images that violate the policy are disallowed from being deployed.

You can set dry-run mode in the default rule or a specific rule.

Before you begin

To use dry-run mode, set up Binary Authorization for your platform.

Enable dry run

To enable dry run, do the following:

Console

  1. Go to the Binary Authorization page in the Google Cloud console.

    Go to Binary Authorization.

  2. Click Edit Policy.

  3. In Default Rule or a specific rule, select Dry-run mode.

  4. Click Save Policy.

gcloud

  1. Export the Binary Authorization policy to a YAML file:

    gcloud container binauthz policy export  > /tmp/policy.yaml
    
  2. In a text editor, set enforcementMode to DRYRUN_AUDIT_LOG_ONLY and save the file.

  3. To update the policy, import the file by executing the following command:

    gcloud container binauthz policy import /tmp/policy.yaml
    

To test dry-run mode, deploy images that violate the policy and then view dry-run mode events from Binary Authorization for GKE, Cloud Run, or Anthos clusters on VMware.

Disable dry-run mode

To disable dry-run mode, update your policy as follows:

Console

  1. Go to the Binary Authorization page in the Google Cloud console.

    Go to Binary Authorization

  2. Click Edit Policy.

  3. In Default Rule or a specific rule, clear Dry-run mode.

  4. Click Save Policy.

gcloud

  1. Export the Binary Authorization policy:

    gcloud container binauthz policy export  > /tmp/policy.yaml
    
  2. In a text editor, set enforcementMode to ENFORCED_BLOCK_AND_AUDIT_LOG and save the file.

  3. To update the policy, import the file by executing the following command:

    gcloud container binauthz policy import /tmp/policy.yaml
    

What's next

  • View dry-run mode events from Binary Authorization for GKE in Cloud Audit Logs.
  • View dry-run mode events from Binary Authorization for Cloud Run in Cloud Audit Logs.
  • View dry-run mode events from Binary Authorization for Anthos clusters on VMware in Cloud Audit Logs.