Enable dry-run mode

This document explains how to enable dry-run mode. With dry-run mode enabled, Binary Authorization evaluates the policy at Pod creation time as usual, but instead of blocking a non-compliant Pod it admits the Pod and writes the verdict to Cloud Logging. With this information you can determine whether any container images would have been unintentionally blocked from being deployed and correct the policy before anything breaks in production. Dry-run mode is a staging step, not a steady state: while it is on, the policy enforces nothing. When the policy enforces compliance as intended, disable dry-run mode.

Before you begin

This guide assumes that you have Binary Authorization set up. For a simple setup, see the quickstart.

For a complete end-to-end tutorial that describes how to use attestations with Google Kubernetes Engine (GKE), see Getting started using the CLI or Getting started using the Console.

Enable dry run

To enable dry run, do the following:


Console

  1. Go to the Binary Authorization page in the Google Cloud Console.

    Go to Binary Authorization

  2. Click Configure Policy or, if a policy exists, Edit Policy.

  3. In Default Rule, select Disallow all images.

  4. Click Save Policy.

gcloud

  1. Export the current Binary Authorization policy:

    gcloud container binauthz policy export > /tmp/policy.yaml

  2. In a text editor, set enforcementMode in the defaultAdmissionRule to DRYRUN_AUDIT_LOG_ONLY. This walkthrough keeps evaluationMode at ALWAYS_DENY (the equivalent of Disallow all images in the Console), so every Pod that is not matched by an admission whitelist pattern produces a denial entry in the audit log while still being admitted.

    The policy YAML file should look like this, where PROJECT_ID is your project ID:

    admissionWhitelistPatterns:
    - namePattern: gcr.io/google_containers/*
    - namePattern: gcr.io/google-containers/*
    - namePattern: k8s.gcr.io/*
    - namePattern: gke.gcr.io/*
    - namePattern: gcr.io/stackdriver-agents/*
    defaultAdmissionRule:
      evaluationMode: ALWAYS_DENY
      enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    name: projects/PROJECT_ID/policy

  3. Import the policy YAML file back into Binary Authorization:

    gcloud container binauthz policy import /tmp/policy.yaml

  4. Update the local kubeconfig file so that kubectl targets the cluster:

    gcloud container clusters get-credentials CLUSTER_NAME \
      --zone us-central1-a

    Where CLUSTER_NAME is the name of your GKE cluster; replace us-central1-a with the zone of your cluster.

Deploy a container

  1. Deploy the container image

    1. [Optional]: If you do not already have a Pod manifest to test with, create a pod.yaml file that looks like the following (the image is referenced by digest, not by tag):

      apiVersion: v1
      kind: Pod
      metadata:
        name: test-pod
      spec:
        containers:
        - name: test-container
          image: gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
    2. Deploy the container image:

      kubectl apply -f pod.yaml
  2. Confirm the pod is running

    The Pod should be running even though the default rule is ALWAYS_DENY: in dry-run mode the admission webhook records the denial and admits the Pod anyway. To confirm, execute the following:

    kubectl get pods

    You should see that test-pod is running. With enforcementMode set to ENFORCED_BLOCK_AND_AUDIT_LOG, the same kubectl apply would have been rejected.

  3. Check the audit log:

    To view dry run audit log entries in Cloud Logging, see Dry run events in Cloud Logging.

    An example dry run audit log looks like the following:

     insertId: "f87d1ef8-fa7b-4079-be90-d0638e7983ba"
     labels: {
      authorization.k8s.io/decision: "allow"
      authorization.k8s.io/reason: ""
      imagepolicywebhook.image-policy.k8s.io/dry-run: "true"
      imagepolicywebhook.image-policy.k8s.io/overridden-verification-result: "'gcr.io/google-samples/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4': Denied by an ALWAYS_DENY admission rule"
     }
     logName: "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"
     operation: {…}
     protoPayload: {…}
     receiveTimestamp: "2020-06-10T15:59:23.857650559Z"
     resource: {…}
     timestamp: "2020-06-10T15:59:00.185878Z"

    Where PROJECT_ID is your project ID. Note that the authorization.k8s.io/decision label reads allow because dry run overrode the verdict; the verdict that enforcement would have applied is in the overridden-verification-result label, and the dry-run label marks the entry as a dry-run decision.
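Reviewing these entries one by one does not scale once a real cluster has been in dry run for a day. The following is an added example, not code from the Google Cloud documentation: it reads audit log entries in the shape that `gcloud logging read --format=json` prints (a JSON array of entries, each with a `labels` map), keeps only the dry-run decisions, and reports per image how many admissions enforcement would have rejected. The label names are taken from the sample entry above; the filter string, the script name dryrun_report.py, the second image name and the sample entries are constructed for this example.

```python
"""Summarise Binary Authorization dry-run denials from Cloud Logging.

Added example; not code from the Google Cloud documentation. Real use:

    gcloud logging read 'FILTER' --format=json | python3 dryrun_report.py

where FILTER is DRY_RUN_FILTER below (an assumption built from the label
shown in the sample entry, not a documented query).
"""
import json
import re
from collections import defaultdict

DRY_RUN_LABEL = "imagepolicywebhook.image-policy.k8s.io/dry-run"
RESULT_LABEL = "imagepolicywebhook.image-policy.k8s.io/overridden-verification-result"

# Assumed Cloud Logging filter: relies only on the dry-run label.
DRY_RUN_FILTER = f'labels."{DRY_RUN_LABEL}"="true"'

# A result label reads: 'IMAGE@sha256:...': Denied by an ALWAYS_DENY admission rule
_RESULT_RE = re.compile(r"^'(?P<image>[^']+)':\s*(?P<reason>.+)$")

HELLO_APP = ("gcr.io/google-samples/hello-app@sha256:"
             "c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4")
OTHER_IMAGE = "us-docker.pkg.dev/example-project/repo/api@sha256:" + "0" * 64  # constructed


def _entry(image=None, dry_run=True):
    """Build a constructed log entry carrying only the labels this script reads."""
    labels = {"authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": ""}
    if dry_run:
        labels[DRY_RUN_LABEL] = "true"
    if image:
        labels[RESULT_LABEL] = f"'{image}': Denied by an ALWAYS_DENY admission rule"
    return {"logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity",
            "labels": labels}


# Constructed sample: two dry-run denials of hello-app, one of another image,
# one entry without the dry-run label (skipped) and one dry-run entry with
# nothing overridden (the Pod passed the policy; also skipped).
SAMPLE_JSON = json.dumps([
    _entry(HELLO_APP), _entry(HELLO_APP), _entry(OTHER_IMAGE),
    _entry(OTHER_IMAGE, dry_run=False), _entry(None),
])


def parse_result(text):
    """Split an overridden-verification-result label into (image, reason), or None."""
    m = _RESULT_RE.match((text or "").strip())
    return (m.group("image"), m.group("reason").strip()) if m else None


def summarize(entries):
    """{image: {"count": n, "reasons": {...}}} for every dry-run override seen."""
    report = defaultdict(lambda: {"count": 0, "reasons": set()})
    for entry in entries:
        labels = entry.get("labels", {})
        if labels.get(DRY_RUN_LABEL) != "true":
            continue  # not a dry-run decision
        parsed = parse_result(labels.get(RESULT_LABEL))
        if parsed is None:
            continue  # admitted under dry run with nothing overridden
        image, reason = parsed
        report[image]["count"] += 1
        report[image]["reasons"].add(reason)
    return dict(report)


def summarize_json(entries_json):
    """Same as summarize(), for the JSON text gcloud prints."""
    return summarize(json.loads(entries_json))


def images_that_would_be_blocked(entries_json):
    """Sorted list of images that enforcement would have rejected."""
    return sorted(summarize_json(entries_json))


if __name__ == "__main__":
    for image, info in summarize_json(SAMPLE_JSON).items():
        print(f"{info['count']:3d}  {image}\n     {'; '.join(sorted(info['reasons']))}")
```

Every image in the report is one that will stop deploying the moment enforcementMode goes back to ENFORCED_BLOCK_AND_AUDIT_LOG, so the list is the work queue for fixing the policy (whitelist patterns, attestations, or the evaluation mode) before leaving dry run.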

Continuous Validation

When you enable Continuous Validation (CV), it logs running Pods that violate Binary Authorization policy, including Pods that are deployed with dry run enabled.

Clean up

Delete the pod

kubectl delete -f pod.yaml

Disable dry-run mode

Dry-run mode leaves the policy unenforced: every Pod is admitted and denials are only logged. Once the audit log shows no unexpected denials, switch the rule back to enforcement by setting enforcementMode in the defaultAdmissionRule of your Binary Authorization policy (and in any cluster-specific rule you put in dry run) to ENFORCED_BLOCK_AND_AUDIT_LOG:

   enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

ALWAYS_ALLOW and ALWAYS_DENY are evaluationMode values, not enforcementMode values, and are not accepted here. Also note that the rule in this walkthrough uses evaluationMode: ALWAYS_DENY; once enforced, that rule blocks every image not matched by an admission whitelist pattern, so set the evaluation mode you actually intend (for example REQUIRE_ATTESTATION) before you re-enable enforcement.
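Editing the exported YAML by hand is where the wrong value tends to creep in. The following is an added example, not code from the Google Cloud documentation, that serves both the gcloud procedure for enabling dry run above and this step for disabling it: it rewrites the policy that `gcloud container binauthz policy export` prints, refuses anything that is not a real enforcementMode value, and leaves every other line as it was. It assumes the exported policy layout shown earlier (a top-level defaultAdmissionRule block with two-space indentation); the script name set_mode.py is an assumption, and SAMPLE_POLICY is constructed for the example.

```python
"""Switch a Binary Authorization policy between dry-run and enforced mode.

Added example; not code from the Google Cloud documentation. Intended use,
between export and import:

    gcloud container binauthz policy export \\
      | python3 set_mode.py ENFORCED_BLOCK_AND_AUDIT_LOG > /tmp/policy.yaml
    gcloud container binauthz policy import /tmp/policy.yaml

Only the standard library is used; indentation is tracked by hand, which
is enough for the two-level layout of an exported policy.
"""
import sys

# The only values enforcementMode accepts. ALWAYS_ALLOW / ALWAYS_DENY are
# evaluationMode values and are rejected on purpose.
DRY_RUN = "DRYRUN_AUDIT_LOG_ONLY"
ENFORCED = "ENFORCED_BLOCK_AND_AUDIT_LOG"
VALID_MODES = {DRY_RUN, ENFORCED}

# Constructed sample in the shape of an exported policy (PROJECT_ID is a placeholder).
SAMPLE_POLICY = """\
admissionWhitelistPatterns:
- namePattern: gcr.io/google_containers/*
- namePattern: gcr.io/google-containers/*
- namePattern: k8s.gcr.io/*
- namePattern: gke.gcr.io/*
- namePattern: gcr.io/stackdriver-agents/*
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: DRYRUN_AUDIT_LOG_ONLY
name: projects/PROJECT_ID/policy
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _rule_block(lines, rule):
    """(start, end): lines[start] is 'rule:' and lines[start+1:end] is its indented body."""
    start = next((i for i, l in enumerate(lines)
                  if _indent(l) == 0 and l.strip() == f"{rule}:"), None)
    if start is None:
        raise ValueError(f"no top-level {rule}: block in policy")
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > 0):
        end += 1
    return start, end


def get_enforcement_mode(policy_yaml, rule="defaultAdmissionRule"):
    """Current enforcementMode of the rule, or None if the field is absent."""
    lines = policy_yaml.splitlines()
    start, end = _rule_block(lines, rule)
    for line in lines[start + 1:end]:
        key, sep, value = line.strip().partition(":")
        if sep and key == "enforcementMode":
            return value.strip()
    return None


def is_dry_run(policy_yaml, rule="defaultAdmissionRule"):
    return get_enforcement_mode(policy_yaml, rule) == DRY_RUN


def set_enforcement_mode(policy_yaml, mode, rule="defaultAdmissionRule"):
    """Return policy_yaml with rule.enforcementMode set to mode; other lines untouched."""
    if mode not in VALID_MODES:
        raise ValueError(f"{mode!r} is not an enforcementMode value; use one of {sorted(VALID_MODES)}")
    lines = policy_yaml.splitlines()
    start, end = _rule_block(lines, rule)
    body = lines[start + 1:end]
    child_indent = next((_indent(l) for l in body if l.strip()), 2)
    new_line = " " * child_indent + f"enforcementMode: {mode}"
    idx = next((j for j, l in enumerate(body) if l.strip().startswith("enforcementMode:")), None)
    if idx is None:
        body.append(new_line)  # field missing: add it to the rule
    else:
        body[idx] = new_line   # field present: replace in place
    return "\n".join(lines[:start + 1] + body + lines[end:]) + "\n"


if __name__ == "__main__":
    # Usage: python3 set_mode.py <MODE> < exported-policy.yaml
    mode = sys.argv[1] if len(sys.argv) > 1 else ENFORCED
    sys.stdout.write(set_enforcement_mode(sys.stdin.read(), mode))
```

Because the script rejects ALWAYS_ALLOW as an enforcementMode, the import step never receives a policy whose enforcement setting was silently confused with its evaluation mode; the evaluationMode line itself is passed through untouched, so decide separately whether ALWAYS_DENY is the rule you want to enforce.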