Enable dry-run mode

This document explains how to enable dry-run mode.

When you enable dry-run mode, Binary Authorization allows all container images to be deployed, even if those images violate the Binary Authorization policy. Policy compliance status messages are logged to Cloud Audit Logs. You can inspect the log to determine whether the images would have been disallowed and take corrective action. When the policy configuration works as you intend, you can disable dry-run mode to enable Binary Authorization enforcement; images that violate the policy are disallowed from being deployed.

You can set dry-run mode in the default rule or a specific rule.

Before you begin

To use dry-run mode, set up Binary Authorization for your platform.

Enable dry run

To enable dry run, do the following:

Console

Go to the Binary Authorization page in the Google Cloud console.

Go to Binary Authorization.
Click Edit Policy.
In Default Rule or a specific rule, select Dry-run mode.

Note: To demonstrate dry-run mode, you can also set the rule to Disallow all images. With this setting, all images violate the policy, are disallowed from being deployed, and the violations are logged.
Click Save Policy.

gcloud

Export the Binary Authorization policy to a YAML file:

gcloud container binauthz policy export  > /tmp/policy.yaml

In a text editor, set enforcementMode to DRYRUN_AUDIT_LOG_ONLY and save the file.

Note: To demonstrate dry-run mode, you can set evaluationMode to ALWAYS_DENY. With this setting, all images violate the policy, are disallowed from being deployed, and the violations are logged.
To update the policy, import the file by executing the following command:
```
gcloud container binauthz policy import /tmp/policy.yaml
```

To test dry-run mode, deploy images that violate the policy and then view dry-run mode events from Binary Authorization for GKE, Cloud Run, or GKE clusters.

Disable dry-run mode

To disable dry-run mode, update your policy as follows:

Console

Go to the Binary Authorization page in the Google Cloud console.

Go to Binary Authorization
Click Edit Policy.
In Default Rule or a specific rule, clear Dry-run mode.
Click Save Policy.

gcloud

Export the Binary Authorization policy:

gcloud container binauthz policy export  > /tmp/policy.yaml

In a text editor, set enforcementMode to ENFORCED_BLOCK_AND_AUDIT_LOG and save the file.
To update the policy, import the file by executing the following command:
```
gcloud container binauthz policy import /tmp/policy.yaml
```

What's next

View dry-run mode events from Binary Authorization for GKE in Cloud Audit Logs.
View dry-run mode events from Binary Authorization for Cloud Run in Cloud Audit Logs.
View dry-run mode events from Binary Authorization for GKE clusters in Cloud Audit Logs.