Stay organized with collections
Save and categorize content based on your preferences.
This page documents production updates to Binary Authorization. You can
periodically check this page for announcements about new or updated features,
bug fixes, known issues, and deprecated functionality.
You can see the latest product updates for all of Google Cloud on the
Google Cloud page, browse and filter all release notes in the
Google Cloud console,
or programmatically access release notes in
BigQuery.
To get the latest product updates delivered to you, add the URL of this page to your
feed
reader, or add the
feed URL directly.
August 19, 2024
Setting specific rules in Binary Authorization policies is generally available (GA) as of September 28, 2023.
Added support for securing Binary Authorization resources with VPC Service Controls.
March 04, 2020
Support for the
Binary Authorization Beta API was discontinued on September 16, 2019. As a result,
the Binary Authorization Beta API will stop
working after March 16, 2020. To prevent service interruption, you must take
actions outlined in the Binary Authorization GA Migration Guide prior to that date.
September 16, 2019
The General Availability (GA) version of Binary Authorization is a feature of the Anthos platform. Use of Binary Authorization is included in the Anthos subscription. Please contact your sales representative to enroll in Anthos.
April 03, 2019
Binary Authorization now supports asymmetric PKIX key pairs to verify the identity of attestors. The asymmetric key pairs generated and stored in Cloud Key Management Service are compliant with the PKIX format. You set up PKIX keys when you create an attestor using the Google Cloud Platform Console or the CLI.
Dryrun mode is a policy setting that allows non-conformant images to be deployed, but writes details about the policy violation and deployment to the audit log. Dryrun mode allows you to test a policy in your production environment before it goes into effect.
Default whitelisting of exempt images may be incomplete, depending on the version of Kubernetes you are deploying to. You may need to add gcr.io/google-containers/ and k8s.io/ to the default whitelist.
Error messaging sometimes lacks detail when policies are updated. If you encounter an error when you update a policy, check the names of any attestor resources defined to make sure they are correct.
When editing a policy in the UI, you cannot remove/edit existing cluster specific deployment rules. This is possible using gcloud commands and the REST API.
In the UI, you cannot manage the IAM Policy on an Attestor or Binary Authorization Policy. Project level IAM permissions work as expected.
In the UI, detailed error messages are not shown for invalid whitelist patterns on a Policy or invalid PGP keys on an Attestor.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eThis page provides production updates for Binary Authorization, including new features, bug fixes, and deprecated functionality.\u003c/p\u003e\n"],["\u003cp\u003eBinary Authorization legacy continuous validation (CV) will be deprecated on May 1, 2025, in favor of continuous validation with check-based platform policies.\u003c/p\u003e\n"],["\u003cp\u003eSetting specific rules in Binary Authorization policies is now generally available (GA) as of September 28, 2023.\u003c/p\u003e\n"],["\u003cp\u003eBinary Authorization for Cloud Run became generally available (GA) on September 28, 2021, and quickstart and setup documentation is available.\u003c/p\u003e\n"],["\u003cp\u003eThe Binary Authorization Beta API stopped working after March 16, 2020, and users were directed to the GA Migration Guide for necessary actions.\u003c/p\u003e\n"]]],[],null,["# Binary Authorization release notes\n\nThis page documents production updates to Binary Authorization. You can\nperiodically check this page for announcements about new or updated features,\nbug fixes, known issues, and deprecated functionality.\n\n\nYou can see the latest product updates for all of Google Cloud on the\n[Google Cloud](/release-notes) page, browse and filter all release notes in the\n[Google Cloud console](https://console.cloud.google.com/release-notes),\nor programmatically access release notes in\n[BigQuery](https://console.cloud.google.com/bigquery?p=bigquery-public-data&d=google_cloud_release_notes&t=release_notes&page=table).\n\nTo get the latest product updates delivered to you, add the URL of this page to your\n[feed\nreader](https://wikipedia.org/wiki/Comparison_of_feed_aggregators), or add the\n[feed URL](https://cloud.google.com/feeds/binary-auth-release-notes.xml) directly.\n\nAugust 19, 2024\n---------------\n\nSetting specific rules in Binary Authorization policies is generally available (GA) as of September 28, 2023.\n\nApril 15, 2024\n--------------\n\nBinary Authorization legacy continuous validation (CV) is deprecated and will no longer be available on Google Cloud after May 1, 2025. You can instead use [continuous validation with check-based platform policies](https://cloud.google.com/binary-authorization/docs/overview-cv). To learn how to migrate to check-based platform policies, see [Legacy continuous validation deprecation and shutdown](https://cloud.google.com/binary-authorization/docs/deprecations/cv-project-singleton-policy).\n\nSeptember 29, 2021\n------------------\n\nBinary Authorization for Anthos clusters on VMware 0.2.2, which now supports Anthos clusters on VMware 0.1.9, is now available in [Preview](https://cloud.google.com/products#preview).\n\n[Set up Binary Authorization for Anthos clusters on VMware](https://cloud.google.com/binary-authorization/docs/setting-up-on-prem).\n\nSeptember 28, 2021\n------------------\n\nBinary Authorization for Cloud Run is now [generally available (GA)](https://cloud.google.com/products/?hl=EN#product-launch-stages).\n\nView the [quickstart](https://cloud.google.com/binary-authorization/docs/run/quickstart-cloud-run) or [set up Binary Authorization for Cloud Run](https://cloud.google.com/binary-authorization/docs/run/overview) on your service.\n\nApril 29, 2021\n--------------\n\nBinary Authorization now supports Continuous Validation. See [Continuous Validation documentation](https://cloud.google.com/binary-authorization/docs/overview-cv).\n\nJune 23, 2020\n-------------\n\nAdded support for securing Binary Authorization resources with VPC Service Controls.\n\nMarch 04, 2020\n--------------\n\nSupport for the\nBinary Authorization Beta API was discontinued on September 16, 2019. As a result,\n**the Binary Authorization Beta API will stop\nworking after March 16, 2020.** To prevent service interruption, you must take\nactions outlined in the [Binary Authorization GA Migration Guide](https://cloud.google.com/binary-authorization/docs/ga-migration-guide) prior to that date.\n\nSeptember 16, 2019\n------------------\n\nThe General Availability (GA) version of Binary Authorization is a feature of the [Anthos platform](https://cloud.google.com/anthos/). Use of Binary Authorization is included in the Anthos subscription. Please [contact](https://cloud.google.com/anthos/pricing) your sales representative to enroll in Anthos.\n\nApril 03, 2019\n--------------\n\nBinary Authorization now supports asymmetric PKIX key pairs to verify the identity of attestors. The asymmetric key pairs generated and stored in Cloud Key Management Service are compliant with the PKIX format. You set up PKIX keys when you create an attestor using the [Google Cloud Platform Console](https://cloud.google.com/binary-authorization/docs/creating-attestors-console) or the [CLI](https://cloud.google.com/binary-authorization/docs/creating-attestors-cli). \nBinary Authorization now supports [global policy evaluation mode](https://cloud.google.com/binary-authorization/docs/key-concepts#global_policy_evaluation_mode). \nBinary Authorization now supports dryrun mode.\n\nDryrun mode is a policy setting that allows non-conformant images to be deployed, but writes details about the policy violation and deployment to the audit log. Dryrun mode allows you to test a policy in your production environment before it goes into effect.\n\nYou can enable dryrun mode when you configure your policy using the [Google Cloud Platform Console](https://cloud.google.com/binary-authorization/docs/configuring-policy-console) or the [CLI](https://cloud.google.com/binary-authorization/docs/configuring-policy-cli).\n\nJuly 25, 2018\n-------------\n\nDefault whitelisting of exempt images may be incomplete, depending on the version of Kubernetes you are deploying to. You may need to add `gcr.io/google-containers/` and `k8s.io/` to the default whitelist. \nError messaging sometimes lacks detail when policies are updated. If you encounter an error when you update a policy, check the names of any attestor resources defined to make sure they are correct. \nWhen editing a policy in the UI, you cannot remove/edit existing cluster specific deployment rules. This is possible using `gcloud` commands and the REST API. \nIn the UI, you cannot manage the IAM Policy on an Attestor or Binary Authorization Policy. Project level IAM permissions work as expected. \nIn the UI, detailed error messages are not shown for invalid whitelist patterns on a Policy or invalid PGP keys on an Attestor."]]
