This page documents production updates to Binary Authorization. You can periodically check this page for announcements about new or updated features, bug fixes, known issues, and deprecated functionality.
September 16, 2019
The General Availability (GA) version of Binary Authorization is a feature of the Anthos platform. Use of Binary Authorization is included in the Anthos subscription. Please contact your sales representative to enroll in Anthos.
April 03, 2019
Binary Authorization now supports asymmetric PKIX key pairs to verify the identity of attestors. The asymmetric key pairs generated and stored in Cloud Key Management Service are compliant with the PKIX format. You set up PKIX keys when you create an attestor using the Google Cloud Platform Console or the CLI.
Binary Authorization now supports global policy evaluation mode.
Binary Authorization now supports dryrun mode.
Dryrun mode is a policy setting that allows non-conformant images to be deployed, but writes details about the policy violation and deployment to the audit log. Dryrun mode allows you to test a policy in your production environment before it goes into effect.
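Because a rule in dryrun mode never blocks a deployment, it is worth checking which rules are still in that mode after testing. The following is an added example, not code from the Binary Authorization documentation; it assumes the policy has been saved as JSON in the shape of the REST API policy resource, it also flags ALWAYS_ALLOW rules (which goes slightly beyond dryrun), and the sample policy with its project, cluster and attestor names is constructed.

```python
import json

# Constructed sample policy in the JSON shape of the Binary Authorization
# REST API policy resource; project, cluster and attestor names are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "name": "projects/example-project/policy",
  "globalPolicyEvaluationMode": "ENABLE",
  "defaultAdmissionRule": {
    "evaluationMode": "REQUIRE_ATTESTATION",
    "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
    "requireAttestationsBy": ["projects/example-project/attestors/build-attestor"]
  },
  "clusterAdmissionRules": {
    "us-central1-a.staging": {
      "evaluationMode": "REQUIRE_ATTESTATION",
      "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
      "requireAttestationsBy": ["projects/example-project/attestors/build-attestor"]
    },
    "us-central1-a.dev": {
      "evaluationMode": "ALWAYS_ALLOW",
      "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG"
    }
  }
}
""")

def iter_rules(policy):
    """Yield (scope, rule) for the default rule and every cluster-specific rule."""
    if "defaultAdmissionRule" in policy:
        yield "default", policy["defaultAdmissionRule"]
    for cluster, rule in sorted(policy.get("clusterAdmissionRules", {}).items()):
        yield cluster, rule

def non_blocking_rules(policy):
    """Return {scope: reason} for rules that cannot block a deployment."""
    findings = {}
    for scope, rule in iter_rules(policy):
        if rule.get("evaluationMode") == "ALWAYS_ALLOW":
            findings[scope] = "ALWAYS_ALLOW: no check is performed"
        elif rule.get("enforcementMode") == "DRYRUN_AUDIT_LOG_ONLY":
            findings[scope] = "dryrun: violations are only written to the audit log"
    return findings

if __name__ == "__main__":
    for scope, reason in non_blocking_rules(SAMPLE_POLICY).items():
        print(f"{scope}: {reason}")
```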
July 25, 2018
Default whitelisting of exempt images may be incomplete, depending on the version of Kubernetes you are deploying to. You may need to add k8s.io/ to the default whitelist.
Error messaging sometimes lacks detail when policies are updated. If you encounter an error when you update a policy, check the names of any attestor resources defined to make sure they are correct.
When editing a policy in the UI, you cannot remove or edit existing cluster-specific deployment rules. You can do this using gcloud commands and the REST API.
In the UI, you cannot manage the IAM Policy on an Attestor or Binary Authorization Policy. Project-level IAM permissions work as expected.
In the UI, detailed error messages are not shown for invalid whitelist patterns on a Policy or invalid PGP keys on an Attestor.