This page provides an overview of how to set up Binary Authorization for use with Cloud Run services and jobs.
How Binary Authorization policies are applied to Cloud Run
You can set a Binary Authorization policy on Cloud Run services and jobs.
However, policy enforcement differs slightly between Cloud Run services and jobs.
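Policies applied to Cloud Run services
When you set a Binary Authorization policy on a service, Cloud Run checks the policy each time you deploy a new revision. If the new revision does not conform to the policy, the deployment fails. However, if this happens, you can use the breakglass feature to bypass the Binary Authorization policy and deploy a revision using a non-compliant container.
Changes in the Binary Authorization policy do not retroactively apply to existing revisions.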
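Policies applied to Cloud Run jobs
When you set a Binary Authorization policy on a job, Cloud Run checks the policy each time you execute the job. If a job has a non-compliant container:
- You can still update the job successfully.
- Executing the job fails. You can use the breakglass feature to bypass the Binary Authorization policy in these situations.
Changes in the Binary Authorization policy do not retroactively apply to already-running executions.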
Before you begin
Before you use Binary Authorization for Cloud Run, we recommend that you set up your Cloud Run environment.
Setup steps
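To set up Binary Authorization for Cloud Run, perform the following steps:
1. Enable Binary Authorization.
2. Recommended: Require Binary Authorization for Cloud Run using an organization policy.
3. Enable Binary Authorization for Cloud Run.
4. Configure the Binary Authorization policy.
   Note: Skip this step if you want to use attestations.
   You can configure the following features in your policy:
   - Default rule.
   - Exempt images.
   To deploy functions in Cloud Run, the Binary Authorization policy administrator must configure the Binary Authorization policy to exempt all images from the REGION-docker.pkg.dev/PROJECT_ID/cloud-run-source-deploy/** repository and its subdirectories.
5. Optional: Use the built-by-cloud-build attestor to deploy only images built by Cloud Build (Preview).
6. Optional: Use attestations.
7. View Binary Authorization for Cloud Run events in Cloud Audit Logs.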
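The following added example (not part of the original page or of Google's tooling) models how an exempt-image pattern such as the cloud-run-source-deploy/** entry from step 4 decides which image references skip the default rule, so an exemption can be reviewed before the policy is applied. The function names, the region, project, attestor and digest values are constructed, and the matcher assumes trailing-wildcard semantics in which * stays within one path segment and ** also covers subdirectories.

```python
# Added example: review which images an exempt-image pattern lets through.
# Assumption: patterns use trailing wildcards only; '*' does not cross '/',
# '**' also matches subdirectories. The service's evaluation is authoritative.

def pattern_matches(pattern: str, image: str) -> bool:
    if pattern.endswith("**"):
        return image.startswith(pattern[:-2])
    if pattern.endswith("*"):
        prefix = pattern[:-1]
        return image.startswith(prefix) and "/" not in image[len(prefix):]
    return image == pattern  # simplification: literal patterns compared as-is


def evaluate(policy: dict, image: str) -> str:
    """Return 'EXEMPT' or the default rule's evaluationMode for `image`."""
    for entry in policy.get("admissionWhitelistPatterns", []):
        if pattern_matches(entry["namePattern"], image):
            return "EXEMPT"
    return policy["defaultAdmissionRule"]["evaluationMode"]


def audit(policy: dict, images: list) -> dict:
    """Map every image reference to its verdict under `policy`."""
    return {image: evaluate(policy, image) for image in images}


# Constructed sample values: REGION=us-central1, PROJECT_ID=example-project.
REPO = "us-central1-docker.pkg.dev/example-project/cloud-run-source-deploy"
POLICY = {
    "admissionWhitelistPatterns": [{"namePattern": REPO + "/**"}],
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": "ENFORCED_BLOCK_AND_AUDIT_LOG",
        "requireAttestationsBy": [
            "projects/example-project/attestors/example-attestor"],
    },
}
DIGEST = "@sha256:" + "0" * 64  # constructed placeholder digest
IMAGES = [
    REPO + "/my-function" + DIGEST,          # function image in the repository
    REPO + "/team-a/my-function" + DIGEST,   # image in a subdirectory
    "us-central1-docker.pkg.dev/example-project/app-images/api" + DIGEST,
    "us-central1-docker.pkg.dev/other-project/cloud-run-source-deploy/fn" + DIGEST,
]

if __name__ == "__main__":
    for image, verdict in audit(POLICY, IMAGES).items():
        print(f"{verdict:20} {image}")
```

Only the first two references are exempt; images in other repositories or projects still fall through to the default rule, and a pattern ending in /* instead of /** would stop exempting the subdirectory image.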
Last updated: 2025-09-04 (UTC)