This page provides an overview of how to set up Binary Authorization for use with Cloud Run services and jobs.
How Binary Authorization policies are applied to Cloud Run
You can set a Binary Authorization policy on Cloud Run services and jobs. However, policy enforcement varies slightly between Cloud Run services and jobs.
Policies applied to Cloud Run services
When you set a Binary Authorization policy on a service, Cloud Run checks the policy each time you deploy a new revision. If the new revision does not conform to the policy, the deployment fails. In that case, you can use the breakglass feature to bypass the Binary Authorization policy and deploy a revision using a non-compliant container.
Changes in the Binary Authorization policy do not retroactively apply to existing revisions.
Policies applied to Cloud Run jobs
When you set a Binary Authorization policy on a job, Cloud Run checks the policy each time you execute the job. If a job has a non-compliant container:
- You can still update the job successfully.
- Executing the job will fail. You can use the breakglass feature to bypass the Binary Authorization policy in these situations.
Changes in the Binary Authorization policy do not retroactively apply to already-running executions.
Before you begin
Before you use Binary Authorization for Cloud Run, we recommend that you set up your Cloud Run environment.
Setup Steps
To set up Binary Authorization for Cloud Run, perform the following steps:
- Enable Binary Authorization.
- Recommended: Require Binary Authorization for Cloud Run using an organization policy.
- Enable Binary Authorization for Cloud Run.
- Configure the Binary Authorization policy. You can configure the following features in your policy:
  - To deploy functions in Cloud Run, the Binary Authorization policy administrator must configure the Binary Authorization policy to exempt all images from the REGION-docker.pkg.dev/PROJECT_ID/cloud-run-source-deploy/** repository and its subdirectories.
  - Optional: Use the built-by-cloud-build attestor to deploy only images built by Cloud Build (Preview).
  - Optional: Use attestations.
- View Binary Authorization for Cloud Run events in Cloud Audit Logs.
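A policy file that combines the options listed in the setup steps, given as an added example rather than a policy taken from this page. It assumes the built-by-cloud-build attestor lives in the same project as the policy; REGION and PROJECT_ID are placeholders, and the file can be loaded with `gcloud container binauthz policy import policy.yaml`.

```yaml
# policy.yaml - illustrative Binary Authorization policy for Cloud Run.
# REGION and PROJECT_ID are placeholders; replace them before importing.

# Keep Google-maintained system images allowed by the global policy.
globalPolicyEvaluationMode: ENABLE

# Exempt images: anything matching a pattern here is admitted without
# attestation checks. The trailing ** covers the repository and its
# subdirectories, which is the exemption needed to deploy functions.
# Keep the pattern scoped to this one repository and restrict who can
# push to it, because exempt images bypass the default rule below.
admissionWhitelistPatterns:
- namePattern: REGION-docker.pkg.dev/PROJECT_ID/cloud-run-source-deploy/**

# Default rule for every other image: require an attestation, block the
# deployment (or job execution) when it is missing, and write the
# decision to Cloud Audit Logs.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  # Assumption: the attestor is in the same project as this policy.
  - projects/PROJECT_ID/attestors/built-by-cloud-build
```

Because policy changes do not apply retroactively, existing revisions and already-running executions keep running after the import; the rule takes effect on the next revision deployment or job execution.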