Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Halaman ini memberikan ringkasan tentang cara menyiapkan Otorisasi Biner untuk digunakan dengan
layanan dan tugas Cloud Run.
Cara kebijakan Otorisasi Biner diterapkan ke Cloud Run
Anda dapat menetapkan kebijakan Otorisasi Biner pada layanan dan tugas Cloud Run.
Namun, penegakan kebijakan sedikit bervariasi antara layanan dan tugas Cloud Run.
Kebijakan yang diterapkan ke layanan Cloud Run
Saat Anda menetapkan kebijakan Otorisasi Biner pada layanan, Cloud Run akan memeriksa kebijakan tersebut setiap kali Anda men-deploy revisi baru. Jika revisi baru tidak
mematuhi kebijakan, deployment akan gagal. Namun, jika hal ini terjadi, Anda dapat menggunakan fitur breakglass untuk mengabaikan kebijakan Otorisasi Biner dan men-deploy revisi menggunakan penampung yang tidak mematuhi kebijakan.
Perubahan pada kebijakan Otorisasi Biner tidak berlaku secara surut
pada revisi yang ada.
Kebijakan yang diterapkan ke tugas Cloud Run
Saat Anda menetapkan kebijakan Otorisasi Biner pada tugas, Cloud Run akan memeriksa kebijakan setiap kali Anda menjalankan tugas. Jika tugas memiliki penampung yang tidak mematuhi kebijakan:
Anda tetap dapat memperbarui tugas dengan sukses.
Menjalankan tugas akan gagal. Anda dapat menggunakan fitur breakglass untuk mengabaikan kebijakan Otorisasi Biner dalam situasi ini.
Perubahan pada kebijakan Otorisasi Biner tidak berlaku secara surut
untuk eksekusi yang sudah berjalan.
Untuk men-deploy fungsi di Cloud Run, administrator kebijakan Otorisasi Biner harus mengonfigurasi kebijakan Otorisasi Biner untuk mengecualikan semua image dari repositori REGION-docker.pkg.dev/PROJECT_ID/cloud-run-source-deploy/** dan subdirektorinya.
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[[["\u003cp\u003eThis guide details the process of setting up Binary Authorization for Cloud Run services and jobs, including how policies are applied and enforced.\u003c/p\u003e\n"],["\u003cp\u003eBinary Authorization policies for Cloud Run services are checked during new revision deployments, with failed deployments occurring if the new revision does not conform to the policy, although it has a breakglass feature.\u003c/p\u003e\n"],["\u003cp\u003eBinary Authorization policies for Cloud Run jobs are checked during each job execution, which will fail if a non-compliant container is present, although a breakglass feature is also available.\u003c/p\u003e\n"],["\u003cp\u003eChanges to Binary Authorization policies do not retroactively apply to existing Cloud Run revisions or already-running job executions.\u003c/p\u003e\n"],["\u003cp\u003eThe setup process involves enabling Binary Authorization, optionally requiring it via an organization policy, and then configuring the Binary Authorization policy, which may include exempting images or setting up attestations.\u003c/p\u003e\n"]]],[],null,["# Set up overview for Cloud Run\n\nThis page provides an overview of how to set up Binary Authorization for use with\nCloud Run services and jobs.\n\nHow Binary Authorization policies are applied to Cloud Run\n----------------------------------------------------------\n\nYou can set a Binary Authorization policy on Cloud Run services and jobs.\nHowever, policy enforcement varies slightly between Cloud Run services\nand jobs.\n\n### Policies applied to Cloud Run services\n\nWhen you set a Binary Authorization policy on a service, Cloud Run\nchecks the policy each time you deploy a new revision. If the new revision does\nnot conform to the policy, the deployment will fail. However, if this happens, you\ncan use the [breakglass](/binary-authorization/docs/run/using-breakglass-cloud-run)\nfeature to bypass the Binary Authorization policy and deploy a revision using a\nnon-compliant container.\n\nChanges in the Binary Authorization policy *do not* retroactively\napply to existing revisions.\n\n### Policies applied to Cloud Run jobs\n\nWhen you set a Binary Authorization policy on a job, Cloud Run checks the\npolicy each time you execute the job. If a job has a non-compliant container:\n\n- You can still update the job successfully.\n- Executing the job will fail. You can use the [breakglass](/binary-authorization/docs/run/using-breakglass-cloud-run) feature to bypass the Binary Authorization policy in these situations.\n\nChanges in the Binary Authorization policy *do not* retroactively\napply to already-running executions.\n\nBefore you begin\n----------------\n\nBefore you use Binary Authorization for Cloud Run, we recommend that you\n[set up your Cloud Run environment](/run/docs/setup).\n\nSetup Steps\n-----------\n\nTo set up Binary Authorization for Cloud Run, perform the following steps:\n\n1. [Enable Binary Authorization](/binary-authorization/docs/enabling).\n2. Recommended: [Require Binary Authorization for Cloud Run](/binary-authorization/docs/run/requiring-binauthz-cloud-run) using an organization policy.\n3. [Enable Binary Authorization for Cloud Run](/binary-authorization/docs/run/enabling-binauthz-cloud-run).\n4. Configure the Binary Authorization policy.\n\n | **Note:** Skip this step if you want to use attestations.\n\n You can configure the following features in your policy:\n - [Default rule](/binary-authorization/docs/configuring-policy-console#default-rule).\n - [Exempt images](/binary-authorization/docs/configuring-policy-console#exempt_images). [Learn more about exempt images](/binary-authorization/docs/key-concepts#exempt_images).\n\n To deploy functions in Cloud Run, the Binary Authorization\n policy administrator must configure the Binary Authorization policy to\n exempt all images from the\n \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e`-docker.pkg.dev/`\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e`/cloud-run-source-deploy/**`\n repository and its subdirectories.\n5. Optional: Use the `built-by-cloud-build` attestor to [deploy only images built by Cloud Build](/binary-authorization/docs/deploy-cloud-build) ([Preview](/products#product-launch-stages)).\n\n6. Optional: [Use attestations](/binary-authorization/docs/attestations).\n\n7. [View Binary Authorization for Cloud Run events in Cloud Audit Logs](/binary-authorization/docs/run/viewing-audit-logs-cloud-run)."]]
