Google Cloud CLI를 사용하여 Cloud Logging에서 지난 주의 정책 위반 이벤트를 보려면 다음을 수행합니다.
gcloudloggingread--order="desc"--freshness=7d\'resource.type="cloud_run_revision" AND logName:"cloudaudit.googleapis.com%2Fsystem_event" AND protoPayload.response.status.conditions.reason="ContainerImageUnauthorized"'
Cloud Logging의 breakglass 이벤트
Breakglass를 사용하면 Binary Authorization 정책 시행을 재정의하고 정책을 위반하는 컨테이너 이미지를 배포할 수 있습니다.
Cloud Logging에서 breakglass가 지정된 버전 쿼리
로그 탐색기
Cloud Logging 로그 탐색기에서 breakglass 이벤트를 보려면 다음을 수행합니다.
gcloud CLI를 사용하여 Cloud Logging에서 이전 주의 breakglass 이벤트를 보려면 다음을 수행합니다.
gcloudloggingread--order="desc"--freshness=7d\'resource.type="cloud_run_revision" AND logName:"cloudaudit.googleapis.com%2Fsystem_event" AND "breakglass"'
Fail Open 이벤트의 Cloud Logging 쿼리
로그 탐색기
Cloud Logging 로그 탐색기에서 Fail Open 이벤트를 보려면 다음을 수행합니다.
페이지 상단의 프로젝트 선택기에서 Cloud Run을 실행하는 프로젝트의 프로젝트 ID를 선택합니다.
검색어 상자에 다음을 입력합니다.
resource.type="cloud_run_revision"logName:"cloudaudit.googleapis.com%2Fsystem_event""encountered an error"
시간 범위 선택기에서 기간을 선택합니다.
로그 항목 내에서 검색하려면 중첩된 필드 확장을 클릭합니다.
gcloud
Cloud Logging에서 gcloud CLI를 사용하여 이전 주의 Fail Open 이벤트를 보려면 다음을 수행합니다.
gcloudloggingread--order="desc"--freshness=7d\'resource.type="cloud_run_revision" AND logName:"cloudaudit.googleapis.com%2Fsystem_event" AND "encountered an error"'
gcloud CLI를 사용하여 Cloud Logging에서 이전 주의 테스트 실행 배포 이벤트를 보려면 다음을 수행합니다.
gcloudloggingread--order="desc"--freshness=7d\'resource.type="cloud_run_revision" AND logName:"cloudaudit.googleapis.com%2Fsystem_event" AND "dry run"'
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[[["\u003cp\u003eThis guide details how to use Cloud Audit Logs to view Binary Authorization events for Cloud Run, including blocked deployments, breakglass events, fail-open events, and dry run events.\u003c/p\u003e\n"],["\u003cp\u003eYou can use the Logs Explorer within Cloud Logging to search for specific events by constructing queries that target the \u003ccode\u003ecloud_run_revision\u003c/code\u003e resource type, \u003ccode\u003ecloudaudit.googleapis.com%2Fsystem_event\u003c/code\u003e log name, and relevant event-specific strings, like "ContainerImageUnauthorized" for blocked deployments.\u003c/p\u003e\n"],["\u003cp\u003eThe guide also provides gcloud CLI commands to query for these events within the past week, using similar filters as those used in the Logs Explorer.\u003c/p\u003e\n"],["\u003cp\u003eBreakglass, which is a policy enforcement override, is a capability that can be tracked and identified using the string "breakglass" within the Logs Explorer or gcloud CLI queries.\u003c/p\u003e\n"],["\u003cp\u003eFail open events can be identified by searching for "encountered an error" in Cloud Logging, while dry run events are found using the term "dry run" in the same manner.\u003c/p\u003e\n"]]],[],null,["This guide shows you how to view Binary Authorization for\nCloud Run in Cloud Audit Logs.\n\nBlocked deployment events in Cloud Logging \n\nLogs Explorer\n\nTo view bocked deployment events in the Cloud Logging Logs Explorer, do\nthe following:\n\n1. Go to the Cloud Audit Logs Logs Explorer page:\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/viewer).\n2. In the **Project Selector** at the top of the page, select the\n Google Cloud project ID of the project in which you run\n Cloud Run.\n\n3. Enter the following query in the *search-query* box:\n\n resource.type=\"cloud_run_revision\"\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\"\n protoPayload.response.status.conditions.reason=\"ContainerImageUnauthorized\"\n\n4. Select the time range in the *time-range selector*.\n\nTo search within the log entries, click **Expand nested fields**.\n\ngcloud\n\nTo view policy violation events from the past week in Cloud Logging using\nthe Google Cloud CLI, do the following: \n\n gcloud logging read --order=\"desc\" --freshness=7d \\\n 'resource.type=\"cloud_run_revision\" AND\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\" AND\n protoPayload.response.status.conditions.reason=\"ContainerImageUnauthorized\"'\n\nBreakglass events in Cloud Logging\n\n[Breakglass](/binary-authorization/docs/run/using-breakglass-cloud-run)\nenables you to override Binary Authorization policy enforcement and deploy a\ncontainer image that violates the policy.\n\nQuery Cloud Logging for revisions with breakglass specified \n\nLogs Explorer\n\nTo view breakglass events in the Cloud Logging Logs Explorer, do the\nfollowing:\n\n1. Go to the Cloud Audit Logs Logs Explorer page:\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/viewer).\n2. In the **Project Selector** at the top of the page, select the\n project ID of the project in which you run\n Cloud Run.\n\n3. Enter the following in the *search-query* box:\n\n resource.type=\"cloud_run_revision\"\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\"\n \"breakglass\"\n\n To further refine your search, add the following lines: \n\n resource.labels.service_name = \u003cvar translate=\"no\"\u003eSERVICE_NAME\u003c/var\u003e\n resource.labels.location = \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e\n\n [View breakglass deployments in Cloud Logging](https://console.cloud.google.com/logs/viewer?advancedFilter=resource.type%3D%22cloud_run_revision%22%0AlogName%3A%22cloudaudit.googleapis.com%252Factivity%22%0A%22breakglass%22)\n4. Select the time range in the *time-range selector*.\n\nTo search within the log entries, click **Expand nested fields**.\n\ngcloud\n\nTo view breakglass events from the past week in Cloud Logging using the\ngcloud CLI, do the following: \n\n gcloud logging read --order=\"desc\" --freshness=7d \\\n 'resource.type=\"cloud_run_revision\" AND\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\" AND\n \"breakglass\"'\n\nQuery Cloud Logging fail open events \n\nLogs Explorer\n\nTo view fail open events in the Cloud Logging Logs Explorer, do the\nfollowing:\n\n1. Go to the Cloud Audit Logs Logs Explorer page:\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/viewer).\n2. In the **Project Selector** at the top of the page, select the\n project ID of the project in which you run\n Cloud Run.\n\n3. Enter the following in the *search-query* box:\n\n resource.type=\"cloud_run_revision\"\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\"\n \"encountered an error\"\n\n4. Select the time range in the *time-range selector*.\n\nTo search within the log entries, click **Expand nested fields**.\n\ngcloud\n\nTo view fail open events from the past week in Cloud Logging using\nthe gcloud CLI, do the following: \n\n gcloud logging read --order=\"desc\" --freshness=7d \\\n 'resource.type=\"cloud_run_revision\" AND\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\" AND\n \"encountered an error\"'\n\nQuery Cloud Logging for dry run events \n\nLogs Explorer\n\nTo view dry run events in the Cloud Logging Logs Explorer, do the\nfollowing:\n\n1. Go to the Cloud Audit Logs Logs Explorer page:\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/viewer).\n2. In the **Project Selector** at the top of the page, select the\n project ID of the project in which you run\n Cloud Run.\n\n3. Enter the following in the *search-query* box:\n\n resource.type=\"cloud_run_revision\"\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\"\n \"dry run\"\n\n4. Select the time range in the *time-range selector*.\n\nTo search within the log entries, click **Expand nested fields**.\n\ngcloud\n\nTo view dry run deployment events from the past week in Cloud Logging using\nthe gcloud CLI, do the following: \n\n gcloud logging read --order=\"desc\" --freshness=7d \\\n 'resource.type=\"cloud_run_revision\" AND\n logName:\"cloudaudit.googleapis.com%2Fsystem_event\" AND\n \"dry run\"'\n\nWhat's next\n\n- Configure the Binary Authorization policy using the [Google Cloud console](/binary-authorization/docs/configuring-policy-console) or the [command-line tool](/binary-authorization/docs/configuring-policy-cli).\n\n- [Use attestations](/binary-authorization/docs/attestations) to deploy only signed container images."]]