Use Binary Authorization

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed to your Cloud Run resources. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.

Learn how to set up Binary Authorization for Cloud Run.

Exempt Cloud Run functions images from Binary Authorization policy

To deploy functions in Cloud Run, the Binary Authorization policy administrator must configure a Binary Authorization policy using allowlist patterns to exempt all images from the specified repository and its subdirectories.

Functions using the Cloud Run Admin API

If you are deploying your function with the gcloud run deploy ... command, use this allowlist pattern:

REGION-docker.pkg.dev/PROJECT_ID/cloud-run-source-deploy/**

With the allowlist enabled, deploy your function with Binary Authorization enabled and set to default:

  gcloud run deploy YOUR_FUNCTION_NAME \
    ...
    --binary-authorization default

Functions using the Cloud Functions v2 API

If you are deploying your function with the gcloud functions deploy ... command, use this allowlist pattern:

REGION-docker.pkg.dev/PROJECT_ID/gcf-artifacts/**

With the allowlist enabled, deploy your function with Binary Authorization enabled and set to default:

  gcloud functions deploy YOUR_FUNCTION_NAME \
    ...
    --binary-authorization default
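
The following Python check is an added example, not part of the original page or of Google's tooling: it reports which image references the two allowlist patterns above exempt from policy enforcement. The REGION and PROJECT_ID values, image names and function names are constructed, and the wildcard semantics (a trailing ** includes subdirectories, a trailing * does not) are an assumption stated in the code.

```python
import re

# Allowlist patterns from this page, with REGION and PROJECT_ID filled in
# using constructed sample values.
RUN_PATTERN = "us-central1-docker.pkg.dev/example-project/cloud-run-source-deploy/**"
GCF_PATTERN = "us-central1-docker.pkg.dev/example-project/gcf-artifacts/**"


def pattern_to_regex(name_pattern):
    """Translate an allowlist pattern into a regex.

    Assumed semantics: a trailing ** matches everything below the prefix,
    subdirectories included; a trailing * stays within one path segment;
    a pattern without a wildcard must match exactly.
    """
    if name_pattern.endswith("**"):
        return re.compile(re.escape(name_pattern[:-2]) + r".+")
    if name_pattern.endswith("*"):
        return re.compile(re.escape(name_pattern[:-1]) + r"[^/]+")
    return re.compile(re.escape(name_pattern))


def is_exempt(image, patterns):
    """True if the image matches any allowlist pattern (policy rules are skipped)."""
    return any(pattern_to_regex(p).fullmatch(image) for p in patterns)


def audit(images, patterns):
    """Map each image reference to whether the policy exempts it."""
    return {image: is_exempt(image, patterns) for image in images}


# Constructed sample image references.
SAMPLE_IMAGES = [
    "us-central1-docker.pkg.dev/example-project/cloud-run-source-deploy/my-function:latest",
    "us-central1-docker.pkg.dev/example-project/cloud-run-source-deploy/team-a/my-function:latest",
    "us-central1-docker.pkg.dev/example-project/gcf-artifacts/my-function:latest",
    "us-central1-docker.pkg.dev/example-project/app-images/api:latest",
    "europe-west1-docker.pkg.dev/example-project/cloud-run-source-deploy/my-function:latest",
]

if __name__ == "__main__":
    for image, exempt in audit(SAMPLE_IMAGES, [RUN_PATTERN]).items():
        print(("EXEMPT   " if exempt else "ENFORCED ") + image)
```

Each pattern is tied to one region and one repository, and every image under an exempted repository deploys without attestation, so write access to those repositories deserves the same scrutiny as the policy itself.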


Last updated 2025-12-17 UTC.