Stay organized with collections
Save and categorize content based on your preferences.
This document explains how to enable dry-run mode.
When you enable dry-run mode, Binary Authorization allows all container images to be
deployed, even if those images violate the Binary Authorization policy. Policy
compliance status messages are logged to Cloud Audit Logs.
You can inspect the log to determine whether the images would have been
disallowed and take corrective action. When the policy configuration works as
you intend, you can disable dry-run mode to enable Binary Authorization enforcement;
images that violate the policy are disallowed from being deployed.
You can set dry-run mode in the default rule or a specific rule.
To test dry-run mode, deploy images that violate the policy and then view
dry-run mode events from Binary Authorization for GKE,
Cloud Run,
or Google Distributed Cloud.
Disable dry-run mode
To disable dry-run mode, update your policy as follows:
Console
Go to the Binary Authorization page in the Google Cloud console.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eDry-run mode in Binary Authorization allows all container images to be deployed, regardless of policy violations, with policy compliance status logged in Cloud Audit Logs.\u003c/p\u003e\n"],["\u003cp\u003eEnabling dry-run mode can be done either through the Google Cloud console or via the \u003ccode\u003egcloud\u003c/code\u003e command-line tool, by modifying the Binary Authorization policy settings.\u003c/p\u003e\n"],["\u003cp\u003eYou can test dry-run mode by deploying images that violate the policy and then viewing the logged events for GKE, Cloud Run, or Google Distributed Cloud.\u003c/p\u003e\n"],["\u003cp\u003eDry-run mode can be disabled by updating the Binary Authorization policy in the Google Cloud console or through the \u003ccode\u003egcloud\u003c/code\u003e command-line tool, switching to enforced mode that blocks and logs violations.\u003c/p\u003e\n"]]],[],null,["# Enable dry-run mode\n\n| **Note:** This document or section includes references to one or more terms that Google considers disrespectful or offensive. The terms are used because they are keywords in the software that's described in the document. \n| The terms: `whitelist`\n\nThis document explains how to enable dry-run mode.\n\nWhen you enable dry-run mode, Binary Authorization allows all container images to be\ndeployed, even if those images violate the Binary Authorization policy. Policy\ncompliance status messages are logged to [Cloud Audit Logs](/logging/docs/audit).\nYou can inspect the log to determine whether the images would have been\ndisallowed and take corrective action. When the policy configuration works as\nyou intend, you can disable dry-run mode to enable Binary Authorization enforcement;\nimages that violate the policy are disallowed from being deployed.\n\nYou can set dry-run mode in the default rule or a specific rule.\n\nBefore you begin\n----------------\n\nTo use dry-run mode, [set up Binary Authorization for your platform](/binary-authorization/docs/set-up-platform).\n\nEnable dry run\n--------------\n\n| **Caution:** Enabling dry run in your default admission rule, as shown, allows all container images to be deployed, even if they violate the deployment policy.\n\nTo enable dry run, do the following: \n\n### Console\n\n1. Go to the Binary Authorization page in the Google Cloud console.\n\n [Go to Binary Authorization](https://console.cloud.google.com/security/binary-authorization/).\n2. Click **Edit Policy**.\n\n3. In **Default Rule** or a specific rule, select **Dry-run mode**.\n\n | **Note:** To demonstrate dry-run mode, you can also set the rule to **Disallow all images**. With this setting, all images violate the policy, are disallowed from being deployed, and the violations are logged.\n4. Click **Save Policy**.\n\n### gcloud\n\n1. Export the Binary Authorization policy to a YAML file:\n\n gcloud container binauthz policy export \u003e /tmp/policy.yaml\n\n2. In a text editor, set `enforcementMode` to `DRYRUN_AUDIT_LOG_ONLY` and\n save the file.\n\n | **Note:** To demonstrate dry-run mode, you can set `evaluationMode` to `ALWAYS_DENY`. With this setting, all images violate the policy, are disallowed from being deployed, and the violations are logged.\n3. To update the policy, import the file by executing the following command:\n\n gcloud container binauthz policy import /tmp/policy.yaml\n\n| **Note:** It can take a few minutes for the policy to take effect.\n\nTo test dry-run mode, deploy images that violate the policy and then view\ndry-run mode events from Binary Authorization for [GKE](/binary-authorization/docs/viewing-audit-logs#dry_run_events),\n[Cloud Run](/binary-authorization/docs/run/viewing-audit-logs-cloud-run#query_for_dry_run_events),\nor [Google Distributed Cloud](/binary-authorization/docs/viewing-on-prem-logs#view_dry_run_log_entries).\n\n### Disable dry-run mode\n\nTo disable dry-run mode, update your policy as follows: \n\n### Console\n\n1. Go to the Binary Authorization page in the Google Cloud console.\n\n [Go to Binary Authorization](https://console.cloud.google.com/security/binary-authorization/)\n2. Click **Edit Policy**.\n\n3. In **Default Rule** or a specific rule, clear **Dry-run mode**.\n\n4. Click **Save Policy**.\n\n### gcloud\n\n1. Export the Binary Authorization policy:\n\n gcloud container binauthz policy export \u003e /tmp/policy.yaml\n\n2. In a text editor, set `enforcementMode` to\n `ENFORCED_BLOCK_AND_AUDIT_LOG` and save the file.\n\n3. To update the policy, import the file by executing the following\n command:\n\n gcloud container binauthz policy import /tmp/policy.yaml\n\n| **Note:** It can take a few minutes for the policy to take effect.\n\nWhat's next\n-----------\n\n- View dry-run mode events from Binary Authorization for [GKE](/binary-authorization/docs/viewing-audit-logs#dry_run_events) in Cloud Audit Logs.\n- View dry-run mode events from Binary Authorization for [Cloud Run](/binary-authorization/docs/run/viewing-audit-logs-cloud-run#query_for_dry_run_events) in Cloud Audit Logs.\n- View dry-run mode events from Binary Authorization for [Distributed Cloud](/binary-authorization/docs/viewing-on-prem-logs#view_dry_run_log_entries) in Cloud Audit Logs."]]
