Use functions with Binary Authorization
Cloud Run functions are subject to Binary Authorization policy enforcement on Cloud Run. If a Binary Authorization policy is enabled in Cloud Run, there may be cases where you need to exempt Cloud Run functions images from that policy.
Exempt Cloud Run functions images from Binary Authorization policy
A Binary Authorization policy lets you exempt images from the policy rules. To exempt your function images from Binary Authorization policies:
- Use allowlist patterns to exclude images created for Cloud Run functions.
- Deploy functions with the --binary-authorization flag.
Cloud Run functions allowlist pattern
By default, all function images are stored in the local project's Artifact Registry under the gcf-artifacts/ folder.
You can use the following pattern to exempt all images generated as a result of deploying functions to Cloud Run functions:
REGION-docker.pkg.dev/PROJECT_ID/gcf-artifacts/**
Replace the following:
- REGION: the region where your function was deployed.
- PROJECT_ID: the project ID where the function is deployed.
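Where the pattern sits in the project's Binary Authorization policy file, as an added example that is not part of the original page. ATTESTOR_NAME and the attestation-based default rule are assumptions standing in for whatever your existing policy already enforces.

```yaml
# Added example: Binary Authorization policy with Cloud Run functions
# images exempted. Export the current policy, edit it, then import it back:
#   gcloud container binauthz policy export > policy.yaml
#   gcloud container binauthz policy import policy.yaml
# REGION and PROJECT_ID are the page's placeholders; ATTESTOR_NAME and the
# default rule below are assumptions, keep the rule your policy already has.
admissionWhitelistPatterns:
# Exempts every image under gcf-artifacts/ in this one region and project.
# The trailing ** also covers subdirectories, so anything pushed to this
# repository bypasses the rules below; keep write access to it restricted.
- namePattern: REGION-docker.pkg.dev/PROJECT_ID/gcf-artifacts/**
defaultAdmissionRule:
  # All other images still need an attestation before they can be deployed.
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/ATTESTOR_NAME
```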
Deploy functions with Binary Authorization
With the allowlist enabled, deploy your function with Binary Authorization enabled and set to default:
gcloud functions deploy YOUR_FUNCTION_NAME ... --binary-authorization default