Preview
This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Caution: Legacy continuous validation (legacy CV) with project-singleton policies is deprecated. As of April 15, 2024, you can no longer enable legacy CV with project-singleton policies on new projects, and support for existing projects will be removed on May 1, 2025. Instead, use continuous validation (CV) with check-based platform policies. Existing legacy CV users can migrate project-singleton policies to platform policies. To learn how, see Migration.
This page is intended for users of legacy continuous validation (legacy CV) (deprecated).
Legacy continuous validation is a feature of Binary Authorization that periodically checks container images associated with running Pods for continued compliance with your Binary Authorization project-singleton policy. Legacy CV logs findings to Cloud Logging.
Legacy CV does not terminate running Pods.
Limitations
Legacy CV has the following limitations:
Legacy CV supports only Pods deployed on Google Kubernetes Engine (GKE).
Legacy CV does not support Binary Authorization policies that contain rules specific to Cloud Service Mesh, Kubernetes service accounts, or Kubernetes namespaces.
Before you begin
Ensure that you have set up Binary Authorization for Google Kubernetes Engine in a project. Legacy CV logs policy conformance events from Pods in all clusters in the project.
Ensure that the gcloud CLI is updated to the latest version.
Identity and Access Management (IAM) roles include permissions and can be assigned to users, groups, and service accounts. The following role includes the listed permission for legacy CV:
Role name: roles/binaryauthorization.policyEditor
Legacy CV permissions: binaryauthorization.continuousValidationConfig.update
Description: Enable and disable legacy CV.
Note: We recommend that you grant binaryauthorization.continuousValidationConfig.update to users who also have permission to configure a policy.
To set the required IAM permissions, run the following commands:
PROJECT_NUMBER=$(gcloud projects list \
--filter="projectId:ATTESTATION_PROJECT_ID" \
--format="value(PROJECT_NUMBER)")
SERVICE_ACCOUNT="service-$PROJECT_NUMBER@gcp-sa-binaryauthorization.iam.gserviceaccount.com"
gcloud projects add-iam-policy-binding ATTESTATION_PROJECT_ID \
--member="serviceAccount:$SERVICE_ACCOUNT" \
--role='roles/containeranalysis.occurrences.viewer'
Enable legacy CV
Console
To enable legacy CV by using the Google Cloud console, do the following:
In the Google Cloud console, go to the Binary Authorization Policy page.
Click the Policy tab.
Click Edit Policy.
Expand the Additional settings for GKE and Anthos deployments section.
Select the Enable Continuous Validation checkbox.
Click Save Policy.
To enable legacy CV using the REST API, do the following:
Store your project ID:
DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_ID
Replace DEPLOYER_PROJECT_ID with the ID of the project where you run GKE.
Get the OAuth token for Google Cloud.
BEARER_TOKEN=$(gcloud auth print-access-token)
The token is only valid for a short time.
Enable legacy CV:
curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "true"}}'
Legacy CV is now configured to log events.
Note: Legacy CV checks for policy violations at least every 24 hours, so it can take up to 24 hours for legacy CV events to appear in Logging after legacy CV is enabled or a Pod is deployed. Violations continue to be logged for non-conformant Pods until the Pod terminates. Pods that are running before legacy CV is enabled are not guaranteed to be checked.
The Logging log entry is similar to the following example:
{
  "insertId": "6054e143-0000-2562-aa64-883d24f57e70",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.binaryauthorization.v1beta1.ContinuousValidationEvent",
    "podEvent": {
      "images": [
        {
          "description": "Image IMAGE_NAME@IMAGE_DIGEST denied by attestor projects/ATTESTOR_PROJECT_ID/attestors/ATTESTOR_NAME: No attestations found that were valid and signed by a key trusted by the attestor",
          "image": "IMAGE_NAME@IMAGE_DIGEST",
          "result": "DENY"
        }
      ],
      "verdict": "VIOLATES_POLICY",
      "deployTime": "2021-03-19T17:00:08Z",
      "pod": "POD_NAME"
    }
  },
  "resource": {
    "type": "k8s_cluster",
    "labels": {
      "cluster_name": "CLUSTER_NAME",
      "location": "CLUSTER_LOCATION",
      "project_id": "DEPLOYER_PROJECT_ID"
    }
  },
  "timestamp": "2021-03-19T17:15:43.872702342Z",
  "severity": "WARNING",
  "logName": "projects/DEPLOYER_PROJECT_ID/logs/binaryauthorization.googleapis.com%2Fcontinuous_validation",
  "receiveTimestamp": "2021-03-19T17:57:00.432116179Z"
}
To learn how to query for legacy CV events, see View legacy CV events on Cloud Logging.
Troubleshooting
Legacy CV uses other Google Cloud services, such as Cloud Asset Inventory and Pub/Sub. If legacy CV fails, check Cloud Logging for Cloud Asset Inventory errors.
Additionally, legacy CV creates a feed resource called binauthz-cv-cai-feed. Deleting or modifying the feed can cause legacy CV to fail. Legacy CV automatically restores missing or altered feeds, but it might fail to log findings until it does so.
Disable legacy CV
Console
To disable legacy CV by using the Google Cloud console, do the following:
In the Google Cloud console, go to the Binary Authorization page.
Click the Policy tab.
Click Edit Policy.
Clear the Enable Continuous Validation checkbox.
Click Save Policy.
To disable legacy CV using the REST API, do the following:
Store your project ID:
DEPLOYER_PROJECT_ID=DEPLOYER_PROJECT_ID
Replace DEPLOYER_PROJECT_ID with the ID of the project where you run GKE.
Get the OAuth token for Google Cloud.
BEARER_TOKEN=$(gcloud auth print-access-token)
The token is only valid for a short time.
Disable legacy CV using the following command:
curl "https://binaryauthorization.googleapis.com/v1alpha2/projects/${DEPLOYER_PROJECT_ID}/continuousValidationConfig" -X PUT -H "authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" --data '{"enforcementPolicyConfig": {"enabled": "false"}}'
View legacy CV events on Cloud Logging
After you enable legacy CV, it regularly logs all Pods that violate the Binary Authorization policy to Cloud Logging.
These log entries contain the following log name:
logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
To view legacy CV events in Cloud Logging using Logs Explorer, do the following:
Select the project ID where you enabled Google Cloud Observability.
Enter the following query in the search-query box:
logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
Select the time range in the time-range selector.
To view legacy CV events in Cloud Logging using the Legacy Logs Viewer, do the following:
Select Go back to the Legacy Logs Viewer from the Options drop-down menu.
Choose the Google Cloud project in which you set up Google Cloud Observability.
Enter the following query into the search-query box:
logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"
Select the time range in the time-range selector.
To view legacy CV events from the past week in Cloud Logging using gcloud, execute the following command:
gcloud logging read --order="desc" --freshness=7d \
'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"'
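The following Python script is an added example, not code from this page or from Binary Authorization itself: it turns the JSON array that `gcloud logging read --format=json` returns for the query above into one record per violating Pod, using the log entry shape shown earlier (jsonPayload.podEvent with verdict, images[].result and the "denied by attestor ..." description). Because legacy CV re-logs a violation on every check until the Pod terminates, the script merges repeated reports and keeps first/last seen. The sample entries, project, cluster, image and attestor names are constructed.

```python
import json
import re

# Extracts the attestor resource name from the "denied by attestor
# projects/P/attestors/A: ..." description shown in the log entry above.
ATTESTOR_RE = re.compile(r"attestor (projects/[^/\s]+/attestors/[^:\s]+)")

def summarize_violations(raw_json: str) -> dict:
    """Collapse a JSON array of legacy CV entries (as `gcloud logging read
    --format=json` emits them) into one record per violating Pod. Non-violating
    verdicts and non-DENY images are skipped; repeated reports of one Pod
    (legacy CV re-logs until the Pod terminates) are merged with first/last seen."""
    summary = {}
    for entry in json.loads(raw_json):
        ev = entry.get("jsonPayload", {}).get("podEvent", {})
        if ev.get("verdict") != "VIOLATES_POLICY":
            continue
        lb = entry.get("resource", {}).get("labels", {})
        key = (lb.get("project_id"), lb.get("location"), lb.get("cluster_name"), ev.get("pod"))
        ts = entry["timestamp"]  # RFC 3339 UTC strings of equal precision sort lexicographically
        rec = summary.setdefault(key, {"first_seen": ts, "last_seen": ts, "reports": 0, "denied": {}})
        rec["reports"] += 1
        rec["first_seen"], rec["last_seen"] = min(rec["first_seen"], ts), max(rec["last_seen"], ts)
        for img in ev.get("images", []):
            if img.get("result") == "DENY":
                m = ATTESTOR_RE.search(img.get("description", ""))
                rec["denied"][img["image"]] = m.group(1) if m else "unknown attestor"
    return summary

def _entry(ts, pod, image, attestor, cluster="prod-cluster"):
    """Build one constructed legacy CV entry in the shape shown above (not real data)."""
    desc = (f"Image {image} denied by attestor {attestor}: No attestations found "
            "that were valid and signed by a key trusted by the attestor")
    return {"timestamp": ts, "severity": "WARNING",
            "resource": {"type": "k8s_cluster", "labels": {"cluster_name": cluster,
                         "location": "us-central1", "project_id": "example-deployer-project"}},
            "jsonPayload": {"podEvent": {"pod": pod, "verdict": "VIOLATES_POLICY",
                            "images": [{"image": image, "result": "DENY", "description": desc}]}}}

# Constructed sample: one Pod reported on two consecutive daily checks, plus a
# second Pod in another cluster denied by a different attestor.
SAMPLE = json.dumps([
    _entry("2021-03-19T17:15:43Z", "api-7c9d6b", "us-docker.pkg.dev/example/app@sha256:aaa",
           "projects/example-attestor-project/attestors/prod-attestor"),
    _entry("2021-03-20T17:20:01Z", "api-7c9d6b", "us-docker.pkg.dev/example/app@sha256:aaa",
           "projects/example-attestor-project/attestors/prod-attestor"),
    _entry("2021-03-20T18:02:10Z", "worker-5f1a", "us-docker.pkg.dev/example/worker@sha256:bbb",
           "projects/example-attestor-project/attestors/qa-attestor", cluster="dev-cluster"),
])
VIOLATIONS = summarize_violations(SAMPLE)  # one record per (project, location, cluster, pod)
```

To run it against real output, replace SAMPLE with the text of `gcloud logging read --freshness=7d --format=json 'logName:"binaryauthorization.googleapis.com%2Fcontinuous_validation"'`.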
Last updated 2025-08-11 UTC.