Note: This document or section includes references to one or more terms that Google considers disrespectful or offensive. The terms are used because they are keywords in the software that's described in the document. The terms: whitelist
This page provides instructions on using breakglass with Binary Authorization.
Before you begin
This guide assumes you have set up Binary Authorization.
Overview
You use breakglass to deploy a container image that Binary Authorization blocks.
Breakglass provides an emergency escape hatch that lets you override Binary Authorization policy enforcement to allow images to be deployed, even those that would be disallowed by the policy.
This feature is implemented consistent with the break-glass convention of the Kubernetes ImagePolicyWebhook admission controller, which Binary Authorization uses as its enforcement point on GKE; the label and annotation keys below come from that specification rather than from Binary Authorization itself.
When you use breakglass to deploy an image, a breakglass event is automatically logged to Cloud Audit Logs, regardless of whether the deployment satisfies or violates the policy. In Cloud Audit Logs, you can manually audit or automatically trigger an alert or other downstream event.
To enable breakglass, you add the label image-policy.k8s.io/break-glass: "true" to the metadata of the Pod specification. The label is the only switch: there is no policy setting, role, or cluster flag to turn on first, which is why auditing its use matters.
This section shows how to use breakglass to deploy images, including those that violate the Binary Authorization policy.
Update the Binary Authorization policy to reject all requests to deploy
Note: We recommend that the following steps only be performed on a test Google Kubernetes Engine project.
To demonstrate a policy violation that results in an image being blocked from deployment, the following instructions update the default Binary Authorization policy, disallowing all images from being deployed. This procedure replaces your existing policy. We recommend you save your existing policy before proceeding.
To update the policy to disallow all images from being deployed, perform the following steps:
Google Cloud console
Go to the Binary Authorization page in the Google Cloud console.
Click Edit policy.
In the Edit policy page, in Project default rule, note the original evaluation mode, then click Disallow all images.
Click Save policy.
gcloud
To save the existing policy in the current project, execute the following command:
gcloud container binauthz policy export > SAVE_POLICY_YAML
Replace SAVE_POLICY_YAML with the path of the export file, for example /tmp/save_policy.yaml.
Create a policy file:
cat > TEST_POLICY_YAML << EOM
admissionWhitelistPatterns:
defaultAdmissionRule:
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  evaluationMode: ALWAYS_DENY
globalPolicyEvaluationMode: DISABLE
EOM
Replace TEST_POLICY_YAML with a file path, for example /tmp/policy.yaml.
Import the policy:
gcloud container binauthz policy import TEST_POLICY_YAML
Replace TEST_POLICY_YAML with the same file path you used in the previous step, for example /tmp/policy.yaml.
All images are now blocked from being deployed by the default rule. Because globalPolicyEvaluationMode is DISABLE, the exemption for Google-maintained system images is also off, so any new Pod in the cluster, including GKE system Pods that get rescheduled, is blocked until you restore the policy. Existing running Pods are not affected.
Attempt to deploy an image
In this section you attempt to deploy an image. The default rule of the policy is configured to disallow all images from being deployed, so the deploy request fails.
Create a configuration file in YAML format. This file contains the basic information required to create the pod:
cat > /tmp/create_pod.yaml << EOM
apiVersion: v1
kind: Pod
metadata:
  name: breakglass-pod
spec:
  containers:
  - name: container-name
    image: us-docker.pkg.dev/google-samples/containers/gke/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
EOM
Create the Pod using kubectl:
kubectl create -f /tmp/create_pod.yaml
You see an error indicating that the image was blocked by your policy. The error names the image reference from your Pod specification and resembles the following:
Error from server (Forbidden): error when creating "/tmp/create_pod.yaml": pods "breakglass-pod" is forbidden: image policy webhook backend denied one or more images: Image us-docker.pkg.dev/google-samples/containers/gke/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4 denied by Binary Authorization default admission rule. Denied by always_deny admission rule.
In this section you enable breakglass. Although breakglass is specific to Binary Authorization, you enable it by adding a label under the image-policy.k8s.io key to the Pod specification, because Binary Authorization is implemented as an ImagePolicyWebhook backend and the webhook defines that key.
To enable breakglass, execute the following commands:
Create a configuration file in YAML format. The following command creates the file containing the break-glass label and other information required to create the pod:
cat > /tmp/create_pod.yaml << EOM
apiVersion: v1
kind: Pod
metadata:
  name: pod-name
  labels:
    image-policy.k8s.io/break-glass: "true"
spec:
  containers:
  - name: container-name
    image: us-docker.pkg.dev/google-samples/containers/gke/hello-app@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4
EOM
Create the pod using kubectl:
kubectl create -f /tmp/create_pod.yaml
Note the output: pod/pod-name created
View breakglass events in Cloud Audit Logs.
Older PodSpecs that specify the annotation alpha.image-policy.k8s.io/break-glass: "true" also trigger breakglass and produce log entries. Using that annotation is no longer recommended but is still supported to maintain backwards compatibility, so any check for breakglass use must look for both the label and the annotation.
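The two places a practitioner wants to catch breakglass use are before the manifest is applied and afterwards in Cloud Audit Logs. The following Python is an added example, not code from the Binary Authorization documentation or from Google: one helper recognizes the break-glass label and the deprecated annotation described above, a manifest gate applies it to Pods and to the pod templates of workload controllers (whose labels are copied onto the Pods they create), and an audit-log triage applies it to the request body recorded in a Pod create entry. The manifests and log entries are constructed for the example; the log-entry label imagepolicywebhook.image-policy.k8s.io/break-glass is an assumption about what the webhook attaches to the entry and is used only as a secondary signal.

```python
"""Added example, not part of the Binary Authorization docs: one helper that
recognizes a breakglass request, used by a pre-apply manifest gate and by a
Cloud Audit Logs triage. All manifests and log entries here are constructed."""
from typing import Any, Iterable

BREAKGLASS_LABEL = "image-policy.k8s.io/break-glass"             # current form (Pod label)
BREAKGLASS_ANNOTATION = "alpha.image-policy.k8s.io/break-glass"  # deprecated form (annotation)
# Assumption: the audit-log entry for a breakglass admission also carries this
# log-entry label. It is treated as a second signal only, never relied on alone.
LOG_ENTRY_BREAKGLASS_LABEL = "imagepolicywebhook.image-policy.k8s.io/break-glass"


def breakglass_requested(metadata: dict[str, Any]) -> bool:
    """True when Pod metadata asks for breakglass via the label or the deprecated
    annotation. The documented value is the string "true"; match it exactly."""
    labels = metadata.get("labels") or {}
    annotations = metadata.get("annotations") or {}
    return (labels.get(BREAKGLASS_LABEL) == "true"
            or annotations.get(BREAKGLASS_ANNOTATION) == "true")


def pod_metadata_of(obj: dict[str, Any]) -> list[dict[str, Any]]:
    """Metadata that ends up on Pods: a Pod's own metadata, the pod template of
    Deployment/StatefulSet/DaemonSet/Job, and the nested Job template of a CronJob."""
    spec = obj.get("spec") or {}
    found: list[dict[str, Any]] = []
    if obj.get("kind") == "Pod":
        found.append(obj.get("metadata") or {})
    if isinstance(spec.get("template"), dict):
        found.append(spec["template"].get("metadata") or {})
    if isinstance(spec.get("jobTemplate"), dict):
        found.extend(pod_metadata_of(spec["jobTemplate"]))
    return found


def manifests_with_breakglass(objects: Iterable[dict[str, Any]]) -> list[str]:
    """Pre-apply gate: kind/name of every object that would trigger breakglass."""
    hits = []
    for obj in objects:
        if any(breakglass_requested(md) for md in pod_metadata_of(obj)):
            hits.append(f"{obj.get('kind')}/{(obj.get('metadata') or {}).get('name')}")
    return hits


def breakglass_events(entries: Iterable[dict[str, Any]]) -> list[dict[str, Any]]:
    """Triage of Cloud Audit Logs entries (the JSON objects `gcloud logging read
    --format=json` returns). A Pod create is flagged when the recorded request
    carries breakglass or the entry carries the assumed log label. Images not
    pinned by digest are listed separately; they deserve the closest look."""
    events = []
    for entry in entries:
        payload = entry.get("protoPayload") or {}
        if not str(payload.get("methodName", "")).endswith("pods.create"):
            continue
        request = payload.get("request") or {}
        via_request = breakglass_requested(request.get("metadata") or {})
        via_label = (entry.get("labels") or {}).get(LOG_ENTRY_BREAKGLASS_LABEL) == "true"
        if not (via_request or via_label):
            continue
        images = [c.get("image", "") for c in (request.get("spec") or {}).get("containers", [])]
        events.append({
            "time": entry.get("timestamp"),
            "principal": (payload.get("authenticationInfo") or {}).get("principalEmail"),
            "resource": payload.get("resourceName"),
            "cluster": ((entry.get("resource") or {}).get("labels") or {}).get("cluster_name"),
            "images": images,
            "unpinned": [i for i in images if "@sha256:" not in i],
        })
    return events


PINNED = ("us-docker.pkg.dev/google-samples/containers/gke/hello-app"
          "@sha256:c62ead5b8c15c231f9e786250b07909daf6c266d0fcddd93fea882eb722c3be4")

SAMPLE_MANIFESTS = [  # constructed, as they would load from YAML
    {"kind": "Pod", "metadata": {"name": "pod-name", "labels": {BREAKGLASS_LABEL: "true"}},
     "spec": {"containers": [{"name": "c", "image": PINNED}]}},
    {"kind": "Pod", "metadata": {"name": "breakglass-pod"},
     "spec": {"containers": [{"name": "c", "image": PINNED}]}},
    {"kind": "Deployment", "metadata": {"name": "web"},
     "spec": {"template": {"metadata": {"labels": {BREAKGLASS_LABEL: "true"}}}}},
    {"kind": "Pod", "metadata": {"name": "off", "labels": {BREAKGLASS_LABEL: "false"}}},
]


def _entry(ts, who, pod, metadata, image, entry_labels=None):
    """Constructed GKE audit-log entry for a Pod create (realistic shape, fake data)."""
    return {
        "timestamp": ts,
        "resource": {"type": "k8s_cluster", "labels": {"cluster_name": "test-cluster"}},
        "labels": entry_labels or {},
        "protoPayload": {
            "methodName": "io.k8s.core.v1.pods.create",
            "resourceName": f"core/v1/namespaces/default/pods/{pod}",
            "authenticationInfo": {"principalEmail": who},
            "request": {"metadata": {"name": pod, **metadata},
                        "spec": {"containers": [{"name": "c", "image": image}]}},
        },
    }


SAMPLE_ENTRIES = [
    _entry("2025-08-07T10:00:00Z", "oncall@example.com", "pod-name",
           {"labels": {BREAKGLASS_LABEL: "true"}}, PINNED, {LOG_ENTRY_BREAKGLASS_LABEL: "true"}),
    _entry("2025-08-07T10:01:00Z", "ci@example.com", "breakglass-pod", {}, PINNED),
    _entry("2025-08-07T10:02:00Z", "dev@example.com", "legacy",
           {"annotations": {BREAKGLASS_ANNOTATION: "true"}},
           "us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0"),
]

if __name__ == "__main__":
    print(manifests_with_breakglass(SAMPLE_MANIFESTS))
    for event in breakglass_events(SAMPLE_ENTRIES):
        print(event)
```

Run against real data by loading manifests with a YAML parser and feeding `gcloud logging read --format=json` output to breakglass_events. Keying the triage on the recorded request body rather than only on the webhook's own log label means a breakglass Pod is still found if the label assumption above turns out to be wrong for your log format.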
To delete the Pod and disable breakglass, do the following:
Delete the Pod:
kubectl delete -f /tmp/create_pod.yaml
Verify you received output like pod "pod-name" deleted.
Remove the labels block (or the deprecated annotation) from your Pod specification so the override does not survive into the next deployment.
Reset your policy:
Google Cloud console
Go to the Binary Authorization page in the Google Cloud console.
Click Edit policy.
In the Edit policy page, in Project default rule, reset the evaluation mode to the previous setting.
Click Save policy.
gcloud
Reimport your original policy:
gcloud container binauthz policy import SAVE_POLICY_YAML
Replace SAVE_POLICY_YAML with the path to the file you created earlier in this guide.
Your policy is reset.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-07 UTC.