To ensure that only trusted container images are deployed on Cloud Run, you can implement Binary Authorization, which is a deploy-time security control that ensures only trusted images are used.

Set Up Binary Authorization:

Navigate to the Google Cloud Console.

Go to Security > Binary Authorization.

Configure the policy to include attestors that verify your trusted images.

Enable Binary Authorization on Cloud Run:

Go to the Cloud Run service.

Enable Binary Authorization on your existing Cloud Run services by selecting the appropriate Binary Authorization policy.

Set Organization Policy:

Go to the Organization Policies page in the Google Cloud Console.

Add a constraint for constraints/run.allowedBinaryAuthorizationPolicies.

Specify the list of allowed Binary Authorization policy names to enforce across your organization.

These steps ensure that any container image deployed on Cloud Run is validated against the specified Binary Authorization policies, preventing untrusted images from being deployed.