Enable Binary Authorization

To enable Binary Authorization for GKE attached clusters, perform the following steps:

  1. Enable the Binary Authorization API in your project:

    gcloud services enable binaryauthorization.googleapis.com \
    --project=PROJECT_ID
    

    Replace PROJECT_ID with the ID of your Google Cloud project.

  2. Grant the binaryauthorization.policyEvaluator role to the Kubernetes service account associated with the Binary Authorization agent:

    gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:PROJECT_ID.svc.id.goog[gke-system/binauthz-agent] \
    --role="roles/binaryauthorization.policyEvaluator"
    
  3. Enable Binary Authorization when registering or updating a cluster.

    Register a cluster

    To enable Binary Authorization when registering a cluster, use the gcloud container attached clusters register command. Follow the instructions in attach your CNCF conformant cluster, and include the optional argument --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE:

    gcloud container attached clusters register CLUSTER_NAME \
    ...
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
    

    Replace CLUSTER_NAME with the name of your cluster.

    Update a cluster

    To enable Binary Authorization when updating a cluster, use the gcloud container attached clusters update command. Follow the instructions in update your CNCF conformant cluster, and include the optional argument --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE:

    gcloud container attached clusters update CLUSTER_NAME \
    ...
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
    

    Replace CLUSTER_NAME with the name of your cluster.
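The three steps above, wrapped in one script with a post-enablement check. This is an added example, not code from the Google Cloud documentation; the `describe` query and the `binaryAuthorization.evaluationMode` field path it reads are assumptions to confirm against your gcloud version, and `GCLOUD=echo` gives a dry run.

```shell
#!/bin/sh
# Added example (not Google's own tooling). GCLOUD can be overridden,
# e.g. GCLOUD=echo, to print the commands instead of running them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
ENFORCE_MODE="PROJECT_SINGLETON_POLICY_ENFORCE"

# Steps 1 and 2: enable the API and bind policyEvaluator to the agent's
# Kubernetes service account (gke-system/binauthz-agent) via Workload Identity.
binauthz_project_setup() {
  project="$1"
  "$GCLOUD" services enable binaryauthorization.googleapis.com --project="$project"
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${project}.svc.id.goog[gke-system/binauthz-agent]" \
    --role="roles/binaryauthorization.policyEvaluator"
}

# Step 3: "register" a new attached cluster or "update" an existing one.
# Every other flag the register/update command needs (location, fleet,
# platform version, ...) is passed through unchanged after the cluster name.
binauthz_cluster_enable() {
  action="$1"; cluster="$2"; shift 2
  case "$action" in
    register|update) ;;
    *) echo "action must be register or update, got: $action" >&2; return 2 ;;
  esac
  "$GCLOUD" container attached clusters "$action" "$cluster" "$@" \
    --binauthz-evaluation-mode="$ENFORCE_MODE"
}

# Pure check on a reported evaluation mode: only the enforce mode passes.
# An empty value (field unset) or DISABLED means step 3 did not take effect.
binauthz_mode_enforced() {
  [ "${1:-}" = "$ENFORCE_MODE" ]
}

# Read the mode back from the cluster. ASSUMPTION: the describe output exposes
# binaryAuthorization.evaluationMode; adjust the field path if yours differs.
binauthz_verify_cluster() {
  cluster="$1"; location="$2"
  mode="$("$GCLOUD" container attached clusters describe "$cluster" \
    --location="$location" --format='value(binaryAuthorization.evaluationMode)')"
  binauthz_mode_enforced "$mode"
}
```

Run `binauthz_project_setup PROJECT_ID`, then `binauthz_cluster_enable register CLUSTER_NAME <other flags>`, and finish with `binauthz_verify_cluster CLUSTER_NAME LOCATION` so enforcement is confirmed rather than assumed.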

By following these steps, you ensure that only trusted and verified images are used to create Kubernetes containers in your GKE clusters. This helps to maintain a secure environment for your applications.

Configure policies

Enabling Binary Authorization alone doesn't automatically protect your cluster. By default, it allows all container images to be deployed if no policy is configured. This means that to effectively secure your cluster, you need to define and enforce a policy that specifies which images are allowed. To learn how to configure a Binary Authorization policy, see Configure a policy using the Google Cloud CLI.


Last updated October 13, 2025 UTC.