This documentation is for the current version of GKE on AWS, released in November 2021. See the
Release notes for more information.
How to enable Binary Authorization
Note: Starting with GKE on AWS version 1.28, manual policy binding to
authorize the service account for Binary Authorization is no longer necessary.
The required permissions are now automatically granted to this service account.
You can therefore disregard step 2 in the following instructions.
To enable Binary Authorization for GKE on AWS, perform the following steps:

1. Enable the Binary Authorization API in your project:

       gcloud services enable binaryauthorization.googleapis.com \
           --project=PROJECT_ID

   Replace PROJECT_ID with the ID of your Google Cloud project.

2. Grant the binaryauthorization.policyEvaluator role to the Kubernetes
   service account associated with the Binary Authorization agent:

       gcloud projects add-iam-policy-binding PROJECT_ID \
           --member=serviceAccount:PROJECT_ID.svc.id.goog[gke-system/binauthz-agent] \
           --role="roles/binaryauthorization.policyEvaluator"

   Replace PROJECT_ID with the ID of your Google Cloud project.

3. Enable Binary Authorization when creating or updating a cluster. Make sure to
   include the flag --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE,
   since this flag is what enables Binary Authorization:

   Creating a cluster:

       gcloud container aws clusters create CLUSTER_NAME \
           --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE

   Updating a cluster:

       gcloud container aws clusters update CLUSTER_NAME \
           --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE

   Replace CLUSTER_NAME with the name of your cluster.
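The procedure above wrapped in a POSIX shell script, as an added example that is not part of this documentation: it skips the IAM binding on clusters at version 1.28 or later (per the note above) and, as a verification step, reads the evaluation mode back from the cluster and fails if enforcement is not active. The --location flag and the binaryAuthorization.evaluationMode output field are assumptions about gcloud and the GKE Multi-Cloud API that this page does not show.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation. Assumes gcloud's
# --location flag and the binaryAuthorization.evaluationMode describe field.
set -eu

# Member identity of the Binary Authorization agent (pattern from the page).
binauthz_member() {
  printf 'serviceAccount:%s.svc.id.goog[gke-system/binauthz-agent]\n' "$1"
}

# Returns 0 (true) when the manual policyEvaluator binding is still needed,
# i.e. the cluster version is older than 1.28. Accepts e.g. "1.27.5-gke.100".
needs_manual_binding() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  minor=${minor%%[!0-9]*}   # drop any "-gke.N" style suffix
  if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 28 ]; }; then
    return 0
  fi
  return 1
}

# Enable the API, bind the role only if needed, enforce, then verify.
# Usage: enable_binauthz PROJECT_ID CLUSTER_NAME LOCATION CLUSTER_VERSION
enable_binauthz() {
  project=$1; cluster=$2; location=$3; version=$4
  gcloud services enable binaryauthorization.googleapis.com --project="$project"
  if needs_manual_binding "$version"; then
    gcloud projects add-iam-policy-binding "$project" \
      --member="$(binauthz_member "$project")" \
      --role="roles/binaryauthorization.policyEvaluator"
  fi
  gcloud container aws clusters update "$cluster" \
    --project="$project" --location="$location" \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
  # Verification: read the mode back; anything but enforce is a failure.
  mode=$(gcloud container aws clusters describe "$cluster" \
    --project="$project" --location="$location" \
    --format='value(binaryAuthorization.evaluationMode)')
  if [ "$mode" != PROJECT_SINGLETON_POLICY_ENFORCE ]; then
    echo "Binary Authorization is NOT enforced on $cluster (mode: $mode)" >&2
    return 1
  fi
  echo "Binary Authorization enforced on $cluster"
}

# Only talk to gcloud when invoked with all four arguments.
if [ $# -eq 4 ]; then
  enable_binauthz "$@"
fi
```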
By following these steps, you ensure that only trusted and verified images
are used to create Kubernetes containers in your GKE clusters. This helps
to maintain a secure environment for your applications.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-10-01 UTC.