Binary Authorization documentation
Binary Authorization is a service on Google Cloud that provides centralized
software supply-chain security for applications that run on
Google Kubernetes Engine (GKE), Cloud Run, and Distributed Cloud.
Learn more
Start your proof of concept with $300 in free credit
-
Get access to Gemini 2.0 Flash Thinking
-
Free monthly usage of popular products, including AI APIs and BigQuery
-
No automatic charges, no commitment
Keep exploring with 20+ always-free products
Access 20+ free products for common use cases, including AI APIs, VMs, data warehouses,
and more.
Training
Training and tutorials
Secure your GKE Deployments with Binary Authorization
This lab describes how to secure a GKE cluster using Binary Authorization.
GKE
Training
Training and tutorials
Secure your GKE Deployments with Binary Authorization
Add deploy-time policy enforcement to your GKE cluster.
GKE
Training
Training and tutorials
Get up and running quickly with GKE and Binary Authorization with this end-to-end getting started tutorial.
GKE
Training
Training and tutorials
Multi-project setup
Use different projects to restrict access for different activities, enforcing separation of duties.
GKE
Training
Training and tutorials
View audit logs for Binary Authorization
View audit logs for Binary Authorization events.
GKE
Cloud Audit Logs
Training
Training and tutorials
View audit logs for Binary Authorization for Google Distributed Cloud (GDC)
View audit logs for Binary Authorization events for Google Distributed Cloud.
GKE on-prem
Cloud Audit Logs
Training
Training and tutorials
Monitor metrics for Binary Authorization for Google Distributed Cloud
Monitor metrics from Binary Authorization for GKE on-prem.
GKE on-prem
Cloud Monitoring
Use case
Use cases
Security controls and forensic analysis for GKE apps
Details instrumentation and tools used in forensic analysis for apps deployed to GKE.
Security
Container analysis
Use case
Use cases
Help secure software supply chains on GKE
Shows you how to ensure that your supply chain follows a known and secure path before you deploy your code in a GKE cluster.
DevOps
Code sample
Code Samples
Google Provider
With Google Provider for Terraform, you can configure your Google Cloud infrastructure.
Code sample
Code Samples
Attestor Provider
Create Binary Authorization attestors.
Code sample
Code Samples
IAM policy for Binary Authorization Attestor
Three different resources help you manage your IAM policy for Binary Authorization Attestor.
Code sample
Code Samples
Binary Authorization Policy
Configure a Binary Authorization policy.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-25 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eBinary Authorization is a Google Cloud service that enhances software supply-chain security for applications on Google Kubernetes Engine (GKE) and Distributed Cloud.\u003c/p\u003e\n"],["\u003cp\u003eThis documentation provides guides on configuring Binary Authorization policies, including quickstarts and tutorials for GKE, Cloud Console, and REST API.\u003c/p\u003e\n"],["\u003cp\u003eYou can learn how to create attestations, including using Kritis Signer or Voucher for vulnerability scanning.\u003c/p\u003e\n"],["\u003cp\u003eReference materials cover policy YAML, gcloud and REST API, along with permissions, roles, and custom roles.\u003c/p\u003e\n"],["\u003cp\u003eResources include pricing information, support options, billing questions, release notes, and details on quotas and limits.\u003c/p\u003e\n"]]],[],null,["# Binary Authorization documentation\n==================================\n\n[Read product documentation](/binary-authorization/docs/overview)\nBinary Authorization is a service on Google Cloud that provides centralized\nsoftware supply-chain security for applications that run on\nGoogle Kubernetes Engine (GKE), Cloud Run, and Distributed Cloud. [Learn more](/binary-authorization/docs/overview)\n[Get started for free](https://console.cloud.google.com/freetrial) \n\n#### Start your proof of concept with $300 in free credit\n\n- Get access to Gemini 2.0 Flash Thinking\n- Free monthly usage of popular products, including AI APIs and BigQuery\n- No automatic charges, no commitment \n[View free product offers](/free/docs/free-cloud-features#free-tier) \n\n#### Keep exploring with 20+ always-free products\n\n\nAccess 20+ free products for common use cases, including AI APIs, VMs, data warehouses,\nand more.\n\nDocumentation resources\n-----------------------\n\nFind quickstarts and guides, review key references, and get help with common issues. \nformat_list_numbered\n\n### Guides\n\n-\n\n [Quickstart: Configure a Binary Authorization policy with GKE](/binary-authorization/docs/configure-policy-gke)\n\n-\n\n [End-to-end attestation tutorial (GKE)](/binary-authorization/docs/getting-started-console)\n\n-\n\n [Set up Binary Authorization on your platform](/binary-authorization/docs/set-up-platform)\n\n-\n\n [Create attestations in a Cloud Build pipeline](/binary-authorization/docs/cloud-build)\n\n-\n\n [Configure a policy using Cloud console](/binary-authorization/docs/configuring-policy-console)\n\n-\n\n [Create attestors using Cloud console](/binary-authorization/docs/creating-attestors-console)\n\n-\n\n [Create attestations](/binary-authorization/docs/making-attestations)\n\n-\n\n [Configure a policy using the REST API](/binary-authorization/docs/configuring-policy-rest)\n\nfind_in_page\n\n### Reference\n\n-\n\n [Policy YAML reference](/binary-authorization/docs/policy-yaml-reference)\n\n-\n\n [Example policies](/binary-authorization/docs/example-policies)\n\n-\n\n [gcloud reference](/sdk/gcloud/reference/container/binauthz)\n\n-\n\n [REST API](/binary-authorization/docs/reference/rest)\n\n-\n\n [Permissions and roles](/binary-authorization/docs/reference/permissions-and-roles)\n\n-\n\n [Separation of duties and IAM roles](/binary-authorization/docs/reference/organizational-and-iam-roles)\n\n-\n\n [Custom roles](/binary-authorization/docs/reference/custom-roles)\n\n-\n\n [RPC API](/binary-authorization/docs/reference/rpc)\n\ninfo\n\n### Resources\n\n-\n\n [Pricing](/binary-authorization/pricing)\n\n-\n\n [Get support](/binary-authorization/docs/getting-support)\n\n-\n\n [Billing questions](/binary-authorization/docs/billing-questions)\n\n-\n\n [Release notes](/binary-authorization/docs/release-notes)\n\n-\n\n [Quotas and limits](/binary-authorization/docs/quotas)\n\nRelated resources\n-----------------\n\nTraining and tutorials \nUse cases \nCode samples \nExplore self-paced training, use cases, reference architectures, and code samples with examples of how to use and connect Google Cloud services. Training \nTraining and tutorials\n\n### Secure your GKE Deployments with Binary Authorization\n\n\nThis lab describes how to secure a GKE cluster using Binary Authorization.\n\nGKE\n\n\u003cbr /\u003e\n\n[Learn more](https://www.cloudskillsboost.google/focuses/1791?parent=catalog) \nTraining \nTraining and tutorials\n\n### Secure your GKE Deployments with Binary Authorization\n\n\nAdd deploy-time policy enforcement to your GKE cluster.\n\nGKE\n\n\u003cbr /\u003e\n\n[Learn more](https://codelabs.developers.google.com/codelabs/cloud-binauthz-intro) \nTraining \nTraining and tutorials\n\n### Get started using the command-line tool\n\n\nGet up and running quickly with GKE and Binary Authorization with this end-to-end getting started tutorial.\n\nGKE\n\n\u003cbr /\u003e\n\n[Learn more](/binary-authorization/docs/getting-started-cli) \nTraining \nTraining and tutorials\n\n### Multi-project setup\n\n\nUse different projects to restrict access for different activities, enforcing separation of duties.\n\nGKE\n\n\u003cbr /\u003e\n\n[Learn more](/binary-authorization/docs/multi-project-setup-cli) \nTraining \nTraining and tutorials\n\n### View audit logs for Binary Authorization\n\n\nView audit logs for Binary Authorization events.\n\nGKE Cloud Audit Logs\n\n\u003cbr /\u003e\n\n[Learn more](/binary-authorization/docs/viewing-audit-logs) \nTraining \nTraining and tutorials\n\n### View audit logs for Binary Authorization for Google Distributed Cloud (GDC)\n\n\nView audit logs for Binary Authorization events for Google Distributed Cloud.\n\nGKE on-prem Cloud Audit Logs\n\n\u003cbr /\u003e\n\n[Learn more](/binary-authorization/docs/viewing-on-prem-logs) \nTraining \nTraining and tutorials\n\n### Monitor metrics for Binary Authorization for Google Distributed Cloud\n\n\nMonitor metrics from Binary Authorization for GKE on-prem.\n\nGKE on-prem Cloud Monitoring\n\n\u003cbr /\u003e\n\n[Learn more](/binary-authorization/docs/on-prem-cloud-monitoring) \nUse case \nUse cases\n\n### Security controls and forensic analysis for GKE apps\n\n\nDetails instrumentation and tools used in forensic analysis for apps deployed to GKE.\n\nSecurity Container analysis\n\n\u003cbr /\u003e\n\n[Learn more](/solutions/security-controls-and-forensic-analysis-for-GKE-apps) \nUse case \nUse cases\n\n### Help secure software supply chains on GKE\n\n\nShows you how to ensure that your supply chain follows a known and secure path before you deploy your code in a GKE cluster.\n\nDevOps\n\n\u003cbr /\u003e\n\n[Learn more](/solutions/secure-software-supply-chains-on-google-kubernetes-engine) \nCode sample \nCode Samples\n\n### Google Provider\n\n\nWith Google Provider for Terraform, you can configure your Google Cloud infrastructure.\n\n\n[Learn more\narrow_forward](https://www.terraform.io/docs/providers/google/index.html) \nCode sample \nCode Samples\n\n### Attestor Provider\n\n\nCreate Binary Authorization attestors.\n\n\n[Learn more\narrow_forward](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/binary_authorization_attestor) \nCode sample \nCode Samples\n\n### IAM policy for Binary Authorization Attestor\n\n\nThree different resources help you manage your IAM policy for Binary Authorization Attestor.\n\n\n[Learn more\narrow_forward](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/binary_authorization_attestor_iam) \nCode sample \nCode Samples\n\n### Binary Authorization Policy\n\n\nConfigure a Binary Authorization policy.\n\n\n[Learn more\narrow_forward](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/binary_authorization_policy)\n\nRelated videos\n--------------"]]