Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the [Service Specific Terms](/terms/service-terms#1).

Pre-GA products and features are available "as is" and might have limited support.

For more information, see the [launch stage descriptions](/products#product-launch-stages).

If you are using [fleets](/kubernetes-engine/fleet-management/docs) with your Google Kubernetes Engine clusters, then you can enable continuous validation (CV) as a fleet-default configuration. This means that every new GKE on Google Cloud cluster [registered during cluster creation](/anthos/fleet-management/docs/register/gke#register_your_cluster) will have CV enabled on the cluster. You can find out more about fleet default configuration in [Manage fleet-level features](/anthos/fleet-management/docs/manage-features).

Before you begin

1. [Enable Binary Authorization](/binary-authorization/docs/enabling).
2. Enable the GKE API.

   [Enable GKE API](https://console.cloud.google.com/flows/enableapi?apiid=container.googleapis.com)

3. [Update the Google Cloud CLI](/sdk/docs/components#updating_components) to version 457.0.0 or later.
4. [Create your platform policies](/binary-authorization/docs/manage-platform-policies).

Enable on a new fleet

To enable CV on a new fleet, run the following command:

    gcloud container fleet create \
        --binauthz-evaluation-mode=POLICY_BINDINGS \
        --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID

Replace the following:

- POLICY_PROJECT_ID: the ID of the project where the policy is stored
- POLICY_ID: the policy ID

You can also create a new fleet with multiple platform policies:

    gcloud container fleet create \
        --binauthz-evaluation-mode=POLICY_BINDINGS \
        --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID_1 \
        --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID_2

Enable on an existing fleet

If you have an existing fleet, you can enable CV. However, enabling CV for an existing fleet doesn't affect workloads in existing fleet member clusters. If you want existing workloads to have CV enabled, you need to [enable the feature on individual clusters](/binary-authorization/docs/manage-platform-policies#update-cluster-platform-policy).

To enable CV on an existing fleet, run the following command:

    gcloud container fleet update \
        --binauthz-evaluation-mode=POLICY_BINDINGS \
        --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID

Replace the following:

- POLICY_PROJECT_ID: the ID of the project where the policy is stored
- POLICY_ID: the policy ID

Disable

Disabling CV only affects workloads in new fleet member clusters. If you want existing workloads to have CV disabled, you need to [disable the feature on individual clusters](/binary-authorization/docs/disabling).

To disable CV on any new member clusters, run the following command:

    gcloud container fleet update \
        --binauthz-evaluation-mode=DISABLED

Last updated 2025-09-02 UTC.
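The `gcloud container fleet create` and `update` commands on this page take one `--binauthz-policy-bindings` flag per platform policy, so a mistyped ID or a stray `/` silently changes the resource path that gets bound. The following script is an added example, not part of the original documentation: it validates the inputs and prints the command for review without running `gcloud`. The function names, the policy ID allow-list and the sample IDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Google's code): validate inputs and print the fleet-default
# CV command built from the flags shown on this page. It never runs gcloud.
# Function names and the sample IDs at the bottom are hypothetical.

# Google Cloud project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
valid_project_id() (
  LC_ALL=C
  case "$1" in
    *[!a-z0-9-]* | [!a-z]* | *-) exit 1 ;;
  esac
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ]
)

# Conservative allow-list chosen for this example, not a documented naming rule:
# it keeps '/', ',', '=' and whitespace out of the resource path.
valid_policy_id() (
  LC_ALL=C
  case "$1" in
    "" | *[!A-Za-z0-9_-]*) exit 1 ;;
  esac
)

# Usage: build_fleet_cv_cmd <create|update> POLICY_PROJECT_ID POLICY_ID...
# Prints one command line on stdout; fails with status 2 on bad input.
build_fleet_cv_cmd() (
  [ "$#" -ge 3 ] || { echo "need a verb, a project ID and at least one policy ID" >&2; exit 2; }
  verb=$1 project=$2 seen=" "
  shift 2
  case "$verb" in
    create | update) ;;
    *) echo "verb must be create or update: $verb" >&2; exit 2 ;;
  esac
  valid_project_id "$project" || { echo "invalid project ID: $project" >&2; exit 2; }
  cmd="gcloud container fleet $verb --binauthz-evaluation-mode=POLICY_BINDINGS"
  for id in "$@"; do
    valid_policy_id "$id" || { echo "invalid policy ID: $id" >&2; exit 2; }
    case "$seen" in  # duplicates are rejected as likely typos (this example's choice)
      *" $id "*) echo "duplicate policy ID: $id" >&2; exit 2 ;;
    esac
    seen="$seen$id "
    cmd="$cmd --binauthz-policy-bindings=name=projects/$project/platforms/gke/policies/$id"
  done
  printf '%s\n' "$cmd"
)

# Constructed sample values; review the printed command before running it.
build_fleet_cv_cmd update example-policy-proj baseline-policy signed-images
```
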