Replace CLUSTER_NAME with the name of
your cluster.
By following these steps, you ensure that only trusted and verified images
are used to create Kubernetes containers in your GKE clusters. This helps
to maintain a secure environment for your applications.
Configure policies
Enabling Binary Authorization alone doesn't automatically protect your cluster.
By default, it allows all container images to be deployed if no policy is
configured. This means that to effectively secure your cluster, you need to
define and enforce a policy that specifies which images are allowed. To
learn how to configure a Binary Authorization policy, see
Configure a policy using the Google Cloud CLI.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Enable Binary Authorization\n\n| **Note:** Starting with Google Kubernetes Engine (GKE) Enterprise edition version 1.28, manual policy binding to authorize the service account for Binary Authorization is no longer necessary. The required permissions are now automatically granted to this service account. You can therefore disregard step 2 in the following instructions.\n\nTo enable Binary Authorization for GKE attached clusters, perform the following steps:\n\n1. Enable the Binary Authorization API in your project:\n\n gcloud services enable binaryauthorization.googleapis.com \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the ID of your\n Google Cloud project.\n2. Grant the `binaryauthorization.policyEvaluator` role to the Kubernetes\n service account associated with the Binary Authorization agent:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --member=serviceAccount:\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e.svc.id.goog[gke-system/binauthz-agent] \\\n --role=\"roles/binaryauthorization.policyEvaluator\"\n\n3. Enable Binary Authorization when registering or updating a cluster.\n\n ### Register a cluster\n\n To enable Binary Authorization when registering a cluster, use the\n [`gcloud container attached clusters register` command](/sdk/gcloud/reference/container/attached/clusters/register). Follow the instructions in\n [attach your CNCF conformant cluster](/kubernetes-engine/multi-cloud/docs/attached/generic/how-to/attach-cluster),\n and include the optional argument\n `--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE`: \n\n gcloud container attached clusters register \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e \\\n ...\n --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE\n\n Replace \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e with the name of\n your cluster.\n\n ### Update a cluster\n\n To enable Binary Authorization when updating a cluster, use the\n [`gcloud container attached clusters update` command](/sdk/gcloud/reference/container/attached/clusters/update). Follow the instructions in\n [update your CNCF conformant cluster](/kubernetes-engine/multi-cloud/docs/attached/generic/how-to/update-cluster),\n and include the optional argument\n `--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE`: \n\n gcloud container attached clusters update \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e \\\n ...\n --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE\n\n Replace \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e with the name of\n your cluster.\n\nBy following these steps, you ensure that only trusted and verified images\nare used to create Kubernetes containers in your GKE clusters. This helps\nto maintain a secure environment for your applications.\n\nConfigure policies\n------------------\n\nEnabling Binary Authorization alone doesn't automatically protect your cluster.\nBy default, it allows all container images to be deployed if no policy is\nconfigured. This means that to effectively secure your cluster, you need to\ndefine and enforce a policy that specifies which images are allowed. To\nlearn how to configure a Binary Authorization policy, see\n[Configure a policy using the Google Cloud CLI](/binary-authorization/docs/configuring-policy-cli)."]]
