Console
    Start free

    Enable enforcement on an existing cluster

    This guide shows you how to enable Binary Authorization enforcement on an existing Google Kubernetes Engine (GKE) cluster.

    Before you begin

    Before you use this guide do the following:

    1. Create a standard GKE cluster. To learn more about creating standard clusters, see Create a zonal cluster or Create a regional cluster .
    2. Enable the Binary Authorization API .

    Enable enforcement

    To enable enforcement, perform the following steps:

    Console

    1. In the Google Cloud console, go to the GKE page:

      Go to GKE .

    2. In the Kubernetes clusterslist, click the name of your cluster.

    3. Under Security, in the row for Binary authorization, click the edit icon ( ).

    4. In the Edit Binary Authorizationdialog, select the Enable Binary Authorizationcheckbox and click Save changes.

    gcloud

    For a zonal cluster, enter the following command:

     gcloud  
container  
clusters  
update  
 NAME 
  
 \ 
  
--zone  
 ZONE 
  
 \ 
  
--binauthz-evaluation-mode = 
PROJECT_SINGLETON_POLICY_ENFORCE

    Replace the following:

    • NAME : the name of the GKE cluster on which you want to enable Binary Authorization.
    • ZONE : the zone where the cluster resides.

    Clusters can have both Binary Authorization enforcement and CV monitoring enabled. To change CV monitoring and enforcement settings, set --binauthz-evaluation-mode to one of the following values:

    • POLICY_BINDINGS : enables only CV monitoring and disables an existing enforcement policy if there is one
    • PROJECT_SINGLETON_POLICY_ENFORCE : enables only enforcement and disables CV monitoring if it was previously enabled
    • POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE : enables both enforcement and CV monitoring

    For more information on CV policy and cluster management, see Manage CV platform policies .

    Alternatively, for a regional cluster, enter the following command:

     gcloud  
container  
clusters  
update  
 NAME 
  
 \ 
  
--region  
 REGION 
  
 \ 
  
--binauthz-evaluation-mode = 
PROJECT_SINGLETON_POLICY_ENFORCE

    Replace the following:

    • NAME : the name of the GKE cluster on which you want to enable Binary Authorization.
    • REGION : the region where the cluster resides.

    Clusters can have both Binary Authorization enforcement and CV monitoring enabled. To change CV monitoring and enforcement settings, set --binauthz-evaluation-mode to one of the following values:

    • POLICY_BINDINGS : enables only CV monitoring and disables an existing enforcement policy if there is one
    • PROJECT_SINGLETON_POLICY_ENFORCE : enables only enforcement and disables CV monitoring if it was previously enabled
    • POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE : enables both enforcement and CV monitoring

    For more information on CV policy and cluster management, see Manage CV platform policies .

    What's next
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: