# Enable enforcement on an existing cluster

This guide shows you how to enable Binary Authorization enforcement on an existing Google Kubernetes Engine (GKE) cluster.

Before you begin
----------------

Before you use this guide, do the following:

1. Create a [standard](/kubernetes-engine/docs/concepts/cluster-architecture) GKE cluster. To learn more about creating standard clusters, see [Create a zonal cluster](/kubernetes-engine/docs/how-to/creating-a-zonal-cluster) or [Create a regional cluster](/kubernetes-engine/docs/how-to/creating-a-regional-cluster).
2. [Enable the Binary Authorization API](/binary-authorization/docs/enabling).

Enable enforcement
------------------

To enable enforcement, perform the following steps:

### Console

1. In the Google Cloud console, go to the GKE page:

   [Go to GKE](https://console.cloud.google.com/kubernetes/list).
2. In the **Kubernetes clusters** list, click the name of your cluster.
3. Under **Security**, in the row for **Binary authorization**, click the edit icon.
4. In the **Edit Binary Authorization** dialog, select the **Enable Binary Authorization** checkbox and click **Save changes**.

### gcloud

For a zonal cluster, enter the following command:

    gcloud container clusters update NAME \
        --zone ZONE \
        --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE

Replace the following:

- `NAME`: the name of the GKE cluster on which you want to enable Binary Authorization.
- `ZONE`: the zone where the cluster resides.

Clusters can have both Binary Authorization enforcement and CV monitoring enabled. To change CV monitoring and enforcement settings, set `--binauthz-evaluation-mode` to one of the following values:

- `POLICY_BINDINGS`: enables only CV monitoring and disables an existing enforcement policy if there is one
- `PROJECT_SINGLETON_POLICY_ENFORCE`: enables only enforcement and disables CV monitoring if it was previously enabled
- `POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE`: enables both enforcement and CV monitoring

For more information on CV policy and cluster management, see [Manage CV platform policies](/binary-authorization/docs/manage-platform-policies).

Alternatively, for a regional cluster, enter the following command:

    gcloud container clusters update NAME \
        --region REGION \
        --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE

Replace the following:

- `NAME`: the name of the GKE cluster on which you want to enable Binary Authorization.
- `REGION`: the region where the cluster resides.

The `--binauthz-evaluation-mode` values listed for the zonal command apply to regional clusters as well.

**Note:** It can take a few minutes for the policy to take effect.

What's next
-----------

- [Require attestations](/binary-authorization/docs/attestations)
- [Deploy container images](/binary-authorization/docs/deploying-containers)
- [View events in Cloud Audit Logs](/binary-authorization/docs/viewing-audit-logs)

Last updated 2025-09-04 UTC.
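
Because each `--binauthz-evaluation-mode` value replaces the previous setting (for example, `POLICY_BINDINGS` disables an existing enforcement policy), the following added example, which is not part of the original guide, picks the value that adds one feature without dropping the other and flags clusters that are not enforcing. The function names, the sample listing, and the `binaryAuthorization.evaluationMode` field path are assumptions of this example.

```bash
# Added example; function names and the sample listing are constructed.
# A real listing could come from (field path assumed from the GKE cluster resource):
#   gcloud container clusters list \
#     --format='csv[no-heading](name,location,binaryAuthorization.evaluationMode)'

# enforces MODE: succeeds if MODE includes Binary Authorization enforcement.
enforces() { case "$1" in *PROJECT_SINGLETON_POLICY_ENFORCE) return 0 ;; *) return 1 ;; esac; }
# monitors MODE: succeeds if MODE includes CV monitoring.
monitors() { case "$1" in POLICY_BINDINGS*) return 0 ;; *) return 1 ;; esac; }

# target_mode CURRENT ADD: prints the --binauthz-evaluation-mode value that adds
# ADD ("enforce" or "monitor") while keeping whatever CURRENT already enables.
target_mode() {
  local enforce=no monitor=no
  if enforces "$1"; then enforce=yes; fi
  if monitors "$1"; then monitor=yes; fi
  case "$2" in
    enforce) enforce=yes ;;
    monitor) monitor=yes ;;
    *) echo "unknown feature: $2" >&2; return 2 ;;
  esac
  case "$enforce/$monitor" in
    yes/yes) echo POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE ;;
    yes/no)  echo PROJECT_SINGLETON_POLICY_ENFORCE ;;
    *)       echo POLICY_BINDINGS ;;
  esac
}

# unenforced_clusters: reads "name,location,mode" lines on stdin and prints
# every cluster whose mode does not include enforcement.
unenforced_clusters() {
  local name location mode
  while IFS=, read -r name location mode; do
    [ -n "$name" ] || continue
    enforces "$mode" || echo "$name ($location): ${mode:-unset}"
  done
}

# Constructed sample listing (not real clusters).
SAMPLE='prod-a,us-central1,PROJECT_SINGLETON_POLICY_ENFORCE
stage-b,us-east1-b,POLICY_BINDINGS
dev-c,europe-west1,DISABLED
legacy-e,us-west1-a,
prod-d,us-central1,POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE'
```

Pipe the listing through `unenforced_clusters` (for example `printf '%s\n' "$SAMPLE" | unenforced_clusters`) and pass the result of `target_mode` to `--binauthz-evaluation-mode` when changing a cluster.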