Enable Binary Authorization when creating or updating a cluster. Make sure to
include the flag--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCEsince this
flag enables Binary Authorization:
By following these steps, you ensure that only trusted and verified images
are used to create Kubernetes containers in your GKE clusters. This helps
to maintain a secure environment for your applications.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# How to enable Binary Authorization\n\n| **Note:** Starting with GKE on AWS version 1.28, manual policy binding to authorize the service account for Binary Authorization is no longer necessary. The required permissions are now automatically granted to this service account. You can therefore disregard step 2 in the following instructions.\n\nTo enable Binary Authorization for GKE on AWS, perform the following steps:\n\n1. Enable the Binary Authorization API in your project:\n\n gcloud services enable binaryauthorization.googleapis.com \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with the ID of your\n Google Cloud project.\n2. Grant the `binaryauthorization.policyEvaluator` role to the Kubernetes\n service account associated with the Binary Authorization agent:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --member=serviceAccount:\u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e.svc.id.goog[gke-system/binauthz-agent] \\\n --role=\"roles/binaryauthorization.policyEvaluator\"\n\n3. Enable Binary Authorization when creating or updating a cluster. Make sure to\n include the flag\n `--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE` since this\n flag enables Binary Authorization:\n\n ### Creating a cluster\n\n gcloud container aws clusters create \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e \\\n --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE\n\n Replace \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e with the name of\n your cluster.\n\n ### Updating a cluster\n\n gcloud container aws clusters update \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e \\\n --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE\n\n Replace \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e with the name of\n your cluster.\n\nBy following these steps, you ensure that only trusted and verified images\nare used to create Kubernetes containers in your GKE clusters. This helps\nto maintain a secure environment for your applications."]]
