How to enable Binary Authorization

To enable Binary Authorization for GKE on AWS, perform the following steps:

  1. Enable the Binary Authorization API in your project:

    gcloud services enable binaryauthorization.googleapis.com \
      --project=PROJECT_ID
    

    Replace PROJECT_ID with the ID of your Google Cloud project.

  2. Grant the roles/binaryauthorization.policyEvaluator role to the Kubernetes service account that the Binary Authorization agent runs as (binauthz-agent in the gke-system namespace). The member below names that Kubernetes service account through the project's workload identity pool, PROJECT_ID.svc.id.goog; without this binding the agent cannot read the policy and cannot evaluate images:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=serviceAccount:PROJECT_ID.svc.id.goog[gke-system/binauthz-agent] \
      --role="roles/binaryauthorization.policyEvaluator"
    
  3. Enable Binary Authorization when creating or updating a cluster by passing --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE. This flag is what turns enforcement on; omitting it leaves the cluster with Binary Authorization disabled (the value DISABLED turns it off explicitly). The commands below show only this flag; add the other flags your create or update command requires, such as --location:

    Creating a cluster

    gcloud container aws clusters create CLUSTER_NAME \
      --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
    

    Replace CLUSTER_NAME with the name of your cluster.

    Updating a cluster

    gcloud container aws clusters update CLUSTER_NAME \
      --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
    

    Replace CLUSTER_NAME with the name of your cluster.
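
The three steps above collected into one script, with a post-check, as an added example that is not the page's own code. It assumes the cluster is managed from the Google Cloud region in LOCATION (passed as --location) and that `gcloud container aws clusters describe` reports the mode under binaryAuthorization.evaluationMode; the placeholder project, cluster and region values and the two policy documents in the test are constructed. It also goes one step beyond the page: it exports the project's Binary Authorization policy and warns when the default admission rule is still ALWAYS_ALLOW, because enforcement against a permissive policy admits every image.

```shell
#!/bin/sh
# Added example (not from the original page): enable Binary Authorization
# enforcement on an existing GKE on AWS cluster and verify the result.
# Assumptions: LOCATION is the Google Cloud region that manages the cluster
# (the --location flag of gcloud container aws clusters), and describe
# exposes the mode under binaryAuthorization.evaluationMode.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"      # placeholder, replace
CLUSTER_NAME="${CLUSTER_NAME:-my-cluster}"  # placeholder, replace
LOCATION="${LOCATION:-us-west1}"            # placeholder, replace

# Workload identity member for the binauthz-agent service account in gke-system.
binauthz_agent_member() {
  printf 'serviceAccount:%s.svc.id.goog[gke-system/binauthz-agent]' "$1"
}

# Succeeds only for the enforcing evaluation mode.
binauthz_enforced() {
  [ "$1" = "PROJECT_SINGLETON_POLICY_ENFORCE" ]
}

# Reads an exported Binary Authorization policy (YAML) on stdin and succeeds
# when the default admission rule is ALWAYS_ALLOW, i.e. enforcement blocks nothing.
policy_default_allows_all() {
  awk '
    /^defaultAdmissionRule:/ { in_rule = 1; next }
    /^[^ ]/                  { in_rule = 0 }
    in_rule && /evaluationMode:[ ]*ALWAYS_ALLOW/ { found = 1 }
    END { exit !found }
  '
}

# Steps 1-3 from the page, applied to an existing cluster.
enable_binauthz() {
  gcloud services enable binaryauthorization.googleapis.com --project="$PROJECT_ID"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$(binauthz_agent_member "$PROJECT_ID")" \
    --role=roles/binaryauthorization.policyEvaluator
  gcloud container aws clusters update "$CLUSTER_NAME" \
    --location="$LOCATION" \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
}

# Post-checks: the cluster must report enforcement, and the project policy
# should not still be the permissive default.
verify_binauthz() {
  mode=$(gcloud container aws clusters describe "$CLUSTER_NAME" \
    --location="$LOCATION" \
    --format='value(binaryAuthorization.evaluationMode)')
  if binauthz_enforced "$mode"; then
    echo "cluster $CLUSTER_NAME: enforcement on"
  else
    echo "cluster $CLUSTER_NAME: enforcement NOT on (mode='${mode}')" >&2
    return 1
  fi
  if gcloud container binauthz policy export --project="$PROJECT_ID" | policy_default_allows_all; then
    echo "WARNING: default admission rule is ALWAYS_ALLOW; every image is admitted until you tighten the policy" >&2
  fi
}

# Only call gcloud when explicitly asked:  sh binauthz-gke-aws.sh apply
if [ "${1:-}" = "apply" ]; then
  enable_binauthz
  verify_binauthz
fi
```

Run it with the `apply` argument after setting PROJECT_ID, CLUSTER_NAME and LOCATION. The policy check matters because step 3 alone only switches the admission controller on; what it admits is decided by the project policy, which starts out allowing all images.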

With these steps in place, the Binary Authorization agent in the cluster evaluates every container image against your project's Binary Authorization policy before a pod is admitted, so only images the policy allows can run in your GKE on AWS cluster. Note that a project's default policy allows all images: enforcement only starts rejecting deployments once you edit the policy, for example to require attestations from a trusted attestor or to restrict images to specific registries.