Create a cluster

This page explains how to create a cluster in Google Kubernetes Engine (GKE) with Binary Authorization enabled. You perform this step at the command line using gcloud commands or in the Google Cloud console. This step is part of setting up Binary Authorization for GKE.

Before you begin

If you haven't already, do the following:

Enable Binary Authorization.
Enable the GKE API.
Enable the API

Create a cluster with Binary Authorization enabled

To create a cluster with Binary Authorization enabled, do the following:

Console

In the Google Cloud console, go to the GKE page.

Go to GKE
Click Create Cluster. Enter values for the default fields as described in Creating a zonal cluster.
In the left navigation, click Security.
Select Enable Binary Authorization.
Click Create.

gcloud

Set your default Google Cloud project, by executing the following command:
```
gcloud config set project PROJECT_ID
```
Replace PROJECT_ID with the ID of the project where you want to create the cluster.
Create the cluster.

Enter the following command:
```
gcloud container clusters create \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE \
    --zone ZONE \
    CLUSTER_NAME
```
Replace the following:
- ZONE: the GKE zone—for example, us-central1-a.
- CLUSTER_NAME: the name of the cluster you want to create—for example, test-cluster.

It can take a few minutes for your cluster to be created.

Enable Binary Authorization on an existing cluster

To enable Binary Authorization on an existing cluster, do the following:

Console

In the Google Cloud console, go to the GKE page.

Go to GKE
Under Kubernetes clusters, find for your cluster.
Click the cluster name.
In Clusters, under Security, find Binary Authorization and click .
Select Enable Binary Authorization.
Click Save Changes.

gcloud

Set your default Google Cloud project, by executing the following command:
```
gcloud config set project PROJECT_ID
```
Replace PROJECT_ID with the ID of the project where you want to create the cluster.
Create the cluster.

Enter the following command:
```
gcloud container clusters update CLUSTER_NAME \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
```
Replace CLUSTER_NAME with the name of the cluster for which you want to enable Binary Authorization.

Verify that Binary Authorization is enabled

To verify that Binary Authorization is enabled for the cluster, do the following:

Console

Open the GKE page in the Google Cloud console.

Go to GKE
Under Kubernetes clusters, find your cluster.
Under Security, verify that Binary Authorization is set to Enabled.

gcloud

To list running clusters in your project, execute the following command:

gcloud container clusters list

Optionally, you can restrict the listing to a specific compute zone by adding --zone ZONE to the command.

Replace ZONE with a zone—for example, us-central1-a.

What's next

Configure a policy using the Google Cloud console, command-line tool, or REST API.