Before you begin
Before you use this guide do the following:
- Create a standard GKE cluster. To learn more about creating standard clusters, see Create a zonal cluster or Create a regional cluster.
- Enable the Binary Authorization API.
Enable enforcement
To enable enforcement, perform the following steps:
Console
In the Google Cloud console, go to the GKE page:
In the Kubernetes clusters list, click the name of your cluster.
Under Security, in the row for Binary authorization, click the edit icon (edit).
In the Edit Binary Authorization dialog, select the Enable Binary Authorization checkbox and click Save changes.
gcloud
For a zonal cluster, enter the following command:
gcloud container clusters update NAME \
--zone ZONE \
--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
Replace the following:
NAME: the name of the GKE cluster on which you want to enable Binary Authorization.
ZONE: the zone where the cluster resides.
Clusters can have both Binary Authorization enforcement and CV monitoring enabled. To change CV monitoring and enforcement settings, set --binauthz-evaluation-mode to one of the following values:
- POLICY_BINDINGS: enables only CV monitoring and disables an existing enforcement policy if there is one.
- PROJECT_SINGLETON_POLICY_ENFORCE: enables only enforcement and disables CV monitoring if it was previously enabled.
- POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE: enables both enforcement and CV monitoring.
For more information on CV policy and cluster management, see Manage CV platform policies.
Alternatively, for a regional cluster, enter the following command:
gcloud container clusters update NAME \
--region REGION \
--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
Replace the following:
NAME: the name of the GKE cluster on which you want to enable Binary Authorization.
REGION: the region where the cluster resides.
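The zonal and regional commands above differ only in the location flag, and the evaluation mode must be one of the three documented values. As an added example that is not part of the Google Cloud documentation, the following POSIX shell helper composes the update command for either cluster type, rejects any other mode value before anything is sent to gcloud, and reads the setting back after an update. The read-back step assumes that the binaryAuthorization.evaluationMode field of the gcloud container clusters describe output holds the mode; the cluster name and locations are constructed placeholders, and gcloud is only invoked when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the Google Cloud docs: build, validate and verify
# the gcloud command that sets a GKE cluster's Binary Authorization
# evaluation mode. Assumes gcloud is installed and authenticated.

# The three documented values for --binauthz-evaluation-mode.
VALID_MODES="POLICY_BINDINGS PROJECT_SINGLETON_POLICY_ENFORCE POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE"

# is_valid_mode MODE: succeed only if MODE is one of the documented values.
is_valid_mode() {
  for m in $VALID_MODES; do
    [ "$1" = "$m" ] && return 0
  done
  return 1
}

# build_update_cmd NAME LOCATION_TYPE LOCATION MODE
# LOCATION_TYPE is "zone" or "region". Prints the gcloud command on stdout
# without running it; fails on an unknown location type or mode so that a
# typo cannot silently leave enforcement off.
build_update_cmd() {
  name=$1; loc_type=$2; loc=$3; mode=$4
  case "$loc_type" in
    zone|region) ;;
    *) echo "location type must be zone or region, got: $loc_type" >&2; return 1 ;;
  esac
  if ! is_valid_mode "$mode"; then
    echo "unknown evaluation mode: $mode" >&2
    return 1
  fi
  printf 'gcloud container clusters update %s --%s %s --binauthz-evaluation-mode=%s\n' \
    "$name" "$loc_type" "$loc" "$mode"
}

# verify_mode NAME LOCATION_TYPE LOCATION EXPECTED_MODE
# Reads the cluster back and compares the configured mode with what was
# requested. Assumption: the describe output exposes the field as
# binaryAuthorization.evaluationMode.
verify_mode() {
  actual=$(gcloud container clusters describe "$1" "--$2" "$3" \
    --format='value(binaryAuthorization.evaluationMode)')
  [ "$actual" = "$4" ]
}

# enable_enforcement NAME LOCATION_TYPE LOCATION MODE
# Prints the planned command; with APPLY=1 it also runs it and verifies.
enable_enforcement() {
  cmd=$(build_update_cmd "$@") || return 1
  echo "planned: $cmd"
  if [ "${APPLY:-0}" = "1" ]; then
    eval "$cmd"
    verify_mode "$1" "$2" "$3" "$4" && echo "verified: $4"
  fi
}

# Usage with constructed values (prints only unless APPLY=1 is exported).
enable_enforcement demo-cluster zone us-central1-a PROJECT_SINGLETON_POLICY_ENFORCE
```

Run it as is to see the command that would be issued, then rerun with APPLY=1 to apply the change and confirm that the cluster reports the requested mode; a mismatch in the verify step is the signal to check whether the update was applied to the intended cluster and location.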