Enable enforcement on an existing cluster

This guide shows you how to enable Binary Authorization enforcement on an existing Google Kubernetes Engine (GKE) cluster.

Before you begin

Before you use this guide do the following:

  1. Create a standard GKE cluster. To learn more about creating standard clusters, see Create a zonal cluster or Create a regional cluster.
  2. Enable the Binary Authorization API.

Enable enforcement

To enable enforcement, perform the following steps:

Console

  1. In the Google Cloud console, go to the GKE page:

    Go to GKE.

  2. In the Kubernetes clusters list, click the name of your cluster.

  3. Under Security, in the row for Binary authorization, click the edit icon ().

  4. In the Edit Binary Authorization dialog, select the Enable Binary Authorization checkbox and click Save changes.

gcloud

For a zonal cluster, enter the following command:

gcloud container clusters update NAME \
    --zone ZONE \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE

Replace the following:

  • NAME: the name of the GKE cluster on which you want to enable Binary Authorization.
  • ZONE: the zone where the cluster resides.

Clusters can have both Binary Authorization enforcement and CV monitoring enabled. To change CV monitoring and enforcement settings, set --binauthz-evaluation-mode to one of the following values:

  • POLICY_BINDINGS: enables only CV monitoring and disables an existing enforcement policy if there is one
  • PROJECT_SINGLETON_POLICY_ENFORCE: enables only enforcement and disables CV monitoring if it was previously enabled
  • POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE: enables both enforcement and CV monitoring

For more information on CV policy and cluster management, see Manage CV platform policies.

Alternatively, for a regional cluster, enter the following command:

gcloud container clusters update NAME \
    --region REGION \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE

Replace the following:

  • NAME: the name of the GKE cluster on which you want to enable Binary Authorization.
  • REGION: the region where the cluster resides.

Clusters can have both Binary Authorization enforcement and CV monitoring enabled. To change CV monitoring and enforcement settings, set --binauthz-evaluation-mode to one of the following values:

  • POLICY_BINDINGS: enables only CV monitoring and disables an existing enforcement policy if there is one
  • PROJECT_SINGLETON_POLICY_ENFORCE: enables only enforcement and disables CV monitoring if it was previously enabled
  • POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE: enables both enforcement and CV monitoring

For more information on CV policy and cluster management, see Manage CV platform policies.

What's next