Enable continuous validation at fleet level

If you've enabled Google Kubernetes Engine (GKE) Enterprise edition, you can enable continuous validation (CV) as a fleet-default configuration. This means that every new GKE on Google Cloud cluster that is registered to the fleet during cluster creation has CV enabled. You can find out more about fleet default configuration in Manage fleet-level features.

Before you begin

  1. Enable Binary Authorization.
  2. Enable GKE Enterprise.
  3. Update the Google Cloud CLI to version 457.0.0 or later.
  4. Create your platform policies.

Enable on a new fleet

To enable CV on a new fleet, run the following command:

gcloud container fleet create \
    --binauthz-evaluation-mode=POLICY_BINDINGS \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID

Replace the following:

  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID

You can also create a new fleet with multiple platform policies:

gcloud container fleet create \
    --binauthz-evaluation-mode=POLICY_BINDINGS \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID_1 \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID_2

Enable on an existing fleet

If you have an existing fleet, you can enable CV as its fleet default. However, enabling CV for an existing fleet doesn't affect workloads in existing fleet member clusters; only clusters registered after the change pick up the setting. If you want existing workloads to have CV enabled, you need to enable the feature on each of those clusters individually.

To enable CV on an existing fleet, run the following command:

gcloud container fleet update \
    --binauthz-evaluation-mode=POLICY_BINDINGS \
    --binauthz-policy-bindings=name=projects/POLICY_PROJECT_ID/platforms/gke/policies/POLICY_ID

Replace the following:

  • POLICY_PROJECT_ID: the ID of the project where the policy is stored
  • POLICY_ID: the policy ID

Disable

Disabling CV only affects workloads in new fleet member clusters. If you want existing workloads to have CV disabled, you need to disable the feature on individual clusters.

To disable CV on any new member clusters, run the following command:

gcloud container fleet update \
    --binauthz-evaluation-mode=DISABLED
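The following script is an added example and is not part of the Google Cloud documentation. It generates the fleet-level commands shown above for one or more platform policies (building one --binauthz-policy-bindings flag per policy ID), and, because the fleet default does not reach clusters that were already members, also generates the per-cluster command for those clusters. The per-cluster form assumes that gcloud container clusters update accepts the same two flags, which this page does not show; confirm it against the cluster-level CV documentation. Commands are printed rather than executed, so the script runs offline; the project, policy and cluster names in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Google Cloud docs. Prints gcloud command lines
# for fleet-level CV and for clusters that predate the fleet default.
# Nothing is executed: review the output, then pipe it to `sh` if it is right.
set -eu

# policy_binding_flags PROJECT_ID POLICY_ID... -> one --binauthz-policy-bindings flag per ID
policy_binding_flags() {
  project="$1"; shift
  [ "$#" -ge 1 ] || { echo "need at least one POLICY_ID" >&2; return 1; }
  for id in "$@"; do
    # A slash or whitespace would corrupt the resource name (assumed ID rule).
    case "$id" in
      ""|*/*|*[[:space:]]*) echo "invalid policy ID: '$id'" >&2; return 1 ;;
    esac
    printf ' --binauthz-policy-bindings=name=projects/%s/platforms/gke/policies/%s' "$project" "$id"
  done
}

# fleet_cv_command create|update PROJECT_ID POLICY_ID... -> fleet-default command
fleet_cv_command() {
  verb="$1"; shift
  case "$verb" in create|update) ;; *) echo "verb must be create or update" >&2; return 1 ;; esac
  flags=$(policy_binding_flags "$@") || return 1
  printf 'gcloud container fleet %s --binauthz-evaluation-mode=POLICY_BINDINGS%s\n' "$verb" "$flags"
}

# cluster_cv_command CLUSTER LOCATION PROJECT_ID POLICY_ID... -> per-cluster command
# Needed for existing members: the fleet default only covers newly registered clusters.
# Assumption: the cluster update command takes the same two flags (not shown on this page).
cluster_cv_command() {
  cluster="$1"; location="$2"; shift 2
  flags=$(policy_binding_flags "$@") || return 1
  printf 'gcloud container clusters update %s --location=%s --binauthz-evaluation-mode=POLICY_BINDINGS%s\n' \
    "$cluster" "$location" "$flags"
}

# fleet_disable_command -> stops CV for new members only; existing clusters keep their setting
fleet_disable_command() {
  printf 'gcloud container fleet update --binauthz-evaluation-mode=DISABLED\n'
}

# Constructed sample: project sec-policies, two policies, one pre-existing cluster.
fleet_cv_command update sec-policies prod-attest prod-cve
cluster_cv_command legacy-1 us-central1 sec-policies prod-attest prod-cve
```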