Set up for GKE

This page provides an overview of how to set up Binary Authorization enforcement in your environment for use with Google Kubernetes Engine (GKE). You can set up Binary Authorization by using the Google Cloud console or the Google Cloud CLI. You can also perform some setup steps by using the Binary Authorization REST API.

For an end-to-end tutorial that includes the following setup steps, see Get started using the Google Cloud CLI or Get started using the Google Cloud console.

To set up Binary Authorization, perform the following steps:

1. Enable Binary Authorization.

   Enabling the Binary Authorization API also lets you view issues with running container images in the GKE Security Posture page in the Google Cloud console without enabling features on individual clusters. For more details, see About the security posture dashboard in the GKE documentation.

2. Create a cluster with Binary Authorization enabled or enable Binary Authorization on an existing cluster.

3. Configure your Binary Authorization policy.

   You can configure the following features in your policy:

   • Default rule.
   • Cluster-specific rules.
   • Specific rules for your Kubernetes service identity or namespace.
   • Exempt images. Learn more about exempt images.

4. Optional: If you have different Google Cloud projects that own your policy or your Container Registry repositories, grant the IAM roles required for cross-project access. For instructions, see Configure cross-project access for Binary Authorization in GKE.

5. Optional: Use the built-by-cloud-build attestor to deploy only images built by Cloud Build (Preview).

6. Optional: Use attestations.

7. Deploy container images.

8. View events in Cloud Audit Logs.