Stay organized with collections
Save and categorize content based on your preferences.
Binary Authorization for Google Distributed Cloud is a Google Cloud feature
that extends the hosted, deploy-time enforcement of
Binary Authorization to your on-premises
user clusters. The primary use case for Binary Authorization on
Google Distributed Cloud is to secure workloads on your user clusters. Follow the
steps in this guide to apply the enforcement rules of a Binary Authorization
policy configured in your Google Cloud project to your user clusters. For more
information about Binary Authorization policies and rules, see
Binary Authorizationoverview.
Prerequisites
Before you can enable Binary Authorization policy enforcement for a user
cluster, ensure you've met the following prerequisite criteria:
Register the cluster with a fleet: For a cluster created with gkectl,
the cluster is registered to the Google Cloud project that you specify
in the gkeConnect.projectID field in the cluster configuration file. This
project is referred to as the fleet host
project.
To learn more about fleets, including use cases, best practices, and
examples, see the Fleet management
documentation.
Add the Binary Authorization Policy Evaluator role to your fleet host
project: To grant the Binary Authorization Policy Evaluator
(roles/binaryauthorization.policyEvaluator) role to the Kubernetes service
account on your fleet host project, run the following command:
If your cluster is running behind a proxy server, make sure the proxy server
allows connections to the Binary Authorization API
(binaryauthorization.googleapis.com). This API provides policy-based
deployment validation and control for images deployed to your cluster. For
more information about, see
Proxy and firewall rules proxy.
Once you satisfy the prerequisites, you can enable (or disable) the
Binary Authorization policy when you create a new cluster or update an existing
cluster.
Enable the Binary Authorization policy during cluster creation
You can enable the Binary Authorization policy enforcement with either gkectl
or gcloud CLI.
gkectl
To enable Binary Authorization when you create a cluster with gkectl:
Before you create your cluster, add
binaryAuthorization.evaluationMode to the user cluster
configuration file as shown in the following example:
project_singleton_policy_enforce: enforce the rules specified in the
Binary Authorization policy, also known as a project-singleton
policy, on your Google Cloud project to govern the deployment of
container images on your cluster.
disabled: disable the use of Binary Authorization for your cluster.
This is the default value. If you omit binaryAuthorization, the
feature is disabled.
Make any other changes needed in the cluster configuration file and then
run the gkectl create cluster command.
ADMIN_CLUSTER_KUBECONFIG: the path of the
admin cluster kubeconfig file
USER_CLUSTER_CONFIG_FILE: the path of your
user cluster configuration file.
Wait for the Deployment named binauthz-module-deployment in the
binauthz-system namespace to become ready.
When the deployment is ready, Binary Authorization enforces the rules
specified in the Binary Authorization policy, also known as a
project-singleton policy. This policy is associated with your
Google Cloud project and specifies rules to govern the deployment of
container images. For more information about using gkectl to update a
cluster, see Update clusters.
For more information about Binary Authorization policies and rules,
see Binary Authorization overview.
To disable:
Edit the cluster configuration file and either remove the
binaryAuthorization section or by set evaluationMode to
disabled.
After you make this change, wait a few minutes until the Deployment named
binauthz-module-deployment in the binauthz-system namespace is
removed.
Troubleshooting
If you don't complete all of the prerequisites, you may see a message like the
following indicates there is a problem with the Binary Authorization configuration:
failedtovalidateBinaryAuthorizationpolicy
(1)EnsuretheBinaryAuthorizationAPIisenabledforyour Google Cloud project:
gcloudservicesenablebinaryauthorization.googleapis.com--project=PROJECT_ID(2)EnsureanIAMpolicybindingisinplacegrantingbinaryauthorization.policyEvaluatorroletothebinauthz-system/binauthz-agentKubernetesserviceaccount:
gcloudprojectsadd-iam-policy-bindingPROJECT_ID\--member="serviceAccount:PROJECT_ID.svc.id.goog[binauthz-system/binauthz-agent]"\--role=roles/binaryauthorization.policyEvaluator
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["Binary Authorization for Google Distributed Cloud is a Google Cloud feature\nthat extends the hosted, deploy-time enforcement of\n[Binary Authorization](/binary-authorization/docs/overview) to your on-premises\nuser clusters. The primary use case for Binary Authorization on\nGoogle Distributed Cloud is to secure workloads on your user clusters. Follow the\nsteps in this guide to apply the enforcement rules of a Binary Authorization\npolicy configured in your Google Cloud project to your user clusters. For more\ninformation about Binary Authorization policies and rules, see\n[Binary Authorizationoverview](/binary-authorization/docs/key-concepts).\n| **Note:** If you enabled the ([Preview](/products#product-launch-stages)) Binary Authorization for Google Distributed Cloud, [disable it and clean up the\n| resources](/binary-authorization/docs/setting-up-on-prem#clean_up) before you enable the GA feature. Use the instructions in this document to enable the GA feature on version 1.28 or higher clusters.\n\nPrerequisites\n\nBefore you can enable Binary Authorization policy enforcement for a user\ncluster, ensure you've met the following prerequisite criteria:\n\n- **Register the cluster with a fleet:** For a cluster created with `gkectl`,\n the cluster is registered to the Google Cloud project that you specify\n in the `gkeConnect.projectID` field in the cluster configuration file. This\n project is referred to as the [fleet host\n project](/anthos/fleet-management/docs/fleet-concepts#fleet-host-project).\n To learn more about fleets, including use cases, best practices, and\n examples, see the [Fleet management](/anthos/fleet-management/docs)\n documentation.\n\n- **Enable the Binary Authorization API in your Google Cloud project:** [enable\n the Binary Authorization service](/binary-authorization/docs/enabling) in\n your fleet host project.\n\n- **Add the Binary Authorization Policy Evaluator role to your fleet host\n project:** To grant the Binary Authorization Policy Evaluator\n (`roles/binaryauthorization.policyEvaluator`) role to the Kubernetes service\n account on your fleet host project, run the following command:\n\n gcloud projects add-iam-policy-binding \u003cvar label=\"ID for the fleet host project\" translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --member=\"serviceAccount:\u003cvar scope=\"PROJECT_ID\" translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e.svc.id.goog[binauthz-system/binauthz-agent]\" \\\n --role=\"roles/binaryauthorization.policyEvaluator\"\n\n If your cluster is running behind a proxy server, make sure the proxy server\n allows connections to the Binary Authorization API\n (`binaryauthorization.googleapis.com`). This API provides policy-based\n deployment validation and control for images deployed to your cluster. For\n more information about, see\n [Proxy and firewall rules proxy](/kubernetes-engine/distributed-cloud/vmware/docs/how-to/firewall-rules).\n\nOnce you satisfy the prerequisites, you can enable (or disable) the\nBinary Authorization policy when you create a new cluster or update an existing\ncluster.\n\nEnable the Binary Authorization policy during cluster creation\n\nYou can enable the Binary Authorization policy enforcement with either `gkectl`\nor gcloud CLI. \n\n`gkectl`\n\nTo enable Binary Authorization when you create a cluster with `gkectl`:\n\n1. Before you create your cluster, add\n `binaryAuthorization.evaluationMode` to the user cluster\n configuration file as shown in the following example:\n\n ...\n binaryAuthorization:\n evaluationMode: \"project_singleton_policy_enforce\"\n ...\n\n Allowed values for `evaluationMode` are:\n - `project_singleton_policy_enforce`: enforce the rules specified in the\n Binary Authorization *policy* , also known as a *project-singleton\n policy*, on your Google Cloud project to govern the deployment of\n container images on your cluster.\n\n - `disabled`: disable the use of Binary Authorization for your cluster.\n This is the default value. If you omit `binaryAuthorization`, the\n feature is disabled.\n\n2. Make any other changes needed in the cluster configuration file and then\n run the `gkectl create cluster` command.\n\nFor more information about creating clusters, see\n[Google Distributed Cloud installation overview](/kubernetes-engine/distributed-cloud/vmware/docs/how-to/install-overview).\n\nEnable or disable the Binary Authorization policy for an existing cluster\n\nIf you have an existing version 1.28 or higher cluster, you can enable or\ndisable Binary Authorization at any time, using `gkectl` or\ngcloud CLI. \n\n`gkectl`\n\n- To enable:\n\n 1. Edit the cluster configuration file to add the `binaryAuthorization`\n fields:\n\n ...\n binaryAuthorization:\n evaluationMode: \"project_singleton_policy_enforce\"\n\n 2. Update the cluster:\n\n ```\n gkectl update cluster \\\n --kubeconfig ADMIN_CLUSTER_KUBECONFIG \\\n --config USER_CLUSTER_CONFIG_FILE \\\n --force\n ```\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eADMIN_CLUSTER_KUBECONFIG\u003c/var\u003e: the path of the admin cluster kubeconfig file\n - \u003cvar translate=\"no\"\u003eUSER_CLUSTER_CONFIG_FILE\u003c/var\u003e: the path of your user cluster configuration file.\n 3. Wait for the Deployment named `binauthz-module-deployment` in the\n `binauthz-system` namespace to become ready.\n\n When the deployment is ready, Binary Authorization enforces the rules\n specified in the Binary Authorization *policy* , also known as a\n *project-singleton policy* . This policy is associated with your\n Google Cloud project and specifies rules to govern the deployment of\n container images. For more information about using `gkectl` to update a\n cluster, see [Update clusters](/kubernetes-engine/distributed-cloud/vmware/docs/how-to/upgrading).\n For more information about Binary Authorization policies and rules,\n see [Binary Authorization overview](/binary-authorization/docs/key-concepts).\n- To disable:\n\n 1. Edit the cluster configuration file and either remove the\n `binaryAuthorization` section or by set `evaluationMode` to\n `disabled`.\n\n ...\n binaryAuthorization:\n evaluationMode: \"disabled\"\n\n 2. Update the cluster:\n\n ```\n gkectl update cluster \\\n --kubeconfig ADMIN_CLUSTER_KUBECONFIG \\\n --config USER_CLUSTER_CONFIG_FILE \\\n --force\n ```\n\n After you make this change, wait a few minutes until the Deployment named\n `binauthz-module-deployment` in the `binauthz-system` namespace is\n removed.\n\nTroubleshooting\n\nIf you don't complete all of the prerequisites, you may see a message like the\nfollowing indicates there is a problem with the Binary Authorization configuration: \n\n```bash\nfailed to validate Binary Authorization policy\n\n(1) Ensure the Binary Authorization API is enabled for your Google Cloud project:\n gcloud services enable binaryauthorization.googleapis.com --project=PROJECT_ID\n(2) Ensure an IAM policy binding is in place granting binaryauthorization.policyEvaluator role to the binauthz-system/binauthz-agent Kubernetes service account:\n gcloud projects add-iam-policy-binding PROJECT_ID \\\n --member=\"serviceAccount:\u003cvar class=\"readonly\" translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e.svc.id.goog[binauthz-system/binauthz-agent]\" \\\n --role=roles/binaryauthorization.policyEvaluator\n```"]]
