To enable Binary Authorization for GKE attached clusters, perform the following steps:

1. Enable the Binary Authorization API in your project:

   gcloud services enable binaryauthorization.googleapis.com \
       --project=PROJECT_ID

   Replace PROJECT_ID with the ID of your Google Cloud project.

2. Grant the binaryauthorization.policyEvaluator role to the Kubernetes service account associated with the Binary Authorization agent:

   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member=serviceAccount:PROJECT_ID.svc.id.goog[gke-system/binauthz-agent] \
       --role="roles/binaryauthorization.policyEvaluator"

3. Enable Binary Authorization when registering or updating a cluster.
Register a cluster

To enable Binary Authorization when registering a cluster, use the gcloud container attached clusters register command. Follow the instructions in attach your EKS cluster, and include the optional argument --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE:

   gcloud container attached clusters register CLUSTER_NAME \
       ... \
       --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE

Replace CLUSTER_NAME with the name of your cluster.

Update a cluster

To enable Binary Authorization when updating a cluster, use the gcloud container attached clusters update command. Follow the instructions in update your EKS cluster, and include the optional argument --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE:

   gcloud container attached clusters update CLUSTER_NAME \
       ... \
       --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE

Replace CLUSTER_NAME with the name of your cluster.
By following these steps, you ensure that only trusted and verified images are used to create Kubernetes containers in your GKE clusters. This helps to maintain a secure environment for your applications.
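As an added example (not part of the Google Cloud documentation), the following shell script wraps the three steps above in functions and then reads the cluster back to confirm that enforcement is actually set rather than trusting that the update succeeded. It assumes gcloud is installed and authenticated, that the cluster's region is passed as --location (a flag the abbreviated register/update commands above elide), and that the describe output carries a binaryAuthorization.evaluationMode field.

```shell
#!/usr/bin/env bash
# Added example, not from the Google Cloud docs. Assumes gcloud is installed and
# authenticated, and that attached-cluster commands take --location (assumption).
set -euo pipefail

# Workload Identity member for the Binary Authorization agent's Kubernetes
# service account (member format taken from the page).
binauthz_agent_member() {
  printf 'serviceAccount:%s.svc.id.goog[gke-system/binauthz-agent]\n' "$1"
}

# Return 0 when describe output (YAML on stdin) shows enforcement is enabled.
# Assumes the YAML contains "binaryAuthorization:\n  evaluationMode: <MODE>".
enforcement_enabled() {
  local mode
  mode=$(sed -n 's/^[[:space:]]*evaluationMode:[[:space:]]*\(.*\)$/\1/p')
  [ "$mode" = "PROJECT_SINGLETON_POLICY_ENFORCE" ]
}

# Steps 1-3 from the page: enable the API, bind the role, update the cluster.
enable_binauthz() {   # usage: enable_binauthz PROJECT_ID CLUSTER_NAME LOCATION
  local project=$1 cluster=$2 location=$3 member
  member=$(binauthz_agent_member "$project")

  gcloud services enable binaryauthorization.googleapis.com --project="$project"

  # add-iam-policy-binding is idempotent: re-running keeps a single binding.
  gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role="roles/binaryauthorization.policyEvaluator"

  gcloud container attached clusters update "$cluster" \
    --project="$project" --location="$location" \
    --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
}

# Read the cluster back and fail loudly if enforcement is not actually set.
verify_binauthz() {   # usage: verify_binauthz PROJECT_ID CLUSTER_NAME LOCATION
  gcloud container attached clusters describe "$2" \
      --project="$1" --location="$3" --format=yaml | enforcement_enabled ||
    { echo "Binary Authorization is not enforced on cluster $2" >&2; return 1; }
}

# Example invocation (placeholder values):
#   enable_binauthz my-project my-cluster us-west1 && \
#   verify_binauthz my-project my-cluster us-west1
```

Enforcement only has an effect once a policy exists, so run the verification again after importing one.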
Configure policies
Enabling Binary Authorization alone doesn't automatically protect your cluster. By default, it allows all container images to be deployed if no policy is configured. This means that to effectively secure your cluster, you need to define and enforce a policy that specifies which images are allowed. To learn how to configure a Binary Authorization policy, see Configure a policy using the Google Cloud CLI.