diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl
index 859919063..5a9f63f6b 100644
--- a/autogen/main/cluster.tf.tmpl
+++ b/autogen/main/cluster.tf.tmpl
@@ -151,7 +151,14 @@ resource "google_container_cluster" "primary" {
   {% if autopilot_cluster != true %}
   default_max_pods_per_node = var.default_max_pods_per_node
   enable_shielded_nodes       = var.enable_shielded_nodes
-  enable_binary_authorization = var.enable_binary_authorization
+
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   {% if beta_cluster %}
   enable_intranode_visibility = var.enable_intranode_visibility
   enable_kubernetes_alpha     = var.enable_kubernetes_alpha
diff --git a/cluster.tf b/cluster.tf
index ab31caac8..cebee0167 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling
   }
-  default_max_pods_per_node   = var.default_max_pods_per_node
-  enable_shielded_nodes       = var.enable_shielded_nodes
-  enable_binary_authorization = var.enable_binary_authorization
+  default_max_pods_per_node = var.default_max_pods_per_node
+  enable_shielded_nodes     = var.enable_shielded_nodes
+
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {
diff --git a/modules/beta-private-cluster-update-variant/cluster.tf b/modules/beta-private-cluster-update-variant/cluster.tf
index bdec3940c..802ef2f22 100644
--- a/modules/beta-private-cluster-update-variant/cluster.tf
+++ b/modules/beta-private-cluster-update-variant/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling
   }
-  default_max_pods_per_node   = var.default_max_pods_per_node
-  enable_shielded_nodes       = var.enable_shielded_nodes
-  enable_binary_authorization = var.enable_binary_authorization
+  default_max_pods_per_node = var.default_max_pods_per_node
+  enable_shielded_nodes     = var.enable_shielded_nodes
+
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   enable_intranode_visibility = var.enable_intranode_visibility
   enable_kubernetes_alpha     = var.enable_kubernetes_alpha
   enable_tpu                  = var.enable_tpu
diff --git a/modules/beta-private-cluster/cluster.tf b/modules/beta-private-cluster/cluster.tf
index c269b128e..8d64e2d42 100644
--- a/modules/beta-private-cluster/cluster.tf
+++ b/modules/beta-private-cluster/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling
   }
-  default_max_pods_per_node   = var.default_max_pods_per_node
-  enable_shielded_nodes       = var.enable_shielded_nodes
-  enable_binary_authorization = var.enable_binary_authorization
+  default_max_pods_per_node = var.default_max_pods_per_node
+  enable_shielded_nodes     = var.enable_shielded_nodes
+
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   enable_intranode_visibility = var.enable_intranode_visibility
   enable_kubernetes_alpha     = var.enable_kubernetes_alpha
   enable_tpu                  = var.enable_tpu
diff --git a/modules/beta-public-cluster-update-variant/cluster.tf b/modules/beta-public-cluster-update-variant/cluster.tf
index 71415c2b1..731002cd3 100644
--- a/modules/beta-public-cluster-update-variant/cluster.tf
+++ b/modules/beta-public-cluster-update-variant/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling
   }
-  default_max_pods_per_node   = var.default_max_pods_per_node
-  enable_shielded_nodes       = var.enable_shielded_nodes
-  enable_binary_authorization = var.enable_binary_authorization
+  default_max_pods_per_node = var.default_max_pods_per_node
+  enable_shielded_nodes     = var.enable_shielded_nodes
+
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   enable_intranode_visibility = var.enable_intranode_visibility
   enable_kubernetes_alpha     = var.enable_kubernetes_alpha
   enable_tpu                  = var.enable_tpu
diff --git a/modules/beta-public-cluster/cluster.tf b/modules/beta-public-cluster/cluster.tf
index da0c8522c..9d22602e5 100644
--- a/modules/beta-public-cluster/cluster.tf
+++ b/modules/beta-public-cluster/cluster.tf
@@ -116,9 +116,16 @@ resource "google_container_cluster" "primary" {
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling
   }
-  default_max_pods_per_node   = var.default_max_pods_per_node
-  enable_shielded_nodes       = var.enable_shielded_nodes
-  enable_binary_authorization = var.enable_binary_authorization
+  default_max_pods_per_node = var.default_max_pods_per_node
+  enable_shielded_nodes     = var.enable_shielded_nodes
+
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   enable_intranode_visibility = var.enable_intranode_visibility
   enable_kubernetes_alpha     = var.enable_kubernetes_alpha
   enable_tpu                  = var.enable_tpu
diff --git a/modules/private-cluster-update-variant/cluster.tf b/modules/private-cluster-update-variant/cluster.tf
index d43c96d71..b0cfb538b 100644
--- a/modules/private-cluster-update-variant/cluster.tf
+++ b/modules/private-cluster-update-variant/cluster.tf
@@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling
   }
-  default_max_pods_per_node   = var.default_max_pods_per_node
-  enable_shielded_nodes       = var.enable_shielded_nodes
-  enable_binary_authorization = var.enable_binary_authorization
+  default_max_pods_per_node = var.default_max_pods_per_node
+  enable_shielded_nodes     = var.enable_shielded_nodes
+
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {
diff --git a/modules/private-cluster/cluster.tf b/modules/private-cluster/cluster.tf
index 0effdf9fa..460b85d7b 100644
--- a/modules/private-cluster/cluster.tf
+++ b/modules/private-cluster/cluster.tf
@@ -76,9 +76,16 @@ resource "google_container_cluster" "primary" {
   vertical_pod_autoscaling {
     enabled = var.enable_vertical_pod_autoscaling
   }
-  default_max_pods_per_node   = var.default_max_pods_per_node
-  enable_shielded_nodes       = var.enable_shielded_nodes
-  enable_binary_authorization = var.enable_binary_authorization
+  default_max_pods_per_node = var.default_max_pods_per_node
+  enable_shielded_nodes     = var.enable_shielded_nodes
+
+  dynamic "binary_authorization" {
+    for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : []
+    content {
+      evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"
+    }
+  }
+
   dynamic "master_authorized_networks_config" {
     for_each = local.master_authorized_networks_config
     content {
diff --git a/test/integration/beta_cluster/controls/gcloud.rb b/test/integration/beta_cluster/controls/gcloud.rb
index 0fcb76f4e..99f477e09 100644
--- a/test/integration/beta_cluster/controls/gcloud.rb
+++ b/test/integration/beta_cluster/controls/gcloud.rb
@@ -81,7 +81,7 @@
 
       it "has the expected binaryAuthorization config" do
         expect(data['binaryAuthorization']).to eq({
-          "enabled" => true,
+          "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE",
         })
       end
 
diff --git a/test/integration/safer_cluster/controls/gcloud.rb b/test/integration/safer_cluster/controls/gcloud.rb
index 14323652c..9faae675c 100644
--- a/test/integration/safer_cluster/controls/gcloud.rb
+++ b/test/integration/safer_cluster/controls/gcloud.rb
@@ -76,7 +76,7 @@
 
     it "has binary authorization" do
       expect(data['binaryAuthorization']).to eq({
-        "enabled" => true,
+        "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE",
       })
     end
 
diff --git a/test/integration/simple_regional/controls/gcloud.rb b/test/integration/simple_regional/controls/gcloud.rb
index eac8fd0ee..81fa2e720 100644
--- a/test/integration/simple_regional/controls/gcloud.rb
+++ b/test/integration/simple_regional/controls/gcloud.rb
@@ -70,7 +70,7 @@
 
       it "has the expected binaryAuthorization config" do
         expect(data['binaryAuthorization']).to eq({
-          "enabled" => true,
+          "evaluationMode" => "PROJECT_SINGLETON_POLICY_ENFORCE",
         })
       end
     end