diff --git a/autogen/main/cluster.tf.tmpl b/autogen/main/cluster.tf.tmpl index 747d2ab574..ab87a61aae 100644 --- a/autogen/main/cluster.tf.tmpl +++ b/autogen/main/cluster.tf.tmpl @@ -208,6 +208,7 @@ resource "google_container_cluster" "primary" { {% if autopilot_cluster != true %} default_max_pods_per_node = var.default_max_pods_per_node enable_shielded_nodes = var.enable_shielded_nodes + {% endif %} dynamic "binary_authorization" { for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : [] @@ -215,6 +216,7 @@ resource "google_container_cluster" "primary" { evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" } } + {% if autopilot_cluster != true %} dynamic "identity_service_config" { for_each = var.enable_identity_service ? [var.enable_identity_service] : [] @@ -248,7 +250,7 @@ resource "google_container_cluster" "primary" { enabled = secret_manager_config.value } } - + enable_fqdn_network_policy = var.enable_fqdn_network_policy {% endif %} {% if autopilot_cluster %} @@ -1039,7 +1041,7 @@ resource "google_container_node_pool" "windows_pools" { for_each = length(merge( local.node_pools_linux_node_configs_sysctls["all"], local.node_pools_linux_node_configs_sysctls[each.value["name"]], - local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]} + local.node_pools_cgroup_mode[each.value["name"]] == "" ? {} : {cgroup = local.node_pools_cgroup_mode[each.value["name"]]} )) != 0 ? [1] : [] content { diff --git a/autogen/main/variables.tf.tmpl b/autogen/main/variables.tf.tmpl index 56c493825d..46f93dc6f9 100644 --- a/autogen/main/variables.tf.tmpl +++ b/autogen/main/variables.tf.tmpl 
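Review bot: When `var.enable_binary_authorization` is false, the `dynamic "binary_authorization"` block that the first two hunks now render into the Autopilot modules is omitted entirely rather than emitted with `evaluation_mode = "DISABLED"`, so setting the flag back to false on an existing cluster may leave enforcement in place (this depends on how the provider treats the absent block; worth confirming before the Autopilot modules inherit the behaviour). The `PROJECT_SINGLETON_POLICY_ENFORCE` value is hard-coded, so the only thing the flag does is delegate admission to the project-level policy, and nothing records why the block now sits outside the `{% if autopilot_cluster != true %}` guard that is closed and reopened around it. A template comment (Jinja `{# … #}`) above the block, `{# Rendered for Autopilot too; enforcement follows the project singleton policy, and the block is omitted (not DISABLED) when the flag is false #}`, would capture both points. The enclosing `google_container_cluster.primary` resource begins and ends outside these hunks.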
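Review bot: The third hunk (`@@ -248,7 +250,7 @@`) replaces a blank line with `enable_fqdn_network_policy = var.enable_fqdn_network_policy` inside the `{% if autopilot_cluster != true %}` guard, which is unrelated to the binary-authorization change the rest of the diff makes. If this is a move from elsewhere in the template, the matching removal is not in this chunk; if it is new, the non-Autopilot generated modules gain an attribute the commit does not mention. Either way it deserves a line in the commit description, and ideally a separate commit. This hunk also lies inside `google_container_cluster.primary`, whose start and end are outside the hunk.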
@@ -743,12 +743,14 @@ variable "enable_shielded_nodes" { default = true } +{% endif %} variable "enable_binary_authorization" { type = bool description = "Enable BinAuthZ Admission controller" default = false } +{% if autopilot_cluster != true %} variable "node_metadata" { description = "Specifies how node metadata is exposed to the workload running on the node" default = "GKE_METADATA" diff --git a/examples/autopilot_private_firewalls/main.tf b/examples/autopilot_private_firewalls/main.tf index 979261c992..556816d370 100644 --- a/examples/autopilot_private_firewalls/main.tf +++ b/examples/autopilot_private_firewalls/main.tf @@ -52,6 +52,7 @@ module "gke" { add_shadow_firewall_rules = true network_tags = ["allow-google-apis"] deletion_protection = false + enable_binary_authorization = true master_authorized_networks = [ { diff --git a/modules/beta-autopilot-private-cluster/README.md b/modules/beta-autopilot-private-cluster/README.md index 2f6b48b146..bddbd67667 100644 --- a/modules/beta-autopilot-private-cluster/README.md +++ b/modules/beta-autopilot-private-cluster/README.md 
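Review bot: The description `"Enable BinAuthZ Admission controller"` on `variable "enable_binary_authorization"`, now exposed to the Autopilot modules as well, does not tell the caller that the cluster is wired with `evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE"`, i.e. the flag only delegates admission to the project-level Binary Authorization policy; if that project policy still allows every image, setting the flag to true changes nothing about what can run. A description such as `description = "Enable Binary Authorization admission control; the cluster enforces the project-level (singleton) policy, which must be configured separately"` would make that explicit here and in every generated README. The variable block itself is complete within the hunk.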
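Review bot: The new `enable_binary_authorization = true` in the `gke` module call carries no comment, and nothing in the example configures the project Binary Authorization policy that `PROJECT_SINGLETON_POLICY_ENFORCE` delegates to, so a reader copying the example may assume image admission is now restricted by the example alone. A trailing comment, `enable_binary_authorization = true # enforces the project's Binary Authorization policy; that policy is configured separately`, would set the expectation. The `module "gke"` block continues outside the hunk on both sides.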
@@ -88,6 +88,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | diff --git a/modules/beta-autopilot-private-cluster/cluster.tf b/modules/beta-autopilot-private-cluster/cluster.tf index 0a8fd598b6..80555c69d4 100644 --- a/modules/beta-autopilot-private-cluster/cluster.tf +++ b/modules/beta-autopilot-private-cluster/cluster.tf @@ -85,6 +85,13 @@ resource "google_container_cluster" "primary" { enabled = var.enable_vertical_pod_autoscaling } + dynamic "binary_authorization" { + for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : [] + content { + evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" + } + } + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy diff --git a/modules/beta-autopilot-private-cluster/variables.tf b/modules/beta-autopilot-private-cluster/variables.tf index c39bf7b18a..9b177106af 100644 --- a/modules/beta-autopilot-private-cluster/variables.tf +++ b/modules/beta-autopilot-private-cluster/variables.tf 
@@ -469,6 +469,12 @@ variable "database_encryption" { }] } +variable "enable_binary_authorization" { + type = bool + description = "Enable BinAuthZ Admission controller" + default = false +} + variable "gke_backup_agent_config" { type = bool diff --git a/modules/beta-autopilot-public-cluster/README.md b/modules/beta-autopilot-public-cluster/README.md index 0c5d037049..4de1900468 100644 --- a/modules/beta-autopilot-public-cluster/README.md +++ b/modules/beta-autopilot-public-cluster/README.md @@ -81,6 +81,7 @@ Then perform the following commands on the root folder: | description | The description of the cluster | `string` | `""` | no | | disable\_default\_snat | Whether to disable the default SNAT to support the private use of public IP addresses | `bool` | `false` | no | | dns\_cache | The status of the NodeLocal DNSCache addon. | `bool` | `true` | no | +| enable\_binary\_authorization | Enable BinAuthZ Admission controller | `bool` | `false` | no | | enable\_cilium\_clusterwide\_network\_policy | Enable Cilium Cluster Wide Network Policies on the cluster | `bool` | `false` | no | | enable\_confidential\_nodes | An optional flag to enable confidential node config. | `bool` | `false` | no | | enable\_cost\_allocation | Enables Cost Allocation Feature and the cluster name and namespace of your GKE workloads appear in the labels field of the billing export to BigQuery | `bool` | `false` | no | diff --git a/modules/beta-autopilot-public-cluster/cluster.tf b/modules/beta-autopilot-public-cluster/cluster.tf index 63b92d253e..bcdd82fdc8 100644 --- a/modules/beta-autopilot-public-cluster/cluster.tf +++ b/modules/beta-autopilot-public-cluster/cluster.tf 
@@ -85,6 +85,13 @@ resource "google_container_cluster" "primary" { enabled = var.enable_vertical_pod_autoscaling } + dynamic "binary_authorization" { + for_each = var.enable_binary_authorization ? [var.enable_binary_authorization] : [] + content { + evaluation_mode = "PROJECT_SINGLETON_POLICY_ENFORCE" + } + } + enable_l4_ilb_subsetting = var.enable_l4_ilb_subsetting enable_cilium_clusterwide_network_policy = var.enable_cilium_clusterwide_network_policy diff --git a/modules/beta-autopilot-public-cluster/variables.tf b/modules/beta-autopilot-public-cluster/variables.tf index e5d50f44f7..aabe1e2667 100644 --- a/modules/beta-autopilot-public-cluster/variables.tf +++ b/modules/beta-autopilot-public-cluster/variables.tf @@ -433,6 +433,12 @@ variable "database_encryption" { }] } +variable "enable_binary_authorization" { + type = bool + description = "Enable BinAuthZ Admission controller" + default = false +} + variable "gke_backup_agent_config" { type = bool