diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c0893e8f9..5876189388 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ Extending the adopted spec, each change should have a link to its corresponding
 ### Added
+* Add configuration flag for enable BinAuthZ Admission controller [#160]
 * Support for a guest accelerator in node pool configuration. [#157]
 * Support to scale the default node cluster. [#149]
 * Support for configuring the network policy provider. [#159]
diff --git a/autogen/cluster_regional.tf b/autogen/cluster_regional.tf
index 46e5e7710e..36bfdb1cd4 100644
--- a/autogen/cluster_regional.tf
+++ b/autogen/cluster_regional.tf
@@ -42,6 +42,9 @@ resource "google_container_cluster" "primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+{% if private_cluster %}
+ enable_binary_authorization = "${var.enable_binary_authorization}"
+{% endif %}
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/autogen/cluster_zonal.tf b/autogen/cluster_zonal.tf
index 261fcc04c2..00b5729a4d 100644
--- a/autogen/cluster_zonal.tf
+++ b/autogen/cluster_zonal.tf
@@ -42,6 +42,9 @@ resource "google_container_cluster" "zonal_primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+{% if private_cluster %}
+ enable_binary_authorization = "${var.enable_binary_authorization}"
+{% endif %}
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/autogen/variables.tf b/autogen/variables.tf
index 49af377738..1b4ce5b884 100644
--- a/autogen/variables.tf
+++ b/autogen/variables.tf
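Review bot: The new `enable_binary_authorization` attribute in the autogen/cluster_regional.tf hunk is wrapped in `{% if private_cluster %}`, so the generated root module never exposes it even though nothing about the attribute itself is specific to private clusters; a reader will conclude Binary Authorization cannot be used with the public module. If the gating is there because the attribute needs the beta provider at this point and only the private-cluster module uses it, the template should say so, e.g. `{# enable_binary_authorization is only generated for the private-cluster module (beta provider) #}` placed just above the `{% if %}`. The same gated block is repeated in the autogen/cluster_zonal.tf hunk, and the ungated generated copies appear in the modules/private-cluster/cluster_regional.tf and cluster_zonal.tf hunks. The `google_container_cluster` resource body continues outside the hunk.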
@@ -86,6 +86,13 @@ variable "master_authorized_networks_config" {
 default = []
 }
+{% if private_cluster %}
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
+{% endif %}
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true
diff --git a/modules/private-cluster/README.md b/modules/private-cluster/README.md
index e50dc73b3f..52c969f71b 100644
--- a/modules/private-cluster/README.md
+++ b/modules/private-cluster/README.md
@@ -124,6 +124,7 @@ In either case, upgrading to module version `v1.0.0` will trigger a recreation o
 | deploy\_using\_private\_endpoint | (Beta) A toggle for Terraform and kubectl to connect to the master's internal IP address during deployment. | string | `"false"` | no |
 | description | The description of the cluster | string | `""` | no |
 | disable\_legacy\_metadata\_endpoints | Disable the /0.1/ and /v1beta1/ metadata server endpoints on the node. Changing this value will cause all node pools to be recreated. | string | `"true"` | no |
+| enable\_binary\_authorization | Enable BinAuthZ Admission controller | string | `"false"` | no |
 | enable\_private\_endpoint | (Beta) Whether the master's internal IP address is used as the cluster endpoint | string | `"false"` | no |
 | enable\_private\_nodes | (Beta) Whether nodes have internal IP addresses only | string | `"false"` | no |
 | horizontal\_pod\_autoscaling | Enable horizontal pod autoscaling addon | string | `"true"` | no |
diff --git a/modules/private-cluster/cluster_regional.tf b/modules/private-cluster/cluster_regional.tf
index 34f21fd9d1..9630acf411 100644
--- a/modules/private-cluster/cluster_regional.tf
+++ b/modules/private-cluster/cluster_regional.tf
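Review bot: The description `Enable BinAuthZ Admission controller` on the new variable in the autogen/variables.tf hunk does not tell the operator what setting it to true actually enforces; as far as I can tell, the attribute only subjects the cluster to the project-level Binary Authorization policy, and which images are admitted is decided by that policy, which this module does not configure. A user who flips the flag and assumes unsigned images are now blocked gets no enforcement if the project policy is still permissive. Suggest `description = "Enable the Binary Authorization admission controller. Image admission is governed by the project's Binary Authorization policy, which this module does not manage."`. The identical variable block appears in the modules/private-cluster/variables.tf hunk, and the README row copies the short description verbatim, so all three should be updated together.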
@@ -42,6 +42,7 @@ resource "google_container_cluster" "primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+ enable_binary_authorization = "${var.enable_binary_authorization}"
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/private-cluster/cluster_zonal.tf b/modules/private-cluster/cluster_zonal.tf
index 692cc1a6a6..fc98826190 100644
--- a/modules/private-cluster/cluster_zonal.tf
+++ b/modules/private-cluster/cluster_zonal.tf
@@ -42,6 +42,7 @@ resource "google_container_cluster" "zonal_primary" {
 logging_service = "${var.logging_service}"
 monitoring_service = "${var.monitoring_service}"
+ enable_binary_authorization = "${var.enable_binary_authorization}"
 master_authorized_networks_config = ["${var.master_authorized_networks_config}"]
 master_auth {
diff --git a/modules/private-cluster/variables.tf b/modules/private-cluster/variables.tf
index 005a04228e..c3537af0de 100644
--- a/modules/private-cluster/variables.tf
+++ b/modules/private-cluster/variables.tf
@@ -86,6 +86,11 @@ variable "master_authorized_networks_config" {
 default = []
 }
+variable "enable_binary_authorization" {
+ description = "Enable BinAuthZ Admission controller"
+ default = false
+}
+
 variable "horizontal_pod_autoscaling" {
 description = "Enable horizontal pod autoscaling addon"
 default = true