
ASSOCIATE-CLOUD-ENGINEER · Question #122

ASSOCIATE-CLOUD-ENGINEER Question #122: Real Exam Question with Answer & Explanation

The correct answer is C: Create a GKE node pool with a sandbox type configured to gvisor. Add the parameter. You can enable GKE Sandbox on your cluster to isolate untrusted workloads in sandboxes on the node. GKE Sandbox is built using gVisor, an open source project. https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview?hl=en#protecting_nodes_from_untrusted_workloa

Submitted by yasin.bd · Mar 30, 2026

Question

You are building a product on top of Google Kubernetes Engine (GKE). You have a single GKE cluster. For each of your customers, a Pod is running in that cluster, and your customers can run arbitrary code inside their Pod. You want to maximize the isolation between your customers' Pods. What should you do?

Options

  • A. Use Binary Authorization and whitelist only the container images used by your customers' Pods.
  • B. Use the Container Analysis API to detect vulnerabilities in the containers used by your customers'
  • C. Create a GKE node pool with a sandbox type configured to gvisor. Add the parameter
  • D. Use the cos_containerd image for your GKE nodes. Add a nodeSelector with the value

Explanation

You can enable GKE Sandbox on your cluster to isolate untrusted workloads in sandboxes on the node. GKE Sandbox is built using gVisor, an open source project. https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview?hl=en#protecting_nodes_from_untrusted_workloads
