PROFESSIONAL-CLOUD-ARCHITECT · Question #300
The correct answer is C: Enable GKE Audit Logging to send Kubernetes API server logs to Cloud Logging, and ensure.
Question
You are designing a new insurance claims processing application that will be deployed on Google Kubernetes Engine (GKE). Your company's compliance team requires a complete and non-repudiable audit trail for all administrative actions from day one. Your application must capture who deploys a new container image, who modifies the GKE cluster's configuration, and who interacts with running pods or Kubernetes secrets using kubectl. What should you do?
Options
- A. Enable Binary Authorization on the GKE cluster, and create a policy that requires all deployed
- B. Deploy a DaemonSet to every node in the GKE cluster that runs a logging agent to collect and
- C. Enable GKE Audit Logging to send Kubernetes API server logs to Cloud Logging, and ensure
- D. Activate the Security Command Center Premium tier to analyze GKE logs and detect threats,
Explanation
Enabling GKE Audit Logging records all interactions with the Kubernetes API server (such as deployments, config changes, kubectl exec/port-forward/secret access), including who performed each action and what they did. Combined with Cloud Audit Logs at the project level, this provides a complete, tamper-resistant, and non-repudiable audit trail of all administrative operations from day one, satisfying the compliance requirements.