nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #114

You are a SaaS provider deploying dedicated blogging software to customers in your Google Kubernetes Engine (GKE) cluster. You want to configure a secure multi-tenant platform to ensure that each cust

The correct answer is B. Deploy a namespace per tenant and use Network Policies in each blog deployment.. Namespaces in Kubernetes provide logical isolation between tenants - each customer's resources live in their own namespace, limiting the scope of their access and RBAC policies. Network Policies enforce L3/L4 traffic rules at the pod level, preventing pods in one tenant's namespa

Implementing Security for Applications

Question

You are a SaaS provider deploying dedicated blogging software to customers in your Google Kubernetes Engine (GKE) cluster. You want to configure a secure multi-tenant platform to ensure that each customer has access to only their own blog and can't affect the workloads of other customers. What should you do?

Options

  • AEnable Application-layer Secrets on the GKE cluster to protect the cluster.
  • BDeploy a namespace per tenant and use Network Policies in each blog deployment.
  • CUse GKE Audit Logging to identify malicious containers and delete them on discovery.
  • DBuild a custom image of the blogging software and use Binary Authorization to prevent untrusted

How the community answered

(37 responses)
  • A
    5% (2)
  • B
    84% (31)
  • C
    8% (3)
  • D
    3% (1)

Explanation

Namespaces in Kubernetes provide logical isolation between tenants - each customer's resources live in their own namespace, limiting the scope of their access and RBAC policies. Network Policies enforce L3/L4 traffic rules at the pod level, preventing pods in one tenant's namespace from communicating with pods in another's. Together, namespace-per-tenant and Network Policies are the standard Kubernetes multi-tenancy pattern, addressing both access control and workload isolation. Choice A (Application-layer Secrets Encryption) protects secrets at rest in etcd but does nothing for tenant isolation. Choice C (Audit Logging) is reactive - it detects problems after they happen but doesn't prevent them. Choice D (Binary Authorization) ensures only trusted container images run but doesn't isolate tenants from each other.

Topics

#Multi-tenancy#Kubernetes Namespaces#Network Policies#GKE Security

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice