PROFESSIONAL-CLOUD-DEVELOPER · Question #148
Your security team is auditing all deployed applications running in Google Kubernetes Engine. After completing the audit, your team discovers that some of the applications send traffic within the clus
The correct answer is B. Install Istio, enable proxy injection on your application namespace, and then enable mTLS.. Istio is a service mesh that operates at the infrastructure level by injecting a sidecar proxy (Envoy) into each application pod. When mTLS (mutual TLS) is enabled, all traffic between services is automatically encrypted by the sidecar proxies - no changes to application code are
Question
Your security team is auditing all deployed applications running in Google Kubernetes Engine. After completing the audit, your team discovers that some of the applications send traffic within the cluster in clear text. You need to ensure that all application traffic is encrypted as quickly as possible while minimizing changes to your applications and maintaining support from Google. What should you do?
Options
- AUse Network Policies to block traffic between applications.
- BInstall Istio, enable proxy injection on your application namespace, and then enable mTLS.
- CDefine Trusted Network ranges within the application, and configure the applications to allow
- DUse an automated process to request SSL Certificates for your applications from Let's Encrypt
How the community answered
(16 responses)- A6% (1)
- B69% (11)
- C6% (1)
- D19% (3)
Explanation
Istio is a service mesh that operates at the infrastructure level by injecting a sidecar proxy (Envoy) into each application pod. When mTLS (mutual TLS) is enabled, all traffic between services is automatically encrypted by the sidecar proxies - no changes to application code are required, satisfying the 'minimize changes to applications' requirement. Istio is also a Google-supported technology on GKE (via Anthos Service Mesh), satisfying the 'maintaining support from Google' requirement. Option A (Network Policies) controls which pods can communicate but does not encrypt traffic. Option C requires changes to the applications themselves (defining trusted networks and configuring allow rules). Option D (Let's Encrypt certificates) requires application-level TLS configuration changes and ongoing certificate management, making it more invasive than a service mesh approach.
Topics
Community Discussion
No community discussion yet for this question.