nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #165

You are developing a microservice-based application that will run on Google Kubernetes Engine (GKE). Some of the services need to access different Google Cloud APIs. How should you set up authenticati

The correct answer is B. Enable Workload Identity in the cluster via the gcloud command-line tool. E. Use gcloud to bind the Kubernetes service account and the Google service account using. Google's recommended approach for GKE workload authentication is Workload Identity. It eliminates the need to manage or distribute service account key files by allowing Kubernetes Service Accounts (KSA) to impersonate Google Service Accounts (GSA). Step B enables Workload Identit

Deploying Applications

Question

You are developing a microservice-based application that will run on Google Kubernetes Engine (GKE). Some of the services need to access different Google Cloud APIs. How should you set up authentication of these services in the cluster following Google-recommended best practices? (Choose two.)

Options

  • AUse the service account attached to the GKE node.
  • BEnable Workload Identity in the cluster via the gcloud command-line tool.
  • CAccess the Google service account keys from a secret management service.
  • DStore the Google service account keys in a central secret management service.
  • EUse gcloud to bind the Kubernetes service account and the Google service account using

How the community answered

(24 responses)
  • A
    4% (1)
  • B
    79% (19)
  • C
    4% (1)
  • D
    13% (3)

Explanation

Google's recommended approach for GKE workload authentication is Workload Identity. It eliminates the need to manage or distribute service account key files by allowing Kubernetes Service Accounts (KSA) to impersonate Google Service Accounts (GSA). Step B enables Workload Identity on the cluster, and Step E performs the IAM binding that links a KSA to a GSA - both are required steps. Using the node's service account (A) violates least-privilege because all pods on that node share the same permissions. Storing service account keys in a secret manager (C/D) is better than hardcoding them, but it still requires key rotation and is explicitly less secure than Workload Identity per Google's best practices.

Topics

#Workload Identity#GKE Security#Service Accounts#API Authentication

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice