nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #251

Your team is setting up a build pipeline for an application that will run in Google Kubernetes Engine (GKE). For security reasons, you only want images produced by the pipeline to be deployed to your

The correct answer is D. Cloud Build, Artifact Registry, and Binary Authorization. The requirement is a secure build pipeline where only images built by the pipeline can be deployed to GKE. Three services work together: (1) Cloud Build builds and signs container images as part of the CI/CD pipeline. (2) Artifact Registry stores the container images and integrat

Implementing secure deployment strategies

Question

Your team is setting up a build pipeline for an application that will run in Google Kubernetes Engine (GKE). For security reasons, you only want images produced by the pipeline to be deployed to your GKE cluster. Which combination of Google Cloud services should you use?

Options

  • ACloud Build, Cloud Storage, and Binary Authorization
  • BGoogle Cloud Deploy, Cloud Storage, and Google Cloud Armor
  • CGoogle Cloud Deploy, Artifact Registry, and Google Cloud Armor
  • DCloud Build, Artifact Registry, and Binary Authorization

How the community answered

(45 responses)
  • A
    24% (11)
  • B
    11% (5)
  • C
    7% (3)
  • D
    58% (26)

Explanation

The requirement is a secure build pipeline where only images built by the pipeline can be deployed to GKE. Three services work together: (1) Cloud Build builds and signs container images as part of the CI/CD pipeline. (2) Artifact Registry stores the container images and integrates with IAM for access control and with Binary Authorization for attestation. (3) Binary Authorization enforces a policy on GKE that requires images to have a valid attestation (cryptographic signature) from the pipeline before they can be deployed - any unsigned or externally sourced image is blocked. Cloud Storage (A, B) is not an appropriate container registry. Google Cloud Armor (B, C) is a DDoS and WAF service unrelated to image deployment policies.

Topics

#CI/CD#GKE Security#Container Image Security#Binary Authorization

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice