PROFESSIONAL-CLOUD-DEVELOPER · Question #269
You work for a financial services company that has a container-first approach. Your team develops microservices applications. A Cloud Build pipeline creates the container image, runs regression tests,
The correct answer is A. Create an attestor and a policy. After a container image has successfully passed the regression. With Binary Authorization already enabled on the GKE clusters, you need to create an attestor (which defines who can vouch for images) and a policy (which requires attestations before deployment). The key step is integrating attestation creation into the Cloud Build pipeline: aft
Question
You work for a financial services company that has a container-first approach. Your team develops microservices applications. A Cloud Build pipeline creates the container image, runs regression tests, and publishes the image to Artifact Registry. You need to ensure that only containers that have passed the regression tests are deployed to Google Kubernetes Engine (GKE) clusters. You have already enabled Binary Authorization on the GKE clusters. What should you do next?
Options
- ACreate an attestor and a policy. After a container image has successfully passed the regression
- BDeploy Voucher Server and Voucher Client components. After a container image has
- CSet the Pod Security Standard level to Restricted for the relevant namespaces. Use Cloud Build
- DCreate an attestor and a policy. Create an attestation for the container images that have passed
How the community answered
(52 responses)- A81% (42)
- B12% (6)
- C6% (3)
- D2% (1)
Explanation
With Binary Authorization already enabled on the GKE clusters, you need to create an attestor (which defines who can vouch for images) and a policy (which requires attestations before deployment). The key step is integrating attestation creation into the Cloud Build pipeline: after regression tests pass, Cloud Build automatically creates a cryptographic attestation for the image using the attestor's key. GKE then enforces the Binary Authorization policy and rejects any image that lacks a valid attestation, ensuring only tested images deploy. Choice B (Voucher) is a valid but more complex third-party solution requiring additional components. Choice C (Pod Security Standards) controls pod-level security contexts, not deployment gating based on test results. Choice D also creates an attestor and policy but lacks the automated Cloud Build integration step, making the attestation process manual rather than pipeline-driven.
Topics
Community Discussion
No community discussion yet for this question.