nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #269

You work for a financial services company that has a container-first approach. Your team develops microservices applications. A Cloud Build pipeline creates the container image, runs regression tests,

The correct answer is A. Create an attestor and a policy. After a container image has successfully passed the regression. With Binary Authorization already enabled on the GKE clusters, you need to create an attestor (which defines who can vouch for images) and a policy (which requires attestations before deployment). The key step is integrating attestation creation into the Cloud Build pipeline: aft

Implementing security for applications

Question

You work for a financial services company that has a container-first approach. Your team develops microservices applications. A Cloud Build pipeline creates the container image, runs regression tests, and publishes the image to Artifact Registry. You need to ensure that only containers that have passed the regression tests are deployed to Google Kubernetes Engine (GKE) clusters. You have already enabled Binary Authorization on the GKE clusters. What should you do next?

Options

  • ACreate an attestor and a policy. After a container image has successfully passed the regression
  • BDeploy Voucher Server and Voucher Client components. After a container image has
  • CSet the Pod Security Standard level to Restricted for the relevant namespaces. Use Cloud Build
  • DCreate an attestor and a policy. Create an attestation for the container images that have passed

How the community answered

(52 responses)
  • A
    81% (42)
  • B
    12% (6)
  • C
    6% (3)
  • D
    2% (1)

Explanation

With Binary Authorization already enabled on the GKE clusters, you need to create an attestor (which defines who can vouch for images) and a policy (which requires attestations before deployment). The key step is integrating attestation creation into the Cloud Build pipeline: after regression tests pass, Cloud Build automatically creates a cryptographic attestation for the image using the attestor's key. GKE then enforces the Binary Authorization policy and rejects any image that lacks a valid attestation, ensuring only tested images deploy. Choice B (Voucher) is a valid but more complex third-party solution requiring additional components. Choice C (Pod Security Standards) controls pod-level security contexts, not deployment gating based on test results. Choice D also creates an attestor and policy but lacks the automated Cloud Build integration step, making the attestation process manual rather than pipeline-driven.

Topics

#Binary Authorization#GKE Security#Container Security#CI/CD Security

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice