nerdexam
Google

PROFESSIONAL-CLOUD-DEVELOPER · Question #306

You manage an application deployed on GKE clusters across multiple environments. You are using Cloud Build to run user acceptance testing (UAT) tests. You have integrated Cloud Build with Artifact Ana

The correct answer is D. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service. Binary Authorization enforces deployment policies by requiring cryptographically signed attestations before images can be deployed. Option D is correct because it uses Cloud Key Management Service (Cloud KMS) to store the signing key, which is the secure, Google-recommended appro

Implementing secure deployment strategies

Question

You manage an application deployed on GKE clusters across multiple environments. You are using Cloud Build to run user acceptance testing (UAT) tests. You have integrated Cloud Build with Artifact Analysis, and enabled the Binary Authorization API in all Google Cloud projects hosting your environments. You want only container images that have passed certain automated UAT tests to be deployed to the production environment. You have already created an attestor. What should you do next?

Options

  • AAfter the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE
  • BAfter the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE
  • CAfter the UAT phase, sign the attestation with a key stored in Cloud Key Management Service
  • DAfter the UAT phase, sign the attestation with a key stored in Cloud Key Management Service

How the community answered

(22 responses)
  • A
    5% (1)
  • B
    9% (2)
  • C
    5% (1)
  • D
    82% (18)

Explanation

Binary Authorization enforces deployment policies by requiring cryptographically signed attestations before images can be deployed. Option D is correct because it uses Cloud Key Management Service (Cloud KMS) to store the signing key, which is the secure, Google-recommended approach for managing cryptographic keys in production. Options A and B store the signing key as a Kubernetes secret, which is significantly less secure - Kubernetes secrets are base64-encoded (not encrypted by default) and can be exposed if cluster RBAC is misconfigured. With Cloud KMS, the private key never leaves the KMS boundary, audit logs are automatic, and key rotation is managed. After signing the attestation with the KMS-backed key, a Binary Authorization policy requiring that attestation is applied to the production GKE cluster, blocking any image without it.

Topics

#Binary Authorization#Cloud KMS#Secure Deployments#CI/CD

Community Discussion

No community discussion yet for this question.

Full PROFESSIONAL-CLOUD-DEVELOPER Practice