PROFESSIONAL-CLOUD-DEVELOPER · Question #309
You use Cloud Build to build and test container images prior to deploying them to Cloud Run. Your images are stored in Artifact Registry. You need to ensure that only container images that have passed
The correct answer is B. Enable Binary Authorization on your Cloud Run service. Create an attestation if the container. Binary Authorization is a deploy-time security control that prevents container images without valid attestations from being deployed to Cloud Run. Option B is correct: enabling Binary Authorization on the Cloud Run service and creating an attestation only after tests pass means a
Question
You use Cloud Build to build and test container images prior to deploying them to Cloud Run. Your images are stored in Artifact Registry. You need to ensure that only container images that have passed testing are deployed. You want to minimize operational overhead. What should you do?
Options
- ADeploy a new revision to a Cloud Run service. Assign a tag that allows access to the revision at a
- BEnable Binary Authorization on your Cloud Run service. Create an attestation if the container
- CCreate a GKE cluster. Verify that all tests have passed, and then deploy the image to the GKE
- DConfigure build provenance on your Cloud Build pipeline. Verify that all the tests have passed,
How the community answered
(14 responses)- A7% (1)
- B71% (10)
- C7% (1)
- D14% (2)
Explanation
Binary Authorization is a deploy-time security control that prevents container images without valid attestations from being deployed to Cloud Run. Option B is correct: enabling Binary Authorization on the Cloud Run service and creating an attestation only after tests pass means any image that did not pass testing will lack the required attestation and be blocked from deployment - automatically and with minimal ongoing overhead. Option A (Cloud Run revision tags for testing) provides a staging URL but does not block untested images from being promoted. Option C (GKE cluster) introduces significant operational overhead just to gate deployments. Option D (build provenance) records metadata about how an image was built but does not by itself enforce a block on deployment - it must be combined with a Binary Authorization policy to enforce the gate.
Topics
Community Discussion
No community discussion yet for this question.