PROFESSIONAL-CLOUD-DEVELOPER · Question #312
You are migrating a containerized application to Cloud Run. You plan to use Cloud Build to build your container image and push it to Artifact Registry, and you plan to use Cloud Deploy to deploy the i
The correct answer is D. Use Binary Authorization to enforce a policy that only allows images that have been signed with a. Binary Authorization (option D) is the purpose-built Google Cloud solution for enforcing image provenance at deploy time. It works by requiring images to carry cryptographic attestations - digital signatures created by trusted authorities (such as your Cloud Build pipeline) - bef
Question
You are migrating a containerized application to Cloud Run. You plan to use Cloud Build to build your container image and push it to Artifact Registry, and you plan to use Cloud Deploy to deploy the image to production. You need to ensure that only secure images are deployed to production. What should you do?
Options
- AUse Cloud Armor in front of Cloud Run to protect the container image from threats.
- BUse Artifact Analysis to scan the image for vulnerabilities. Use Cloud Key Management Service to
- CUse Secret Manager to store the encrypted image. Deploy this image to production.
- DUse Binary Authorization to enforce a policy that only allows images that have been signed with a
How the community answered
(36 responses)- A8% (3)
- B14% (5)
- C6% (2)
- D72% (26)
Explanation
Binary Authorization (option D) is the purpose-built Google Cloud solution for enforcing image provenance at deploy time. It works by requiring images to carry cryptographic attestations - digital signatures created by trusted authorities (such as your Cloud Build pipeline) - before they can be deployed. You configure a policy on GKE or Cloud Run that rejects any image lacking a valid attestation. This creates a closed loop: only images that successfully passed your build pipeline and were signed can ever reach production. Option A (Cloud Armor) protects network traffic, not image integrity. Option B (Artifact Analysis + KMS) scans for vulnerabilities but does not enforce a deployment gate. Option C (Secret Manager) is unrelated to image signing or deployment policy enforcement.
Topics
Community Discussion
No community discussion yet for this question.