PROFESSIONAL-CLOUD-DEVELOPER · Question #314
You are developing a container build pipeline for an application hosted on GKE. You have the following requirements: - Only images that are created using your build pipeline should be deployed on your
The correct answer is B. 1. Create a build pipeline by using Cloud Build with a private worker pool.. Option B is correct because it combines two critical controls: (1) Cloud Build with a private worker pool, which runs build jobs inside your own VPC rather than on Google's shared public infrastructure. This keeps source code and build artifacts from traversing the public interne
Question
You are developing a container build pipeline for an application hosted on GKE. You have the following requirements:
- Only images that are created using your build pipeline should be
deployed on your GKE cluster.
- All code and build artifacts should remain within your environment
and protected from data exfiltration. How should you build the pipeline?
Options
- A
- Create a build pipeline by using Cloud Build with the default worker pool.
- B
- Create a build pipeline by using Cloud Build with a private worker pool.
- C
- Create a build pipeline by using Cloud Build with a private worker pool.
- D
- Create a build pipeline by using Cloud Build with the default worker pool.
How the community answered
(40 responses)- A5% (2)
- B78% (31)
- C5% (2)
- D13% (5)
Explanation
Option B is correct because it combines two critical controls: (1) Cloud Build with a private worker pool, which runs build jobs inside your own VPC rather than on Google's shared public infrastructure. This keeps source code and build artifacts from traversing the public internet, satisfying the data exfiltration requirement. (2) Binary Authorization, which enforces that only images produced and signed by your specific pipeline can be deployed to the GKE cluster, satisfying the image provenance requirement. Options A and D use the default (public) worker pool, meaning build traffic crosses the public internet, which violates the data exfiltration constraint. Option C uses a private worker pool but likely lacks Binary Authorization or uses an incorrect deployment enforcement mechanism.
Topics
Community Discussion
No community discussion yet for this question.