PROFESSIONAL-CLOUD-DEVELOPER · Question #336
You work for a financial services company that has a container-first approach. Your team develops microservices applications. You have a Cloud Build pipeline that creates a container image, runs regre
The correct answer is C. Create an attestor and a policy. Create an attestation for the container images that have passed. Binary Authorization enforces deployment policies by requiring cryptographic attestations before allowing a container to run on GKE. The correct workflow is: (1) create an attestor (the trusted authority that signs attestations) and a policy (which requires that attestor's signat
Question
You work for a financial services company that has a container-first approach. Your team develops microservices applications. You have a Cloud Build pipeline that creates a container image, runs regression tests, and publishes the image to Artifact Registry. You need to ensure that only containers that have passed the regression tests are deployed to GKE clusters. You have already enabled Binary Authorization on the GKE clusters. What should you do next?
Options
- ADeploy Voucher Server and Voucher Client components. After a container image has passed the
- BCreate an attestor and a policy. Run a vulnerability scan to create an attestation for the container
- CCreate an attestor and a policy. Create an attestation for the container images that have passed
- DSet the Pod Security Standard level to Restricted for the relevant namespaces. Digitally sign the
How the community answered
(16 responses)- A6% (1)
- B6% (1)
- C75% (12)
- D13% (2)
Explanation
Binary Authorization enforces deployment policies by requiring cryptographic attestations before allowing a container to run on GKE. The correct workflow is: (1) create an attestor (the trusted authority that signs attestations) and a policy (which requires that attestor's signature), then (2) after a container image passes regression tests in Cloud Build, create an attestation signed by that attestor. Only images with valid attestations matching the policy can be deployed. Option B incorrectly ties attestation to a vulnerability scan rather than regression test passage. Option A (Voucher) is a valid but significantly more complex framework. Option D (Pod Security Standards) controls workload permissions but cannot enforce which images are allowed based on test results.
Topics
Community Discussion
No community discussion yet for this question.