PROFESSIONAL-CLOUD-DEVOPS-ENGINEER · Question #88
PROFESSIONAL-CLOUD-DEVOPS-ENGINEER Question #88: Real Exam Question with Answer & Explanation
The correct answer is A: Configure Binary Authorization in your GKE clusters to enforce deploy-time security policies. Binary Authorization is Google Cloud's fully managed deploy-time security policy service for GKE. It enforces that only container images with valid attestations (from trusted sources such as Cloud Build) can be deployed, satisfying the requirement for trusted images with minimal management overhead.
Question
Your company operates in a highly regulated domain. Your security team requires that only trusted container images can be deployed to Google Kubernetes Engine (GKE). You need to implement a solution that meets the requirements of the security team while minimizing management overhead. What should you do?
Options
- A. Configure Binary Authorization in your GKE clusters to enforce deploy-time security policies.
- B. Grant the roles/artifactregistry.writer role to the Cloud Build service account. Confirm that no
- C. Use Cloud Run to write and deploy a custom validator. Enable an Eventarc trigger to perform
- D. Configure Kritis to run in your GKE clusters to enforce deploy-time security policies.
Explanation
Binary Authorization is Google Cloud's managed deploy-time security policy service for GKE. It acts as an admission control on the cluster: every Pod creation is checked against the project's policy, and an image is admitted only if it satisfies the applicable rule, typically by carrying a signed attestation from a trusted attestor (for example, the attestation Cloud Build can produce for images it builds). Because Google operates both the policy service and the admission controller, there is no validator to build, host or patch, which meets the security team's requirement with the least management overhead. Option D (Kritis) is the open-source counterpart of Binary Authorization; running it yourself means installing, operating and upgrading the admission webhook and its policy resources in every cluster, which is exactly the overhead the question asks you to avoid. Option B only controls who may push images to Artifact Registry; it does nothing to stop a user with deploy rights from running an unsigned image or an image from any other registry. Option C is a custom validator that your team must write, host and maintain, triggered by Eventarc events; it is neither a managed service nor the deploy-time gate the security team asked for.
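The following project policy is an added illustration of what "configure Binary Authorization" amounts to in practice; it is not part of the original question or of Google's documentation. PROJECT_ID, the cluster locations and the cluster names are placeholders, and it assumes the built-by-cloud-build attestor that Cloud Build creates automatically in a project when it attests the images it builds; substitute your own attestor (for example one backed by a Cloud KMS key) if you sign images another way.

```yaml
# Binary Authorization project policy (added example; PROJECT_ID, cluster
# locations and cluster names are placeholders). Apply it with:
#   gcloud container binauthz policy import policy.yaml
globalPolicyEvaluationMode: ENABLE   # exempts Google-maintained GKE system images only

# Every pattern listed here bypasses attestation checks entirely.
# The weak setting is a broad pattern such as "gcr.io/*"; keep this empty
# or limited to explicit, narrowly scoped image paths.
admissionWhitelistPatterns: []

# Applies to every cluster without a more specific rule below.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/built-by-cloud-build

# Cluster-specific rules are keyed by "<location>.<cluster name>".
clusterAdmissionRules:
  # Rollout phase: evaluate the same rule but only log violations,
  # so existing workloads are not blocked while you fix their build pipeline.
  us-central1.staging-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/built-by-cloud-build
  # Production: block and audit-log anything without a valid attestation.
  us-central1.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/built-by-cloud-build
```

The policy is project-wide, but each cluster must also have Binary Authorization evaluation enabled (for example `gcloud container clusters update CLUSTER --location LOCATION --binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE`) before the admission controller enforces it. When testing, reference the image by digest (`image@sha256:...`): attestations are bound to a digest, so a deployment that references a tag is denied under REQUIRE_ATTESTATION even when the underlying image was attested. Start a cluster in dry-run mode and review the audit log entries Binary Authorization writes for would-be denials before switching that cluster to enforcement.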