ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Subtask 3.1: Security DesignGKESecurityWorkload IdentityIAM

GCP PCA · Question 31 · Security Design

You are designing a multi-tenant SaaS application on GKE. Each tenant's microservices run in a dedicated Kubernetes namespace. Tenant A's microservices need access to Tenant A's Cloud Storage bucket, and Tenant B's microservices need access to Tenant B's bucket. How should you configure authentication to ensure strict isolation?

Answer options:

A.

Assign a single GCP Service Account to the GKE node pool that has access to both buckets.

B.

Generate JSON keys for Tenant A and Tenant B's GCP Service Accounts and store them as Kubernetes Secrets in their respective namespaces.

C.

Enable Workload Identity on the GKE cluster. Map Tenant A's Kubernetes Service Account to a GCP Service Account with access to Tenant A's bucket, and do the same for Tenant B.

D.

Use VPC Service Controls to restrict bucket access based on the pod's internal IP address.

How to approach this question

Identify the GCP feature that links Kubernetes identities to IAM identities.

Full Answer

C.Enable Workload Identity on the GKE cluster. Map Tenant A's Kubernetes Service Account to a GCP Service Account with access to Tenant A's bucket, and do the same for Tenant B.✓ Correct
Enable Workload Identity on the GKE cluster. Map Tenant A's Kubernetes Service Account to a GCP Service Account with access to Tenant A's bucket, and do the same for Tenant B.
Workload Identity is the best practice for GKE authentication to GCP services. It allows you to configure a Kubernetes Service Account (KSA) to act as a Google Service Account (GSA). Pods running as the KSA automatically authenticate as the GSA when accessing GCP APIs. This provides granular, pod-level security isolation required for multi-tenancy without the risk of managing static JSON keys.

Common mistakes

Using Node Service Accounts (too broad) or Kubernetes Secrets with JSON keys (security risk).
30All questions32

Practice the full GCP Professional Cloud Architect Practice Exam 1

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...HardQ02**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...MediumQ03**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...HardQ04**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...MediumQ05**CASE STUDY: TechStream Gaming** **Company Overview:** TechStream Gaming is a global gaming com...Medium
View all 50 questions →