Medium · 1 mark · Multiple Choice
GCP PCA · Question 30 · Technical Processes
You are designing a secure CI/CD pipeline for Google Kubernetes Engine (GKE). You must ensure that only container images that have been scanned for vulnerabilities and explicitly approved by the QA team can be deployed to the production cluster. Which GCP service should you use?
Answer options:
A. Cloud Build
B. Binary Authorization
C. Identity-Aware Proxy (IAP)
D. Security Command Center
How to approach this question
Identify the service that enforces signature-based deployment policies for containers.
Full Answer
B. Binary Authorization ✓ Correct
Binary Authorization integrates with GKE to enforce strict deploy-time policies. You can configure it to require 'attestations' (signatures). For example, the vulnerability scanner signs the image, then the QA team signs it. Only if both signatures are present will Binary Authorization allow GKE to run the container.
Common mistakes
Assuming Cloud Build (A) can enforce cluster-level deployment policies.