You are designing a secure CI/CD pipeline for Google Kubernetes Engine (GKE). You must ensure that only container images that have been scanned for vulnerabilities and explicitly approved by the QA team can be deployed to the production cluster. Which GCP service should you use?

Answer options:

Cloud Build

Binary Authorization

Identity-Aware Proxy (IAP)

Security Command Center

How to approach this question

Identify the service that enforces signature-based deployment policies for containers.

Full Answer

B.Binary Authorization✓ Correct

Binary Authorization integrates with GKE to enforce strict deploy-time policies. You can configure it to require 'attestations' (signatures). For example, the vulnerability scanner signs the image, then the QA team signs it. Only if both signatures are present will Binary Authorization allow GKE to run the container.

Common mistakes

Assuming Cloud Build (A) can enforce cluster-level deployment policies.

Question 29 All questions Question 31

Practice the full GCP Professional Cloud Architect Practice Exam 5

50 questions · hints · full answers · grading

More questions from this exam

Q01CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Hard Q02CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Medium Q03CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Medium Q04CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Medium Q05CASE STUDY: TechStream Gaming Overview: Gaming company, 500 employees, $100M revenue. 200 on-prem...Easy

View all 50 questions →