Medium · 1 mark · Multiple Choice
Subtask 4.1: Technical Processes · Security · GKE · Binary Authorization · CI/CD

GCP PCA · Question 30 · Technical Processes

A highly regulated financial institution uses GKE to run its applications. The security team mandates that only container images that have been scanned for vulnerabilities and explicitly signed by the QA team can be deployed to the production cluster. How should you enforce this policy?

Answer options:

A. Write a custom Kubernetes admission controller webhook to check image tags.

B. Use IAM to restrict who can push images to the Artifact Registry.

C. Implement Binary Authorization and configure an attestor for the QA team.

D. Configure Google Cloud Armor to block deployments of unsigned images.

How to approach this question

Identify the GCP service that enforces deploy-time security policies for containers.

Full Answer

C. Implement Binary Authorization and configure an attestor for the QA team. ✓ Correct

Binary Authorization integrates directly with GKE. It acts as an admission controller that verifies cryptographic signatures (attestations) on container images before they are allowed to run. If the image does not carry a valid attestation from the QA team's attestor, Binary Authorization blocks the deployment.

Common mistakes

Relying on registry-level IAM (B), which doesn't protect the cluster from pulling external, unverified images.
