Technical Processes — GCP PCA Practice Question 28

How to approach this question

Look for the GCP service designed specifically for container supply chain security and deploy-time enforcement.

Full Answer

B.Implement Binary Authorization on the GKE cluster and require attestations from Cloud Build and Container Analysis.✓ Correct

Binary Authorization is a service that provides software supply-chain security for applications that run in the cloud. It works with GKE to enforce policies that require images to be signed by trusted authorities (like a vulnerability scanner or a CI/CD pipeline) before they can be deployed. If an image lacks the required attestations, Binary Authorization blocks the deployment.

Common mistakes

Assuming IAM restrictions (Option C) are enough. IAM controls who can deploy, but Binary Authorization controls WHAT can be deployed.

Your company is adopting a DevSecOps culture. The security team wants to ensure that only container images that have been built by the official CI/CD pipeline and scanned for vulnerabilities can be deployed to the production GKE cluster. How should you enforce this?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Professional Cloud Architect Practice Exam 7

More questions from this exam