Google Cloud Associate Cloud Engineer — Question 178
You are building a product on top of Google Kubernetes Engine (GKE). You have a single GKE cluster. For each of your customers, a Pod is running in that cluster, and your customers can run arbitrary code inside their Pod. You want to maximize the isolation between your customers' Pods. What should you do?
Answer options
- A. Use Binary Authorization and whitelist only the container images used by your customers' Pods.
- B. Use the Container Analysis API to detect vulnerabilities in the containers used by your customers' Pods.
- C. Create a GKE node pool with a sandbox type configured to gvisor. Add the parameter runtimeClassName: gvisor to the specification of your customers' Pods.
- D. Use the cos_containerd image for your GKE nodes. Add a nodeSelector with the value cloud.google.com/gke-os-distribution: cos_containerd to the specification of your customers' Pods.
Correct answer: C
Explanation
The correct answer is C because GKE Sandbox (gVisor) runs each Pod in its own user-space kernel: the container's system calls are intercepted by the sandbox instead of reaching the host kernel directly, so code running in one customer's Pod has a much smaller attack surface against the node and against neighbouring Pods. Options A and B focus on image security (controlling which images may run, and scanning them for known vulnerabilities); they do not change how Pods are isolated from each other at runtime, and they do nothing against arbitrary code a customer legitimately runs. Option D only selects the node OS distribution; cos_containerd nodes still share one host kernel between all Pods, so it does not add Pod-level isolation.
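To make option C concrete, here is an added example (not part of the original question page) showing the two halves of the setup: the node pool is created with the sandbox type set to gvisor, and each customer Pod opts into that sandbox with `runtimeClassName: gvisor`. The cluster name, node pool name, zone, image name and labels are placeholders chosen for the example; the `--sandbox type=gvisor` flag and the `gvisor` RuntimeClass name are the ones GKE uses.

```yaml
# Step 1 (run once, outside the manifests): create a node pool whose nodes run
# GKE Sandbox. Cluster, pool and zone names are placeholders for this example.
#
#   gcloud container node-pools create sandbox-pool \
#       --cluster=example-cluster \
#       --zone=us-central1-a \
#       --sandbox type=gvisor
#
# Step 2: give each customer Pod the gvisor RuntimeClass. Without it, the Pod is
# scheduled as an ordinary containerd Pod and shares the host kernel.

# Weak form: no runtimeClassName, so this Pod runs directly on the node kernel.
apiVersion: v1
kind: Pod
metadata:
  name: customer-a-unsandboxed        # placeholder name
  labels:
    tenant: customer-a                # placeholder label
spec:
  containers:
    - name: workload
      image: example.com/customer-a/workload:latest   # placeholder image
---
# Hardened form: runtimeClassName selects GKE Sandbox. GKE's gvisor RuntimeClass
# carries the node selector and toleration for the sandbox node pool, so this
# Pod lands only on sandboxed nodes.
apiVersion: v1
kind: Pod
metadata:
  name: customer-a-sandboxed          # placeholder name
  labels:
    tenant: customer-a                # placeholder label
spec:
  runtimeClassName: gvisor            # the setting the question asks for
  containers:
    - name: workload
      image: example.com/customer-a/workload:latest   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false   # privileged containers are not
                                          # supported inside the sandbox anyway
```

Two things a practitioner should check after applying this: `kubectl get pod customer-a-sandboxed -o jsonpath='{.spec.runtimeClassName}'` should print `gvisor`, and the Pod should be scheduled onto a node in the sandbox pool rather than the default pool. Pods that omit `runtimeClassName` are not sandboxed even if they happen to run on the same cluster, so the field must be set on every customer Pod (an admission policy that rejects tenant Pods without it is a sensible backstop). The sandbox also restricts some workloads, for example privileged containers and certain host-level features, so verify the customer images still function before rolling it out.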