Google Cloud Associate Cloud Engineer — Question 64
You are using Container Registry to centrally store your company's container images in a separate project. In another project, you want to create a Google Kubernetes Engine (GKE) cluster. You want to ensure that Kubernetes can download images from Container Registry. What should you do?
Answer options
- A. In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes.
- B. When you create the GKE cluster, choose the Allow full access to all Cloud APIs option under 'Access scopes'.
- C. Create a service account, and give it access to Cloud Storage. Create a P12 key for this service account and use it as an imagePullSecrets in Kubernetes.
- D. Configure the ACLs on each image in Cloud Storage to give read-only access to the default Compute Engine service account.
Correct answer: A
Explanation
Option A is correct: Container Registry stores images in a Cloud Storage bucket in the project that hosts the registry, so granting the Storage Object Viewer IAM role in that project to the service account used by the Kubernetes nodes allows the nodes to pull images. Option B is incorrect because allowing full access to all Cloud APIs does not specifically grant access to Container Registry; access scopes do not replace the IAM permission on the project where the images are stored. Option C is not necessary: creating a service account and using a P12 key as an imagePullSecrets adds complexity without addressing the direct permission needed. Option D is incorrect because setting ACLs on individual images is not best practice compared with using IAM roles.