Google Cloud Professional Cloud Developer — Question 284

You manage an application deployed on GKE clusters across multiple environments. You are using Cloud Build to run user acceptance testing (UAT) tests. You have integrated Cloud Build with Artifact Analysis, and enabled the Binary Authorization API in all Google Cloud projects hosting your environments. You want only container images that have passed certain automated UAT tests to be deployed to the production environment. You have already created an attestor. What should you do next?

Answer options

• A. After the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE cluster-specific rule in Binary Authorization for the UAT Google Cloud project.
• B. After the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.
• C. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a default rule in Binary Authorization for the UAT Google Cloud project.
• D. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.

Correct answer: D

Explanation

The correct answer is D because it ensures that the attestation is signed securely using a key stored in Cloud Key Management Service (KMS), which is recommended for managing keys. Furthermore, adding a GKE cluster-specific rule in Binary Authorization for the production project policy ensures that only images that have passed UAT are allowed in the production environment. Options A and B incorrectly reference the UAT project instead of the production project, and option C uses a default rule which is less secure than a cluster-specific rule.