Google Cloud Professional Cloud Developer — Question 292
You are developing a container build pipeline for an application hosted on GKE. You have the following requirements:
• Only images that are created using your build pipeline should be deployed on your GKE cluster.
• All code and build artifacts should remain within your environment and protected from data exfiltration.
How should you build the pipeline?
Answer options
- A. 1. Create a build pipeline by using Cloud Build with the default worker pool. 2. Deploy container images to a private container registry in your VPC. 3. Create a VPC firewall policy in your project that denies all egress and ingress traffic to public networks.
- B. 1. Create a build pipeline by using Cloud Build with a private worker pool. 2. Use VPC Service Controls to place all components and services in your CI/CD pipeline inside a security perimeter. 3. Configure your GKE cluster to only allow container images signed by Binary Authorization.
- C. 1. Create a build pipeline by using Cloud Build with a private worker pool. 2. Configure the CI/CD pipeline to build container images and store them in Artifact Registry. 3. Configure Artifact Registry to encrypt container images by using customer-managed encryption keys (CMEK).
- D. 1. Create a build pipeline by using Cloud Build with the default worker pool. 2. Configure the CI/CD pipeline to build container images and store them in Artifact Registry. 3. Configure your GKE cluster to only allow container images signed by Binary Authorization.
Correct answer: B
Explanation
Option B is the correct choice because it uses a private worker pool (build workers run inside your own VPC rather than on shared infrastructure), places the pipeline's components and services inside a VPC Service Controls perimeter to limit data exfiltration, and configures Binary Authorization so that only images signed by your build pipeline can be deployed to the GKE cluster, which satisfies both requirements. The other options fall short: A and D rely on the default worker pool, which increases the risk of data exfiltration, and A additionally uses a firewall policy rather than a service perimeter; C keeps the build private and encrypts images with CMEK, but encryption at rest does not stop unsigned images from being deployed, so it does not enforce the first requirement.