Google Cloud Professional Cloud Developer — Question 313

You work for a financial services company that has a container-first approach. Your team develops microservices applications. You have a Cloud Build pipeline that creates a container image, runs regression tests, and publishes the image to Artifact Registry. You need to ensure that only containers that have passed the regression tests are deployed to GKE clusters. You have already enabled Binary Authorization on the GKE clusters. What should you do next?

Answer options

• A. Deploy Voucher Server and Voucher Client components. After a container image has passed the regression tests, run Voucher Client as a step in the Cloud Build pipeline.
• B. Create an attestor and a policy. Run a vulnerability scan to create an attestation for the container image as a step in the Cloud Build pipeline.
• C. Create an attestor and a policy. Create an attestation for the container images that have passed the regression tests as a step in the Cloud Build pipeline.
• D. Set the Pod Security Standard level to Restricted for the relevant namespaces. Digitally sign the container images that have passed the regression tests as a step in the Cloud Build pipeline.

Correct answer: C

Explanation

The correct answer is C because creating an attestor and a policy allows you to formally attest that the container images have passed the regression tests, which is necessary for Binary Authorization to function correctly. Options A and B focus on Voucher, which is not relevant here, while D involves Pod Security Standards, which do not directly address the attestation needed for Binary Authorization.