Google Cloud Professional Cloud DevOps Engineer — Question 155
As part of your company's initiative to shift left on security, the InfoSec team is asking all teams to implement guard rails on all the Google Kubernetes Engine (GKE) clusters to only allow the deployment of trusted and approved images. You need to determine how to satisfy the InfoSec team's goal of shifting left on security. What should you do?
Answer options
- A. Enable Container Analysis in Artifact Registry, and check for common vulnerabilities and exposures (CVEs) in your container images
- B. Use Binary Authorization to attest images during your CI/CD pipeline
- C. Configure Identity and Access Management (IAM) policies to create a least privilege model on your GKE clusters
- D. Deploy Falco or Twistlock on GKE to monitor for vulnerabilities on your running Pods
Correct answer: B
Explanation
The correct answer is B. Binary Authorization is a deploy-time admission control for GKE: it enforces a policy that only images attested (signed) by trusted authorities during the CI/CD pipeline can be deployed, which is exactly the guard rail the InfoSec team is asking for. Option A, while helpful, focuses on vulnerability scanning of images rather than restricting what can be deployed. Option C involves IAM policies, which are essential for access control but do not by themselves prevent unapproved images from being deployed. Option D relates to runtime monitoring of running Pods rather than enforcing a pre-deployment policy.