Google Cloud Professional Cloud DevOps Engineer — Question 156
Your company operates in a highly regulated domain. Your security team requires that only trusted container images can be deployed to Google Kubernetes Engine (GKE). You need to implement a solution that meets the requirements of the security team while minimizing management overhead. What should you do?
Answer options
- A. Configure Binary Authorization in your GKE clusters to enforce deploy-time security policies.
- B. Grant the roles/artifactregistry.writer role to the Cloud Build service account. Confirm that no employee has Artifact Registry write permission.
- C. Use Cloud Run to write and deploy a custom validator. Enable an Eventarc trigger to perform validations when new images are uploaded.
- D. Configure Kritis to run in your GKE clusters to enforce deploy-time security policies.
Correct answer: A
Explanation
The correct answer is A because Binary Authorization lets you set policies that ensure only trusted images are deployed, meeting the security team's requirements with minimal management overhead. Options B and C do not directly enforce image trust at deployment time. Option D, while valid, may involve more management overhead than the streamlined approach offered by Binary Authorization.