Google Cloud Professional Cloud DevOps Engineer — Question 157
You are configuring your CI/CD pipeline natively on Google Cloud. You want builds in a pre-production Google Kubernetes Engine (GKE) environment to be automatically load-tested before being promoted to the production GKE environment. You need to ensure that only builds that have passed this test are deployed to production. You want to follow Google-recommended practices. How should you configure this pipeline with Binary Authorization?
Answer options
- A. Create an attestation for the builds that pass the load test by requiring the lead quality assurance engineer to sign the attestation by using their personal private key.
- B. Create an attestation for the builds that pass the load test by using a private key stored in Cloud Key Management Service (Cloud KMS) with a service account JSON key stored as a Kubernetes Secret.
- C. Create an attestation for the builds that pass the load test by using a private key stored in Cloud Key Management Service (Cloud KMS) authenticated through Workload Identity.
- D. Create an attestation for the builds that pass the load test by requiring the lead quality assurance engineer to sign the attestation by using a key stored in Cloud Key Management Service (Cloud KMS).
Correct answer: C
Explanation
The correct answer is C. The Google-recommended pattern is for the pipeline itself, not a person, to create the attestation as soon as the load test passes. The signing key lives in Cloud Key Management Service (the private key never leaves Cloud KMS and every signing operation is audit-logged), and the workload that signs authenticates through Workload Identity, so it obtains short-lived credentials for a Google service account without any downloadable key to store, rotate or leak. The production cluster's Binary Authorization policy then requires an attestation from that attestor before an image is admitted, which is exactly the "only builds that passed the test reach production" guarantee the question asks for.
Option A is incorrect: a personal private key is not centrally managed, auditable or revocable, it ties the pipeline to one individual, and manual signing breaks the automation the question requires. Option B signs with a Cloud KMS key, but authenticates with a long-lived service account JSON key stored as a Kubernetes Secret; anyone who can read that Secret (or an etcd backup) can mint attestations, and the key has to be rotated by hand, so it is less secure than Workload Identity. Option D also uses a Cloud KMS key, but it still depends on the lead quality assurance engineer signing manually, so promotion is gated by a person rather than by the test result and is not automatic.
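As an added example (not part of the original question, and not Google's own sample code), the following shows one way to wire up option C: a Binary Authorization policy for the production cluster that requires an attestation, and a Kubernetes Job in the pre-production cluster that runs the load test and, only on success, signs the attestation with a Cloud KMS key while authenticating through Workload Identity. Every name here (project, clusters, attestor, key ring, key, service accounts, image, and the `load-test` command, which stands in for whatever tool is baked into the runner image) is an assumption.

```yaml
# --- 1. binauthz-policy.yaml (assumed file name)
# Import with: gcloud container binauthz policy import binauthz-policy.yaml
# The production cluster admits only images that carry an attestation from
# the "load-test-passed" attestor; everything else is blocked and logged.
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
clusterAdmissionRules:
  us-central1.prod-cluster:            # assumed: <location>.<cluster name>
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
      - projects/my-project/attestors/load-test-passed
---
# --- 2. load-test-attest.yaml (assumed; applied to the PRE-PRODUCTION cluster)
# The Kubernetes service account is bound through Workload Identity to a
# Google service account that holds only:
#   roles/cloudkms.signerVerifier          on the attestor's KMS key
#   roles/containeranalysis.notes.attacher on the attestor's note
# No JSON key exists anywhere; the pod gets short-lived tokens from the
# GKE metadata server.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: load-test-attester
  namespace: ci
  annotations:
    iam.gke.io/gcp-service-account: load-test-attester@my-project.iam.gserviceaccount.com
---
apiVersion: batch/v1
kind: Job
metadata:
  name: load-test-and-attest
  namespace: ci
spec:
  backoffLimit: 0                      # a failed load test must not be retried into a signature
  template:
    spec:
      serviceAccountName: load-test-attester
      restartPolicy: Never
      containers:
        - name: runner
          # Assumed image: must contain gcloud plus the load-test tool.
          image: us-central1-docker.pkg.dev/my-project/ci/load-test-runner:1.0
          env:
            # Attest by digest, never by tag: the policy is evaluated against
            # the digest, and a tag can be moved to an untested image later.
            - name: IMAGE
              value: us-central1-docker.pkg.dev/my-project/app/api@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu
              # Load test against the pre-production service (assumed tool and URL).
              # 'set -e' aborts the Job before any signing if the test fails.
              load-test --target https://api.preprod.internal --threshold-p95-ms 300
              # Sign with the Cloud KMS key (the private key never leaves KMS) and
              # create the attestation the production policy requires. gcloud picks
              # up its credentials from Workload Identity automatically.
              gcloud container binauthz attestations sign-and-create \
                --artifact-url="${IMAGE}" \
                --attestor=load-test-passed \
                --attestor-project=my-project \
                --keyversion-project=my-project \
                --keyversion-location=us-central1 \
                --keyversion-keyring=binauthz \
                --keyversion-key=load-test-signer \
                --keyversion=1
```

The two properties to check after applying this are that the Google service account has no user-managed keys (`gcloud iam service-accounts keys list` should show only system-managed entries) and that deploying an unattested digest to `prod-cluster` is rejected by the admission controller with an audit log entry, which confirms the policy is enforced rather than merely configured.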