Google Cloud Professional Cloud DevOps Engineer — Question 45
Your application services run in Google Kubernetes Engine (GKE). You want to make sure that only images from your centrally-managed Google Container Registry (GCR) image registry in the altostrat-images project can be deployed to the cluster while minimizing development time. What should you do?
Answer options
- A. Create a custom builder for Cloud Build that will only push images to gcr.io/altostrat-images.
- B. Use a Binary Authorization policy that includes the whitelist name pattern gcr.io/altostrat-images/.
- C. Add logic to the deployment pipeline to check that all manifests contain only images from gcr.io/altostrat-images.
- D. Add a tag to each image in gcr.io/altostrat-images and check that this tag is present when the image is deployed.
Correct answer: B
Explanation
The correct answer is B because using a Binary Authorization policy allows for automated enforcement of image deployment rules, ensuring that only whitelisted images from gcr.io/altostrat-images can be deployed in an efficient manner. Options A and C require additional manual processes or custom development, which may increase development time, while option D relies on tagging, which is more error-prone and less efficient than a policy-based approach.
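A sketch of the policy that option B describes, added here as an illustration and not taken from the question or from Google's answer key. `PROJECT_ID` is a placeholder, and the trailing `*` on the pattern is an assumption, since the option gives only the path prefix.

```yaml
# policy.yaml: constructed example of a project-level Binary Authorization policy.
# PROJECT_ID is a placeholder for the project that owns the GKE cluster.
name: projects/PROJECT_ID/policy

# Keep Google-maintained GKE system images deployable.
globalPolicyEvaluationMode: ENABLE

# Exempt images: anything directly under the central registry path is admitted.
# The trailing "*" is an assumption; the answer option gives only the path prefix.
# A single "*" does not cross "/", so nested repositories need their own pattern.
admissionWhitelistPatterns:
- namePattern: gcr.io/altostrat-images/*

# Every image that matched no exempt pattern falls through to this rule.
# ALWAYS_DENY blocks it; the permissive alternative, ALWAYS_ALLOW, would
# admit images from any registry and make the allowlist meaningless.
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
```

The file is loaded with `gcloud container binauthz policy import policy.yaml`, and the cluster must have Binary Authorization enabled for the policy to be enforced at deploy time.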