Google Cloud Professional Cloud Security Engineer — Question 125
Your organization is transitioning to Google Cloud. You want to ensure that only trusted container images are deployed on Google Kubernetes Engine (GKE) clusters in a project. The containers must be deployed from a centrally managed Container Registry and signed by a trusted authority.
What should you do? (Choose two.)
Answer options
- A. Enable Container Threat Detection in the Security Command Center (SCC) for the project.
- B. Configure the trusted image organization policy constraint for the project.
- C. Create a custom organization policy constraint to enforce Binary Authorization for Google Kubernetes Engine (GKE).
- D. Enable PodSecurity standards, and set them to Restricted.
- E. Configure the Binary Authorization policy with respective attestations for the project.
Correct answer: C, E
Explanation
The correct answers, C and E, both implement Binary Authorization, which ensures that only images signed by a trusted attestor can be deployed to GKE. Option A, while useful for detecting threats, does not prevent untrusted images from being deployed. Option B does not enforce Binary Authorization, and Option D concerns pod security settings but does not guarantee that only trusted images are used.