Google Cloud Professional Cloud Security Engineer — Question 196
Your organization uses a microservices architecture based on Google Kubernetes Engine (GKE). Recent security reviews recommend tighter controls around deployed container images to reduce potential vulnerabilities and maintain compliance. You need to implement an automated system by using managed services to ensure that only approved container images are deployed to the GKE clusters. What should you do?
Answer options
- A. Develop custom organization policies that restrict GKE cluster deployments to container images hosted within a specific Artifact Registry project where your approved images reside.
- B. Enforce Binary Authorization in your GKE clusters. Integrate container image vulnerability scanning into the CI/CD pipeline and require vulnerability scan results to be used for Binary Authorization policy decisions.
- C. Automatically deploy new container images upon successful CI/CD builds by using Cloud Build triggers. Set up firewall rules to limit and control access to instances to mitigate malware injection.
- D. Build a system using third-party vulnerability databases and custom scripts to identify potential Common Vulnerabilities and Exposures (CVEs) in your container images. Prevent image deployment if the CVE impact score is beyond a specified threshold.
Correct answer: B
Explanation
The correct answer is B. Binary Authorization provides a mechanism to enforce deployment policies based on the results of container image vulnerability scans, ensuring only safe images are deployed. Option A lacks the automated scanning aspect, C focuses on deployment automation without security checks, and D relies on manual thresholds rather than an integrated security framework.