
Answer-first summary for fast verification
Answer: In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes.
The correct answer is A. To ensure that Kubernetes can download container images from Container Registry, you need to grant the necessary permissions to the service account used by the Kubernetes nodes. Granting the Storage Object Viewer IAM role to the service account in the project where the images are stored allows the nodes to read objects from Cloud Storage buckets, including the container images stored in Container Registry. This setup aligns with best practices, as it uses specific permissions tailored to the task at hand.
Author: LeetQuiz Editorial Team
You are tasked with utilizing Container Registry to centrally store your company's container images within a dedicated Google Cloud project. Concurrently, you need to establish a Google Kubernetes Engine (GKE) cluster in a different project. To ensure that the GKE cluster can successfully pull container images from the Container Registry, what steps should you take?
A. In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes.
B. When you create the GKE cluster, choose the Allow full access to all Cloud APIs option under 'Access scopes'.
C. Create a service account, and give it access to Cloud Storage. Create a P12 key for this service account and use it as an imagePullSecrets in Kubernetes.
D. Configure the ACLs on each image in Cloud Storage to give read-only access to the default Compute Engine service account.