
Answer-first summary for fast verification
Answer: Create a GKE node pool with a sandbox type configured to gvisor. Add the parameter runtimeClassName: gvisor to the specification of your customers' Pods.
The correct answer is C. To maximize the isolation between your customers' Pods, create a GKE node pool with the sandbox type configured to gvisor and add runtimeClassName: gvisor to the specification of your customers' Pods. gVisor is a sandboxing technology that provides an additional layer of isolation between running containers by interposing its own user-space kernel between the container and the host kernel, which makes it suitable for scenarios where containers run untrusted or arbitrary code. This mitigates the risk of kernel exploits better than the other options: Binary Authorization (A) controls which images may run, Container Analysis (B) reports known vulnerabilities in images, and cos_containerd (D) is a hardened node image, but under all three the customers' containers still share the node's kernel.
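The following manifest is an added example (not from this page or from Google's documentation) showing the two pieces the answer describes: a GKE Sandbox node pool and a customer Pod pinned to it with runtimeClassName: gvisor. The cluster name, pool name, namespace and image are placeholders, and the node label written by GKE is stated as an assumption.

```yaml
# Added example: a customer Pod that must run under the gVisor sandbox.
# CLUSTER_NAME, sandbox-pool, customer-a and the image are placeholders.
#
# 1. Create the sandboxed node pool once (run outside this manifest):
#    gcloud container node-pools create sandbox-pool \
#      --cluster=CLUSTER_NAME --sandbox type=gvisor
#    GKE then provides the RuntimeClass "gvisor" and labels/taints the pool's
#    nodes with sandbox.gke.io/runtime=gvisor (assumed, per GKE Sandbox docs),
#    so Pods without runtimeClassName: gvisor do not land on those nodes.
#
# 2. Pod spec: runtimeClassName is the only change from an unsandboxed Pod;
#    the RuntimeClass carries the scheduling to the sandbox pool.
apiVersion: v1
kind: Pod
metadata:
  name: customer-a-runner
  namespace: customer-a            # one namespace per customer (assumption)
spec:
  runtimeClassName: gvisor         # run under gVisor on the sandbox pool
  containers:
    - name: runner
      image: REGISTRY/customer-a/runner:latest   # placeholder image
      resources:
        limits:                    # bound CPU/memory so one tenant cannot
          cpu: "1"                 # starve the others on the same node
          memory: 512Mi
      securityContext:             # defence in depth inside the sandbox
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        capabilities:
          drop: ["ALL"]
#
# 3. Check: confirm the RuntimeClass exists and that the container really
#    runs under gVisor. gVisor emulates its own kernel log, so dmesg inside
#    the Pod prints gVisor's startup messages instead of the host's.
#    kubectl get runtimeclass gvisor
#    kubectl -n customer-a exec customer-a-runner -- dmesg
```

If dmesg inside the Pod shows the host kernel's log instead of gVisor's messages, the Pod was scheduled without the sandbox and the runtimeClassName or node pool should be re-checked.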
Author: LeetQuiz Editorial Team
As part of developing a new product using Google Kubernetes Engine (GKE), you have set up a single GKE cluster. Within this cluster, you run individual Pods for each of your customers, allowing them to execute arbitrary code inside their respective Pods. Your goal is to ensure maximum isolation between the different customer Pods to maintain a high level of security and prevent interference between them. What measures should you implement to achieve this level of isolation?
A. Use Binary Authorization and whitelist only the container images used by your customers' Pods.
B. Use the Container Analysis API to detect vulnerabilities in the containers used by your customers' Pods.
C. Create a GKE node pool with a sandbox type configured to gvisor. Add the parameter runtimeClassName: gvisor to the specification of your customers' Pods.
D. Use the cos_containerd image for your GKE nodes. Add a nodeSelector with the value cloud.google.com/gke-os-distribution: cos_containerd to the specification of your customers' Pods.