
Answer-first summary for fast verification
Answer: Enable Workload Identity in the cluster via the gcloud command-line tool; use gcloud to bind the Kubernetes service account and the Google service account using roles/iam.workloadIdentity.
The recommended best practice for authenticating services in GKE to access Google Cloud APIs is to use Workload Identity. Enabling Workload Identity (option B) allows Kubernetes service accounts to impersonate Google Cloud service accounts, avoiding the use of static credentials. Binding the Kubernetes service account (KSA) to a Google service account (GSA) using IAM roles (option E) is the necessary step to establish this identity federation. Options C and D involve using service account keys, which are long-lived credentials and not recommended. Option A uses the node's service account, which is overly permissive and not workload-specific.
Author: LeetQuiz Editorial Team
How should you configure authentication for microservices running on Google Kubernetes Engine (GKE) that require access to Google Cloud APIs, adhering to Google's recommended best practices? (Select two correct approaches.)
A. Use the service account attached to the GKE node.
B. Enable Workload Identity in the cluster via the gcloud command-line tool.
C. Access the Google service account keys from a secret management service.
D. Store the Google service account keys in a central secret management service.
E. Use gcloud to bind the Kubernetes service account and the Google service account using roles/iam.workloadIdentity.