
Answer-first summary for fast verification
Answer: After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.
Only images that have passed the automated UAT tests should reach production, so the attestation must be created after the UAT phase and signed with a key held in Cloud Key Management Service (KMS). Keeping the signing key in KMS rather than in a Kubernetes secret keeps the private key material out of the cluster and keeps the key secure and manageable. The policy must then enforce that attestation where it matters: a GKE cluster-specific rule in the Binary Authorization policy of the production Google Cloud project, so that only images carrying the required attestation are admitted to the production cluster. A rule in the UAT project, whether default or cluster-specific, would not gate production deployments. This combination of KMS-backed signing and production-scoped enforcement in Binary Authorization makes option D the correct choice.
Author: LeetQuiz Editorial Team
You manage an application deployed on GKE clusters across multiple environments, using Cloud Build for user acceptance testing (UAT). Cloud Build is integrated with Artifact Analysis, and the Binary Authorization API is enabled in all relevant Google Cloud projects. To ensure only container images that pass specific UAT tests are deployed to production, and given that an attestor is already created, what are the next steps you should take?
A. After the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE cluster-specific rule in Binary Authorization for the UAT Google Cloud project.
B. After the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.
C. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a default rule in Binary Authorization for the UAT Google Cloud project.
D. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.