
Answer-first summary for fast verification
Answer: Create an attestor and a policy. Create an attestation for the container images that have passed the regression tests as a step in the Cloud Build pipeline.
Binary Authorization in GKE requires attestations to validate container images before deployment. The correct approach involves creating an attestor (to vouch for images) and a policy (to enforce the requirement). After regression tests pass in the Cloud Build pipeline, an attestation for the image must be created. This ensures only attested images (with passed tests) are deployed. Option C directly addresses this by creating the attestation post-testing. The other options focus on unrelated security measures (D) or vulnerability scans (B), or introduce unnecessary components like Voucher (A), which is not part of the standard Binary Authorization workflow.
Author: LeetQuiz Editorial Team
To enforce that only container images that have passed regression tests are deployed to your GKE clusters with Binary Authorization enabled, what steps should you take next?
(Assume you have a Cloud Build pipeline that builds container images, runs regression tests, and publishes them to Artifact Registry.)
A. Deploy Voucher Server and Voucher Client components. After a container image has passed the regression tests, run Voucher Client as a step in the Cloud Build pipeline.
B. Create an attestor and a policy. Run a vulnerability scan to create an attestation for the container image as a step in the Cloud Build pipeline.
C. Create an attestor and a policy. Create an attestation for the container images that have passed the regression tests as a step in the Cloud Build pipeline.
D. Set the Pod Security Standard level to Restricted for the relevant namespaces. Digitally sign the container images that have passed the regression tests as a step in the Cloud Build pipeline.