
Answer-first summary for fast verification
Answer: 1. Establish a GKE node pool with a sandbox type set to gvisor. 2. Include the parameter runtimeClassName: gvisor in your customers' Pod specifications.
Option A is incorrect because Binary Authorization does not isolate customer pods post-deployment; it only authorizes which container images may be deployed. Option B is incorrect because the Container Analysis API detects vulnerabilities but does not provide isolation. Option C is correct because GKE Sandbox, based on gVisor, isolates each pod in its own secure environment, which is ideal for executing untrusted code. Option D is incorrect because using cos_containerd with a nodeSelector does not isolate one pod from another. For more details, visit [GKE Sandbox documentation](https://cloud.google.com/kubernetes-engine/sandbox/).
Author: LeetQuiz Editorial Team
You are developing a training platform for Docker and Kubernetes on Google Kubernetes Engine (GKE). The application operates on a GKE cluster. Each time a user starts a tutorial, a pod is generated for them to execute arbitrary code. For security, it's essential to isolate all customer pods. What is the best method to achieve this isolation?
A
Utilize Binary Authorization to only authorize the container images used by your customers' Pods.
B
Identify vulnerabilities in the containers used by your customers' Pods with the Container Analysis API.
C
D
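As an added illustration (not part of the original quiz page), here is what the two steps from the answer look like in practice: the node pool is created with `--sandbox type=gvisor`, and the per-user pod requests the `gvisor` RuntimeClass that GKE provisions on such pools. The cluster, node pool and image names are placeholders.

```yaml
# Step 1 (shell, run once per cluster; names are placeholders):
#   gcloud container node-pools create sandbox-pool \
#       --cluster=training-cluster --sandbox type=gvisor
#
# Step 2: each tutorial pod sets runtimeClassName so it is scheduled
# onto the sandboxed pool and runs under the gVisor kernel instead of
# sharing the node's host kernel with other customers' pods.
apiVersion: v1
kind: Pod
metadata:
  name: tutorial-user-1234          # constructed example name
  labels:
    app: tutorial-sandbox
spec:
  runtimeClassName: gvisor          # the isolation control the answer refers to
  restartPolicy: Never
  containers:
    - name: workspace
      image: example.com/tutorial-workspace:latest   # placeholder image
      command: ["/bin/sh", "-c", "sleep 3600"]
      resources:                    # bound what one user's code can consume
        limits:
          cpu: "500m"
          memory: "512Mi"
```

To confirm the pod really landed on a sandboxed node, check that `kubectl get pod tutorial-user-1234 -o jsonpath='{.spec.runtimeClassName}'` prints `gvisor` and that the pod's node belongs to the gVisor node pool.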