
Answer-first summary for fast verification
Answer: In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes.
Option C is correct because Container Registry stores container images in Cloud Storage buckets in the hosting project, so pull access is really read access to those buckets. Granting the Storage Object Viewer IAM role (roles/storage.objectViewer) to the service account used by the Kubernetes nodes, in the project where the images are stored, gives the nodes read access to the images in the central project's Container Registry without exposing anything else in that project. Options A, B, and D are incorrect: A grants broad API access from the new project's nodes but does not grant any permission in the central project where the images live; B relies on a P12 key, a long-lived credential that must be stored and rotated and is a security risk, and it still does not specifically grant Container Registry access; D is not scalable because it requires configuring ACLs on each image individually rather than using one IAM binding. For more details, refer to [Google Cloud's documentation on Container Registry access control](https://cloud.google.com/container-registry/docs/access-control).
Author: LeetQuiz Editorial Team
In a finance company, the security team requires all container images to be stored in a single GCP project. You've created a new project and need to use one of these images in a GKE cluster. How can you ensure GKE can download images from the central project’s Container Registry?
A. While creating the GKE cluster, select the 'Allow full access to all Cloud APIs' option under 'Access scopes'.
B. Create a service account with access to Cloud Storage. Create a P12 key for the service account and use it as an imagePullSecrets in Kubernetes.
C. In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes.
D. Configure the ACLs on each image in Cloud Storage to give read-only access to the default Compute Engine service account.