
Answer-first summary for fast verification
Answer (option C):
1. Create individual service accounts for each deployment pipeline.
2. Add an identifier for the pipeline to the service account naming convention.
3. Ensure each pipeline runs on dedicated pods.
4. Use Workload Identity to map each deployment pipeline pod to its service account.
The question asks for a CI/CD pipeline design, operated by multiple teams on GKE, that can access Google Cloud APIs securely. Option C is the best fit because it applies least privilege at the finest granularity: an individual service account per pipeline, a pipeline identifier in the account name so that permissions are easy to audit, dedicated pods per pipeline to contain the impact of a container escape, and Workload Identity to map each pipeline pod to its service account without distributing private keys.

Option A separates only infrastructure deployments from application deployments, not one team's pipeline from another's, so it isolates less than C. Option B relies on node-level service accounts, which are shared by every pod scheduled on the node, so it is less secure than pod-level identity mapping. Option D authenticates with private keys stored as secrets, which is less secure than Workload Identity and adds key management overhead. The community discussion favours C for its granular permissions and security reasoning, even though A received a similar share of votes; C gives the finer-grained isolation that multiple teams need.
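What option C looks like in practice, as an added example that is not part of the LeetQuiz page: a POSIX shell script that applies the per-pipeline naming convention, prints the gcloud and kubectl commands that bind one Kubernetes service account to one Google service account through Workload Identity, and emits a pod spec pinned to a dedicated node pool. The project id "example-proj", the team and pipeline names, and the "pipeline-pool" node label are constructed assumptions.

```shell
#!/bin/sh
# Added example (not LeetQuiz content): per-pipeline Workload Identity wiring.
# Assumed values: project "example-proj", team/pipeline names, the
# "pipeline-pool" node label. Commands are printed, not executed (runs offline).
PROJECT_ID="${PROJECT_ID:-example-proj}"

# Naming convention: one Google service account (GSA) per pipeline, with the
# team and pipeline identifiers embedded in the account name.
gsa_name() { # usage: gsa_name <team> <pipeline>
  printf 'ci-%s-%s@%s.iam.gserviceaccount.com\n' "$1" "$2" "$PROJECT_ID"
}

# The only principal allowed to impersonate that GSA: one Kubernetes service
# account (KSA) in one namespace, written in the Workload Identity member form.
wi_member() { # usage: wi_member <namespace> <ksa>
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]\n' "$PROJECT_ID" "$1" "$2"
}

# Print the gcloud/kubectl commands that create the GSA and bind it to the KSA.
bind_pipeline() { # usage: bind_pipeline <team> <pipeline>
  ns="team-$1"; ksa="pipeline-$2"; gsa=$(gsa_name "$1" "$2")
  printf 'gcloud iam service-accounts create ci-%s-%s --project %s\n' "$1" "$2" "$PROJECT_ID"
  printf 'gcloud iam service-accounts add-iam-policy-binding %s --role roles/iam.workloadIdentityUser --member %s\n' \
    "$gsa" "$(wi_member "$ns" "$ksa")"
  printf 'kubectl -n %s annotate serviceaccount %s iam.gke.io/gcp-service-account=%s --overwrite\n' \
    "$ns" "$ksa" "$gsa"
}

# Pod spec for the pipeline runner: it uses the mapped KSA, and a nodeSelector
# pins it to a dedicated node pool so pipelines never share a node.
pod_manifest() { # usage: pod_manifest <team> <pipeline>
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: runner-$2
  namespace: team-$1
spec:
  serviceAccountName: pipeline-$2
  nodeSelector:
    pipeline-pool: team-$1
  containers:
  - name: runner
    image: REPLACE_WITH_RUNNER_IMAGE
EOF
}

bind_pipeline alpha infra
pod_manifest alpha infra
```

Because the GSA binding names exactly one namespace/KSA pair, a pod in another team's namespace cannot obtain that pipeline's Google credentials even if it runs on the same cluster.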
Author: LeetQuiz Editorial Team
Your organization is implementing a new CI/CD process for deploying infrastructure and applications on Google Cloud. Multiple teams will operate their own instances of this CI/CD workflow, which will run on Google Kubernetes Engine (GKE). How should you design the CI/CD pipelines to ensure they can securely access Google Cloud APIs?