
Your organization is migrating its primary web application from on-premises to Google Kubernetes Engine (GKE). You need to advise the development team on the security best practices for granting their applications access to Google Cloud services from within GKE. What should you tell them to do?
A. Configure the GKE nodes to use the default Compute Engine service account.
B. Enable Workload Identity for GKE. Assign a Kubernetes service account to the application and configure that Kubernetes service account to act as an Identity and Access Management (IAM) service account. Grant the required roles to the IAM service account.
C. Create a user-managed service account with only the roles required for the specific workload. Assign this service account to the GKE nodes.
D. Create an application-specific IAM service account and generate a user-managed service account key for it. Inject the key into the workload by storing it as a Kubernetes secret within the same namespace as the application.