
Answer-first summary for fast verification
Answer: Enforce Binary Authorization in your GKE clusters. Integrate container image vulnerability scanning into the CI/CD pipeline and require vulnerability scan results to be used for Binary Authorization policy decisions.
The question asks for an automated system built on managed services that guarantees only approved container images reach the GKE clusters. Option B is the best fit: Binary Authorization is a Google Cloud managed service that enforces deploy-time policy at the cluster level, and integrating vulnerability scanning into the CI/CD pipeline means every image is scanned before deployment and the scan results feed the policy decision. Together they provide a comprehensive, automated control. Option A relies on custom organization policies, which are less managed and do not address vulnerability scanning. Option C covers deployment automation and network controls but does not enforce image approval. Option D depends on third-party tools and custom scripts, which are not fully managed services and are less integrated with GKE.
Author: LeetQuiz Editorial Team
Your organization uses a microservices architecture on Google Kubernetes Engine (GKE). To comply with security reviews that recommend stricter controls for deployed container images, you need to implement an automated system using managed services to guarantee that only approved images are deployed to your GKE clusters. What should you do?
A. Develop custom organization policies that restrict GKE cluster deployments to container images hosted within a specific Artifact Registry project where your approved images reside.
B. Enforce Binary Authorization in your GKE clusters. Integrate container image vulnerability scanning into the CI/CD pipeline and require vulnerability scan results to be used for Binary Authorization policy decisions.
C. Automatically deploy new container images upon successful CI/CD builds by using Cloud Build triggers. Set up firewall rules to limit and control access to instances to mitigate malware injection.
D. Build a system using third-party vulnerability databases and custom scripts to identify potential Common Vulnerabilities and Exposures (CVEs) in your container images. Prevent image deployment if the CVE impact score is beyond a specified threshold.