
Explanation:
The question requires a cloud-native, cost-efficient solution with minimal operational overhead to prevent vulnerable containers from being deployed to GKE. Option A integrates vulnerability scanning directly into the CI/CD pipeline using Cloud Build and Container Analysis, which is cloud-native, automated, and reduces manual effort. Option E uses Binary Authorization with attestations to enforce that only scanned, vulnerability-free images are deployed, providing a security gate without additional infrastructure. Both options leverage managed Google Cloud services, aligning with cloud-native principles, cost-efficiency (no VM costs), and low operational overhead.

Option B uses Cloud Functions triggered by logs, which is reactive rather than preventive and may incur delays. Option C relies on a cron job on Compute Engine, introducing VM management overhead and not being fully cloud-native. Option D uses Jenkins on GKE, which adds complexity and operational burden compared to native services like Cloud Build.
You are deploying containerized applications to production Google Kubernetes Engine (GKE) clusters via a CI/CD pipeline and must prevent containers with known vulnerabilities from being deployed. Your solution must meet these requirements:
How should you accomplish this? (Choose two.)

A
Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
B
Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
C
Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
D
Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
E
In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.