Technical Processes — GCP PCA Practice Question 30

How to approach this question

Identify the GCP service that enforces deploy-time security policies for containers.

Full Answer

C.Implement Binary Authorization and configure an attestor for the QA team.✓ Correct

Binary Authorization integrates directly with GKE. It acts as an admission controller that verifies cryptographic signatures (attestations) on container images before they are allowed to run. If the QA team hasn't signed the image, Binary Authorization blocks the deployment.

Common mistakes

Relying on registry-level IAM (B), which doesn't protect the cluster from pulling external, unverified images.

A highly regulated financial institution uses GKE to run its applications. The security team mandates that only container images that have been scanned for vulnerabilities and explicitly signed by the QA team can be deployed to the production cluster. How should you enforce this policy?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Professional Cloud Architect Practice Exam 6

More questions from this exam