Ensure only containers that pass regression tests are deployed to your GKE clusters using Binary Authorization. Learn how to create attestors, policies, and attestations in your Cloud Build pipeline.
Question
You work for a financial services company that has a container-first approach. Your team develops microservices applications. You have a Cloud Build pipeline that creates a container image, runs regression tests, and publishes the image to Artifact Registry. You need to ensure that only containers that have passed the regression tests are deployed to GKE clusters. You have already enabled Binary Authorization on the GKE clusters. What should you do next?
A. Deploy Voucher Server and Voucher Client components. After a container image has passed the regression tests, run Voucher Client as a step in the Cloud Build pipeline.
B. Create an attestor and a policy. Run a vulnerability scan to create an attestation for the container image as a step in the Cloud Build pipeline.
C. Create an attestor and a policy. Create an attestation for the container images that have passed the regression tests as a step in the Cloud Build pipeline.
D. Set the Pod Security Standard level to Restricted for the relevant namespaces. Digitally sign the container images that have passed the regression tests as a step in the Cloud Build pipeline.
Answer
C. Create an attestor and a policy. Create an attestation for the container images that have passed the regression tests as a step in the Cloud Build pipeline.
Explanation
To ensure that only containers that have passed regression tests are deployed to your GKE clusters when using Binary Authorization, you should:
- Create an attestor in Binary Authorization. An attestor is an authority responsible for attesting to the validity of your containers.
- Define a policy that specifies which attestors must have attested to a container image before it can be deployed to your GKE clusters.
- In your Cloud Build pipeline, after the step that runs the regression tests, add a step that creates an attestation for the container images that have passed the tests. The attestation is signed with the key associated with the attestor you created.
- The attestation serves as a stamp of approval from the attestor, indicating that the container has passed the necessary regression tests according to your policy.
- With the attestor, policy, and attestation in place, Binary Authorization will only allow containers with valid attestations to be deployed to your GKE clusters.
By following this approach, you can ensure that only containers that have passed regression testing are deployed, enhancing the reliability and security of your deployments. Binary Authorization with attestations provides a strong guarantee that your policies are being enforced.
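The pipeline described above can be sketched as a Cloud Build configuration. This is an added example, not part of the original question or any official answer key; the image path, attestor name, KMS key names and test script are constructed placeholders, and it assumes the attestor and policy have already been created.

```yaml
# cloudbuild.yaml: added example, not from the original page.
# Constructed placeholders: image path, attestor name, KMS key names, run-regression-tests.sh.
# Assumes the attestor exists with this KMS key's public key registered, and that the cluster
# policy sets evaluationMode: REQUIRE_ATTESTATION with this attestor under requireAttestationsBy.
substitutions:
  _IMAGE: us-central1-docker.pkg.dev/example-project/apps/payments
  _ATTESTOR: regression-tests-passed
  _KMS_LOCATION: us-central1
  _KMS_KEYRING: binauthz
  _KMS_KEY: regression-attestor-key
  _KMS_KEY_VERSION: "1"
steps:
- id: build
  name: gcr.io/cloud-builders/docker
  args: ["build", "-t", "${_IMAGE}:${BUILD_ID}", "."]
# A non-zero exit here fails the build, so the push and attest steps never run
# for an image that did not pass its regression tests.
- id: regression-tests
  name: gcr.io/cloud-builders/docker
  args: ["run", "--rm", "${_IMAGE}:${BUILD_ID}", "./run-regression-tests.sh"]
- id: push
  name: gcr.io/cloud-builders/docker
  args: ["push", "${_IMAGE}:${BUILD_ID}"]
- id: attest
  name: gcr.io/google.com/cloudsdktool/cloud-sdk
  entrypoint: bash
  args:
  - -ceu
  - |
    # Attest the immutable digest, not the tag: a tag can be re-pointed at an
    # untested image, while an attestation is bound to one image digest.
    # "$$" escapes "$" so Cloud Build passes it through to bash untouched.
    digest_url="$$(gcloud artifacts docker images describe "${_IMAGE}:${BUILD_ID}" \
      --format='value(image_summary.fully_qualified_digest)')"
    gcloud container binauthz attestations sign-and-create \
      --artifact-url="$${digest_url}" \
      --attestor="${_ATTESTOR}" \
      --attestor-project="${PROJECT_ID}" \
      --keyversion-project="${PROJECT_ID}" \
      --keyversion-location="${_KMS_LOCATION}" \
      --keyversion-keyring="${_KMS_KEYRING}" \
      --keyversion-key="${_KMS_KEY}" \
      --keyversion="${_KMS_KEY_VERSION}"
```

The build's service account needs permission to view the attestor, sign with the KMS key, and attach occurrences to the attestor's note; deployments should then reference the image by digest so the attestation can be matched.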
Google Professional Cloud Developer certification exam practice questions and answers (Q&A), including multiple choice questions (MCQ) and objective type questions, with detailed explanations and references, available free to help you pass the Google Professional Cloud Developer exam and earn the Google Professional Cloud Developer certification.