
Google Professional Cloud Developer: How to Ensure Only Secure Images are Deployed to Cloud Run Production?

Learn the best practice for ensuring only secure container images are deployed to production in Google Cloud Run. Find out how Binary Authorization can help enforce image signing policies.


Question

You are migrating a containerized application to Cloud Run. You plan to use Cloud Build to build your container image and push it to Artifact Registry, and you plan to use Cloud Deploy to deploy the image to production. You need to ensure that only secure images are deployed to production. What should you do?

A. Use Cloud Armor in front of Cloud Run to protect the container image from threats.
B. Use Artifact Analysis to scan the image for vulnerabilities. Use Cloud Key Management Service to encrypt the image to be deployed to production.
C. Use Secret Manager to store the encrypted image. Deploy this image to production.
D. Use Binary Authorization to enforce a policy that only allows images that have been signed with a trusted key to be deployed to production.

Answer

D. Use Binary Authorization to enforce a policy that only allows images that have been signed with a trusted key to be deployed to production.

Explanation

To ensure that only secure container images are deployed to your Cloud Run production environment, the best approach is to use Binary Authorization.

Binary Authorization is a Google Cloud service that allows you to enforce policies on container images, ensuring only trusted images are deployed. You can require images to be signed with a trusted key before they are allowed to be deployed to production.

Here’s how it works:

  1. Define an attestation policy that specifies the requirements for an image to be considered trusted, such as being signed with an approved key.
  2. When you build the container image using Cloud Build, sign the image with the trusted key.
  3. Configure the Binary Authorization policy to enforce the attestation requirements on the production environment.
  4. When deploying with Cloud Deploy, Binary Authorization will check that the image meets the defined policy. Only images signed with the trusted key will be allowed to deploy to production.
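The four steps above wired together with gcloud, as an added example that is not part of the original page. PROJECT_ID, ATTESTOR, NOTE_ID (an Artifact Analysis note that must already exist), KMS_KEY, SERVICE and REGION are assumed placeholders; substitute real values before running with `--apply`.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. All project, attestor, note,
# key and service names below are placeholders.
set -euo pipefail

PROJECT_ID="${PROJECT_ID:-my-project}"
ATTESTOR="${ATTESTOR:-build-attestor}"
NOTE_ID="${NOTE_ID:-build-attestor-note}"   # Artifact Analysis note backing the attestor
KMS_KEY="${KMS_KEY:-projects/my-project/locations/global/keyRings/binauthz/cryptoKeys/attestor-key/cryptoKeyVersions/1}"

# Step 1: the policy. The default rule requires an attestation from our
# attestor; anything without one is blocked and written to the audit log.
render_policy() {
  cat <<EOF
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/$1/attestors/$2
EOF
}

# Step 2: sign the image a Cloud Build step just pushed. Refuse tags: an
# attestation is bound to a digest, and a tag can be repointed after signing.
sign_image() {
  case "$1" in
    *@sha256:*) ;;
    *) echo "refusing to sign '$1': pass the image digest, not a tag" >&2; return 1 ;;
  esac
  gcloud beta container binauthz attestations sign-and-create \
    --project="$PROJECT_ID" --artifact-url="$1" \
    --attestor="$ATTESTOR" --attestor-project="$PROJECT_ID" \
    --keyversion="$KMS_KEY"
}

# Steps 1, 3 and 4: create the attestor with its KMS-backed public key,
# import the policy, and enable enforcement on the Cloud Run service.
main() {
  gcloud container binauthz attestors create "$ATTESTOR" --project="$PROJECT_ID" \
    --attestation-authority-note="$NOTE_ID" --attestation-authority-note-project="$PROJECT_ID"
  gcloud container binauthz attestors public-keys add --project="$PROJECT_ID" \
    --attestor="$ATTESTOR" --keyversion="$KMS_KEY"
  render_policy "$PROJECT_ID" "$ATTESTOR" > policy.yaml
  gcloud container binauthz policy import policy.yaml --project="$PROJECT_ID"
  gcloud run services update "${SERVICE:-app}" --project="$PROJECT_ID" \
    --region="${REGION:-us-central1}" --binary-authorization=default
}

# Only talk to gcloud when explicitly asked; sourcing the file is side-effect free.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Because Cloud Deploy re-renders the service manifest on every release, keep the enforcement setting in that manifest as well (the `run.googleapis.com/binary-authorization: default` annotation on the Service), so a release cannot silently drop it.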

This creates a secure supply chain in which only vetted and approved images reach production: any image that was not signed with the trusted key is rejected at deploy time, so deployments of untrusted or vulnerable images are blocked.

The other options like Cloud Armor, encrypting images, or storing them in Secret Manager do not directly ensure that only trusted images are deployed. They address other aspects of security but don’t enforce build-to-production security policies like Binary Authorization does.

So in summary, using Binary Authorization to require images to be signed by a trusted key is the best practice for ensuring only secure images are deployed to Cloud Run production. It allows you to define and enforce policy from build to deployment.
