Google Professional Cloud Developer: How to Ensure Only Tested Container Images are Deployed to Cloud Run?

Learn how to use Binary Authorization with Cloud Run to deploy only container images that have passed testing, minimizing operational overhead. Follow best practices for secure and reliable deployments on Google Cloud.

Question

You use Cloud Build to build and test container images prior to deploying them to Cloud Run. Your images are stored in Artifact Registry. You need to ensure that only container images that have passed testing are deployed. You want to minimize operational overhead. What should you do?

A. Deploy a new revision to a Cloud Run service. Assign a tag that allows access to the revision at a specific URL without serving traffic. Test that revision again. Migrate the traffic to the Cloud Run service after you confirm that the new revision is performing as expected.
B. Enable Binary Authorization on your Cloud Run service. Create an attestation if the container image has passed all tests. Configure Binary Authorization to allow only images with appropriate attestation to be deployed to the Cloud Run service.
C. Create a GKE cluster. Verify that all tests have passed, and then deploy the image to the GKE cluster.
D. Configure build provenance on your Cloud Build pipeline. Verify that all the tests have passed, and then deploy the image to a Cloud Run service.

Answer

B. Enable Binary Authorization on your Cloud Run service. Create an attestation if the container image has passed all tests. Configure Binary Authorization to allow only images with appropriate attestation to be deployed to the Cloud Run service.

Explanation

Binary Authorization provides a policy enforcement chokepoint to ensure only verified images are integrated into the build-and-release process. It enables you to require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying.

To ensure only tested container images from Artifact Registry are deployed to Cloud Run with minimal overhead:

  1. Enable Binary Authorization on your Cloud Run service. This allows you to enforce deployment policies.
  2. Set up an attestation process in your CI/CD pipeline. When a container image passes all required tests, create an attestation signature for that image.
  3. Configure the Binary Authorization policy to allow only container images with a valid attestation signature from your CI/CD pipeline to be deployed to the Cloud Run service.
  4. When deploying a new revision to Cloud Run, Binary Authorization will check if the container image has the required attestation before allowing deployment.

This way, Binary Authorization acts as a secure deployment gateway, ensuring only properly tested and attested images make it to production on Cloud Run. It integrates security into the build-and-release process with minimal operational overhead compared to manually verifying tests or using a separate test environment.
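The four steps above as pipeline helper functions. This is an added example, not part of the original answer. It assumes an attestor backed by a Cloud KMS signing key already exists, and every project, attestor, key and service name in it is a placeholder.

```shell
#!/bin/sh
# Added example: gate Cloud Run deploys on a Binary Authorization attestation.
# Every resource name below is a placeholder (assumption), not from the page.
set -eu
PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"
ATTESTOR="${ATTESTOR:-tests-passed}"      # attestor the pipeline signs for
KEY_LOCATION="${KEY_LOCATION:-global}"    # Cloud KMS location of the signing key
KEYRING="${KEYRING:-binauthz}"
KEY="${KEY:-tests-passed-key}"
KEY_VERSION="${KEY_VERSION:-1}"

# Step 3: policy that blocks any image lacking an attestation from $ATTESTOR.
write_policy() {  # usage: write_policy FILE
  cat > "$1" <<EOF
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/${PROJECT}/attestors/${ATTESTOR}
EOF
}
apply_policy() { gcloud container binauthz policy import "$1" --project="$PROJECT"; }

# Attestations bind to a digest; a tag could later point at an untested image.
require_digest() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *) echo "refusing mutable image reference: $1" >&2; return 1 ;;
  esac
}

# Step 2: call only after the test step of the build has succeeded.
attest_image() {  # usage: attest_image IMAGE@sha256:...
  require_digest "$1" || return 1
  gcloud container binauthz attestations sign-and-create \
    --project="$PROJECT" --artifact-url="$1" \
    --attestor="$ATTESTOR" --attestor-project="$PROJECT" \
    --keyversion-project="$PROJECT" --keyversion-location="$KEY_LOCATION" \
    --keyversion-keyring="$KEYRING" --keyversion-key="$KEY" \
    --keyversion="$KEY_VERSION"
}

# Steps 1 and 4: enforce the policy on the service and deploy by digest.
deploy_image() {  # usage: deploy_image SERVICE IMAGE@sha256:...
  require_digest "$2" || return 1
  gcloud run deploy "$1" --project="$PROJECT" --region="$REGION" \
    --image="$2" --binary-authorization=default
}
```

Run `write_policy` and `apply_policy` once per project; in the pipeline, call `attest_image` after the tests and `deploy_image` last, both with the same digest.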
