Google Professional Cloud Developer: How to Ensure Only Tested Container Images Deploy to Production in GKE?

Learn the steps to ensure only container images that have passed user acceptance testing (UAT) are deployed to production environments in Google Kubernetes Engine (GKE) using Cloud Build, Artifact Analysis, and Binary Authorization.

Question

You manage an application deployed on GKE clusters across multiple environments. You are using Cloud Build to run user acceptance testing (UAT) tests. You have integrated Cloud Build with Artifact Analysis, and enabled the Binary Authorization API in all Google Cloud projects hosting your environments. You want only container images that have passed certain automated UAT tests to be deployed to the production environment. You have already created an attestor. What should you do next?

A. After the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE cluster-specific rule in Binary Authorization for the UAT Google Cloud project.
B. After the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.
C. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a default rule in Binary Authorization for the UAT Google Cloud project.
D. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.

Answer

D. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.

Explanation

1. Signing the attestation with a key stored in Cloud KMS:

  • After the container images have passed the UAT tests, you should sign the attestation using a key stored in Cloud Key Management Service (KMS).
  • Cloud KMS provides a secure and centralized way to manage cryptographic keys used for signing attestations.
  • Using a key stored in Cloud KMS ensures that the attestation is signed with a trusted and protected key.

2. Adding a GKE cluster-specific rule in Binary Authorization for the production project:

  • To enforce that only container images that have passed UAT tests are deployed to the production environment, you need to add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.
  • A GKE cluster-specific rule scopes the admission requirement to the named production cluster, so only images carrying a valid attestation can be deployed there, while other clusters in the project keep the default rule.
  • Because the rule lives in the production project's policy, the check is enforced at admission time by the production project itself rather than relying on the UAT project or the CI pipeline to behave correctly.

Options A and B suggest storing the key as a Kubernetes secret, which is not the recommended approach for securing cryptographic keys. Cloud KMS provides a more secure and managed solution for key storage and management.

Option C suggests adding a default rule in Binary Authorization for the UAT Google Cloud project, which is not relevant to the goal of ensuring only tested images are deployed to the production environment. The focus should be on adding the rule to the production project policy.

By following the steps in option D, you can ensure that only container images that have passed the required UAT tests and have been attested with a trusted key stored in Cloud KMS are allowed to be deployed to the production GKE clusters. This setup provides a secure and automated way to enforce deployment policies and maintain the integrity of your production environment.
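The two steps of option D, as an added shell example (not part of the original page and not Google's own sample): a pipeline step that, after UAT passes, signs an attestation for the image digest with a Cloud KMS key version, and a Binary Authorization policy for the production project whose default rule denies everything and whose cluster-specific rule admits only images attested by the existing attestor. The signing command uses the `gcloud beta container binauthz attestations sign-and-create` flags as documented by Google; every project, cluster, attestor, key ring and key name is an assumed placeholder, and `DRY_RUN=1` (the default) prints the `gcloud` commands instead of executing them so the script can be read and tested without cloud credentials.

```shell
#!/bin/sh
# Added example, not code from the page. All names below are assumed placeholders;
# override them via the environment (e.g. PROD_PROJECT=my-prod ./binauthz.sh --demo).
set -eu

PROD_PROJECT="${PROD_PROJECT:-prod-project-id}"                  # assumed production project
PROD_CLUSTER_KEY="${PROD_CLUSTER_KEY:-us-central1.prod-cluster}" # format: <location>.<cluster-name>
ATTESTOR="${ATTESTOR:-uat-passed}"                               # assumed name of the attestor already created
ATTESTOR_PROJECT="${ATTESTOR_PROJECT:-$PROD_PROJECT}"
KMS_PROJECT="${KMS_PROJECT:-$PROD_PROJECT}"                      # assumed project holding the signing key
KMS_LOCATION="${KMS_LOCATION:-global}"
KMS_KEYRING="${KMS_KEYRING:-binauthz-keyring}"                   # assumed key ring
KMS_KEY="${KMS_KEY:-uat-signing-key}"                            # assumed asymmetric signing key
KMS_KEY_VERSION="${KMS_KEY_VERSION:-1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print gcloud commands instead of running them

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s ' "$@"
    printf '\n'
  else
    "$@"
  fi
}

# sign_attestation IMAGE_URL_WITH_DIGEST: step 1 of option D. Run only after the UAT
# job succeeds. The private key never leaves Cloud KMS, so nothing is stored as a
# Kubernetes secret; the image is referenced by digest, never by a mutable tag.
sign_attestation() {
  run gcloud beta container binauthz attestations sign-and-create \
    --artifact-url="$1" \
    --attestor="$ATTESTOR" \
    --attestor-project="$ATTESTOR_PROJECT" \
    --keyversion-project="$KMS_PROJECT" \
    --keyversion-location="$KMS_LOCATION" \
    --keyversion-keyring="$KMS_KEYRING" \
    --keyversion-key="$KMS_KEY" \
    --keyversion="$KMS_KEY_VERSION"
}

# render_policy: step 2 of option D. Default rule denies every image in the
# production project; only the named production cluster gets a rule that admits
# images with a valid attestation from the UAT attestor. globalPolicyEvaluationMode
# keeps Google-maintained GKE system images deployable.
render_policy() {
  cat <<EOF
name: projects/${PROD_PROJECT}/policy
globalPolicyEvaluationMode: ENABLE
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
clusterAdmissionRules:
  ${PROD_CLUSTER_KEY}:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
    - projects/${ATTESTOR_PROJECT}/attestors/${ATTESTOR}
EOF
}

# apply_policy: import the rendered policy into the production project.
apply_policy() {
  render_policy > /tmp/binauthz-policy.yaml
  run gcloud container binauthz policy import /tmp/binauthz-policy.yaml --project="$PROD_PROJECT"
}

# Demo flow (dry run unless DRY_RUN=0): sign a constructed image digest, then enforce.
if [ "${1:-}" = "--demo" ]; then
  sign_attestation "us-central1-docker.pkg.dev/${PROD_PROJECT}/app/web@sha256:0000000000000000000000000000000000000000000000000000000000000000"
  apply_policy
fi
```

Run with `./binauthz.sh --demo` to see the exact commands the pipeline would execute; set `DRY_RUN=0` with working `gcloud` credentials to apply them. The order matters for a safe rollout: import the policy with `enforcementMode: DRYRUN_AUDIT_LOG_ONLY` first, confirm in the audit logs that only unattested images would be blocked, then switch to `ENFORCED_BLOCK_AND_AUDIT_LOG`.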
