Learn the best practices for creating a secure container build pipeline for applications hosted on Google Kubernetes Engine (GKE). Leverage Cloud Build with private worker pools, VPC Service Controls, and Binary Authorization to ensure only trusted images are deployed.
Question
You are developing a container build pipeline for an application hosted on GKE. You have the following requirements:
- Only images that are created using your build pipeline should be deployed on your GKE cluster.
- All code and build artifacts should remain within your environment and protected from data exfiltration.
How should you build the pipeline?
A. 1. Create a build pipeline by using Cloud Build with the default worker pool.
2. Deploy container images to a private container registry in your VPC.
3. Create a VPC firewall policy in your project that denies all egress and ingress traffic to public networks.
B. 1. Create a build pipeline by using Cloud Build with a private worker pool.
2. Use VPC Service Controls to place all components and services in your CI/CD pipeline inside a security perimeter.
3. Configure your GKE cluster to only allow container images signed by Binary Authorization.
C. 1. Create a build pipeline by using Cloud Build with a private worker pool.
2. Configure the CI/CD pipeline to build container images and store them in Artifact Registry.
3. Configure Artifact Registry to encrypt container images by using customer-managed encryption keys (CMEK).
D. 1. Create a build pipeline by using Cloud Build with the default worker pool.
2. Configure the CI/CD pipeline to build container images and store them in Artifact Registry.
3. Configure your GKE cluster to only allow container images signed by Binary Authorization.
Answer
B. 1. Create a build pipeline by using Cloud Build with a private worker pool.
2. Use VPC Service Controls to place all components and services in your CI/CD pipeline inside a security perimeter.
3. Configure your GKE cluster to only allow container images signed by Binary Authorization.
Explanation
The correct solution is B. To meet both requirements, deploying only images created by your build pipeline and protecting code and artifacts from data exfiltration, you should:
- Create a build pipeline using Cloud Build with a private worker pool. Private worker pools isolate the build environment from the shared, internet-facing default pool and give builds access to resources inside your VPC network. This prevents unauthorized access to your code and artifacts during the build.
- Use VPC Service Controls to place all components and services in your CI/CD pipeline inside a security perimeter. VPC Service Controls add a layer of security by defining a perimeter around Google Cloud resources and services (Cloud Build, Artifact Registry, GKE), so data cannot be moved to services outside the perimeter.
- Configure your GKE cluster to only allow container images signed by Binary Authorization. Binary Authorization ensures only trusted, signed images that have passed your verification process can be deployed on your GKE cluster, which blocks unauthorized or untrusted images.
By combining these three measures – private worker pools, VPC Service Controls, and Binary Authorization – you create a secure end-to-end container build and deployment pipeline. Your application code and artifacts remain protected within your environment, and only trusted images created by your pipeline can be deployed on your GKE cluster. The other options each leave a gap: A and D rely on the default worker pool, which runs outside your perimeter, and a firewall policy alone (A) does not stop exfiltration through Google APIs; C encrypts images at rest with CMEK but does nothing to restrict which images the cluster will run.
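As an added illustration of steps 1 and 3 of the answer (not part of the original question or of any Google documentation), the two configuration fragments below show where each control is switched on. The first is a `cloudbuild.yaml` options block that pins the build to a private worker pool; the second is a Binary Authorization policy that makes the cluster reject any image lacking an attestation from your pipeline's attestor. `PROJECT_ID`, `REGION`, `POOL_NAME`, `ZONE`, `CLUSTER_NAME` and `ATTESTOR_NAME` are placeholders you would replace with your own values.

```yaml
# --- cloudbuild.yaml (fragment, placeholders assumed) ---
# Run all build steps on a private worker pool instead of the shared default pool.
options:
  pool:
    name: 'projects/PROJECT_ID/locations/REGION/workerPools/POOL_NAME'

---
# --- Binary Authorization policy (placeholders assumed) ---
# Import with: gcloud container binauthz policy import policy.yaml
# Default rule: every image must carry an attestation from the pipeline's
# attestor; unattested images are blocked and the denial is logged.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/ATTESTOR_NAME
# Per-cluster rule for the GKE cluster that hosts the application;
# it repeats the requirement so the cluster is covered even if the
# default rule is later relaxed.
clusterAdmissionRules:
  ZONE.CLUSTER_NAME:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/ATTESTOR_NAME
# Keep Google's system-image policy so GKE's own components still deploy.
globalPolicyEvaluationMode: ENABLE
```

The attestation itself is created by a step in the same pipeline (signing the image digest with the attestor's key) after the build and any scans pass, so only images that went through the pipeline can satisfy the policy. Start with `enforcementMode: DRYRUN_AUDIT_LOG_ONLY` to see which workloads would be denied before switching to blocking mode.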
Practice question and answer for the Google Professional Cloud Developer certification exam.