Exam Professional Cloud Architect topic 4 question 2 discussion

A & D Binary Authorization to ensure only verified containers are deployed To ensure deployment are secure and and consistent, automatically scan images for vulnerabilities with container analysis (https://cloud.google.com/docs/ci-cd/overview?hl=en&skip_cache=true)

IMHO its A&C

From Gemini: By combining options A and B, you establish a system where containers are signed (verified) as part of your development process, and Google Cloud's Binary Authorization enforces that only these signed containers can be deployed to your GKE clusters, thus meeting both requirements of secure deployment and ensuring only verified containers are used.

Answer is A&B. remember the questions ask abut securely deployment container images and verified containers. scanning for vulnerabilities does not accomplish this. I know this goes against common sense, but good code or bad code - how would you securely deploy the container? Answer is A&B.

A&D I'm sure

AC Question is about: - Securing the deployment process - Make sure only verified containers can run on the cluster A: Covers the secondo point thanks to binary authorization. It also covers the signing requirement, as it is performed at CICD level. B: This is already covered by A. C: Makes sure that only required Service Accounts can pull the code from registry, so it covers the first part of the questione D. Secure scanning is about "security vulnerability in code". So it does not cover deployment phase, nor authorization phase. So, it's A & C

who deploy is not an issue, the question is 'only verified containers' ....kritis can do that.

A : use binary authorization then D check vulnerabilities before being able to deploy

Just got out of the exam. You only need to specify one answer, hence I chose A.

ad for me

https://cloud.google.com/docs/ci-cd/overview?hl=en&skip_cache=true https://cloud.google.com/binary-authorization/docs/overview

For surę AC

Answer should be A & C, as the ask is to ensure only verified containers to be deployed. With just Binary Authorisation and signing images, you can't fulfil the requirement, you would need to also restrict it at the IAM level, so that no bad actor can create an image in the registry and bypass Binary Authorization to deploy an image.

I think A&B Kritis is an admission controller webhook for Kubernetes that enforces deploy-time security policies. By configuring Jenkins to use Kritis, you can cryptographically sign containers as part of the CI/CD pipeline, ensuring only signed containers are deployed. https://cloud.google.com/binary-authorization/docs/creating-attestations-kritis

Option C is incorrect because while limiting access to trusted service accounts enhances security, it doesn't ensure that only verified containers are deployed.

Checked with standard process for this. I found the below. Image Building and Scanning: Developers build container images locally or using Cloud Build. Images are scanned for vulnerabilities using integrated tools or third-party services. Clean images are pushed to GCR. Image Verification: Binary Authorization enforces policies for image acceptance. Attestations from Cloud Security Scanner or third-party tools can be used.

A&D. C is incorrect because you configuring Container Registry doesn't only allow trusted service accounts to create/deploy containers. With IAM permissions, anyone can create non-trusted service accounts to deploy containers, or users can still deploy containers not in Container Registry.