Exam Professional Cloud Developer topic 1 question 252 discussion

I will go for D. D: The next step, after enable Binary Auth, is creating an attestor and a policy and then configure the attestation step in the cloud build pipeline. Not A because when you use kritis to sign an image you must provide the private key file from the attestor. And for that you must save the private key when you create the attestor for it later use. Its more complicated. Not C because pod security standard level to restricted don't enforce the use of signed images.

simpler thatn using Kritis

https://cloud.google.com/binary-authorization/docs/cloud-build Attestation Creation: The key difference is that you don't necessarily need to use Kritis Signer within Cloud Build to create the attestation. The Cloud Build documentation shows how you can use the gcloud beta container binauthz attestations create command directly within your Cloud Build steps to generate the attestation.

A is correct.

I go with A since it is detailed and more specific about Kritis digital signature.

A. For folks wonder what differences between Kritis Signer and Voucher Server Voucher Client, I asked Google Bard about it. Bard stated Kritis Signer is a command-line tools, whereas Voucher Server Voucher Client is a web-based tool. I then tried to verify that with Google search and Google image search (search "voucher server voucher client" then click Images). It seems Bard report correctly. Someone even wrote a Kritis Signer integrated pipeline with terraform (https://xebia.com/blog/how-to-automate-the-kritis-signer-on-google-cloud-platform/) . Also, yes, both Kritis Signer and Voucher Server Voucher Client have Google official documentations. However, if you look carefully on Voucher Server Voucher Client Google official doc, they use curl to the Voucher Server address, which indirectly prove Vouch Server Vouch Client is a web-based tool.

question is not about checking vulnerabilities. its not A. The Kritis Signer is a command-line utility to check whether an image violates the policy on security vulnerabilities. its not a voucher too.

took my exam yesterday (01-03-2023) and this question was there

info on voucher server: https://cloud.google.com/binary-authorization/docs/creating-attestations-voucher

Kritis Signer is an open source command-line tool that can create Binary Authorization attestations based on a policy that you configure. You can also use Kritis Signer to create attestations after checking an image for vulnerabilities identified by Container Analysis. https://cloud.google.com/binary-authorization/docs/creating-attestations-kritis

Binary Authorization in GKE provides a way to enforce that only verified container images are deployed in a cluster. In this scenario, to ensure that only containers that have passed the regression tests are deployed, you would create an attestor and a policy in Binary Authorization, and use Kritis Signer to create an attestation for the container image after it has passed the tests. The attestation verifies that the image meets the policy's criteria and is authorized to be deployed. This provides a secure and automated way to enforce that only containers that have passed the required tests are deployed in the cluster.

https://cloud.google.com/binary-authorization/docs/creating-attestations-kritis