To enhance the security of your microservices architecture on Google Kubernetes Engine (GKE) and ensure that only approved container images are deployed, implementing Binary Authorization is a robust solution.
Option A: Enforcing Binary Authorization in your GKE clusters ensures that only container images that meet your organization's security policies are deployed. By integrating container image vulnerability scanning into your Continuous Integration/Continuous Deployment (CI/CD) pipeline, you can assess images for known vulnerabilities before they are deployed. Binary Authorization can be configured to use these vulnerability scan results in its policy decisions, so that insecure images are blocked at admission time. This approach leverages managed services provided by Google Cloud, ensuring scalability and compliance with security standards.
Option B: Developing custom organization policies to restrict deployments to images within a specific Artifact Registry project helps control the source of images but does not inherently assess the security posture of those images. Without integrated vulnerability scanning and enforcement mechanisms, this approach may not fully mitigate the risk of deploying vulnerable images.
Option C: Building a system using third-party vulnerability databases and custom scripts requires significant maintenance and may not integrate seamlessly with GKE. This approach can be error-prone and lacks the efficiency of managed services designed for this purpose.
Option D: Automatically deploying new images upon successful CI/CD builds ensures rapid deployment but does not address the need for security assessments of the images. While setting up firewall rules is good practice, it does not prevent the deployment of potentially vulnerable images.
Therefore, Option A is the most effective approach, as it utilizes Google Cloud's managed services to enforce security policies and integrate vulnerability assessments directly into the deployment process, ensuring that only approved and secure container images are deployed to your GKE clusters.
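A Binary Authorization project policy implementing the Option A approach, added here as an illustration (it is not taken from the page or from Google's documentation). PROJECT_ID, dev-cluster and vuln-scan-attestor are placeholders, and the attestor is assumed to be one that your CI/CD pipeline's signer step uses to sign only image digests that passed the vulnerability scan.

```yaml
# Binary Authorization project policy; import it with:
#   gcloud container binauthz policy import policy.yaml
# PROJECT_ID, dev-cluster and vuln-scan-attestor are placeholders.
name: projects/PROJECT_ID/policy

# Let Google's global policy admit GKE system images so the rules
# below do not block cluster components.
globalPolicyEvaluationMode: ENABLE

# Exempt patterns bypass every rule, so keep them as narrow as
# possible and never use a bare "*".
admissionWhitelistPatterns:
- namePattern: gcr.io/google-containers/*

# Default rule for every cluster in the project: admit only images
# that carry an attestation from the pipeline's vulnerability-scan
# attestor. ENFORCED_BLOCK_AND_AUDIT_LOG rejects non-compliant pods
# and writes an audit log entry for each rejection.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/vuln-scan-attestor

# Per-cluster override, keyed by LOCATION.CLUSTER_NAME. The dev
# cluster evaluates the same rule but only logs what production
# would block, which is the safe way to stage enforcement.
clusterAdmissionRules:
  us-central1-a.dev-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/vuln-scan-attestor
```

Attestations are bound to image digests, so workloads must reference images as `image@sha256:...` rather than by tag, or the REQUIRE_ATTESTATION rule rejects them even after a clean scan. Review the dry-run audit log entries before switching a cluster to ENFORCED_BLOCK_AND_AUDIT_LOG.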
References:
- Binary Authorization Documentation
- Container Analysis Documentation