Q: 4
Your organization uses a microservices architecture based on Google Kubernetes Engine (GKE).
Security reviews recommend tighter controls around deployed container images to reduce potential
vulnerabilities and maintain compliance. You need to implement an automated system by using
managed services to ensure that only approved container images are deployed to the GKE clusters.
What should you do?
Options
Discussion
A for sure. Binary Authorization is built to enforce that only signed and approved images get deployed, and you can wire it up with vulnerability scanning in the pipeline for compliance. B just limits deployments to a specific registry but skips the actual vulnerability checks; it doesn't meet the "maintain compliance" ask imo. Let me know if anyone interprets "approved" differently!
If “approved” just means coming from Artifact Registry and not needing vulnerability scans, wouldn’t B work too? Curious how strict the question wants us to be with compliance.
Not D, A is correct. Binary Authorization plus vulnerability scanning directly stops risky images, which meets the compliance requirement.
C or A but leaning A since Binary Authorization actually blocks unapproved images, and you can tie in vulnerability scanning from CI/CD. B just narrows down source, not actual security status of the images. If anyone thinks B is stronger, let me know.
Makes sense to me, A does both enforced approval and vulnerability checks. Managed service too. Not seeing B as enough here.
I’d say B. Restricting deployments to a specific Artifact Registry should block unapproved images, so that covers “approved” images I think.
A, not B. Restricting to a specific Artifact Registry in B does stop unapproved images but doesn't enforce vulnerability scanning or use managed enforcement. Binary Authorization (A) is the managed service that covers both: compliance checks and policy enforcement. Pretty sure that's what the exam expects here.
A imo, because Binary Authorization is the managed service Google expects for this scenario. It's what the official guide and practice tests mention for automated enforcement plus vulnerability scans. If anyone's seen it worded differently on recent exams let me know.
B. Limiting deployments to a specific Artifact Registry project should keep things approved, since only whitelisted images would get through. Doesn't mention vulnerabilities but I think that's enough for compliance here. Tell me if I'm missing something obvious.
Nah, A is the way to go. B trips folks up but doesn't have the automated compliance checks from Binary Authorization.
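Added example (not part of the original thread, and not text from Google's documentation): the shape of a Binary Authorization project policy that enforces what the answer-A posts describe, a default rule that admits only images carrying an attestation from a named attestor. The project ID `PROJECT_ID`, the attestor name `vuln-scan-passed`, and the registry path are placeholders chosen for illustration, not values from the question.

```yaml
# Binary Authorization project policy (added example, placeholder names).
# Default rule: an image is admitted only if it carries an attestation from
# the named attestor; anything else is blocked and written to the audit log.
globalPolicyEvaluationMode: ENABLE   # keep Google-managed system images (GKE add-ons) admissible
admissionWhitelistPatterns:
# Anything matching a pattern here is exempted from evaluation entirely,
# i.e. it is admitted WITHOUT an attestation. Restricting deployments to a
# registry path is therefore a source filter, not a signing/scanning check,
# so do not put your application repository here.
- namePattern: us-docker.pkg.dev/PROJECT_ID/unscannable-base-images/*   # placeholder
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION                 # image must be attested, not merely named
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG       # use DRYRUN_AUDIT_LOG_ONLY first to observe impact
  requireAttestationsBy:
  # The CI/CD pipeline creates this attestation for an image digest only after
  # the build and vulnerability-scan gate pass (attestor name is a placeholder).
  - projects/PROJECT_ID/attestors/vuln-scan-passed
```

The policy is applied with `gcloud container binauthz policy import policy.yaml` and only takes effect on clusters that have Binary Authorization enabled. Attestations are bound to an image digest, so a pipeline that signs by tag rather than digest gives no guarantee about what actually runs; deploy manifests should reference the attested digest.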