Trusted CI/CD Pipeline for Deploying Images to Google Kubernetes Engine (GKE) Clusters

Deploying Images to Production Using a Trusted CI/CD Pipeline

Question

You are managing the production deployment to a set of Google Kubernetes Engine (GKE) clusters.

You want to make sure only images which are successfully built by your trusted CI/CD pipeline are deployed to production.

What should you do?

Answers

A. Enable Cloud Security Scanner on the clusters.
B. Enable Vulnerability Analysis on the Container Registry.
C. Set up the Kubernetes Engine clusters as private clusters.
D. Set up the Kubernetes Engine clusters with Binary Authorization.

Explanations

B.

https://codelabs.developers.google.com/codelabs/cloud-builder-gke-continuous-deploy/index.html#1

The correct answer to this question is D. Set up the Kubernetes Engine clusters with Binary Authorization.

Binary Authorization is a Google Cloud Platform (GCP) deploy-time security control for container images. With Binary Authorization you define a policy that determines which container images are allowed to run on your GKE clusters, so that only images signed by parties you trust (attestors) are admitted to production.

You do not write an admission controller yourself. When Binary Authorization is enabled on a cluster, GKE enforces an admission check against the project's Binary Authorization policy before a pod is created. The policy names one or more attestors; an attestor is backed by a Container Analysis note and a public key (PKIX or PGP), while the matching private key stays with the trusted party, here the CI/CD pipeline. At deploy time the check looks up attestations for the image's digest, verifies their signatures, and rejects (or, in dry-run mode, only logs) any image that lacks a valid attestation from every required attestor. Binary Authorization integrates with Container Registry and Cloud Build, so the pipeline can create the attestation as its final step after a successful build.

Because a signature is bound to a specific image digest, only images that have actually passed through the trusted pipeline carry an attestation the policy accepts, and production manifests should reference images by digest (image@sha256:...) rather than by tag, since a tag cannot be matched to an attestation. This improves the security and reliability of the production environment and reduces the risk of deploying untested or untrusted code.

Option A, enabling Cloud Security Scanner (now Web Security Scanner) on the clusters, is not relevant to this scenario. It probes a running web application for issues such as cross-site scripting and mixed content; it says nothing about where a container image came from and blocks nothing at deploy time.

Option B, enabling Vulnerability Analysis on the Container Registry, is also not directly relevant. Container Analysis vulnerability scanning reports known CVEs in the packages of your images, but it does not enforce a policy on which images can be deployed. A scan result can be a condition the pipeline checks before it signs an image, but the scanner itself is not an admission control.

Option C, setting up the Kubernetes Engine clusters as private clusters, is also not directly relevant. Private clusters limit the network exposure of nodes and the control plane; they provide no control over which container images can be deployed.
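The following is an added example, not part of the original question or its explanation, showing what option D looks like in practice: a Binary Authorization policy that requires an attestation from a pipeline attestor on the production cluster, followed by the Cloud Build configuration that builds, pushes, resolves the digest and signs it. The file names (policy.yaml, cloudbuild.yaml), PROJECT_ID, the cluster name us-central1.prod-cluster, the attestor name built-by-cloud-build, the image name app and the KMS key ring and key names are assumptions chosen for the example.

```yaml
# policy.yaml (assumed file name): Binary Authorization project policy.
# PROJECT_ID, cluster, attestor and key names are placeholders for the example.
name: projects/PROJECT_ID/policy
globalPolicyEvaluationMode: ENABLE           # allow Google-maintained system images
admissionWhitelistPatterns:
- namePattern: gcr.io/google-containers/*    # cluster add-ons not built by the pipeline
defaultAdmissionRule:
  evaluationMode: ALWAYS_DENY                # anything not matched by a cluster rule is rejected
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
clusterAdmissionRules:
  us-central1.prod-cluster:                  # <location>.<cluster-name>
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG   # use DRYRUN_AUDIT_LOG_ONLY to stage the rollout
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/built-by-cloud-build
---
# cloudbuild.yaml (assumed file name): the trusted pipeline.
# Build, push, resolve the immutable digest, then sign that digest with the
# attestor's KMS key. $PROJECT_ID and $SHORT_SHA are Cloud Build substitutions;
# $$ escapes a literal dollar sign so bash variables survive substitution.
steps:
- name: gcr.io/cloud-builders/docker
  args: ['build', '-t', 'gcr.io/$PROJECT_ID/app:$SHORT_SHA', '.']
- name: gcr.io/cloud-builders/docker
  args: ['push', 'gcr.io/$PROJECT_ID/app:$SHORT_SHA']
- name: gcr.io/google.com/cloudsdktool/cloud-sdk
  entrypoint: bash
  args:
  - -c
  - |
    set -euo pipefail
    IMAGE=gcr.io/$PROJECT_ID/app
    # Attestations bind to the content digest, never to a mutable tag.
    DIGEST=$(gcloud container images describe "$$IMAGE:$SHORT_SHA" \
               --format='value(image_summary.digest)')
    gcloud beta container binauthz attestations sign-and-create \
      --artifact-url="$$IMAGE@$$DIGEST" \
      --attestor=built-by-cloud-build \
      --attestor-project="$PROJECT_ID" \
      --keyversion-project="$PROJECT_ID" \
      --keyversion-location=us-central1 \
      --keyversion-keyring=binauthz \
      --keyversion-key=cloud-build-signer \
      --keyversion=1
```

Load the policy with `gcloud container binauthz policy import policy.yaml` and turn enforcement on for the cluster with `gcloud container clusters update prod-cluster --region us-central1 --enable-binauthz` (newer gcloud releases express the same thing as `--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE`). The Cloud Build service account needs permission to attach occurrences to the attestor's Container Analysis note and to sign with the KMS key; no other identity should hold the signing permission, otherwise the attestation no longer proves the image came from the pipeline. Deploy to production by digest (gcr.io/PROJECT_ID/app@sha256:...) so the admission check matches the digest that was signed; staging the rule in DRYRUN_AUDIT_LOG_ONLY first shows in the audit log which running workloads would be blocked before enforcement is switched on.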