Exam Professional-Cloud-DevOps-Engineer Topic 1 Question 114 Discussion
Actual exam question for Google's Professional-Cloud-DevOps-Engineer exam
Question #: 114
Topic #: 1
Question #: 114
Topic #: 1
You are configuring your CI/CD pipeline natively on Google Cloud. You want builds in a pre-production Google Kubernetes Engine (GKE) environment to be automatically load-tested before being promoted to the production GKE environment. You need to ensure that only builds that have passed this test are deployed to production. You want to follow Google-recommended practices. How should you configure this pipeline with Binary Authorization?
Suggested Answer: B Vote an answer
The correct answer is B. Create an attestation for the builds that pass the load test by using a private key stored in Cloud Key Management Service (Cloud KMS) authenticated through Workload Identity.
According to the Google Cloud documentation, Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run1.
Binary Authorization uses attestations to certify that a specific image has completed a previous stage in the CI
/CD pipeline, such as passing a load test2.Attestations are signed by private keys that are associated with attestors, which are entities that verify the attestations3.To follow Google-recommended practices, you should store your private keys in Cloud Key ManagementService (Cloud KMS), which is a secure and scalable service for managing cryptographic keys4.You should also use Workload Identity, which is a feature that allows Kubernetes service accounts to act as Google service accounts, to authenticate to Cloud KMS and sign attestations without having to manage or expose service account keys5.
The other options are incorrect because they do not follow Google-recommended practices. Option A and option D require human intervention to sign the attestations, which is not scalable or automated. Option C exposes the service account JSON key as a Kubernetes Secret, which is less secure than using Workload Identity.
Reference:
Creating an attestor, Creating an attestor.Cloud Key Management Service Documentation, Overview.
Attestations overview, Attestations overview.Using Workload Identity with Binary Authorization, Using Workload Identity with Binary Authorization.Binary Authorization, Binary Authorization.
According to the Google Cloud documentation, Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run1.
Binary Authorization uses attestations to certify that a specific image has completed a previous stage in the CI
/CD pipeline, such as passing a load test2.Attestations are signed by private keys that are associated with attestors, which are entities that verify the attestations3.To follow Google-recommended practices, you should store your private keys in Cloud Key ManagementService (Cloud KMS), which is a secure and scalable service for managing cryptographic keys4.You should also use Workload Identity, which is a feature that allows Kubernetes service accounts to act as Google service accounts, to authenticate to Cloud KMS and sign attestations without having to manage or expose service account keys5.
The other options are incorrect because they do not follow Google-recommended practices. Option A and option D require human intervention to sign the attestations, which is not scalable or automated. Option C exposes the service account JSON key as a Kubernetes Secret, which is less secure than using Workload Identity.
Reference:
Creating an attestor, Creating an attestor.Cloud Key Management Service Documentation, Overview.
Attestations overview, Attestations overview.Using Workload Identity with Binary Authorization, Using Workload Identity with Binary Authorization.Binary Authorization, Binary Authorization.
by Primo at Jul 27, 2025, 10:46 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).