Home › GCP Associate Cloud Engineer › cloudcomputing › gcpsecurity › An organisation wants to enforce that only signe…
An organisation wants to enforce that only signed and approved container images can be deployed to GKE. Which Google Cloud product does this?
ABinary Authorization (with attestation policies on the container's image digest)
BCloud NAT (network egress filtering)
CCloud DNS query policies
DCloud Build (signing source repos)
Answer & Solution
Correct answer: A. Binary Authorization (with attestation policies on the container's image digest)
Binary Authorization sits in the GKE / Cloud Run deploy path and blocks deployment unless the image has the required attestations. Cloud Build builds artifacts, Cloud NAT routes traffic, DNS query policies aren't a deployment gate.
Related questions
Which IAM principle does Google Cloud recommend when granting a service account access to Which Google Cloud feature provides a centralised reverse proxy that verifies the user's iWorkload Identity Federation lets external (non-Google) identities (e.g. AWS IAM, GitHub AAn auditor needs to determine which user deleted a Cloud Storage bucket in a project last Which approach gives a GKE workload SHORT-LIVED credentials to access Google APIs WITHOUT Which Google Cloud product stores secrets (API tokens, passwords, certificates) with versiWhich Google Cloud service centrally manages cryptographic keys (creation, rotation, destrService account impersonation lets a principal: