Topic 1 Question 71
You are using Container Registry to centrally store your company's container images in a separate project. In another project, you want to create a Google Kubernetes Engine (GKE) cluster. You want to ensure that Kubernetes can download images from Container Registry. What should you do?
A. In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes.
B. When you create the GKE cluster, choose the Allow full access to all Cloud APIs option under 'Access scopes'.
C. Create a service account, and give it access to Cloud Storage. Create a P12 key for this service account and use it as an imagePullSecrets in Kubernetes.
D. Configure the ACLs on each image in Cloud Storage to give read-only access to the default Compute Engine service account.
Comments (17)
Correct Answer (A): IAM permissions determine who can access resources. All users, service accounts, and other identities that interact with Container Registry must have the appropriate Cloud Storage permissions.
By default, Google Cloud uses default service accounts to interact with resources within the same project. For example, the Cloud Build service account can both push and pull images when Container Registry is in the same project.
You must configure or modify permissions yourself if:
- You are using a service account in one project to access Container Registry in a different project
- You are using a default service account with read-only access to storage, but you want to both pull and push images
- You are using a custom service account to interact with Container Registry
https://cloud.google.com/container-registry/docs/access-control
👍 57 ESP_SAP 2020/08/16
A is correct... Container Registry uses Cloud Storage buckets as the underlying storage for container images. You control access to your images by granting appropriate Cloud Storage permissions to a user, group, service account, or other identity.
If the service account needs to access Container Registry in another project, you must grant the required permissions in the project with Container Registry.
Reference: https://cloud.google.com/container-registry/docs/access-control#permissions
👍 17 XRiddlerX 2020/08/12
Selected answer: A
Answer A. In the project where the images are stored, grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes.
To ensure that Kubernetes can download container images from Container Registry, you need to grant the necessary permissions to the service account used by the Kubernetes nodes. In this case, you would need to grant the Storage Object Viewer IAM role to the service account used by the Kubernetes nodes in the project where the images are stored. This role allows the service account to read objects from Cloud Storage buckets, including the container images in Container Registry.
👍 3 Buruguduystunstugudunstuy 2023/02/20
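The accepted answer in the thread comes down to two steps: grant the node service account read access in the project that holds the images, then confirm the binding actually landed in that project. The Python below is an added example for this page, not code from the page or from Google's documentation. It resolves the GKE node service account (gcloud reports `default` when the cluster uses the Compute Engine default account), builds the grant either as the project-level Storage Object Viewer binding from option A or as a narrower binding on the registry bucket itself, and checks an IAM policy dict for a read-granting role. The set of roles treated as read-granting, the project and account names, and the sample policy are constructed for the example; the live helpers need gcloud and gsutil on PATH, everything else runs offline.

```python
"""Cross-project Container Registry pulls for GKE nodes: grant, then verify.
Added example; the gcloud/gsutil calls live only in the helpers marked live."""
import json
import subprocess
from typing import Dict, List

OBJECT_VIEWER = "roles/storage.objectViewer"
# Roles besides Storage Object Viewer that also carry storage.objects.get.
# Assumed list for this example; extend it if the project uses custom roles.
READ_GRANTING_ROLES = {
    OBJECT_VIEWER, "roles/storage.objectAdmin", "roles/storage.admin",
    "roles/viewer", "roles/editor", "roles/owner",
}


def registry_bucket(image_project: str, host: str = "gcr.io") -> str:
    """Cloud Storage bucket backing a Container Registry host in IMAGE_PROJECT.

    gcr.io stores layers in artifacts.PROJECT.appspot.com; the regional hosts
    us.gcr.io, eu.gcr.io and asia.gcr.io prefix the region to that name.
    """
    if host == "gcr.io":
        return f"artifacts.{image_project}.appspot.com"
    region, _, rest = host.partition(".")
    if rest != "gcr.io" or region not in ("us", "eu", "asia"):
        raise ValueError(f"not a Container Registry host: {host}")
    return f"{region}.artifacts.{image_project}.appspot.com"


def grant_commands(image_project: str, node_sa: str, host: str = "gcr.io",
                   bucket_only: bool = False) -> List[List[str]]:
    """argv lists granting NODE_SA read-only access to the images.

    Default is the project-level binding from option A; bucket_only narrows
    the grant to the registry bucket, the least-privilege form.
    """
    member = f"serviceAccount:{node_sa}"
    if bucket_only:
        return [["gsutil", "iam", "ch", f"{member}:objectViewer",
                 f"gs://{registry_bucket(image_project, host)}"]]
    return [["gcloud", "projects", "add-iam-policy-binding", image_project,
             f"--member={member}", f"--role={OBJECT_VIEWER}"]]


def has_read_access(policy: Dict, node_sa: str) -> bool:
    """True if NODE_SA holds a read-granting role with no IAM condition.

    POLICY is the dict printed by `gcloud projects get-iam-policy --format=json`.
    Conditional bindings are skipped: they may not apply to the bucket at pull time.
    """
    member = f"serviceAccount:{node_sa}"
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        if binding.get("role") in READ_GRANTING_ROLES and member in binding.get("members", []):
            return True
    return False


def _run(argv: List[str]) -> str:
    return subprocess.check_output(argv, text=True).strip()


def node_service_account(cluster: str, cluster_project: str, location: str) -> str:
    """Live: resolve the node SA; 'default' means the Compute Engine default SA."""
    sa = _run(["gcloud", "container", "clusters", "describe", cluster,
               "--project", cluster_project, "--location", location,
               "--format=value(nodeConfig.serviceAccount)"])
    if sa == "default":
        number = _run(["gcloud", "projects", "describe", cluster_project,
                       "--format=value(projectNumber)"])
        sa = f"{number}-compute@developer.gserviceaccount.com"
    return sa


def verify_live(image_project: str, node_sa: str) -> bool:
    """Live: fetch the image project's IAM policy and check the node SA."""
    policy = json.loads(_run(["gcloud", "projects", "get-iam-policy",
                              image_project, "--format=json"]))
    return has_read_access(policy, node_sa)


# Constructed sample policy: the node SA is bound only through an expired
# conditional binding, so the offline check must report no access.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": OBJECT_VIEWER,
         "members": ["serviceAccount:123456-compute@developer.gserviceaccount.com"],
         "condition": {"expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
}

if __name__ == "__main__":
    sa = "123456-compute@developer.gserviceaccount.com"
    print("read access before grant:", has_read_access(SAMPLE_POLICY, sa))
    for argv in grant_commands("images-prj", sa, bucket_only=True):
        print(" ".join(argv))
```

Two caveats the thread only touches on. The "Allow full access to all Cloud APIs" scope in option B is a ceiling on what the node's credential may do, not a grant, so it never adds cross-project permission by itself; the node scope does still have to include `devstorage.read_only` (GKE's default node scopes do) or pulls fail even with the IAM role in place. Second, `has_read_access` deliberately ignores conditional bindings, because an expired or resource-scoped condition leaves the node account without `storage.objects.get` on the registry bucket at pull time.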