Topic 1 Question 97
You are building a product on top of Google Kubernetes Engine (GKE). You have a single GKE cluster. For each of your customers, a Pod is running in that cluster, and your customers can run arbitrary code inside their Pod. You want to maximize the isolation between your customers' Pods. What should you do?
A. Use Binary Authorization and whitelist only the container images used by your customers' Pods.
B. Use the Container Analysis API to detect vulnerabilities in the containers used by your customers' Pods.
C. Create a GKE node pool with a sandbox type configured to gvisor. Add the parameter runtimeClassName: gvisor to the specification of your customers' Pods.
D. Use the cos_containerd image for your GKE nodes. Add a nodeSelector with the value cloud.google.com/gke-os-distribution: cos_containerd to the specification of your customers' Pods.
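The option the commenters settle on, GKE Sandbox with runtimeClassName: gvisor, is a two-step procedure: create a node pool with the gVisor sandbox enabled, then pin each customer's Pod to that RuntimeClass. The script below is an added example, not code from the page or from Google; the cluster name, zone, node pool name and container image are hypothetical placeholders, and the nodeSelector and toleration on the sandbox.gke.io/runtime label are written out explicitly even though GKE's gvisor RuntimeClass normally supplies that scheduling itself. It also includes a small static check that rejects a manifest which does not request the sandbox, the kind of gate a multi-tenant platform would put in front of kubectl apply.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): provision a GKE Sandbox node pool
# and render a per-customer Pod manifest that runs under the gVisor RuntimeClass.
# Hypothetical values: cluster "tenant-cluster", zone "us-central1-a",
# node pool "sandbox-pool", image "gcr.io/example/tenant-runner" (placeholder).
set -eu

CLUSTER="${CLUSTER:-tenant-cluster}"
ZONE="${ZONE:-us-central1-a}"
POOL="${POOL:-sandbox-pool}"

# Step 1: node pool with GKE Sandbox enabled (gcloud flag: --sandbox type=gvisor).
# Only run this against a real project; it needs gcloud credentials.
create_sandbox_pool() {
  gcloud container node-pools create "$POOL" \
    --cluster="$CLUSTER" --zone="$ZONE" \
    --sandbox type=gvisor \
    --image-type=cos_containerd \
    --num-nodes=1
}

# Step 2: Pod manifest for one customer. runtimeClassName: gvisor is what puts the
# Pod in the sandbox; the selector/toleration pin it to sandbox-enabled nodes
# (assumption: GKE labels and taints those nodes with sandbox.gke.io/runtime=gvisor).
# The securityContext lines are extra hardening, not part of the sandbox itself.
render_tenant_pod() {
  tenant="$1"
  image="${2:-gcr.io/example/tenant-runner:latest}"
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: tenant-${tenant}
  labels:
    tenant: ${tenant}
spec:
  runtimeClassName: gvisor
  nodeSelector:
    sandbox.gke.io/runtime: gvisor
  tolerations:
  - key: sandbox.gke.io/runtime
    operator: Equal
    value: gvisor
    effect: NoSchedule
  automountServiceAccountToken: false
  containers:
  - name: workload
    image: ${image}
    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 10001
      capabilities:
        drop: ["ALL"]
EOF
}

# Gate: reads a manifest on stdin and succeeds only if it requests the gVisor
# sandbox. A tenant Pod that slips through without it would share the node kernel.
manifest_is_sandboxed() {
  grep -Eq '^[[:space:]]*runtimeClassName:[[:space:]]*gvisor[[:space:]]*$'
}

# Usage: ./sandbox-tenant.sh            -> print the manifest for tenant "demo"
#        ./sandbox-tenant.sh apply acme -> create the pool and apply tenant "acme"
if [ "${1:-}" = "apply" ]; then
  create_sandbox_pool
  render_tenant_pod "${2:?tenant id}" | manifest_is_sandboxed
  render_tenant_pod "$2" | kubectl apply -f -
else
  render_tenant_pod "demo"
fi
```

The gate is deliberately stricter than "does the Pod run on a sandbox node": a Pod without runtimeClassName: gvisor that lands on a sandboxed node through some other selector is still run by the host kernel, so the RuntimeClass field is the thing to check.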
Explanation
User votes
Comments (8)
Let me be honest, I did not have any clue to answer this question. However, I spotted the keyword, 'isolation', from the question and a keyword, 'sandbox' from the answers and guessed the answer which turned out to be correct. So, yes it is C!
👍 14 akshaychavan7 2022/05/22
Correct answer is C: You can enable GKE Sandbox on your cluster to isolate untrusted workloads in sandboxes on the node. GKE Sandbox is built using gVisor, an open source project: https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview?hl=en#protecting_nodes_from_untrusted_workloads
👍 5 Sac3433 2022/05/05
gVisor is the way to isolate. Those who are already preparing for CKS can answer this question without even thinking further. C is right
👍 3 AzureDP900 2022/06/23