Topic 1 Question 104
You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a Spanner database. You want to follow security best practices while minimizing code changes. How should you configure your application to retrieve Spanner credentials?
Configure the appropriate service accounts, and use Workload Identity to run the pods.
Store the application credentials as Kubernetes Secrets, and expose them as environment variables.
Configure the appropriate routing rules, and use a VPC-native cluster to directly connect to the database.
Store the application credentials using Cloud Key Management Service, and retrieve them whenever a database connection is made.
ユーザの投票
コメント(14)
- 正解だと思う選択肢: A
A Cloud IAM service account is an identity that an application can use to make requests to Google APIs. As an application developer, you could generate individual IAM service accounts for each application, and then download and store the keys as a Kubernetes secret that you manually rotate. Not only is this process burdensome, but service account keys only expire every 10 years (or until you manually rotate them). In the case of a breach or compromise, an unaccounted-for key could mean prolonged access for an attacker. This potential blind spot, plus the management overhead of key inventory and rotation, makes using service account keys as secrets a less than ideal method for authenticating GKE workloads.
👍 5kinoko13302022/08/14 - 👍 4scaenruy2022/01/09
I assume that nobody read through the official docs and GCP Best practices for K8s and Cloud SQL. https://cloud.google.com/sql/docs/mysql/connect-kubernetes-engine#secrets
"A database credentials Secret includes the name of the database user you are connecting as, and the user's database password."
The best answer here is B, having K8s Secrets is the go-to method to configure and store sensitive information within a cluster such as Spanner credentials
👍 4htakami2022/03/26
シャッフルモード