Topic 1 Question 148
(Choose two.) You are developing a microservice-based application that will run on Google Kubernetes Engine (GKE). Some of the services need to access different Google Cloud APIs. How should you set up authentication of these services in the cluster following Google-recommended best practices?
A. Use the service account attached to the GKE node.
B. Enable Workload Identity in the cluster via the gcloud command-line tool.
C. Access the Google service account keys from a secret management service.
D. Store the Google service account keys in a central secret management service.
E. Use gcloud to bind the Kubernetes service account and the Google service account using roles/iam.workloadIdentity.
Comments (4)
- Selected answer: BE
BE is the answer.
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
👍 2 zellck 2022/12/17 · 👍 2 TNT87 2022/12/25
- Selected answer: BE
A is incorrect. While it could work, all the services are using the same service account, there is no separation of permissions, and no detailed logging.
B and E together connect GKE and Google service accounts, so GKE can authenticate a service with a Google service account.
C is incorrect. While this is feasible, it's not the recommended practice for workload identity because of the mandatory key rotation of the service accounts.
D is incorrect. While this is feasible, it's not the recommended practice for workload identity because of the mandatory key rotation of the service accounts.
E and B together connect GKE and Google service accounts, so GKE can authenticate a service with a Google service account.
👍 1 telp 2023/01/13
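The two chosen options (B: enable Workload Identity, E: bind the Kubernetes service account to a Google service account) are a short procedure, and the comments above only describe it in words. Below is an added example, not code from the question page or from Google's documentation, of that procedure as the gcloud and kubectl steps a cluster administrator runs. All project, cluster, node pool, namespace, account and API role names are placeholders passed in by the caller. One detail the option text abbreviates: the IAM role that makes the binding work is roles/iam.workloadIdentityUser. A `DRY_RUN=1` switch prints the commands instead of executing them, so the sequence can be reviewed without touching a project.

```shell
#!/bin/sh
# Added example (not from the question page): enable Workload Identity on a
# GKE cluster and bind one Kubernetes service account (KSA) to one Google
# service account (GSA). Every name is a placeholder supplied by the caller.

# run: execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# wi_member: the IAM principal that identifies one KSA inside the cluster's
# workload identity pool.    usage: wi_member PROJECT_ID NAMESPACE KSA_NAME
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# gsa_email: the e-mail form of a Google service account.
#                            usage: gsa_email PROJECT_ID GSA_NAME
gsa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$2" "$1"
}

# setup_workload_identity PROJECT_ID CLUSTER LOCATION NODEPOOL NAMESPACE KSA GSA API_ROLE
#   1. enable the workload identity pool on the cluster (option B)
#   2. switch an existing node pool to the GKE metadata server, so pods can
#      no longer read the node service account's token (the reason option A
#      is not recommended)
#   3. create a GSA and grant it only the API role this one service needs,
#      giving each service its own permissions and its own audit identity
#   4. let the KSA impersonate the GSA (option E)
#   5. annotate the KSA so GKE knows which GSA to issue tokens for
setup_workload_identity() {
  project="$1"; cluster="$2"; location="$3"; nodepool="$4"
  ns="$5"; ksa="$6"; gsa="$7"; api_role="$8"
  gsa_mail=$(gsa_email "$project" "$gsa")
  member=$(wi_member "$project" "$ns" "$ksa")

  run gcloud container clusters update "$cluster" --location="$location" \
      --workload-pool="${project}.svc.id.goog" --project="$project"
  run gcloud container node-pools update "$nodepool" --cluster="$cluster" \
      --location="$location" --workload-metadata=GKE_METADATA --project="$project"
  run gcloud iam service-accounts create "$gsa" --project="$project"
  run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:${gsa_mail}" --role="$api_role"
  run gcloud iam service-accounts add-iam-policy-binding "$gsa_mail" \
      --project="$project" --role=roles/iam.workloadIdentityUser --member="$member"
  run kubectl create serviceaccount "$ksa" --namespace "$ns"
  run kubectl annotate serviceaccount "$ksa" --namespace "$ns" \
      "iam.gke.io/gcp-service-account=${gsa_mail}"
}

# Example invocation with placeholder names; drop DRY_RUN=1 to apply it.
# DRY_RUN=1 setup_workload_identity my-project my-cluster us-central1 default-pool \
#     payments payments-ksa payments-gsa roles/storage.objectViewer
```

Each service gets its own KSA/GSA pair and its own API role, which is what separates permissions and makes Cloud Audit Logs attribute calls to the service rather than to the shared node account; no key file is created, so there is nothing to store in a secret manager or rotate, which is why options C and D fall short of the recommended practice.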