Topic 1 Question 50
Your organization recently adopted a container-based workflow for application development. Your team develops numerous applications that are deployed continuously through an automated build pipeline to a Kubernetes cluster in the production environment. The security auditor is concerned that developers or operators could circumvent automated testing and push code changes to production without approval. What should you do to enforce approvals?
A. Configure the build system with protected branches that require pull request approval.
B. Use an Admission Controller to verify that incoming requests originate from approved sources.
C. Leverage Kubernetes Role-Based Access Control (RBAC) to restrict access to only approved users.
D. Enable binary authorization inside the Kubernetes cluster and configure the build pipeline as an attestor.
Comments (12)
This question is a little bit strange, but first we need to remove the invalid answers.

B: Incorrect. An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. (It's for security, but not to "enforce approvals".)
C: Incorrect. We need to "enforce approvals"; roles apply in the cluster, and Ops could always push to production without approval.
A: Incorrect. For me this answer sounds good, but it does not sound like an answer for a GCP exam, and it does not enforce the use of the pipeline.
D: Correct. They cannot push code to production without approval because their images are not signed.
👍 25 francisco_guerra 2021/06/25

I won the exam today, so these questions helped me a lot.
👍 15 francisco_guerra 2021/07/01

Agreed with D. The keywords here are "developers or operators". With option A, the operators could push images to production without approval (operators could touch the cluster directly, and the cluster cannot do any action against them). Rest same as francisco_guerra.
👍 4 zanhsieh 2021/06/29
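As an added illustration of answer D (not taken from the question or from any commenter), this is the shape of a Binary Authorization policy that makes the cluster admit only images carrying an attestation from the build pipeline's attestor; an image that bypassed the pipeline has no attestation and is blocked. PROJECT_ID, the attestor name build-pipeline-attestor, and the cluster key us-central1.prod-cluster are assumed placeholders.

```yaml
# Binary Authorization policy (assumed placeholders: PROJECT_ID, attestor and cluster names).
# Import it with: gcloud container binauthz policy import policy.yaml
# The build pipeline is the only holder of the attestor's signing key; after tests pass
# it signs the image digest (gcloud container binauthz attestations sign-and-create ...),
# which is the "approval" the cluster checks at admission time.
name: projects/PROJECT_ID/policy

# Let Google-managed GKE system images through via the global policy; everything else
# is evaluated against the rules below.
globalPolicyEvaluationMode: ENABLE

# Default rule for any cluster in the project: an image without an attestation from the
# pipeline's attestor is rejected, and the rejection is written to the audit log.
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  requireAttestationsBy:
    - projects/PROJECT_ID/attestors/build-pipeline-attestor

# Explicit rule for the production cluster, keyed as <location>.<cluster-name>.
# Using ENFORCED_BLOCK_AND_AUDIT_LOG here (rather than DRYRUN_AUDIT_LOG_ONLY) is what
# actually stops a developer or operator from deploying an unattested image with kubectl.
clusterAdmissionRules:
  us-central1.prod-cluster:
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
    requireAttestationsBy:
      - projects/PROJECT_ID/attestors/build-pipeline-attestor
```

The policy applies to the image digest, so retagging an unapproved image does not help; the attestation must exist for the exact digest being deployed.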