Topic 1 Question 125

Professional Cloud Security Engineer

Topic 1 Question 125
You are setting up a CI/CD pipeline to deploy containerized applications to your production clusters on Google Kubernetes Engine (GKE). You need to prevent containers with known vulnerabilities from being deployed. You have the following requirements for your solution:

Must be cloud-native - ✑ Must be cost-efficient ✑ Minimize operational overhead How should you accomplish this?

2 つ選択
- Create a Cloud Build pipeline that will monitor changes to your container templates in a Cloud Source Repositories repository. Add a step to analyze Container Analysis results before allowing the build to continue.
- Use a Cloud Function triggered by log events in Google Cloud's operations suite to automatically scan your container images in Container Registry.
- Use a cron job on a Compute Engine instance to scan your existing repositories for known vulnerabilities and raise an alert if a non-compliant container image is found.
- Deploy Jenkins on GKE and configure a CI/CD pipeline to deploy your containers to Container Registry. Add a step to validate your container images before deploying your container to the cluster.
- In your CI/CD pipeline, add an attestation on your container image when no vulnerabilities have been found. Use a Binary Authorization policy to block deployments of containers with no attestation in your cluster.
解説
Reference: https://cloud.google.com/architecture/prep-kubernetes-engine-for-prod

ユーザの投票
コメント(4)
- 正解だと思う選択肢: AE
  On-demand container analysis can be integrated into a Cloud Build Pipeline: https://cloud.google.com/container-analysis/docs/ods-cloudbuild Also binary attestation is a complementary mechanism "cloud-native".
  
  👍 7
  mikesp2022/06/03
- Ans: A,E https://cloud.google.com/architecture/binary-auth-with-cloud-build-and-gke#setting_the_binary_authorization_policy
  
  👍 2
  ExamQnA2022/05/20
- 正解だと思う選択肢: AE
  AE is the answer.
  
  https://cloud.google.com/container-analysis/docs/container-analysis Container Analysis is a service that provides vulnerability scanning and metadata storage for containers. The scanning service performs vulnerability scans on images in Container Registry and Artifact Registry, then stores the resulting metadata and makes it available for consumption through an API.
  
  https://cloud.google.com/binary-authorization/docs/attestations After a container image is built, an attestation can be created to affirm that a required activity was performed on the image such as a regression test, vulnerability scan, or other test. The attestation is created by signing the image's unique digest. During deployment, instead of repeating the activities, Binary Authorization verifies the attestations using an attestor. If all of the attestations for an image are verified, Binary Authorization allows the image to be deployed.
  
  👍 2
  zellck2022/09/27
シャッフルモード

解説

ユーザの投票

コメント(4)