Examtopics

Professional Cloud Security Engineer

  • Topic 1 Question 192

    Your organization is rolling out a new continuous integration and delivery (CI/CD) process to deploy infrastructure and applications in Google Cloud. Many teams will use their own instances of the CI/CD workflow. It will run on Google Kubernetes Engine (GKE). The CI/CD pipelines must be designed to securely access Google Cloud APIs.

    What should you do?

      1. Create two service accounts, one for the infrastructure and one for the application deployment.
      2. Use workload identities to let the pods run the two pipelines and authenticate with the service accounts.
      3. Run the infrastructure and application pipelines in separate namespaces.
      1. Create a dedicated service account for the CI/CD pipelines.
      2. Run the deployment pipelines in a dedicated nodes pool in the GKE cluster.
      3. Use the service account that you created as identity for the nodes in the pool to authenticate to the Google Cloud APIs.
      1. Create individual service accounts for each deployment pipeline.
      2. Add an identifier for the pipeline in the service account naming convention.
      3. Ensure each pipeline runs on dedicated pods.
      4. Use workload identity to map a deployment pipeline pod with a service account.
      1. Create service accounts for each deployment pipeline.
      2. Generate private keys for the service accounts.
      3. Securely store the private keys as Kubernetes secrets accessible only by the pods that run the specific deploy pipeline.
    シャッフルモード