Your organization recently adopted a container-based workflow for application development. Your team develops numerous applications that are deployed continuously through an automated build pipeline to a Kubernetes cluster in the production environment. The security auditor is concerned that developers or operators could circumvent automated testing and push code changes to production without approval. What should you do to enforce approvals?
A. Configure the build system with protected branches that require pull request approval.
B. Use an Admission Controller to verify that incoming requests originate from approved sources.
C. Leverage Kubernetes Role-Based Access Control (RBAC) to restrict access to only approved users.
D. Enable binary authorization inside the Kubernetes cluster and configure the build pipeline as an attestor.
Disclaimer
This is a practice question. There is no guarantee of coming this question in the certification exam.
Answer
D
Explanation
A. Configure the build system with protected branches that require pull request approval.
(This answer sound well but this does not sound that an answer for a GCP exam and this does not enforce the use of the pipeline.)
B. Use an Admission Controller to verify that incoming requests originate from approved sources.
(An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. (its for security but not “enforce approvals”.)
C. Leverage Kubernetes Role-Based Access Control (RBAC) to restrict access to only approved users.
(We need to “enforce approvals” roles apply in the cluster and Ops always could push to production without approval.)
D. Enable binary authorization inside the Kubernetes cluster and configure the build pipeline as an attestor.
(They cannot push code to production without approval because their images are not signed.)