Your team uses Cloud Build for all CI/CD pipelines. You want to use the kubectl builder for Cloud Build to deploy new images to Google Kubernetes Engine (GKE). You need to authenticate to GKE while minimizing development effort. What should you do?
A. Assign the Container Developer role to the Cloud Build service account.
B. Specify the Container Developer role for Cloud Build in the cloudbuild.yaml file.
C. Create a new service account with the Container Developer role and use it to run Cloud Build.
D. Create a separate step in Cloud Build to retrieve service account credentials and pass these to kubectl.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
A
Explanation
A. Assign the Container Developer role to the Cloud Build service account.
https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts
The best option for authenticating to GKE while minimizing development effort is A. Assign the Container Developer role to the Cloud Build service account.
Cloud Build uses a default service account to run the build. Cloud Build creates this service account automatically, and it has the permissions needed to access the resources used by the build. Assigning the Container Developer role to this service account gives it the permissions needed to deploy new images to GKE. This way you don’t need to create a new service account or specify the role in the cloudbuild.yaml file. This is an easy and secure way to authenticate to GKE without adding extra steps to the CI/CD pipeline.
B. Specify the Container Developer role for Cloud Build in the cloudbuild.yaml file.
C. Create a new service account with the Container Developer role and use it to run Cloud Build.
D. Create a separate step in Cloud Build to retrieve service account credentials and pass these to kubectl.