GCP Professional Cloud Security Engineer Practice Question
Your company builds container images with Cloud Build and pushes them to Artifact Registry, where automatic vulnerability scanning is enabled. Security policy states that any image containing unresolved HIGH or CRITICAL CVEs must be blocked from running on Google Kubernetes Engine (GKE), except when an on-call SRE group needs to perform an emergency "breakglass" deployment. With minimal ongoing maintenance, which solution best enforces these requirements during every deployment to all GKE clusters?
Schedule a nightly Cloud Build job that exports a list of vulnerability-free image digests to Cloud Storage; deploy an admission webhook in each GKE cluster that rejects images not on the list, granting the SRE group permission to modify the webhook for emergency deployments.
Enable Cloud Audit Logs and configure a log-based alert that triggers a Cloud Function to delete any image with HIGH or CRITICAL findings after it is pushed; require developers to redeploy once issues are fixed.
Mandate that developers add a "vuln=pass" label to Deployment manifests and use OPA Gatekeeper to reject resources lacking the label; allow the SRE group to edit the Gatekeeper constraint to bypass checks in emergencies.
Enable Artifact Registry vulnerability scanning and create a Binary Authorization policy that blocks images with HIGH or CRITICAL findings unless they carry an attestation signed by Cloud Build; add the SRE group to the policy's breakglass allowlist so they can override enforcement when needed.
Artifact Analysis automatically scans images in Artifact Registry and writes vulnerability notes in Container Analysis. A Binary Authorization policy can be configured to require an attestation (signed by Cloud Build) that no HIGH or CRITICAL vulnerabilities are present before an image is admitted to a GKE cluster. The same policy can include a breakglass exemption that permits members of a specific IAM group to deploy non-compliant images by adding the admission.binauth.io/Breakglass annotation, satisfying the emergency override requirement. The other approaches either rely on post-deployment deletion, require custom admission webhooks and manual list management, or depend on developers manually adding labels, all of which add unnecessary operational overhead and do not guarantee enforcement at deploy time.
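The policy described above, written out as a Binary Authorization policy file. This is an added example, not code from the page or from Google; YOUR_PROJECT_ID is a placeholder, and the example assumes the pipeline only lets Cloud Build produce its attestation for images that passed the vulnerability gate, as the explanation states.

```yaml
# Added example (not part of the original page). Binary Authorization
# project policy: every GKE cluster in the project admits only images
# carrying the Cloud Build attestation. YOUR_PROJECT_ID is a placeholder.
# Apply with: gcloud container binauthz policy import policy.yaml

# ENABLE exempts Google-maintained system images (kube-system, etc.),
# so the cluster itself keeps running under an enforced policy.
globalPolicyEvaluationMode: ENABLE

defaultAdmissionRule:
  # Require an attestation rather than ALWAYS_ALLOW / ALWAYS_DENY.
  evaluationMode: REQUIRE_ATTESTATION
  # Block non-compliant pods and write an audit log entry. For a staged
  # rollout, start with DRYRUN_AUDIT_LOG_ONLY, review the logs, then
  # switch to blocking.
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG
  # The attestor Cloud Build creates automatically for images it builds;
  # the attestation is only produced after the pipeline's scan gate.
  requireAttestationsBy:
  - projects/YOUR_PROJECT_ID/attestors/built-by-cloud-build
```

Because the rule sits in `defaultAdmissionRule`, it applies to every cluster in the project without per-cluster configuration, which is the "minimal ongoing maintenance" property the question asks for. The emergency override is signalled by the break-glass annotation on the pod, as the explanation describes; each such admission is recorded in Cloud Audit Logs, so SRE break-glass use can be alerted on and reviewed after the fact rather than silently bypassing the policy.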