GCP Professional Cloud Security Engineer Practice Question
Your development teams build container images with Cloud Build and push them to Artifact Registry, where automatic vulnerability scanning is already enabled. Compliance requires that any image containing HIGH or CRITICAL CVEs must be prevented from running in the production Google Kubernetes Engine (GKE) cluster, but builds themselves must still finish so engineers can review scan results and remediate issues. You want to implement this control with the fewest moving parts and no changes to application code. Which solution should you implement?
A. Enable Binary Authorization on the production GKE cluster and set a vulnerability-based admission rule that blocks images whose maximum vulnerability severity exceeds MEDIUM, using the scan results automatically generated by Artifact Registry.
B. Attach a Cloud Armor security policy to the production load balancer that drops traffic from any pod whose container image includes HIGH or CRITICAL CVEs.
C. Create an organization policy that denies the artifactregistry.repositories.upload permission when pushed images contain vulnerabilities with severity above HIGH.
D. Add a Cloud Build post-build step that fails the pipeline whenever Artifact Registry reports any HIGH or CRITICAL vulnerabilities, preventing the image from being pushed.
Correct answer: A. Artifact Registry's native scanning continues to generate vulnerability metadata for every image. By enabling Binary Authorization on the production GKE cluster and configuring its vulnerability-based admission policy, you specify a maximum allowed CVE severity (for example, MEDIUM). At deploy time, Binary Authorization consults Container Analysis for the scan results that Artifact Registry produced. If any HIGH or CRITICAL findings exist, the admission controller denies the request for the image, blocking the deployment, while the original Cloud Build still completes successfully so developers can inspect and fix issues. The other options are incorrect because:
D. A build-failure step would stop the build instead of allowing developers to examine the image, and it adds custom scripting rather than using managed enforcement.
C. Organization Policy cannot evaluate image vulnerability data; it controls IAM and resource configuration, not CVE severities in container images.
B. Cloud Armor cannot inspect container image metadata and therefore cannot block deployments based on CVE severity.
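The following platform policy is an added illustration of the control the correct answer describes; it is not part of the original question, and it is not copied from Google's documentation. It assumes the GKE platform-policy format of Binary Authorization, in which a `vulnerabilityCheck` sets the maximum severity allowed separately for fixable and unfixable findings and reads Container Analysis results from the listed project. The project ID and display names are placeholders, and the field names should be confirmed against the current Binary Authorization reference before use.

```yaml
# Binary Authorization GKE platform policy (added example, assumed schema).
# Intent: admit a Pod only if every image it references has no finding
# above MEDIUM severity in the Container Analysis scan results that
# Artifact Registry's automatic scanning produced. Builds and pushes are
# untouched; enforcement happens at admission time in the cluster.
gkePolicy:
  checkSets:
  - displayName: "prod-vulnerability-gate"     # placeholder name
    # Empty scope applies this check set to all Pods in the cluster.
    scope: {}
    checks:
    - displayName: "max-severity-medium"       # placeholder name
      vulnerabilityCheck:
        # The question states a single threshold ("exceeds MEDIUM").
        # Applying it to both fixable and unfixable findings blocks
        # HIGH and CRITICAL CVEs regardless of whether a fix exists.
        maximumFixableSeverity: MEDIUM
        maximumUnfixableSeverity: MEDIUM
        # Project whose Container Analysis occurrences are consulted;
        # normally the project that owns the Artifact Registry repository.
        containerAnalysisVulnerabilityProjects:
        - "projects/PROJECT_ID_PLACEHOLDER"
  # System images shipped by GKE are exempted so the cluster can still
  # run its own components; tighten this list to your environment.
  imageAllowlist:
    allowPattern:
    - "gcr.io/gke-release/*"
```

The deploy-time behaviour follows from the policy rather than from the pipeline: an image with a CRITICAL finding is still built and pushed, its scan results remain visible in Artifact Registry for remediation, and only the attempt to schedule it in the production cluster is rejected. The command form assumed here for loading the policy is `gcloud container binauthz policy create POLICY_ID --platform=gke --policy-file=policy.yaml --project=PROJECT_ID_PLACEHOLDER`, after which the cluster's Binary Authorization evaluation mode is pointed at that policy; check both against the current gcloud reference, since the exact flags are not given in the question.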