GCP Professional Cloud Security Engineer Practice Question
Your organization builds container images with Cloud Build and stores them in Artifact Registry where automatic vulnerability scanning is already enabled. During a recent audit you discovered that several images containing HIGH and CRITICAL CVEs were still deployed to multiple Google Kubernetes Engine (GKE) clusters through the CI/CD pipeline. You must ensure that any future deployment to these clusters is automatically rejected unless the image contains no vulnerabilities above MEDIUM severity, and you want to rely only on Google-managed controls rather than custom admission webhooks. Which approach meets the requirement?
A. Enable Binary Authorization enforcement on all GKE clusters and, in the policy, add a vulnerability requirement that allows deployment only when the image's maximum detected CVE severity is MEDIUM or lower.
B. Install the OPA Gatekeeper admission controller on each GKE cluster and write a custom constraint template that rejects images with HIGH or CRITICAL CVEs.
C. Add Cloud Build's built-in vulnerability scanning step and configure the build to fail when HIGH or CRITICAL findings are reported.
D. Create an Eventarc trigger that listens for new HIGH or CRITICAL vulnerability findings and automatically deletes the affected image from Artifact Registry before it can be pulled by GKE.
Explanation: The first option (Binary Authorization enforcement with a vulnerability requirement) is correct. Binary Authorization is Google Cloud's deploy-time admission control for GKE, and its policy can be set to examine the vulnerability occurrences that Artifact Registry scanning records for an image. In the policy you define a vulnerabilityRequirements stanza that specifies the highest CVSS severity an image may contain (for example, MAX_SEVERITY=MEDIUM). When the policy is in enforcement mode and attached to a GKE cluster, the check runs automatically for every image the cluster attempts to run: an image with any HIGH or CRITICAL finding fails admission and the deployment is blocked, with no custom components to operate. The other options fall short of the requirement. Failing the Cloud Build step only stops that one build and does nothing for images built outside that pipeline or already in the registry. Eventarc-based deletion is reactive: the finding is raised after the image exists, so an initial deployment can still succeed before the image is removed. OPA Gatekeeper can express the rule, but it is a customer-managed admission webhook, which the question explicitly excludes in favour of Google-managed enforcement.
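To make the admission decision described above concrete, here is an added Python illustration of the gate logic (it is not Binary Authorization's own code, and the findings it evaluates are constructed sample data, not real scan output). The policy is the one from the question: the image is admitted only if its highest-severity finding is MEDIUM or lower. It also handles the edge case a deploy-time control must get right: an image with no scan results is denied rather than waved through, because "no findings" and "not scanned" are not the same thing.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Severity ladder used by Artifact Registry vulnerability scanning, lowest to highest.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    """One vulnerability occurrence attached to an image (constructed shape, not the API's)."""
    cve: str
    severity: str
    package: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    violations: Tuple[Finding, ...]  # findings that exceed the policy's maximum severity


def evaluate_image(image: str,
                   findings: Optional[Iterable[Finding]],
                   max_severity: str = "MEDIUM") -> Decision:
    """Deploy-time gate: admit the image only if every finding is at or below max_severity.

    findings=None means no scan results exist for this digest; the gate fails closed.
    A severity value outside the known ladder is treated as above the limit, also fail closed.
    """
    if max_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown max_severity {max_severity!r}")
    if findings is None:
        return Decision(False, f"{image}: no vulnerability scan results available, denying", ())

    limit = SEVERITY_RANK[max_severity]
    unknown_rank = len(SEVERITY_RANK)  # ranks above CRITICAL, so unknown severities never pass
    violations = tuple(
        f for f in findings
        if SEVERITY_RANK.get(f.severity, unknown_rank) > limit
    )
    if violations:
        worst = max(violations, key=lambda f: SEVERITY_RANK.get(f.severity, unknown_rank))
        return Decision(
            False,
            f"{image}: {len(violations)} finding(s) above {max_severity}, worst is "
            f"{worst.severity} ({worst.cve} in {worst.package})",
            violations,
        )
    return Decision(True, f"{image}: no findings above {max_severity}", ())


def evaluate_all(scan_results: Dict[str, Optional[Iterable[Finding]]],
                 max_severity: str = "MEDIUM") -> Dict[str, Decision]:
    """Evaluate every image a workload references; a single denied image blocks the deployment."""
    return {image: evaluate_image(image, findings, max_severity)
            for image, findings in scan_results.items()}


# Constructed sample scan results for three image digests (CVE ids are placeholders).
SAMPLE_SCAN_RESULTS: Dict[str, Optional[Tuple[Finding, ...]]] = {
    "registry/app/api@sha256:aaaa": (
        Finding("CVE-0000-0001", "LOW", "libfoo"),
        Finding("CVE-0000-0002", "MEDIUM", "libbar"),
    ),
    "registry/app/worker@sha256:bbbb": (
        Finding("CVE-0000-0003", "MEDIUM", "libbaz"),
        Finding("CVE-0000-0004", "HIGH", "openssl-placeholder"),
        Finding("CVE-0000-0005", "CRITICAL", "zlib-placeholder"),
    ),
    "registry/app/unscanned@sha256:cccc": None,  # pushed moments ago, scan not finished
}

if __name__ == "__main__":
    for image, decision in evaluate_all(SAMPLE_SCAN_RESULTS).items():
        print("ALLOW" if decision.allowed else "DENY ", decision.reason)
```

Run as a script it prints one ALLOW line for the api image and DENY lines for the worker image (two findings above MEDIUM) and the unscanned image. The fail-closed branch is the part worth copying into any home-grown pre-deployment check: a gate that treats "no scan results" as "no vulnerabilities" lets freshly pushed images through in exactly the window the audit in the question found.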
Exam: GCP Professional Cloud Security Engineer. Domain: Managing operations.