GCP Professional Cloud Security Engineer Practice Question
Your organization operates two GKE clusters, gke-dev (zonal) and gke-prod (regional), in the same Google Cloud project. Security policy mandates that only container images signed by Cloud Build may run in production. In the dev cluster, engineers should be free to deploy any image, but any policy violations must still be recorded for later review without blocking the rollout. Which Binary Authorization configuration best meets these requirements while keeping operational overhead low?
Create one project-level Binary Authorization policy whose defaultAdmissionRule requires a Cloud Build attestation and enforces with BLOCK_AND_AUDIT; add a clusterAdmissionRule for gke-dev that keeps REQUIRE_ATTESTATION but sets enforcementMode to DRYRUN_AUDIT_LOG_ONLY.
Add an admissionWhitelistPattern that matches gke-dev so its deployments bypass Binary Authorization, and set the defaultAdmissionRule to require and enforce attestations for all other clusters.
Disable Binary Authorization on the gke-dev cluster and configure a project-level policy for gke-prod that requires and enforces Cloud Build attestations.
Move gke-dev to its own Google Cloud project with Binary Authorization disabled, and keep enforcement enabled for gke-prod in the original project.
Binary Authorization lets you define a single project-level policy and override it selectively per cluster with clusterAdmissionRule entries. By setting the project's defaultAdmissionRule to evaluationMode REQUIRE_ATTESTATION and enforcementMode ENFORCED_BLOCK_AND_AUDIT_LOG, prod will block any unsigned image. Adding a clusterAdmissionRule that targets the gke-dev cluster, keeps evaluationMode set to REQUIRE_ATTESTATION but changes enforcementMode to DRYRUN_AUDIT_LOG_ONLY. This causes the dev cluster to accept all images yet still generate audit-log findings whenever an image is missing the Cloud Build attestation. Disabling Binary Authorization or whitelisting the dev cluster would prevent any findings from being generated, and moving the cluster to a separate project introduces unnecessary complexity compared with a single policy that uses per-cluster overrides.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Binary Authorization?
Open an interactive chat with Bash
What does DRYRUN_AUDIT_LOG_ONLY mean in Binary Authorization?
Open an interactive chat with Bash
Why is setting a project-level policy with cluster-level overrides beneficial?
Open an interactive chat with Bash
What is Binary Authorization in Google Cloud?
Open an interactive chat with Bash
What is the difference between ENFORCED_BLOCK_AND_AUDIT_LOG and DRYRUN_AUDIT_LOG_ONLY in Binary Authorization?
Open an interactive chat with Bash
How do clusterAdmissionRule overrides work in Binary Authorization?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Managing operations
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .