GCP Professional Cloud Security Engineer Practice Question
Your organization runs multiple Anthos clusters on VMware (GKE Enterprise edition). A centralized Cloud project already hosts a Binary Authorization policy named team-policy that requires every container image to carry an attestation signed by the CI/CD system's KMS key. You must ensure that:
All workloads deployed to the production user cluster are blocked at deploy-time unless they comply with team-policy.
Developers should be able to test non-attested images on the dev user cluster, but any violations must be logged for later review.
Which approach meets these requirements while minimizing operational overhead?
Disable Binary Authorization at the project level and instead run vulnerability scans post-deployment with Cloud Run Jobs in both clusters.
Duplicate team-policy into each cluster's namespace and annotate any deployment in production with breakglass: "true"; leave dev without Binary Authorization enabled.
Reference the centralized team-policy in both user-cluster configuration files, set enableBinaryAuthorization: true, and specify defaultAdmissionRule.enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG for production while using DRYRUN_AUDIT_LOG_ONLY for the dev cluster.
Set defaultAdmissionRule.enforcementMode: DRYRUN_AUDIT_LOG_ONLY in the centralized policy so both clusters log violations, and instruct platform admins to manually delete non-compliant pods in production.
Anthos clusters on VMware inherit Binary Authorization policies defined in a Google Cloud project, but each user cluster decides whether the admission controller blocks non-compliant images or only audits them. Enabling Binary Authorization by setting enableBinaryAuthorization: true in the user cluster configuration activates the admission webhook. The enforcement mode chosen for each cluster then decides what the webhook does with an image that lacks the required attestation:
defaultAdmissionRule.enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG on the production cluster stops deployments that lack the required attestation and records the event.
defaultAdmissionRule.enforcementMode: DRYRUN_AUDIT_LOG_ONLY on the dev cluster leaves the same policy in place but merely logs any violations.
This enforces the shared team-policy everywhere, guarantees production protection, and avoids separate policy copies or disabling the controller on dev. Using the break-glass annotation would allow uncontrolled bypass, and disabling Binary Authorization or switching the policy to dry run at the project level would weaken security for production.