GCP Professional Cloud Security Engineer Practice Question
Your security team is rolling out a Binary Authorization policy that requires images to carry a vulnerability-scan attestation before they can run in the company's production GKE clusters. Before enforcing the policy, they want to deploy it to a staging cluster for one week to gauge how many existing workloads would be rejected, without disrupting any deployments. Which configuration will meet this goal?
Disable Binary Authorization entirely on the staging cluster while the policy is refined, and rely on Cloud Logging to flag any risky images.
Set the admission rule that targets the staging cluster to enforcementMode: DRYRUN_AUDIT_LOG_ONLY and evaluationMode: REQUIRE_ATTESTATION.
Set the global default admission rule to evaluationMode: ALWAYS_ALLOW so all images are permitted, then inspect Cloud Audit Logs for violations.
Use enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG on the admission rule but add an allowlist exception for the staging cluster's namespace.
Binary Authorization admission rules include an enforcementMode field that determines what happens when a deployment violates the rule. Setting enforcementMode to DRYRUN_AUDIT_LOG_ONLY on the admission rule (for the staging cluster or its matching cluster-selector) causes the policy engine to evaluate every deploy request and write an audit-log entry if the image lacks the required attestation, but it does not block the request. Modes that disable Binary Authorization or use ALWAYS_ALLOW skip evaluation altogether, so no policy-violation data would be captured. ENFORCED_BLOCK_AND_AUDIT_LOG would immediately prevent non-compliant images from being deployed, which the team wants to avoid during the test.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Binary Authorization?
Open an interactive chat with Bash
What is enforcementMode and how does DRYRUN_AUDIT_LOG_ONLY work?
Open an interactive chat with Bash
What is an attestation in Binary Authorization?
Open an interactive chat with Bash
What does enforcementMode: DRYRUN_AUDIT_LOG_ONLY do in Binary Authorization?
Open an interactive chat with Bash
What is the difference between evaluationMode and enforcementMode in Binary Authorization?
Open an interactive chat with Bash
What are the key use cases for Binary Authorization in Google Kubernetes Engine (GKE)?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Managing operations
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .