Professional-Cloud-DevOps-Engineer Exam Dumps : Google Cloud Certified - Professional Cloud DevOps Engineer Exam

The correct answer is B. Create an attestation for the builds that pass the load test by using a private key stored in Cloud Key Management Service (Cloud KMS) authenticated through Workload Identity.

According to the Google Cloud documentation, Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run1.Binary Authorization uses attestations to certify that a specific image has completed a previous stage in the CI/CD pipeline, such as passing a load test2.Attestations are signed by private keys that are associated with attestors, which are entities that verify the attestations3.To follow Google-recommended practices, you should store your private keys in Cloud Key ManagementService (Cloud KMS), which is a secure and scalable service for managing cryptographic keys4.You should also use Workload Identity, which is a feature that allows Kubernetes service accounts to act as Google service accounts, to authenticate to Cloud KMS and sign attestations without having to manage or expose service account keys5.

The other options are incorrect because they do not follow Google-recommended practices. Option A and option D require human intervention to sign the attestations, which is not scalable or automated. Option C exposes the service account JSON key as a Kubernetes Secret, which is less secure than using Workload Identity.

The best option for ensuring that the three environments are consistent and following Google-recommended practices is to use Cloud Build to render and deploy the network policies and the DaemonSet, and set up Config Sync to sync the configurations for the three environments. Cloud Build is a service that executes your builds on Google Cloud infrastructure. You can use Cloud Build to render and deploy your network policies and DaemonSet as code using tools like Kustomize, Helm, or kpt. Config Sync is a feature that enables you to manage the configurations of your GKE clusters from a single source of truth, such as a Git repository. You can use Config Sync to sync the configurations for your development, staging, and production environments and ensure that they are consistent.

To control data residency in Secret Manager, you must use a user-managed replication policy to specify that secrets reside in U.S. regions, satisfying healthcare compliance requirements (e.g., HIPAA, regional residency).

“To ensure that secrets are stored only in certain regions, use user-managed replication.”

— Secret Manager Replication Policies

“If an organization policy restricts the use of the global location, use a user-managed replication policy to comply with those restrictions.”

— Policy Restrictions on Global Resources

Using user-managed replication allows you to explicitly define U.S. regions while resolving the policy block.