What happens when a container image is deployed to Google Kubernetes Engine (GKE) with Binary Authorization enabled, but the image is not signed by a trusted authority?
Think about the purpose of Binary Authorization in enforcing image trust.
Binary Authorization blocks deployment of container images that are not signed by trusted authorities to ensure only verified images run in the cluster.
You want to enforce that only container images signed by your internal CI system can be deployed to your GKE cluster. Which component must you configure in Binary Authorization to achieve this?
Consider how Binary Authorization verifies image signatures.
Attestors are entities in Binary Authorization that verify signatures from trusted sources like your CI system.
What is the effect on container image deployment if a Binary Authorization policy requires an Attestor that is not configured or missing?
Think about how Binary Authorization enforces policies with required Attestors.
If a required Attestor is missing, Binary Authorization cannot verify signatures and blocks all deployments to maintain security.
If a Binary Authorization policy requires multiple Attestors, what is the expected behavior when a container image is signed by only some of them?
Consider the strictness of requiring multiple Attestors in a policy.
Binary Authorization requires that all specified Attestors approve the image for deployment to proceed.
Which practice is best for managing signing keys used by Binary Authorization Attestors to ensure security and operational reliability?
Think about key security and operational continuity.
Regular key rotation and secure key storage in Cloud KMS reduce the risk of key compromise and ensure trusted signing.