Your team uses Cloud Build for all CI/CD pipelines. You want to use the kubectl builder for Cloud Build to deploy new images to Google Kubernetes Engine (GKE). You need to authenticate to GKE while minimizing development effort. What should you do?
A. Assign the Container Developer role to the Cloud Build service account.
B. Specify the Container Developer role for Cloud Build in the cloudbuild.yaml file.
C. Create a new service account with the Container Developer role and use it to run Cloud Build.
D. Create a separate step in Cloud Build to retrieve service account credentials and pass these to kubectl.
I think that A is incorrect... Good practice says that CB, like other resources, should avoid using the default SA, so the correct one is C, which creates an SA and then gives it the required roles.
The best option for authenticating to GKE while minimizing development effort would be A. Assign the Container Developer role to the Cloud Build service account.
Google Cloud Build uses a default service account to run the build. This service account is automatically created by Cloud Build and has the necessary permissions to access the resources used by the build. By assigning the Container Developer role to this service account, it will have the necessary permissions to deploy new images to GKE. This way you don't need to create a new service account or specify the role in the cloudbuild.yaml file. This is an easy and secure way to authenticate to GKE without adding extra steps to the CI/CD pipeline.
Ans: A
Exam passed and taken on 19/12/2022, 50/50 from this dump without buying the full access and looking for 'devops' word here: https://www.examtopics.com/discussions/google/1/
I think A; a new service account needs the "Cloud Build Service Account" role and the "Kubernetes Engine Developer" role to execute the build steps for Cloud Build.
I think A is correct, but please note that the question specifies that the kubectl builder (https://github.com/GoogleCloudPlatform/cloud-builders/tree/master/kubectl) and NOT gke-deploy (https://github.com/GoogleCloudPlatform/cloud-builders/tree/master/gke-deploy) is being used!
https://cloud.google.com/build/docs/deploying-builds/deploy-gke
In any case, as specified in the kubectl builder documentation: When executed in the Cloud Build environment, commands are executed with credentials of the builder service account for the build project.
A should be the correct one, because assigning permission to the Cloud Build service account will give permission to deploy while minimizing additional overhead.
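Added example, not part of the thread or of Google's documentation: a `cloudbuild.yaml` showing what the kubectl builder setup discussed above looks like once the role is granted to the Cloud Build service account. The cluster name, zone, deployment name and image name are placeholders, and the member address assumes the project's build identity is the `PROJECT_NUMBER@cloudbuild.gserviceaccount.com` account.

```yaml
# Added example; my-app, my-cluster and us-central1-a are placeholders.
#
# One-time IAM grant, run by a project admin outside the build.
# roles/container.developer is the role ID of "Kubernetes Engine Developer".
#   gcloud projects add-iam-policy-binding PROJECT_ID \
#     --member="serviceAccount:PROJECT_NUMBER@cloudbuild.gserviceaccount.com" \
#     --role="roles/container.developer"
#
# cloudbuild.yaml
steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/my-app:$SHORT_SHA', '.']

  - name: 'gcr.io/cloud-builders/docker'
    args: ['push', 'gcr.io/$PROJECT_ID/my-app:$SHORT_SHA']

  # No credential-retrieval step and no key file: the kubectl builder
  # fetches cluster credentials itself, using the identity the build runs as.
  # The two env values tell it which cluster to fetch credentials for.
  - name: 'gcr.io/cloud-builders/kubectl'
    args:
      - 'set'
      - 'image'
      - 'deployment/my-app'
      - 'my-app=gcr.io/$PROJECT_ID/my-app:$SHORT_SHA'
    env:
      - 'CLOUDSDK_COMPUTE_ZONE=us-central1-a'
      - 'CLOUDSDK_CONTAINER_CLUSTER=my-cluster'
```

The role binding is project-wide, so the build identity can deploy to every GKE cluster in that project; scope projects accordingly.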