I think A

A https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts

Option C

A https://cloud.google.com/build/docs/deploying-builds/deploy-gke#required_iam_permissions

Doesn't C makes more sense ? Why is it A?

I think that the A is incorrect... The good practices says that the CB like the other resources should avoid to use the default SA, so the correct one is the C which creates a SA and then give the required roles.

100% A and this is the doc the proves this: https://cloud.google.com/build/docs/deploying-builds/deploy-gke#required_iam_permissions

The best option for authenticating to GKE while minimizing development effort would be A. Assign the Container Developer role to the Cloud Build service account. Google Cloud Build uses a default service account to run the build, this service account is automatically created by Cloud Build and it has the necessary permissions to access the resources used by the build. By assigning the Container Developer role to this service account, it will have the necessary permissions to deploy new images to GKE. This way you don't need to create a new service account or specify the role in the cloudbuild.yaml file. This is an easy and secure way to authenticate to GKE without adding extra steps to the CI/CD pipeline.

Answer is A https://cloud.google.com/build/docs/deploying-builds/deploy-gke#required_iam_permissions

Ans: A Exam passed and taken on 19/12/2022, 50/50 from this dump without buying the full access and looking for 'devops' word here: https://www.examtopics.com/discussions/google/1/

i think A, new service account needs " Cloud Build Service Account " role and " kubernete engine developer" role to execute the build steps for cloud build.

A is more suitable for this scenario https://cloud.google.com/build/docs/securing-builds/configure-access-for-cloud-build-service-account

I think A is correct, but please note that question specify that kubectl builder (https://github.com/GoogleCloudPlatform/cloud-builders/tree/master/kubectl) and NOT gke-deploy (https://github.com/GoogleCloudPlatform/cloud-builders/tree/master/gke-deploy) is being used! https://cloud.google.com/build/docs/deploying-builds/deploy-gke In any case, as specified in kubectl builder documentation: When executed in the Cloud Build environment, commands are executed with credentials of the builder service account for the build project.

Answer is A

A is the correct answer

A should be the correct one. because assigning permission to cloud build service account will give permission to deploy while minimizing additional overhead.

Agree with A. Reference to container.developer role: https://cloud.google.com/kubernetes-engine/docs/how-to/iam