this question is a little bit strange, but first we need to remove the invalid answers B: Incorrect An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. (its for security but not "enforce approvals") C: Incorrect, we need to "enforce approvals" roles apply in the cluster and Ops always could push to production without approval. A: Incorrect, for me this answer sound well but this does not sound that an answer for a gcp exam and this do not enforce the use of the pipeline. D: Correct, they cannot push code to production without approval because their images are not signed.

I win the exam today so this questions help me a lot

Option D

If you are not familiarised, Pull Requests are one way to bring changes from one branch (e.g. develop) into protected branches (e.g. master, main). 1. First you need to protect the production branch (e.g, master, main) 2. If a developer attempts to push new code to a production (now protected) it will trow a Permission denied error like this: remote: Permission denied to update branch master. To git.com:org/repository.git ! [remote rejected] master -> master (pre-receive hook declined) error: failed to push some refs to 'git.com:org/repository.git' 3. in order to push their code to production branch, the developers will need to open a Pull Request (If you are using GitLab, it is called Merge Request) and ask someone to Review and Approve your changes. 4. The pipeline points to the protected branch; any new code pushed trigger the pipeline, and runs the tests and then deploy it. This is how we do devops.

D is correct answer, binary auth is best practice

Correct me if I am wrong, but this question is ambiguous. You can push the code at 3 stages: 1. You can merge a branch to master without Merge Request if the master is not protected 2. You can push the image to container registry to a repository if you have role assigned (only pipeline should be privileged to do). 3. An operator can change the code altering image/yaml using kubectl cli. The ultimate question is which problem are we trying to solve?

D - Binary authorisation

D https://cloud.google.com/binary-authorization Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.

Questions 51-55 is not available.. can someone please help me to get 51-55 questions?

Agreed with D. The keywords here is "developers or operators". Option A the operators could push images to production without approval (operators could touch the cluster directly and the cluster cannot do any action against them). Rest same as francisco_guerra.

D - PR approval will ensure the automated testing etc., the question is asking how to ensure all code changes go through the pipeline, where automated tests are integrated

Answer C is the most close answer. Leverage best practice . answer A is for pulling the code but in the question , the security auditor is concern about pushing the code .

A could be the ans