You manage an application deployed on GKE clusters across multiple environments. You are using Cloud Build to run user acceptance testing (UAT) tests. You have integrated Cloud Build with Artifact Analysis, and enabled the Binary Authorization API in all Google Cloud projects hosting your environments. You want only container images that have passed certain automated UAT tests to be deployed to the production environment. You have already created an attestor. What should you do next?
A. After the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE cluster-specific rule in Binary Authorization for the UAT Google Cloud project.
B. After the UAT phase, sign the attestation with a key stored as a Kubernetes secret. Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.
C. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a default rule in Binary Authorization for the UAT Google Cloud project.
D. After the UAT phase, sign the attestation with a key stored in Cloud Key Management Service (KMS). Add a GKE cluster-specific rule in Binary Authorization for the production Google Cloud project policy.
Answer
D