Your development team uses Cloud Build to create Docker images. How should Docker images be managed securely in a centralized registry?

Multiple Choice

Your development team uses Cloud Build to create Docker images. How should Docker images be managed securely in a centralized registry?

Explanation:
Creating a separate project for the operations team with a Container Registry and assigning permissions accordingly ensures a clear separation of duties and enhances the security of your Docker images. By centralizing the Container Registry in a dedicated project, you can enforce stricter access controls and ensure that only authorized personnel can push or pull images. This project-based isolation helps mitigate risks associated with accidental exposure or unauthorized access.

Additionally, separated projects allow for tailored access management, so various teams can have different permissions based on their roles. For example, development teams can have the ability to create and push images, while operations can be restricted to pull only, thereby providing an effective way to manage roles and compliance with security best practices.

This approach not only improves security but also simplifies governance around Docker image management. With clear boundaries and specific roles established through permissions, the risk of misconfiguration or misuse is significantly reduced, fostering a more secure environment for development and deployment processes.
