{
  "results": [
    {
      "id": "ar-default-compute-sa-read-only",
      "text": "Compute Engine, GKE, and Cloud Run default service accounts get read-only access to Artifact Registry by default.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "binary-authorization-build-to-runtime-security-chain",
      "text": "Binary Authorization forms a continuous supply chain security chain: Cloud Build creates attestations at build time and can block unauthorized deployments, while GKE continuous validation (CV) monitors running containers against policies — covering both deployment-time gating and runtime drift detection.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudbuild-binary-authorization-integration",
      "text": "Cloud Build integrates with Binary Authorization to check build attestations and block unauthorized deployments to Cloud Run/GKE.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-billing-fully-optimizable",
      "text": "Cloud Run billing is fully optimizable through request-based pay-per-use default, CUD discounts shared across Cloud Run, GKE, and Compute Engine, and zero-cost for IAM-denied requests.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudrun-compute-flexible-cuds-shared",
      "text": "Compute Flexible CUDs apply across Cloud Run, GKE, and Compute Engine; 3-year flexible CUD offers ~46% savings on CPU.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-immutable-infrastructure-decisions-require-upfront-design",
      "text": "Multiple GCP services enforce immutable-after-creation configuration that cannot be corrected without resource recreation: Artifact Registry locks format and mode, KMS cannot delete key rings or change key type/purpose/protection, GKE Workload Identity pool is not deletable, and Cloud SQL private IP cannot be removed — establishing a cross-service pattern where initial design mistakes are permanently embedded in the resource hierarchy.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-managed-service-risk-concentrates-in-naming-and-identity",
      "text": "GCP managed service risk concentrates in naming and identity dimensions: GKE naming collisions cascade through the managed service chain granting unintended IAM identity across Cloud Run, Pub/Sub, and Secret Manager integrations, while every managed service independently demands mastery of both application semantics and identity lifecycle — making naming conventions the single highest-leverage security control across the platform.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gcp-managed-services-shift-complexity-not-eliminate",
      "text": "GCP managed services (Cloud Run, GKE Autopilot) shift operational complexity rather than eliminating it: serverless networking requires VPC bridging, NAT chains, and peering navigation, while container security demands build attestation, binary authorization, and namespace-disciplined identity — both require the infrastructure expertise the managed abstractions were designed to replace.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-3000-sa-limit-metadata-server-oom",
      "text": "GKE clusters with more than 3,000 Kubernetes service accounts may cause metadata server pod OOM kills.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-alpha-clusters-standard-only",
      "text": "GKE alpha clusters for testing unstable Kubernetes features are available in Standard mode only.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-apparmor-default-selinux-not-supported",
      "text": "AppArmor default Docker profile is applied by the container runtime on all GKE containers; SELinux is not supported on GKE.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-artifact-registry-dependency",
      "text": "GKE cluster creation and upgrades pull container images from Artifact Registry (`pkg.dev` or `gcr.io`); an outage there can block new cluster creation and upgrades.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-autopilot-always-cos-and-workload-identity",
      "text": "GKE Autopilot always uses Container-Optimized OS and always has Workload Identity Federation enabled.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-autopilot-always-cos-containerd",
      "text": "GKE Autopilot nodes always use `cos_containerd` OS; Standard mode offers multiple OS choices.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-autopilot-always-regional",
      "text": "GKE Autopilot clusters are always regional and always enrolled in a release channel (default: Regular).",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-autopilot-billing-per-pod-request",
      "text": "GKE Autopilot bills per Pod resource request; Standard mode bills per node regardless of Pod utilization.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-autopilot-builtin-compute-classes",
      "text": "GKE Autopilot provides built-in ComputeClasses: `Balanced`, `Scale-Out`, and `autopilot-spot`.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-autopilot-complete-managed-kubernetes",
      "text": "GKE Autopilot provides a complete managed Kubernetes experience — always regional, pod-level billing, zero-node scaling, Google-managed nodes — suitable for all production workload types.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-autopilot-concentrates-risk-in-naming-conventions",
      "text": "GKE Autopilot eliminates all infrastructure operations (always regional, Google-managed nodes, pod-level billing) but the identity design it shifts to is itself fragile: Workload Identity isolation depends on namespace + service account naming conventions across clusters (same name = same IAM identity), and service accounts require active hardening against dual-nature privilege escalation — concentrating all Autopilot operational risk into Kubernetes naming discipline and IAM policy hygiene.",
      "truth_value": "OUT",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "gke-autopilot-dataplane-v2-default",
      "text": "GKE Dataplane V2 is enabled by default in Autopilot clusters, enabling network policy enforcement and observability.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    }
  ],
  "count": 75,
  "limit": 20,
  "offset": 0
}