
[Jan-2024] Professional-Cloud-DevOps-Engineer exam torrent Google study guide
Use Valid New Professional-Cloud-DevOps-Engineer Test Notes & Professional-Cloud-DevOps-Engineer Valid Exam Guide
NEW QUESTION # 52
You are developing a strategy for monitoring your Google Cloud Platform (GCP) projects in production using Stackdriver Workspaces. One of the requirements is to be able to quickly identify and react to production environment issues without false alerts from development and staging projects. You want to ensure that you adhere to the principle of least privilege when providing relevant team members with access to Stackdriver Workspaces. What should you do?
- A. Grant relevant team members the Project Viewer IAM role on all GCP production projects. Create Slackdriver workspaces inside each project.
- B. Create a new GCP monitoring project, and create a Stackdriver Workspace inside it. Attach the production projects to this workspace. Grant relevant team members read access to the Stackdriver Workspace.
- C. Choose an existing GCP production project to host the monitoring workspace. Attach the production projects to this workspace. Grant relevant team members read access to the Stackdriver Workspace.
- D. Grant relevant team members read access to all GCP production projects. Create Stackdriver workspaces inside each project.
Answer: B
Explanation:
"A Project can host many Projects and appear in many Projects, but it can only be used as the scoping project once. We recommend that you create a new Project for the purpose of having multiple Projects in the same scope."
NEW QUESTION # 53
You are developing reusable infrastructure as code modules. Each module contains integration tests that launch the module in a test project. You are using GitHub for source control. You need to Continuously test your feature branch and ensure that all code is tested before changes are accepted. You need to implement a solution to automate the integration tests. What should you do?
- A. Use Cloud Build to run the tests. Trigger all tests to run after a pull request is merged.
- B. Use a Jenkins server for Cl/CD pipelines. Periodically run all tests in the feature branch.
- C. Use Cloud Build to run tests in a specific folder. Trigger Cloud Build for every GitHub pull request.
- D. Ask the pull request reviewers to run the integration tests before approving the code.
Answer: C
Explanation:
Explanation
Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure. Cloud Build can import source code from Google Cloud Storage, Cloud Source Repositories, GitHub, or Bitbucket, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives1. Cloud Build can also run integration tests as part of your build steps2.
You can use Cloud Build to run tests in a specific folder by specifying the path to the folder in the dir field of your build step3. For example, if you have a folder named tests that contains your integration tests, you can use the following build step to run them:
steps:
- name: 'gcr.io/cloud-builders/go'
args: ['test', '-v']
dir: 'tests'
Copy
You can use Cloud Build to trigger builds for every GitHub pull request by using the Cloud Build GitHub app. The app allows you to automatically build on Git pushes and pull requests and view your build results on GitHub and Google Cloud console4. You can configure the app to run builds on specific branches, tags, or paths5. For example, if you want to run builds on pull requests that target the master branch, you can use the following trigger configuration:
includedFiles:
- '**'
name: 'pull-request-trigger'
github:
name: 'my-repo'
owner: 'my-org'
pullRequest:
branch: '^master$'
Using Cloud Build to run tests in a specific folder and trigger builds for every GitHub pull request is a good way to continuously test your feature branch and ensure that all code is tested before changes are accepted.
This way, you can catch any errors or bugs early and prevent them from affecting the main branch.
Using a Jenkins server for CI/CD pipelines is not a bad option, but it would require more setup and maintenance than using Cloud Build, which is fully managed by Google Cloud. Periodically running all tests in the feature branch is not as efficient as running tests for every pull request, as it may delay the feedback loop and increase the risk of conflicts or failures.
Using Cloud Build to run the tests after a pull request is merged is not a good practice, as it may introduce errors or bugs into the main branch that could have been prevented by testing before merging.
Asking the pull request reviewers to run the integration tests before approving the code is not a reliable way of ensuring code quality, as it depends on human intervention and may be prone to errors or oversights.
References:
1: Overview | Cloud Build Documentation | Google Cloud
2: Running integration tests | Cloud Build Documentation | Google Cloud
3: Build configuration overview | Cloud Build Documentation | Google Cloud
4: Building repositories from GitHub | Cloud Build Documentation | Google Cloud
5: Creating GitHub app triggers | Cloud Build Documentation | Google Cloud
NEW QUESTION # 54
You support a web application that is hosted on Compute Engine. The application provides a booking service for thousands of users. Shortly after the release of a new feature, your monitoring dashboard shows that all users are experiencing latency at login. You want to mitigate the impact of the incident on the users of your service. What should you do first?
- A. Deploy a new release to see whether it fixes the problem.
- B. Review the Stackdriver monitoring.
- C. Roll back the recent release.
- D. Upsize the virtual machines running the login services.
Answer: D
Explanation:
Rollback to previous stable version. Then you need to find what is causing the issue.
NEW QUESTION # 55
You are creating and assigning action items in a postmodern for an outage. The outage is over, but you need to address the root causes. You want to ensure that your team handles the action items quickly and efficiently.
How should you assign owners and collaborators to action items?
- A. Assign multiple owners for each item to guarantee that the team addresses items quickly
- B. Assign collaborators but no individual owners to the items to keep the postmortem blameless.
- C. Assign one owner for each action item and any necessary collaborators.
- D. Assign the team lead as the owner for all action items because they are in charge of the SRE team.
Answer: C
Explanation:
Explanation
https://devops.com/when-it-disaster-strikes-part-3-conducting-a-blameless-post-mortem/
NEW QUESTION # 56
As part of your company's initiative to shift left on security, the infoSec team is asking all teams to implement guard rails on all the Google Kubernetes Engine (GKE) clusters to only allow the deployment of trusted and approved images You need to determine how to satisfy the InfoSec teams goal of shifting left on security. What should you do?
- A. Use Binary Authorization to attest images during your CI CD pipeline
- B. Configure Identity and Access Management (1AM) policies to create a least privilege model on your GKE clusters
- C. Deploy Falco or Twistlock on GKE to monitor for vulnerabilities on your running Pods
- D. Enable Container Analysis in Artifact Registry, and check for common vulnerabilities and exposures (CVEs) in your container images
Answer: A
Explanation:
The best option for implementing guard rails on all GKE clusters to only allow the deployment of trusted and approved images is to use Binary Authorization to attest images during your CI/CD pipeline. Binary Authorization is a feature that allows you to enforce signature-based validation when deploying container images. You can use Binary Authorization to create policies that specify which images are allowed or denied in your GKE clusters. You can also use Binary Authorization to attest images during your CI/CD pipeline by using tools such as Container Analysis or third-party integrations. An attestation is a digital signature that certifies that an image meets certain criteria, such as passing vulnerability scans or code reviews. By using Binary Authorization to attest images during your CI/CD pipeline, you can ensure that only trusted and approved images are deployed to your GKE clusters.
NEW QUESTION # 57
Your team uses Cloud Build for all CI/CO pipelines. You want to use the kubectl builder for Cloud Build to deploy new images to Google Kubernetes Engine (GKE). You need to authenticate to GKE while minimizing development effort. What should you do?
- A. Specify the Container Developer role for Cloud Build in the cloudbuild.yaml file.
- B. Create a separate step in Cloud Build to retrieve service account credentials and pass these to kubectl.
- C. Create a new service account with the Container Developer role and use it to run Cloud Build.
- D. Assign the Container Developer role to the Cloud Build service account.
Answer: C
NEW QUESTION # 58
You are running an experiment to see whether your users like a new feature of a web application. Shortly after deploying the feature as a canary release, you receive a spike in the number of 500 errors sent to users, and your monitoring reports show increased latency. You want to quickly minimize the negative impact on users. What should you do first?
- A. Start monitoring latency, traffic, errors, and saturation.
- B. Record data for the postmortem document of the incident.
- C. Trace the origin of 500 errors and the root cause of increased latency.
- D. Roll back the experimental canary release.
Answer: C
NEW QUESTION # 59
You support a production service that runs on a single Compute Engine instance. You regularly need to spend time on recreating the service by deleting the crashing instance and creating a new instance based on the relevant image. You want to reduce the time spent performing manual operations while following Site Reliability Engineering principles. What should you do?
- A. Add a Load Balancer in front of the Compute Engine instance and use health checks to determine the system status.
- B. File a bug with the development team so they can find the root cause of the crashing instance.
- C. Create a Stackdriver Monitoring dashboard with SMS alerts to be able to start recreating the crashed instance promptly after it has crashed.
- D. Create a Managed Instance Group with a single instance and use health checks to determine the system status.
Answer: B
NEW QUESTION # 60
You have an application running in Google Kubernetes Engine. The application invokes multiple services per request but responds too slowly. You need to identify which downstream service or services are causing the delay. What should you do?
- A. Investigate the Liveness and Readiness probes for each service.
- B. Use a distributed tracing framework such as OpenTelemetry or Stackdriver Trace.
- C. Analyze VPC flow logs along the path of the request.
- D. Create a Dataflow pipeline to analyze service metrics in real time.
Answer: D
NEW QUESTION # 61
Your organization recently adopted a container-based workflow for application development. Your team develops numerous applications that are deployed continuously through an automated build pipeline to a Kubernetes cluster in the production environment. The security auditor is concerned that developers or operators could circumvent automated testing and push code changes to production without approval. What should you do to enforce approvals?
- A. Use an Admission Controller to verify that incoming requests originate from approved sources.
- B. Leverage Kubernetes Role-Based Access Control (RBAC) to restrict access to only approved users.
- C. Configure the build system with protected branches that require pull request approval.
- D. Enable binary authorization inside the Kubernetes cluster and configure the build pipeline as an attestor.
Answer: B
NEW QUESTION # 62
You are managing an application that exposes an HTTP endpoint without using a load balancer. The latency of the HTTP responses is important for the user experience. You want to understand what HTTP latencies all of your users are experiencing. You use Stackdriver Monitoring. What should you do?
- A. * In your application, create a metric with a metricKind set to gauge and a valueType set to distribution.
* In Stackdriver's Metrics Explorer, use a Heatmap graph to visualize the metric. - B. * In your application, create a metric with a metricKind set to CUMULATIVE and a valueType set to DOUBLE.
* In Stackdriver's Metrics Explorer, use a Line graph to visualize the metric. - C. * In your application, create a metric with a metricKind. set toMETRlc_KIND_UNSPECIFIEDanda valueType set to INT64.
* In Stackdriver's Metrics Explorer, use a Stacked Area graph to visualize the metric. - D. * In your application, create a metric with a metricKind set to DELTA and a valueType set to DOUBLE.
* In Stackdriver's Metrics Explorer, use a Slacked Bar graph to visualize the metric.
Answer: A
Explanation:
Explanation
https://sre.google/workbook/implementing-slos/
https://cloud.google.com/architecture/adopting-slos/
Latency is commonly measured as a distribution. Given a distribution, you can measure various percentiles.
For example, you might measure the number of requests that are slower than the historical 99th percentile.
NEW QUESTION # 63
Your organization recently adopted a container-based workflow for application development. Your team develops numerous applications that are deployed continuously through an automated build pipeline to the production environment. A recent security audit alerted your team that the code pushed to production could contain vulnerabilities and that the existing tooling around virtual machine (VM) vulnerabilities no longer applies to the containerized environment. You need to ensure the security and patch level of all code running through the pipeline. What should you do?
- A. Implement static code analysis tooling against the Docker files used to create the containers.
- B. Set up Container Analysis to scan and report Common Vulnerabilities and Exposures.
- C. Reconfigure the existing operating system vulnerability software to exist inside the container.
- D. Configure the containers in the build pipeline to always update themselves before release.
Answer: A
Explanation:
Explanation
https://cloud.google.com/binary-authorization
Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.
NEW QUESTION # 64
You use Spinnaker to deploy your application and have created a canary deployment stage in the pipeline. Your application has an in-memory cache that loads objects at start time. You want to automate the comparison of the canary version against the production version. How should you configure the canary analysis?
- A. Compare the canary with a new deployment of the previous production version.
- B. Compare the canary with a new deployment of the current production version.
- C. Compare the canary with the existing deployment of the current production version.
- D. Compare the canary with the average performance of a sliding window of previous production versions.
Answer: B
NEW QUESTION # 65
You use Cloud Build to build and deploy your application. You want to securely incorporate database credentials and other application secrets into the build pipeline. You also want to minimize the development effort. What should you do?
- A. Use client-side encryption to encrypt the secrets and store them in a Cloud Storage bucket. Store a decryption key in the bucket and grant Cloud Build access to the bucket.
- B. Use Cloud Key Management Service (Cloud KMS) to encrypt the secrets and include them in your Cloud Build deployment configuration. Grant Cloud Build access to the KeyRing.
- C. Encrypt the secrets and store them in the application repository. Store a decryption key in a separate repository and grant Cloud Build access to the repository.
- D. Create a Cloud Storage bucket and use the built-in encryption at rest. Store the secrets in the bucket and grant Cloud Build access to the bucket.
Answer: B
Explanation:
https://cloud.google.com/build/docs/securing-builds/use-encrypted-credentials
NEW QUESTION # 66
Your team is designing a new application for deployment into Google Kubernetes Engine (GKE). You need to set up monitoring to collect and aggregate various application-level metrics in a centralized location. You want to use Google Cloud Platform services while minimizing the amount of work required to set up monitoring. What should you do?
- A. Install the OpenTelemetry client libraries in the application, configure Stackdriver as the export destination for the metrics, and then observe the application's metrics in Stackdriver.
- B. Publish various metrics from the application directly to the Slackdriver Monitoring API, and then observe these custom metrics in Stackdriver.
- C. Emit all metrics in the form of application-specific log messages, pass these messages from the containers to the Stackdriver logging collector, and then observe metrics in Stackdriver.
- D. Install the Cloud Pub/Sub client libraries, push various metrics from the application to various topics, and then observe the aggregated metrics in Stackdriver.
Answer: A
NEW QUESTION # 67
Your company runs applications in Google Kubernetes Engine (GKE) that are deployed following a GitOps methodology.
Application developers frequently create cloud resources to support their applications. You want to give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recommended practices. You need to ensure that infrastructure as code reconciles periodically to avoid configuration drift.
What should you do?
- A. Create a Job resource with a Terraform docker image to execute terraforrm plan and terraform apply commands.
- B. Configure Cloud Build with a Terraform builder to execute plan and apply commands.
- C. Install and configure Config Connector in Google Kubernetes Engine (GKE).
- D. Create a Pod resource with a Terraform docker image to execute terraform plan and terraform apply commands.
Answer: C
Explanation:
Explanation
The best option to give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recommended practices, is to install and configure Config Connector in Google Kubernetes Engine (GKE).
Config Connector is a Kubernetes add-on that allows you to manage Google Cloud resources through Kubernetes. You can use Config Connector to create, update, and delete Google Cloud resources using Kubernetes manifests. Config Connector also reconciles the state of the Google Cloud resources with the desired state defined in the manifests, ensuring that there is no configuration drift1.
Config Connector follows the GitOps methodology, as it allows you to store your infrastructure configuration in a Git repository, and use tools such as Anthos Config Management or Cloud Source Repositories to sync the configuration to your GKE cluster. This way, you can use Git as the source of truth for your infrastructure, and enable reviewable and version-controlled workflows2.
Config Connector can be installed and configured in GKE using either the Google Cloud Console or the gcloud command-line tool. You need to enable the Config Connector add-on for your GKE cluster, and create a Google Cloud service account with the necessary permissions to manage the Google Cloud resources. You also need to create a Kubernetes namespace for each Google Cloud project that you want to manage with Config Connector3.
By using Config Connector in GKE, you can give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recommended practices. You can also benefit from the features and advantages of Kubernetes, such as declarative configuration, observability, and portability4.
References:
1: Overview | Artifact Registry Documentation | Google Cloud
2: Deploy Anthos on GKE with Terraform part 1: GitOps with Config Sync | Google Cloud Blog
3: Installing Config Connector | Config Connector Documentation | Google Cloud
4: Why use Config Connector? | Config Connector Documentation | Google Cloud
NEW QUESTION # 68
You have a CI/CD pipeline that uses Cloud Build to build new Docker images and push them to Docker Hub. You use Git for code versioning. After making a change in the Cloud Build YAML configuration, you notice that no new artifacts are being built by the pipeline. You need to resolve the issue following Site Reliability Engineering practices. What should you do?
- A. Disable the CI pipeline and revert to manually building and pushing the artifacts.
- B. Run a Git compare between the previous and current Cloud Build Configuration files to find and fix the bug.
- C. Upload the configuration YAML file to Cloud Storage and use Error Reporting to identify and fix the issue.
- D. Change the CI pipeline to push the artifacts to Container Registry instead of Docker Hub.
Answer: D
NEW QUESTION # 69
Your company's security team needs to have read-only access to Data Access audit logs in the _Required bucket You want to provide your security team with the necessary permissions following the principle of least privilege and Google-recommended practices. What should you do?
- A. Assign the roles/logging.privateLogviewer role to a group with all the security team members
- B. Assign the roles/logging, viewer role to each member of the security team
- C. Assign the roles/logging. viewer role to a group with all the security team members
- D. Assign the roles/logging.privateLogViewer role to each member of the security team
Answer: A
Explanation:
The best option for providing your security team with the necessary permissions following the principle of least privilege and Google-recommended practices is to assign the roles/logging.privateLogViewer role to a group with all the security team members. The roles/logging.privateLogViewer role is a predefined role that grants read-only access to Data Access audit logs and other private logs in Cloud Logging. A group is a collection of users that can be assigned roles and permissions as a single unit. You can assign the roles/logging.privateLogViewer role to a group with all the security team members by using IAM policies. This way, you can provide your security team with the minimum level of access they need to view Data Access audit logs in the _Required bucket.
NEW QUESTION # 70
......
Professional-Cloud-DevOps-Engineer Exam questions and answers: https://practicetorrent.exam4pdf.com/Professional-Cloud-DevOps-Engineer-dumps-torrent.html

