You need to enforce several constraint templates across your Google Kubernetes Engine (GKE) clusters. The constraints include policy parameters, such as restricting the Kubernetes API. You must ensure that the policy parameters are stored in a GitHub repository and automatically applied when changes occur. What should you do?
Correct Answer: C
Comprehensive and Detailed Explanation From General GKE and GitOps Knowledge: The requirements are: enforce constraint templates (implying a policy agent like OPA Gatekeeper) on GKE, store policy parameters in a GitHub repository, and automatically apply changes from the GitHub repository to the clusters. This is a classic GitOps scenario.

A: Set up a GitHub action to trigger Cloud Build when there is a parameter change. In Cloud Build, run a gcloud CLI command to apply the change. This is a plausible CI/CD approach. GitHub Actions can trigger Cloud Build, which can then use kubectl or gcloud to apply configurations. However, this is a push-based imperative approach. GitOps tools offer a more declarative, pull-based model specifically designed for syncing Kubernetes configurations.

B: When there is a change in GitHub, use a webhook to send a request to Cloud Service Mesh, and apply the change. Cloud Service Mesh (based on Istio) is primarily for managing traffic, security, and observability for microservices. It is not designed for applying general Kubernetes policy configurations like Gatekeeper constraints from a Git repository.

C: Configure Config Sync with the GitHub repository. When there is a change in the repository, use Config Sync to apply the change. Config Sync is a Google Cloud product specifically designed for GitOps with GKE (and other Kubernetes clusters). It synchronizes configurations (including CustomResourceDefinitions for constraint templates and the constraints themselves) from a Git repository (like GitHub) to your clusters. It continuously monitors the repository and automatically applies any committed changes to the clusters, ensuring they remain in the desired state. This perfectly matches the requirements.

D: Configure Config Connector with the GitHub repository. When there is a change in the repository, use Config Connector to apply the change. Config Connector allows you to manage Google Cloud resources (like Pub/Sub topics, Spanner instances, etc.) using Kubernetes-style declarative configurations and kubectl. While it uses Kubernetes tooling, its primary purpose is managing Google Cloud resources, not syncing general Kubernetes configurations like Gatekeeper constraints from Git. Config Sync is the tool for syncing arbitrary Kubernetes manifests from Git to a cluster.

Config Sync is the Google Cloud tool built for the exact purpose described: maintaining consistency between Kubernetes cluster configurations and a Git repository using a GitOps model.

Reference (Based on Google Cloud GKE and Config Sync documentation): Config Sync Overview: https://cloud.google.com/anthos-config-management/docs/config-sync-overview or https://cloud.google.com/kubernetes-engine/docs/add-on/config-sync/overview (if referring to it as a GKE add-on). "Config Sync is a GitOps tool that helps you keep your Google Kubernetes Engine (GKE) Enterprise edition clusters synchronized with configs stored in a Git repository." It supports syncing various Kubernetes objects, including CustomResources, which are used by OPA Gatekeeper for defining constraints and constraint templates. It automatically pulls changes from the Git repository and applies them, which meets the "automatically applied when changes occur" requirement.
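The following manifests are an added illustration of option C and are not part of the original question or of Google's documentation. They show the three pieces a practitioner would commit to the Git repository and the cluster: a RootSync object that points Config Sync at a GitHub repository, a Gatekeeper ConstraintTemplate, and a Constraint that carries the policy parameters. The repository URL, branch, directory, Secret name, and the "owner" label requirement are assumptions chosen for the example; the K8sRequiredLabels template follows the structure used by the open-source Gatekeeper library.

```yaml
# --- Applied once to the cluster (not stored in the repo) ---
# RootSync tells Config Sync which GitHub repo/branch/directory to watch.
# Config Sync pulls the repo, applies every manifest under spec.git.dir,
# and re-applies on each new commit. Example values are placeholders.
apiVersion: configsync.gke.io/v1beta1
kind: RootSync
metadata:
  name: root-sync
  namespace: config-management-system
spec:
  sourceFormat: unstructured          # plain directory of manifests, no hierarchy rules
  git:
    repo: https://github.com/example-org/gke-policies   # assumed repo URL
    branch: main
    dir: policies                     # assumed directory holding the policy manifests
    auth: token                       # Secret "git-creds" holds GitHub username + token
    secretRef:
      name: git-creds
---
# --- policies/template-required-labels.yaml (committed to the repo) ---
# ConstraintTemplate: defines the policy logic and the schema of its parameters.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labels:                   # the parameter the Constraint below fills in
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("you must provide labels: %v", [missing])
        }
---
# --- policies/constraint-ns-owner.yaml (committed to the repo) ---
# Constraint: binds the template to Namespaces and supplies the parameters.
# Changing spec.parameters here and pushing the commit is all that is needed;
# Config Sync applies the new values to every cluster that syncs this repo.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: ns-must-have-owner
spec:
  enforcementAction: deny             # set to "dryrun" first to audit before blocking
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels: ["owner"]                 # assumed label every Namespace must carry
```

Because the ConstraintTemplate and the Constraint live in the same synced directory, a reviewer can see the policy parameters change in a pull request, and Config Sync's status (for example `nomos status` or the RootSync `.status` conditions) shows whether each cluster has reconciled the commit.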
Question 72
Your application images are built and pushed to Google Container Registry (GCR). You want to build an automated pipeline that deploys the application when the image is updated while minimizing the development effort. What should you do?
Correct Answer: D
Question 73
You are running a web application that connects to an AlloyDB cluster by using a private IP address in your default VPC. You need to run a database schema migration in your CI/CD pipeline by using Cloud Build before deploying a new version of your application. You want to follow Google-recommended security practices. What should you do?
Correct Answer: D
Question 74
A third-party application needs to have a service account key to work properly. When you try to export the key from your cloud project, you receive an error: "The organization policy constraint iam.disableServiceAccountKeyCreation is enforced." You need to make the third-party application work while following Google-recommended security practices. What should you do?
Correct Answer: D
The best option for making the third-party application work while following Google-recommended security practices is to add a rule to set the iam.disableServiceAccountKeyCreation policy to off in your project and create a key. The iam.disableServiceAccountKeyCreation policy is an organization policy that controls whether service account keys can be created in a project or organization. By default, this policy is set to on, which means that service account keys cannot be created. However, you can override this policy at a lower level, such as a project, by adding a rule to set it to off. This way, you can create a service account key for your project without affecting other projects or organizations. You should also follow the best practices for managing service account keys, such as rotating them regularly, storing them securely, and deleting them when they are no longer needed.
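As an added illustration of the override described above (not from the original question or Google's documentation), the policy file below relaxes iam.disableServiceAccountKeyCreation at the project level only. The project ID, service account name, and output file name are placeholders; the gcloud commands in the comments are the standard `gcloud org-policies set-policy` and `gcloud iam service-accounts keys create` invocations.

```yaml
# policy.yaml - scoped to a single project so the organization-level
# constraint keeps applying everywhere else. PROJECT_ID is a placeholder.
name: projects/PROJECT_ID/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
    - enforce: false        # disables the boolean constraint in this project only
# Apply the override (requires orgpolicy.policy.set on the project):
#   gcloud org-policies set-policy policy.yaml
#
# Create the key for the third-party application (placeholder names):
#   gcloud iam service-accounts keys create third-party-key.json \
#       --iam-account=third-party-app@PROJECT_ID.iam.gserviceaccount.com
#
# Lifecycle reminders from the explanation above: rotate the key on a schedule,
# keep it in a secrets manager rather than in source control, and delete it
# (gcloud iam service-accounts keys delete KEY_ID --iam-account=...) when the
# integration is retired.
```

Keeping the override in a file next to the rest of the project's configuration makes the exception visible in review, and `gcloud org-policies describe iam.disableServiceAccountKeyCreation --project=PROJECT_ID --effective` shows whether the constraint is still enforced after the change.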
Question 75
Your team of Infrastructure DevOps Engineers is growing, and you are starting to use Terraform to manage infrastructure. You need a way to implement code versioning and to share code with other team members. What should you do?