Google Professional-Cloud-DevOps-Engineer Google Cloud Certified - Professional Cloud DevOps Engineer Exam Exam Practice Test

https://cloud.google.com/build/docs/securing-builds/use-encrypted-credentials

https://cloud.google.com/binary-authorization

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.

https://cloud.google.com/architecture/adopting-slos?hl=en

https://sre.google/workbook/implementing-slos/

https://cloud.google.com/architecture/adopting-slos/

Latency is commonly measured as a distribution. Given a distribution, you can measure various percentiles. For example, you might measure the number of requests that are slower than the historical 99th percentile.

Scaling App Engine scales the number of instances automatically in response to processing volume. This scaling factors in the automatic_scaling settings that are provided on a per-version basis in the configuration file. A service with basic scaling is configured by setting the maximum number of instances in the max_instances parameter of the basic_scaling setting. The number of live instances scales with the processing volume. You configure the number of instances of each version in that service's configuration file. The number of instances usually corresponds to the size of a dataset being held in memory or the desired throughput for offline work. You can adjust the number of instances of a manually-scaled version very quickly, without stopping instances that are currently running, using the Modules API set_num_instances function. https://cloud.google.com/appengine/docs/standard/python/how-instances-are-managed

https://cloud.google.com/appengine/docs/standard/python/config/appref

max_idle_instances Optional. The maximum number of idle instances that App Engine should maintain for this version. Specify a value from 1 to 1000. If not specified, the default value is automatic, which means App Engine will manage the number of idle instances. Keep the following in mind: A high maximum reduces the number of idle instances more gradually when load levels return to normal after a spike. This helps your application maintain steady performance through fluctuations in request load, but also raises the number of idle instances (and consequent running costs) during such periods of heavy load.

https://sre.google/sre-book/managing-incidents/

https://sre.google/workbook/incident-response/

"The main roles in incident response are the Incident Commander (IC), Communications Lead (CL), and Operations or Ops Lead (OL)."

Eliminate bad monitoring : Unactionable alerts (i.e., spam) https://cloud.google.com/blog/products/management-tools/meeting-reliability-challenges-with-sre-principles

agree with kyubiblaze about having to remove unactionable items aka spam: "good monitoring alerts on actionable problems" @ https://cloud.google.com/blog/products/management-tools/meeting-reliability-challenges-with-sre-principles

The best option to give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recommended practices, is to install and configure Config Connector in Google Kubernetes Engine (GKE).

Config Connector is a Kubernetes add-on that allows you to manage Google Cloud resources through Kubernetes. You can use Config Connector to create, update, and delete Google Cloud resources using Kubernetes manifests. Config Connector also reconciles the state of the Google Cloud resources with the desired state defined in the manifests, ensuring that there is no configuration drift1.

Config Connector follows the GitOps methodology, as it allows you to store your infrastructure configuration in a Git repository, and use tools such as Anthos Config Management or Cloud Source Repositories to sync the configuration to your GKE cluster. This way, you can use Git as the source of truth for your infrastructure, and enable reviewable and version-controlled workflows2.

Config Connector can be installed and configured in GKE using either the Google Cloud Console or the gcloud command-line tool. You need to enable the Config Connector add-on for your GKE cluster, and create a Google Cloud service account with the necessary permissions to manage the Google Cloud resources. You also need to create a Kubernetes namespace for each Google Cloud project that you want to manage with Config Connector3.

By using Config Connector in GKE, you can give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recommended practices. You can also benefit from the features and advantages of Kubernetes, such as declarative configuration, observability, and portability4.

References:

1: Overview | Artifact Registry Documentation | Google Cloud

2: Deploy Anthos on GKE with Terraform part 1: GitOps with Config Sync | Google Cloud Blog

3: Installing Config Connector | Config Connector Documentation | Google Cloud

4: Why use Config Connector? | Config Connector Documentation | Google Cloud

https://cloud.google.com/binary-authorization

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.

(https://sre.google/workbook/implementing-slos/#slo-decision-matrix )

https://cloud.google.com/container-registry/docs/pushing-and-pulling

The best option for providing your security team with the necessary permissions following the principle of least privilege and Google-recommended practices is to assign the roles/logging.privateLogViewer role to a group with all the security team members. The roles/logging.privateLogViewer role is a predefined role that grants read-only access to Data Access audit logs and other private logs in Cloud Logging. A group is a collection of users that can be assigned roles and permissions as a single unit. You can assign the roles/logging.privateLogViewer role to a group with all the security team members by using IAM policies. This way, you can provide your security team with the minimum level of access they need to view Data Access audit logs in the _Required bucket.

Terraform is an open-source tool that allows you to define and provision infrastructure as code1. Terraform can be used to create and manage Google Cloud resources, such as projects, networks, and services2. The Cloud Foundation Toolkit is a set of open-source Terraform modules and tools that provide best practices and guidance for deploying Google Cloud infrastructure3. The Cloud Foundation Toolkit includes Terraform repositories for creating Google Cloud projects and related resources, such as IAM policies, APIs, service accounts, and billing4. By using the Terraform repositories from the Cloud Foundation Toolkit, you can design a fast, reliable, and repeatable solution for your company to provision new projects and basic resources in Google Cloud. You can also customize the Terraform code to suit your specific needs and preferences.

For a postmortem to be truly blameless, it must focus on identifying the contributing causes of the incident without indicting any individual or team for bad or inappropriate behavior.

The best option for implementing the rollback actions is to update the Kubernetes Service to point to the previous Kubernetes Deployment. A Kubernetes Service is a resource that defines how to access a set of Pods. A Kubernetes Deployment is a resource that manages the creation and update of Pods. By using the blue/green deployment methodology, you can create two Deployments, one for the current version (blue) and one for the new version (green), and use a Service to switch traffic between them. If you need to rollback, you can update the Service to point to the previous Deployment (blue) and stop sending traffic to the new Deployment (green).

The best option for managing all charts uniformly, with native access control and VPC Service Controls is to store public and private charts in OCI format by using Artifact Registry. Artifact Registry is a service that allows you to store and manage container images and other artifacts in Google Cloud. Artifact Registry supports OCI format, which is an open standard for storing container images and other artifacts such as Helm charts. You can use Artifact Registry to store public and private charts in OCI format and manage them uniformly. You can also use Artifact Registry’s native access control features, such as IAM policies and VPC Service Controls, to secure your charts and control who can access them.

The correct answer is A. Communicate your intent to the incident team. Perform a load analysis to determine if the remaining nodes can handle the increase in traffic offloaded from the removed node, and scale appropriately. When any new nodes report healthy, drain traffic from the unhealthy node, and remove the unhealthy node from service.

This answer follows the Google-recommended practices for incident management, as described in the Chapter 9 - Incident Response, Google SRE Book1. According to this source, some of the best practices are:

• Maintain a clear line of command. Designate clearly defined roles. Keep a working record of debugging and mitigation as you go. Declare incidents early and often.
• Communicate your intent before taking any action that might affect the service or the incident response. This helps to avoid confusion, duplication of work, or unintended consequences.
• Perform a load analysis before removing a node from the load balancer pool, as this might affect the capacity and performance of the service. Scale the pool as necessary to handle the expected load.
• Drain traffic from the unhealthy node before removing it from service, as this helps to avoid dropping requests or causing errors for users.

Answer A follows these best practices by communicating the intent to the incident team, performing a load analysis and scaling the pool, and draining traffic from the unhealthy node before removing it.

Answer B does not follow the best practice of performing a load analysis before adding or removing nodes, as this might cause overloading or underutilization of resources.

Answer C does not follow the best practice of communicating the intent before taking any action, as this might cause confusion or conflict with other responders.

Answer D does not follow the best practice of draining traffic from the unhealthy node before removing it, as this might cause errors for users.

References:

1: Chapter 9 - Incident Response, Google SRE Book

The best option for detecting consumption of an error budget to protect customers and define release policies is to create a service level objective (SLO) and create an alert policy on select_slo_burn_rate. A SLO is a target value or range of values for a service level indicator (SLI) that measures some aspect of the service quality, such as availability or latency. An error budget is the amount of time or number of errors that a service can tolerate while still meeting its SLO. A select_slo_burn_rate is a metric that indicates how fast the error budget is being consumed by the service. By creating an alert policy on select_slo_burn_rate, you can trigger notifications or actions when the error budget consumption exceeds a certain threshold. This way, you can balance change, velocity, and reliability of the service by adjusting the release policies based on the error budget status.

The best options for defining triggers that indicate whether an incident requires a postmortem based on Site Reliability Engineering (SRE) practices are an external stakeholder asks for a postmortem and data is lost due to an incident. An external stakeholder is someone who is affected by or has an interest in the service, such as a customer or a partner. If an external stakeholder asks for a postmortem, it means that they are concerned about the impact or root cause of the incident, and they expect an explanation and remediation from the service provider. Therefore, this should trigger a postmortem to address their concerns and improve their satisfaction. Data loss is a serious consequence of an incident that can affect the integrity and reliability of the service. If data is lost due to an incident, it means that there was a failure in the backup or recovery mechanisms, or that there was a corruption or deletion of data. Therefore, this should trigger a postmortem to investigate the cause and impact of the data loss, and to prevent it from happening again.

The best option for determining whether the increase in availability is worth the investment for a single year of usage is to calculate the value of improved availability to be $900, and determine that the increase in availability is not worth the investment. To calculate the value of improved availability, we can use the following formula:

Value of improved availability = Revenue * (New availability - Current availability)

Plugging in the given numbers, we get:

Value of improved availability = $1,000,000 * (0.9999 - 0.999) = $900

Since the value of improved availability is less than the investment of $2,000, we can conclude that the increase in availability is not worth the investment.

The best option for sharing a Cloud Monitoring custom dashboard with a partner team is to provide the partner team with the dashboard URL to enable the partner team to create a copy of the dashboard. A Cloud Monitoring custom dashboard is a dashboard that allows you to create and customize charts and widgets to display metrics, logs, and traces from your Google Cloud resources and applications. You can share a custom dashboard with a partner team by providing them with the dashboard URL, which is a link that allows them to view the dashboard in their browser. The partner team can then create a copy of the dashboard in their own project by using the Copy Dashboard option. This way, they can access and modify the dashboard without affecting the original one.

The correct answer is D. Review the design of the product with the product development team to provide feedback early in the design phase.

According to the Google Cloud DevOps best practices, a Site Reliability Engineer (SRE) should collaborate with the product development team from the beginning of the product lifecycle, not just after the product is deployed or tested. This way, the SRE can provide operational input on the product design, such as scalability, reliability, security, and cost efficiency. The SRE can also help define service level objectives (SLOs) and service level indicators (SLIs) for the product, as well as monitoring and alerting strategies. By collaborating early and often, the SRE and the product development team can ensure that the product meets the operational requirements and expectations of the customers.

The correct answer is C. Configure Cloud Profiler, and initialize the cloud.google.com/go/profiler library in the application.

According to the Google Cloud documentation, Cloud Profiler is a statistical, low-overhead profiler that continuously gathers CPU usage and memory-allocation information from your production applications1. Cloud Profiler can help you identify slow paths in your code and optimize the performance of your applications. Cloud Profiler supports applications written in Go that run on App Engine standard environment2. To use Cloud Profiler, you need to configure it in your Google Cloud project and initialize the cloud.google.com/go/profiler library in your application code3. You can then use the Cloud Profiler interface to analyze the profiling data and visualize the results by using flame graphs4. Cloud Profiler has minimal performance impact and management overhead, as it only samples a small fraction of the application activity and does not require any additional infrastructure or agents.

The other options are incorrect because they do not meet the requirements of minimizing performance impact and management overhead. Option A is incorrect because it requires installing a continuous profiling tool into Compute Engine, which is an additional infrastructure that needs to be managed and maintained. Option B is incorrect because it requires periodically running the go tool pprof command against the application instance, which is a manual and disruptive process that can affect the application performance. Option D is incorrect because it only uses Cloud Monitoring to assess the App Engine CPU utilization metric, which is not enough to identify slow paths in the code or optimize the application performance.

The best option for storing all organization logs for seven years and avoiding any future loss of log capture or stored logs due to misconfiguration or human error is to use Cloud Logging to configure an aggregated sink at the organization level to export all logs into Cloud Storage with a seven-year retention policy and Bucket Lock. Cloud Logging is a service that allows you to collect and manage logs from your Google Cloud resources and applications. An aggregated sink is a sink that collects logs from multiple sources, such as projects, folders, or organizations. You can use Cloud Logging to configure an aggregated sink at the organization level to export all logs into Cloud Storage, which is a service that allows you to store and access data in Google Cloud. A retention policy is a policy that specifies how long objects in a bucket are retained before they are deleted. Bucket Lock is a feature that allows you to lock a retention policy on a bucket and prevent it from being reduced or removed. You can use Cloud Storage with a seven-year retention policy and Bucket Lock to ensure that your logs are stored for seven years and protected from accidental or malicious deletion.

The correct answer is D. Modify the application to use Cloud Logging software development kit (SDK), and send log entries with a jsonPayload field.

Cloud Logging SDKs are libraries that allow you to write structured logs from your Cloud Run application. You can use the SDKs to create log entries with a jsonPayload field, which contains a JSON object with the properties of your log entry. The jsonPayload field allows you to use advanced features of Cloud Logging, such as filtering, querying, and exporting logs based on the properties of your log entry1.

To use Cloud Logging SDKs, you need to install the SDK for your programming language, and then use the SDK methods to create and send log entries to Cloud Logging. For example, if you are using Node.js, you can use the following code to write a structured log entry with a jsonPayload field2:

// Imports the Google Cloud client library

const {Logging} = require('@google-cloud/logging');

// Creates a client

const logging = new Logging();

// Selects the log to write to

const log = logging.log('my-log');

// The data to write to the log

const text = 'Hello, world!';

const metadata = {

// Set the Cloud Run service name and revision as labels

labels: {

service_name: process.env.K_SERVICE || 'unknown',

revision_name: process.env.K_REVISION || 'unknown',

},

// Set the log entry payload type and value

jsonPayload: {

message: text,

timestamp: new Date(),

},

};

// Prepares a log entry

const entry = log.entry(metadata);

// Writes the log entry

await log.write(entry);

console.log(`Logged: ${text}`);

Using Cloud Logging SDKs is the best way to convert unstructured logs to structured logs, as it provides more flexibility and control over the format and content of your log entries.

Using a Fluent Bit sidecar container is not a good option, as it adds complexity and overhead to your Cloud Run application. Fluent Bit is a lightweight log processor and forwarder that can be used to collect and parse logs from various sources and send them to different destinations3. However, Cloud Run does not support sidecar containers, so you would need to run Fluent Bit as part of your main container image. This would require modifying your Dockerfile and configuring Fluent Bit to read logs from supported locations and parse them as JSON. This is more cumbersome and less reliable than using Cloud Logging SDKs.

Using the log agent in the Cloud Run container image is not possible, as the log agent is not supported on Cloud Run. The log agent is a service that runs on Compute Engine or Google Kubernetes Engine instances and collects logs from various applications and system components. However, Cloud Run does not allow you to install or run any agents on its underlying infrastructure, as it is a fully managed service that abstracts away the details of the underlying platform.

Storing the password directly in the code is not a good practice, as it exposes sensitive information and makes it hard to change or rotate the password. It also requires rebuilding and redeploying the application each time the password changes, which adds unnecessary work and downtime.

References:

1: Writing structured logs | Cloud Run Documentation | Google Cloud

2: Write structured logs | Cloud Run Documentation | Google Cloud

3: Fluent Bit - Fast and Lightweight Log Processor & Forwarder

Logging Best Practices for Serverless Applications - Google Codelabs

About the logging agent | Cloud Logging Documentation | Google Cloud

Cloud Run FAQ | Google Cloud

The best option for deploying a containerized web application to Google Cloud with the given acceptance criteria is to use Google Kubernetes Engine (GKE) with Anthos Service Mesh. GKE is a managed service for running Kubernetes clusters on Google Cloud, and Anthos Service Mesh is a service mesh that provides observability, traffic management, and security features for microservices. With Anthos Service Mesh, you can use traffic splitting to direct traffic from Android devices to an Android-specific microservice by configuring the user-agent header in the virtual service. You can also use traffic splitting to direct arbitrary percentage-based traffic to different versions of any microservice for continuous testing. For example, you can use a canary release strategy to direct 10% of user traffic to a new version of a microservice and monitor its performance and reliability.

https://cloud.google.com/monitoring/support/notification-options#creating_channels

To configure SMS notifications, do the following:

In the SMS section, click Add new and follow the instructions. Click Save. When you set up your alerting policy, select the SMS notification type and choose a verified phone number from the list.

Creating a development environment for writing code and a test environment for configurations, experiments, and load testing is the best practice to reduce the number of bugs and outages in production and to enable testers to load test new features. This way, the production environment is isolated from changes that could affect its stability and performance.

Reason : Incident has not occurred yet, even when development team is already pushing new features multiple times a week. The option A says, to define an error budget "policy", not to define error budget(It is already present). Just simple means to bring in all stakeholders, and decide how to consume the error budget effectively that could bring balance between feature deployment and reliability.

The goals of this policy are to: -- Protect customers from repeated SLO misses -- Provide an incentive to balance reliability with other features https://sre.google/workbook/error-budget-policy/

A change advisory board (CAB) is a traditional way of approving changes to a service, but it can slow down the software delivery performance and introduce bottlenecks. A better way to improve the speed and quality of changes is to use a peer-review based process for individual changes that is enforced at code check-in time and supported by automated tests. This way, developers can get fast feedback on the impact of their changes and catch any errors or bugs before they reach production. Additionally, the team’s development platform should enable developers to get fast feedback on the impact of their changes, such as using Cloud Code, Cloud Build, or Cloud Debugger.

https://cloud.google.com/kubernetes-engine/docs/tutorials/autoscaling-metrics

The Google Cloud HTTP Load Balancer (GCLB) provides metrics on the number of requests and the response latency for each backend service. These metrics can be used as custom metrics for the horizontal pod autoscaler (HPA) to scale the deployment based on the load. This is the correct solution to use an appropriate SLI for scaling.

https://cloud.google.com/architecture/automated-canary-analysis-kubernetes-engine-spinnaker

https://spinnaker.io/guides/user/canary/best-practices/#compare-canary-against-baseline-not-against-production

Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure1. Cloud Build can be used as a pipeline runner for your CI pipeline, which is a process that automates the integration and testing of your code2. Cloud Build private pools are private, dedicated pools of workers that offer greater customization over the build environment, including the ability to access resources in a private VPC network3. A VPC network is a virtual network that provides connectivity for your Google Cloud resources and services. By using Cloud Build private pools, you can implement a solution that minimizes management overhead, as Cloud Build private pools are hosted and fully-managed by Cloud Build and scale up and down to zero, with no infrastructure to set up, upgrade, or scale3. You can also implement a solution that meets your security requirement, as Cloud Build private pools use network peering to connect into your private VPC network and do not expose API traffic publicly.

The correct answer is A. Notify the team that their error budget is used up. Negotiate with the team for a launch freeze or tolerate a slightly worse user experience.

According to the Site Reliability Engineering (SRE) practices, an error budget is the amount of unreliability that a service can tolerate without harming user satisfaction1. An error budget is derived from the service-level objectives (SLOs), which are the measurable goals for the service quality2. When a service exceeds its error budget, it means that it has violated its SLOs and may have negatively impacted the users. In this case, the SRE team should notify the product team that their error budget is used up and negotiate with them for a launch freeze or a lower SLO3. A launch freeze means that no new features are deployed until the service reliability is restored. A lower SLO means that the product team accepts a slightly worse user experience in exchange for launching new features. Both options require a trade-off between reliability and innovation, and should be agreed upon by both teams.

The other options are incorrect because they do not follow the SRE practices. Option B is incorrect because it violates the principle of error budget autonomy, which means that each service should have its own error budget and SLOs, and should not borrow or reallocate them from other services4. Option C is incorrect because it does not address the root cause of the error budget overspend, and may create unrealistic expectations for the service reliability. Option D is incorrect because it does not prevent the possibility of introducing new errors or bugs with the feature launch, which may further degrade the service quality and user satisfaction.

https://cloud.google.com/storage/docs/best-practices

https://cloud.google.com/build/docs/speeding-up-builds#caching_directories_with_google_cloud_storage

Caching directories with Google Cloud Storage To increase the speed of a build, reuse the results from a previous build. You can copy the results of a previous build to a Google Cloud Storage bucket, use the results for faster calculation, and then copy the new results back to the bucket. Use this method when your build takes a long time and produces a small number of files that does not take time to copy to and from Google Cloud Storage.

   upvoted 2 times

The best option for ensuring that the warehouse system accurately reflects product inventory at the time orders are placed and minimizing the impact on customers is to increase the number of Pod replicas. Increasing the number of Pod replicas will increase the scalability and availability of your microservice, which will allow it to handle more Pub/Sub messages and update stock information faster. This way, you can reduce the backlog of undelivered messages and oldest unacknowledged message age, which are causing delays in updating product inventory. You can use Horizontal Pod Autoscaler or Cloud Monitoring metrics-based autoscaling to automatically adjust the number of Pod replicas based on load or custom metrics.

The correct answer is A. Check the node/ephemeral_storage/used_bytes metric by using Metrics Explorer.

The node/ephemeral_storage/used_bytes metric reports the total amount of ephemeral storage used by Pods on each node1. You can use Metrics Explorer to query and visualize this metric and filter it by node name, namespace, or Pod name2. This way, you can identify which Pods are consuming the most ephemeral storage and causing disk pressure on the nodes. You do not need to have execute access to the workloads or nodes to use Metrics Explorer.

The other options are incorrect because they require execute access to the workloads or nodes, which you do not have. The df -h and du -sh * commands are Linux commands that can measure disk usage, but you need to run them inside the Pods or on the nodes, which is not possible in your scenario34.

https://cloud.google.com/kubernetes-engine/docs/concepts/custom-and-external-metrics#custom_metrics

https://github.com/GoogleCloudPlatform/k8s-stackdriver/blob/master/custom-metrics-stackdriver-adapter/README.md

Your application can report a custom metric to Cloud Monitoring. You can configure Kubernetes to respond to these metrics and scale your workload automatically. For example, you can scale your application based on metrics such as queries per second, writes per second, network performance, latency when communicating with a different application, or other metrics that make sense for your workload. https://cloud.google.com/kubernetes-engine/docs/concepts/custom-and-external-metrics

https://devops.com/when-it-disaster-strikes-part-3-conducting-a-blameless-post-mortem/

https://cloud.google.com/monitoring/access-control

https://cloud.google.com/monitoring/agent/monitoring/troubleshooting#checklist

The correct answer is C. Change the machine type for your VMs to n2-standard-8.

According to the Google Cloud documentation, the network throughput performance of a Compute Engine VM depends on its machine type1. The n2-standard-2 machine type has a maximum egress bandwidth of 4 Gbps, which can be a bottleneck for serving large files. By changing the machine type to n2-standard-8, you can increase the maximum egress bandwidth to 16 Gbps, which can improve the network throughput performance and reduce the download time for users. You also need to enable per VM Tier_1 networking performance, which is a feature that allows VMs to achieve higher network performance than the default settings2.

The other options are incorrect because they do not improve the network throughput performance of your VMs. Option A is incorrect because Cloud NAT is a service that allows private IP addresses to access the internet, but it does not increase the network bandwidth or speed3. Option B is incorrect because adding additional network interfaces (NICs) or IP addresses per NIC does not increase ingress or egress bandwidth for a VM1. Option D is incorrect because deploying the Ops Agent can help you monitor and troubleshoot your VMs, but it does not affect the network throughput performance4.