Professional-Cloud-DevOps-Engineer Google Cloud Certified - Professional Cloud DevOps Engineer Exam Free Practice Exam Questions (2025 Updated)

The best options for ensuring that the pipelines that run in the Pods have the appropriate IAM permissions to perform the Terraform deployments are to create a new Kubernetes service account and assign the service account to the Pods, and to use Workload Identity to authenticate as the Google service account. A Kubernetes service account is an identity that represents an application or a process running in a Pod. A Google service account is an identity that represents a Google Cloud resource or service. Workload Identity is a feature that allows you to bind Kubernetes service accounts to Google service accounts. By using Workload Identity, you can avoid creating and managing JSON service account keys, which are less secure and require more maintenance. You can also assign the appropriate IAM permissions to the Google service account that corresponds to the Kubernetes service account.

The best option for centralizing the logs generated by Google Cloud services from all projects only inside your production folder is to create an aggregated log sink associated with the production folder that uses a Cloud Logging bucket as the destination. An aggregated log sink is a log sink that collects logs from multiple sources, such as projects, folders, or organizations. A Cloud Logging bucket is a storage location for logs that can be used as a destination for log sinks. By creating an aggregated log sink with a Cloud Logging bucket, you can collect and store all the logs from the production folder in one place and allow for alerting and near-real time analysis using Cloud Monitoring and Cloud Operations.

https://cloud.google.com/container-registry/docs/pushing-and-pulling

The best option for ensuring that the warehouse system accurately reflects product inventory at the time orders are placed and minimizing the impact on customers is to increase the number of Pod replicas. Increasing the number of Pod replicas will increase the scalability and availability of your microservice, which will allow it to handle more Pub/Sub messages and update stock information faster. This way, you can reduce the backlog of undelivered messages and oldest unacknowledged message age, which are causing delays in updating product inventory. You can use Horizontal Pod Autoscaler or Cloud Monitoring metrics-based autoscaling to automatically adjust the number of Pod replicas based on load or custom metrics.

The correct answer is D. Grant the roles/storage.objectAdmin Identity and Access Management (IAM) role to the Cloud Build service account on the state file bucket.

According to the Google Cloud documentation, Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure1. Cloud Build uses a service account to execute your build steps and access resources, such as Cloud Storage buckets2. Terraform is an open-source tool that allows you to define and provision infrastructure as code3. Terraform uses a state file to store and track the state of your infrastructure4. You can configure Terraform to use a Cloud Storage bucket as a backend to store and share the state file across multiple users or environments5.

The error message indicates that Cloud Build failed to access the Cloud Storage bucket that contains the Terraform state file. This is likely because the Cloud Build service account does not have the necessary permissions to read and write objects in the bucket. To resolve this issue, you need to grant the roles/storage.objectAdmin IAM role to the Cloud Build service account on the state file bucket. This role allows the service account to create, delete, and manage objects in the bucket6. You can use the gcloud command-line tool or the Google Cloud Console to grant this role.

The other options are incorrect because they do not follow Google-recommended practices. Option A is incorrect because it changes the Terraform code to use local state, which is not recommended for production or collaborative environments, as it can cause conflicts, data loss, or inconsistency. Option B is incorrect because it creates a new storage bucket with the name specified in the Terraform configuration, but it does not grant any permissions to the Cloud Build service account on the new bucket. Option C is incorrect because it grants the roles/owner IAM role to the Cloud Build service account on the project, which is too broad and violates the principle of least privilege. The roles/owner role grants full access to all resources in the project, which can pose a security risk if misused or compromised.

https://www.atlassian.com/incident-management/kpis/common-metrics

https://linkedin.github.io/school-of-sre/

The best option for sharing a Cloud Monitoring custom dashboard with a partner team is to provide the partner team with the dashboard URL to enable the partner team to create a copy of the dashboard. A Cloud Monitoring custom dashboard is a dashboard that allows you to create and customize charts and widgets to display metrics, logs, and traces from your Google Cloud resources and applications. You can share a custom dashboard with a partner team by providing them with the dashboard URL, which is a link that allows them to view the dashboard in their browser. The partner team can then create a copy of the dashboard in their own project by using the Copy Dashboard option. This way, they can access and modify the dashboard without affecting the original one.

https://medium.com/velotio-perspectives/exploring-upgrade-strategies-for-stateful-sets-in-kubernetes-c02b8286f251

(https://sre.google/workbook/implementing-slos/#slo-decision-matrix)

Comprehensive and Detailed Explanation From General Google Cloud Knowledge:

App Hub allows you to organize and discover services and applications within your Google Cloud environment. For App Hub to recognize and display resources as components of an "application," these resources often need to be explicitly registered or discovered as "services" within that application's configuration. While App Hub can automatically discover some resources (like GKE workloads, Cloud Run services), for other resources, or to establish specific relationships, manual registration or more detailed configuration is sometimes required.

Option A (Attach the project containing the forwarding rule as an App Hub service project): While App Hub works across projects (host project for the application, service projects for services and workloads), simply attaching the project might not be sufficient for App Hub to automatically pick up and categorize every resource like a forwarding rule specifically for a defined application without further context. The forwarding rule needs to be associated with a service within the App Hub application.

Option B (Enable the App Hub API in the project containing the forwarding rule): The App Hub API needs to be enabled in projects where you want to manage App Hub resources (applications, services, workloads). If it wasn't enabled, you likely wouldn't be able to see any resources from that project. Since other resources are visible, this is less likely the root cause for a single missing resource, though it's a prerequisite for App Hub to function at all with that project.

Option C (Configure the forwarding rule to forward to the correct target proxy): While correct configuration of the forwarding rule is essential for its operational functionality, App Hub's ability to list the forwarding rule is more about its discovery and registration within App Hub's model rather than its traffic-directing correctness. An incorrectly configured forwarding rule that is properly registered might still appear in App Hub, perhaps with an error status.

Option D (Register the forwarding rule as a service in the application configuration): App Hub applications are composed of "services," and these services are in turn composed of "workloads" or other discovered/registered resources. A forwarding rule is typically an entry point or part of the infrastructure for a service. Explicitly registering it or the resource it points to (which then allows App Hub to trace back to the forwarding rule) as a service or part of a service within the application configuration would make it visible and properly cataloged by App Hub. App Hub discovers resources by looking for specific labels or by manual registration. If it's not automatically discovered as part of a recognized workload (like a GCE instance group service exposed via a load balancer), explicit registration is often the way to make it appear.

Reference (Based on general App Hub functionality):

App Hub discovers resources that are part of registered applications and their services. Services in App Hub can be based on various Google Cloud resources. If a resource like a forwarding rule isn't automatically linked to a displayed workload, it might need to be explicitly defined as a service or part of a service.

From the Google Cloud documentation on App Hub concepts:

"Applications are the core organizational unit in App Hub. An application represents a logical system that delivers business value... Services represent the logical components of an application... Workloads are instances of your services running on Google Cloud infrastructure. App Hub automatically discovers workloads for supported resource types or you can manually register them."

Forwarding rules are associated with load balancing, which exposes services. If the service that the forwarding rule points to is correctly registered and identified by App Hub, associated infrastructure like the forwarding rule should typically be discoverable. If it's not, ensuring the service it fronts is correctly registered and that App Hub understands this link is key. Option D aligns with this concept of ensuring the relevant component (which the forwarding rule is part of) is registered within the application structure.

You can find more information in the official Google Cloud documentation regarding App Hub:

App Hub overview: https://cloud.google.com/app-hub/docs/overview

Registering services and workloads: Documentation would detail how different resources are discovered or need to be registered.

Google recommends using managed collection for GKE monitoring to reduce operational overhead. This sends Kubernetes metrics and custom workload metrics directly to Cloud Monitoring.

"You can enable Managed Service for Prometheus, which provides a fully managed Prometheus-compatible monitoring solution integrated with Cloud Monitoring."

— Managed Collection in GKE

"It automatically collects and stores metrics in Cloud Monitoring with no need to manage a Prometheus server."

— Google Cloud Managed Prometheus

It’s scalable, cost-effective, and requires no additional infrastructure like Thanos or Prometheus federation.

To restrict access to specific sensitive log fields (e.g. PII), Google Cloud offers Log field-level access control. You can apply field-level restrictions and then assign the Log Field Accessor role only to trusted personnel.

“You can use field-level access control to restrict access to certain fields in your logs. For example, you can restrict access to jsonPayload.user_email.”

— Cloud Logging Field-Level Access

“Grant the roles/logging.fieldAccessor role to principals that require access to these restricted fields.”

— Log Field Accessor Role

This lets your operations team continue using logs while ensuring that PII is only visible to the security team, fulfilling your compliance obligations.

https://cloud.google.com/architecture/continuous-delivery-toolchain-spinnaker-cloud

https://spinnaker.io/guides/user/pipeline/triggers/pubsub/

 The most efficient way to build an automated pipeline that deploys the application when the image is updated is to use Cloud Pub/Sub to trigger a Spinnaker pipeline. This way, you can leverage the built-in integration between GCR and Cloud Pub/Sub, and use Spinnaker as a continuous delivery platform for deploying your application .

The correct answer is B. Increase the memory limit in the application deployment.

The application is experiencing a memory leak, which means that it is allocating memory that is not freed or reused. This causes the heap usage to grow constantly until it reaches the memory limit of the pod, which triggers a restart by Kubernetes. Increasing the memory limit in the application deployment can help mitigate the problem by allowing the application to run longer before reaching the limit. However, this is not a permanent solution, as the memory leak will still occur and eventually exhaust the available memory.The best solution is to identify and fix the source of the memory leak in the application code, using tools like Cloud Profiler and pprof12.

https://cloud.google.com/monitoring/api/metrics_gcp#gcp-appengine

The best option for ensuring continued operations until the microservice is fixed is to add a HTTP liveness probe to the microservice’s deployment. A HTTP liveness probe is a type of probe that checks if a Pod is alive by sending an HTTP request and expecting a success response code. If the probe fails, Kubernetes will restart the Pod. You can add a HTTP liveness probe to your microservice’s deployment by using a livenessProbe field in your Pod spec. This way, you can ensure that any Pod that returns 403 errors after running for more than five hours will be restarted automatically and resume normal operations.

The correct answer is D. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.

According to the Google Cloud documentation, the Compute Engine service account is a Google-managed service account that is automatically created when you enable the Compute Engine API1.This service account is used by default to run your Compute Engine instances and access other Google Cloud services on your behalf1.To ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring, you need to grant the following IAM roles to the Compute Engine service account23:

The logging.logWriter role allows the service account to write log entries to Cloud Logging4.

The monitoring.metricWriter role allows the service account to write custom metrics to Cloud Monitoring5.

These roles grant the minimum permissions that are needed for logging and monitoring, following the principle of least privilege. The other roles are either unnecessary or too broad for this purpose.For example, the logging.editor role grants permissions to create and update logs, log sinks, and log exclusions, which are not required for writing log entries6. The logging.admin role grants permissions to delete logs, log sinks, and log exclusions, which are not required for writing log entries and may pose a security risk if misused. The monitoring.editor role grants permissions to create and update alerting policies, uptime checks, notification channels, dashboards, and groups, which are not required for writing custom metrics.

https://cloud.google.com/logging/docs/access-control

The logging.configWriter role grants permissions to create, update, and delete log exports. This is the correct role to give team members who need to export logs2.

The best option for managing all charts uniformly, with native access control and VPC Service Controls is to store public and private charts in OCI format by using Artifact Registry. Artifact Registry is a service that allows you to store and manage container images and other artifacts in Google Cloud. Artifact Registry supports OCI format, which is an open standard for storing container images and other artifacts such as Helm charts. You can use Artifact Registry to store public and private charts in OCI format and manage them uniformly. You can also use Artifact Registry’s native access control features, such as IAM policies and VPC Service Controls, to secure your charts and control who can access them.