Professional-Cloud-DevOps-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud DevOps Engineer Exam

The best option for deploying a new version of your containerized application to production on GKE and ensuring that the application does not have performance problems after deployment is to deploy the application through a continuous delivery pipeline by using canary deployments, use Cloud Monitoring to look for performance issues, and ramp up traffic as supported by the metrics. A canary deployment is a deployment strategy that involves releasing a new version of an application to a subset of users or servers and monitoring its performance and reliability. This way, you can test the new version in the production environment with real traffic and load, and gradually increase the traffic as the metrics indicate. You can use Cloud Monitoring to collect and analyze metrics from your application and GKE cluster, such as latency, error rate, CPU utilization, and memory usage. You can also use Cloud Monitoring to set up alerts and dashboards to track the performance of your application.

https://sre.google/sre-book/service-level-objectives/

You want the application's SLO to more closely reflect it's observed reliability. The key here is error budget never goes over 5%. This means they can have additional downtime and still stay within their budget.

The most effective ways to measure application reliability from a user perspective without making any engineering changes are to create new synthetic clients to simulate a user journey using the application, and to use current and historic Request Logs to trace customer interaction with the application. These methods can help you monitor the availability, latency, and errors of your application from an end-user perspective .

The best option for updating the instance template and minimizing disruption to the application and the number of pipeline runs is to set the create_before_destroy meta-argument to true in the lifecycle block on the instance template. The create_before_destroy meta-argument is a Terraform feature that specifies that a new resource should be created before destroying an existing one during an update. This way, you can avoid downtime and errors when updating a resource that is in use by another resource, such as an instance template that is used by a managed instance group. By setting the create_before_destroy meta-argument to true in the lifecycle block on the instance template, you can ensure that Terraform creates a new instance template with the updated machine type, updates the managed instance group to use the new instance template, and then deletes the old instance template.

The best option for sharing a Cloud Monitoring custom dashboard with a partner team is to provide the partner team with the dashboard URL to enable the partner team to create a copy of the dashboard. A Cloud Monitoring custom dashboard is a dashboard that allows you to create and customize charts and widgets to display metrics, logs, and traces from your Google Cloud resources and applications. You can share a custom dashboard with a partner team by providing them with the dashboard URL, which is a link that allows them to view the dashboard in their browser. The partner team can then create a copy of the dashboard in their own project by using the Copy Dashboard option. This way, they can access and modify the dashboard without affecting the original one.

For a postmortem to be truly blameless, it must focus on identifying the contributing causes of the incident without indicting any individual or team for bad or inappropriate behavior.

https://www.terraform.io/docs/cloud/guides/recommended-practices/part3.3.html

The best options for defining triggers that indicate whether an incident requires a postmortem based on Site Reliability Engineering (SRE) practices are an external stakeholder asks for a postmortem and data is lost due to an incident. An external stakeholder is someone who is affected by or has an interest in the service, such as a customer or a partner. If an external stakeholder asks for a postmortem, it means that they are concerned about the impact or root cause of the incident, and they expect an explanation and remediation from the service provider. Therefore, this should trigger a postmortem to address their concerns and improve their satisfaction. Data loss is a serious consequence of an incident that can affect the integrity and reliability of the service. If data is lost due to an incident, it means that there was a failure in the backup or recovery mechanisms, or that there was a corruption or deletion of data. Therefore, this should trigger a postmortem to investigate the cause and impact of the data loss, and to prevent it from happening again.

https://cloud.google.com/architecture/automated-canary-analysis-kubernetes-engine-spinnaker

https://spinnaker.io/guides/user/canary/best-practices/#compare-canary-against-baseline-not-against-production

https://cloud.google.com/monitoring/agent/monitoring/troubleshooting#checklist

The best option for detecting consumption of an error budget to protect customers and define release policies is to create a service level objective (SLO) and create an alert policy on select_slo_burn_rate. A SLO is a target value or range of values for a service level indicator (SLI) that measures some aspect of the service quality, such as availability or latency. An error budget is the amount of time or number of errors that a service can tolerate while still meeting its SLO. A select_slo_burn_rate is a metric that indicates how fast the error budget is being consumed by the service. By creating an alert policy on select_slo_burn_rate, you can trigger notifications or actions when the error budget consumption exceeds a certain threshold. This way, you can balance change, velocity, and reliability of the service by adjusting the release policies based on the error budget status.

The best option to give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recommended practices, is to install and configure Config Connector in Google Kubernetes Engine (GKE).

Config Connector is a Kubernetes add-on that allows you to manage Google Cloud resources through Kubernetes. You can use Config Connector to create, update, and delete Google Cloud resources using Kubernetes manifests. Config Connector also reconciles the state of the Google Cloud resources with the desired state defined in the manifests, ensuring that there is no configuration drift1.

Config Connector follows the GitOps methodology, as it allows you to store your infrastructure configuration in a Git repository, and use tools such as Anthos Config Management or Cloud Source Repositories to sync the configuration to your GKE cluster. This way, you can use Git as the source of truth for your infrastructure, and enable reviewable and version-controlled workflows2.

Config Connector can be installed and configured in GKE using either the Google Cloud Console or the gcloud command-line tool. You need to enable the Config Connector add-on for your GKE cluster, and create a Google Cloud service account with the necessary permissions to manage the Google Cloud resources. You also need to create a Kubernetes namespace for each Google Cloud project that you want to manage with Config Connector3.

By using Config Connector in GKE, you can give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recommended practices. You can also benefit from the features and advantages of Kubernetes, such as declarative configuration, observability, and portability4.

References:

1: Overview | Artifact Registry Documentation | Google Cloud

2: Deploy Anthos on GKE with Terraform part 1: GitOps with Config Sync | Google Cloud Blog

3: Installing Config Connector | Config Connector Documentation | Google Cloud

4: Why use Config Connector? | Config Connector Documentation | Google Cloud

https://cloud.google.com/blog/topics/retail/preparing-for-peak-holiday-season-while-wfh

Scaling App Engine scales the number of instances automatically in response to processing volume. This scaling factors in the automatic_scaling settings that are provided on a per-version basis in the configuration file. A service with basic scaling is configured by setting the maximum number of instances in the max_instances parameter of the basic_scaling setting. The number of live instances scales with the processing volume. You configure the number of instances of each version in that service's configuration file. The number of instances usually corresponds to the size of a dataset being held in memory or the desired throughput for offline work. You can adjust the number of instances of a manually-scaled version very quickly, without stopping instances that are currently running, using the Modules API set_num_instances function. https://cloud.google.com/appengine/docs/standard/python/how-instances-are-managed

https://cloud.google.com/appengine/docs/standard/python/config/appref

max_idle_instances Optional. The maximum number of idle instances that App Engine should maintain for this version. Specify a value from 1 to 1000. If not specified, the default value is automatic, which means App Engine will manage the number of idle instances. Keep the following in mind: A high maximum reduces the number of idle instances more gradually when load levels return to normal after a spike. This helps your application maintain steady performance through fluctuations in request load, but also raises the number of idle instances (and consequent running costs) during such periods of heavy load.

The best option for troubleshooting the issue without having execute access to workloads and nodes is to use Network Connectivity Center to perform a Connectivity Test from Cluster A to Cluster B. Network Connectivity Center is a service that allows you to create, manage, and monitor network connectivity across Google Cloud, hybrid, and multi-cloud environments. You can use Network Connectivity Center to perform a Connectivity Test, which is a feature that allows you to test the reachability and latency between two endpoints, such as GKE clusters, VM instances, or IP addresses. By using Network Connectivity Center to perform a Connectivity Test from Cluster A to Cluster B, you can identify the layer at which the network connectivity is broken, such as the firewall, routing, or load balancing.

a latency SLO is a service level objective that specifies a target level of responsiveness for a web application1. A latency SLO can be expressed as a percentile of latency over a time window, such as the 90th percentile of latency over 28 days2. A percentile of latency is the maximum amount of time that a given percentage of requests take to complete. For example, the 90th percentile of latency is the maximum amount of time that 90% of requests take to complete3.

To define a latency SLO, you need to consider the following factors24:

• The expectations and satisfaction of your customers. You want to set a latency SLO that reflects the level of performance that your customers are happy with and willing to pay for.
• The current and historical measurements of your latency. You want to set a latency SLO that is based on data and realistic for your web application.
• The trade-offs and costs of improving your latency. You want to set a latency SLO that balances the benefits of faster response times with the costs of engineering work, infrastructure, and complexity.

Based on these factors, the best option for defining a latency SLO for your web application is option B. Option B sets the latency SLO to match the current measurement of your latency, which means that you are meeting the expectations and satisfaction of your customers. Option B also sets a realistic and achievable target for your web application, which means that you do not need to invest extra resources or effort to improve your latency. Option B also aligns with the best practice of setting conservative SLOs, which means that you have some buffer or margin for error in case your latency fluctuates or degrades5.

The best option for ensuring that the three environments are consistent and following Google-recommended practices is to use Cloud Build to render and deploy the network policies and the DaemonSet, and set up Config Sync to sync the configurations for the three environments. Cloud Build is a service that executes your builds on Google Cloud infrastructure. You can use Cloud Build to render and deploy your network policies and DaemonSet as code using tools like Kustomize, Helm, or kpt. Config Sync is a feature that enables you to manage the configurations of your GKE clusters from a single source of truth, such as a Git repository. You can use Config Sync to sync the configurations for your development, staging, and production environments and ensure that they are consistent.

Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure. Cloud Build can import source code from Google Cloud Storage, Cloud Source Repositories, GitHub, or Bitbucket, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives1. Cloud Build can also run integration tests as part of your build steps2.

You can use Cloud Build to run tests in a specific folder by specifying the path to the folder in the dir field of your build step3. For example, if you have a folder named tests that contains your integration tests, you can use the following build step to run them:

steps:

- name: 'gcr.io/cloud-builders/go'

args: ['test', '-v']

dir: 'tests'

Copy

You can use Cloud Build to trigger builds for every GitHub pull request by using the Cloud Build GitHub app. The app allows you to automatically build on Git pushes and pull requests and view your build results on GitHub and Google Cloud console4. You can configure the app to run builds on specific branches, tags, or paths5. For example, if you want to run builds on pull requests that target the master branch, you can use the following trigger configuration:

includedFiles:

- '**'

name: 'pull-request-trigger'

github:

name: 'my-repo'

owner: 'my-org'

pullRequest:

branch: '^master$'

Using Cloud Build to run tests in a specific folder and trigger builds for every GitHub pull request is a good way to continuously test your feature branch and ensure that all code is tested before changes are accepted. This way, you can catch any errors or bugs early and prevent them from affecting the main branch.

Using a Jenkins server for CI/CD pipelines is not a bad option, but it would require more setup and maintenance than using Cloud Build, which is fully managed by Google Cloud. Periodically running all tests in the feature branch is not as efficient as running tests for every pull request, as it may delay the feedback loop and increase the risk of conflicts or failures.

Using Cloud Build to run the tests after a pull request is merged is not a good practice, as it may introduce errors or bugs into the main branch that could have been prevented by testing before merging.

Asking the pull request reviewers to run the integration tests before approving the code is not a reliable way of ensuring code quality, as it depends on human intervention and may be prone to errors or oversights.

References:

1: Overview  |  Cloud Build Documentation  |  Google Cloud

2: Running integration tests  |  Cloud Build Documentation  |  Google Cloud

3: Build configuration overview  |  Cloud Build Documentation  |  Google Cloud

4: Building repositories from GitHub  |  Cloud Build Documentation  |  Google Cloud

5: Creating GitHub app triggers  |  Cloud Build Documentation  |  Google Cloud

 The best option for mitigating the incident impact on users and enabling the developers to troubleshoot the issue is to change the selector on the Service app-svc to app: my-app, version: blue. A Service is a resource that defines how to access a set of Pods. A selector is a field that specifies which Pods are selected by the Service. By changing the selector on the Service app-svc to app: my-app, version: blue, you can ensure that the Service only routes traffic to the Pods that have both labels app: my-app and version: blue. These Pods belong to the Deployment app-blue, which uses the previous version of the application. This way, you can mitigate the incident impact on users by switching back to the working version of the application. You can also enable the developers to troubleshoot the issue with the new version of the application in the Deployment app-green without affecting users.

The correct answer is D. Option D.

According to the DevOps best practices, a joint-ownership model for a service between the DevOps team and the Software Development team should follow these principles12:

• The DevOps team and the Software Development team should share the responsibility and collaboration for managing the service infrastructure, performing code reviews, and adopting and sharing SLOs for the service.
• The DevOps team and the Software Development team should have end-to-end ownership of the service, from design to development to deployment to operation to maintenance.
• The DevOps team and the Software Development team should use common tools and processes to facilitate communication, coordination, and feedback.
• The DevOps team and the Software Development team should align their goals and incentives with the business outcomes and customer satisfaction.

Option D is the only option that reflects these principles. Option D assigns both teams the responsibilities of managing the service infrastructure, performing code reviews, and adopting and sharing SLOs for the service. Option D also implies that both teams have end-to-end ownership of the service, as they are involved in every stage of the service lifecycle. Option D also encourages both teams to use common tools and processes, such as GitLab3, to collaborate and communicate effectively. Option D also aligns both teams with the business outcomes and customer satisfaction, as they use SLOs to measure and improve the service quality.

The other options are incorrect because they do not follow the DevOps best practices. Option A is incorrect because it assigns only the DevOps team the responsibility of managing the service infrastructure, which creates a silo between the two teams and reduces their collaboration. Option A also does not assign any responsibility for adopting and sharing SLOs for the service, which means that both teams lack a common metric for measuring and improving the service quality. Option B is incorrect because it assigns only the Software Development team the responsibility of performing code reviews, which creates a gap between the two teams and reduces their feedback. Option B also does not assign any responsibility for adopting and sharing SLOs for the service, which means that both teams lack a common metric for measuring and improving the service quality. Option C is incorrect because it assigns both teams the same responsibilities as option A and option B, which combines their drawbacks.

Your application runs on Google Cloud Platform (GCP). You need to implement Jenkins for deploying application releases to GCP. You want to streamline the release process, lower operational toil, and keep user data secure. What should you do?

https://plugins.jenkins.io/google-compute-engine/

The best options for creating a CI/CD pipeline in Cloud Build to build an application container image and ensuring that production image builds are only run against the main branch and that the change control team approves all pushes to the main branch are to create a trigger on the Cloud Build job, set the repository event setting to Push to a branch, and configure a branch protection rule for the main branch on the repository. A trigger is a resource that starts a build when an event occurs, such as a code change. By creating a trigger on the Cloud Build job and setting the repository event setting to Push to a branch, you can ensure that the image build is only run when code is pushed to a specific branch, such as the main branch. A branch protection rule is a rule that enforces certain policies on a branch, such as requiring reviews, status checks, or approvals before merging code. By configuring a branch protection rule for the main branch on the repository, you can ensure that the change control team approves all pushes to the main branch.

https://cloud.google.com/monitoring/access-control

The correct answer is A. Check the node/ephemeral_storage/used_bytes metric by using Metrics Explorer.

The node/ephemeral_storage/used_bytes metric reports the total amount of ephemeral storage used by Pods on each node1. You can use Metrics Explorer to query and visualize this metric and filter it by node name, namespace, or Pod name2. This way, you can identify which Pods are consuming the most ephemeral storage and causing disk pressure on the nodes. You do not need to have execute access to the workloads or nodes to use Metrics Explorer.

The other options are incorrect because they require execute access to the workloads or nodes, which you do not have. The df -h and du -sh * commands are Linux commands that can measure disk usage, but you need to run them inside the Pods or on the nodes, which is not possible in your scenario34.

The correct answer is D. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.

According to the Google Cloud documentation, the Compute Engine service account is a Google-managed service account that is automatically created when you enable the Compute Engine API1. This service account is used by default to run your Compute Engine instances and access other Google Cloud services on your behalf1. To ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring, you need to grant the following IAM roles to the Compute Engine service account23:

• The logging.logWriter role allows the service account to write log entries to Cloud Logging4.
• The monitoring.metricWriter role allows the service account to write custom metrics to Cloud Monitoring5.

These roles grant the minimum permissions that are needed for logging and monitoring, following the principle of least privilege. The other roles are either unnecessary or too broad for this purpose. For example, the logging.editor role grants permissions to create and update logs, log sinks, and log exclusions, which are not required for writing log entries6. The logging.admin role grants permissions to delete logs, log sinks, and log exclusions, which are not required for writing log entries and may pose a security risk if misused. The monitoring.editor role grants permissions to create and update alerting policies, uptime checks, notification channels, dashboards, and groups, which are not required for writing custom metrics.

The best option for providing your security team with the necessary permissions following the principle of least privilege and Google-recommended practices is to assign the roles/logging.privateLogViewer role to a group with all the security team members. The roles/logging.privateLogViewer role is a predefined role that grants read-only access to Data Access audit logs and other private logs in Cloud Logging. A group is a collection of users that can be assigned roles and permissions as a single unit. You can assign the roles/logging.privateLogViewer role to a group with all the security team members by using IAM policies. This way, you can provide your security team with the minimum level of access they need to view Data Access audit logs in the _Required bucket.

The best option for creating the development and production environments for each team while minimizing costs and ensuring isolation is to create a development and a production GKE cluster in separate projects, in each cluster create a Kubernetes namespace per team, and then configure Kubernetes role-based access control (RBAC) so that each team can only access its own namespace. This option allows you to use fewer clusters and projects than creating one project or cluster per team, which reduces costs and complexity. It also allows you to isolate each team’s environment by using namespaces and RBAC, which prevents teams from accessing other teams’ environments.

(https://sre.google/workbook/implementing-slos/#slo-decision-matrix )