Google Professional Cloud DevOps Engineer Exam Questions Instant Access

Question 1

You manage applications deployed on Google Kubernetes Engine (GKE) clusters across multiple Google Cloud projects. You require a centralized and scalable solution to collect and query Prometheus metrics from these clusters by using a flexible query language. You want to follow Google-recommended practices. What should you do?

ADeploy a Prometheus server as a sidecar to your applications on each cluster, and run queries in Cloud Monitoring.

BConfigure Google Cloud Managed Service for Prometheus with managed collection, and run queries in Metrics Explorer.

CConfigure the Ops Agent to collect metrics, and run queries in Metrics Explorer.

DInstall Prometheus server on an admin cluster with cluster autoscaler enabled, and expose the Prometheus endpoint for queries.

Answer : B

Comprehensive and Detailed 150 to 200 words of Explanation From Google Cloud DevOps guides documents:

Google Cloud's recommended practice for scalable, multi-cluster monitoring is Google Cloud Managed Service for Prometheus (GMP). This service is a fully managed, multi-cloud-capable solution built on top of Monarch (the same globally scalable time-series database Google uses internally). By using managed collection, GKE clusters automatically deploy collectors that scrape metrics without the operational overhead of managing a manual Prometheus server, scaling, or long-term storage (sharding).

This solution satisfies the 'centralized and scalable' requirement because GMP allows you to query data across multiple projects and clusters using PromQL, which provides the flexible query language requested. While the Ops Agent (Option C) is useful for VM-based workloads, GMP is the purpose-built solution for Kubernetes environments. Standard sidecar deployments (Option A) or self-managed admin clusters (Option D) introduce significant administrative toil and fail to leverage the global scale and high availability of the Cloud Monitoring backend. By centralizing metrics in Metrics Explorer, SRE teams gain a unified view of system health, making it easier to define SLOs and manage incidents across a complex microservices landscape.

Question 2

Your company runs an ecommerce website built with JVM-based applications and microservice architecture in Google Kubernetes Engine (GKE) The application load increases during the day and decreases during the night Your operations team has configured the application to run enough Pods to handle the evening peak load You want to automate scaling by only running enough Pods and nodes for the load What should you do?

AConfigure the Vertical Pod Autoscaler but keep the node pool size static

BConfigure the Vertical Pod Autoscaler and enable the cluster autoscaler

CConfigure the Horizontal Pod Autoscaler but keep the node pool size static

DConfigure the Horizontal Pod Autoscaler and enable the cluster autoscaler

Answer : D

The best option for automating scaling by only running enough Pods and nodes for the load is to configure the Horizontal Pod Autoscaler and enable the cluster autoscaler. The Horizontal Pod Autoscaler is a feature that automatically adjusts the number of Pods in a deployment or replica set based on observed CPU utilization or custom metrics. The cluster autoscaler is a feature that automatically adjusts the size of a node pool based on the demand for node capacity. By using both features together, you can ensure that your application runs enough Pods to handle the load, and that your cluster runs enough nodes to host the Pods. This way, you can optimize your resource utilization and cost efficiency.

Question 3

You manage your company's primary revenue-generating application. You have an error budget policy in place that freezes production deployments when the application is close to breaching its SLO. A number of issues have recently occurred, and the application has exhausted its error budget. You need to deploy a new release to the application that includes a feature urgently required by your largest customer. You have been told that the release has passed all unit tests. What should you do?

AStart the deployment of the feature immediately.

BDelay the deployment of the feature until the error budget is replenished.

CRe-run the unit tests, and start the deployment of the feature if the tests pass.

DDeploy the feature to a subset of users, and gradually roll out to all users if there are no errors reported.

Answer : D

Comprehensive and Detailed Explanation From SRE Principles:

This scenario presents a classic SRE conflict: maintaining reliability (as dictated by the exhausted error budget and deployment freeze) versus delivering an urgent business requirement. The error budget policy is there for a reason -- to protect users from further instability.

A . Start the deployment of the feature immediately: This directly violates the established error budget policy and the deployment freeze. While the feature is urgent, deploying without caution when the system is already unstable (as indicated by the exhausted error budget) is highly risky and could exacerbate existing problems or introduce new ones, further impacting revenue and customer trust.

B . Delay the deployment of the feature until the error budget is replenished: This strictly adheres to the policy but might not be acceptable given the 'urgently required by your largest customer' clause. SRE principles allow for reasoned exceptions and risk management, not just blind adherence if the business context is compelling enough and risks are managed.

C . Re-run the unit tests, and start the deployment of the feature if the tests pass: Unit tests are foundational but insufficient to guarantee a complex application will perform reliably in production, especially when the system is already indicating instability (exhausted error budget). Passing unit tests doesn't negate the risk signaled by the depleted error budget.

D . Deploy the feature to a subset of users, and gradually roll out to all users if there are no errors reported: This is the most balanced SRE approach in this situation. It acknowledges the urgency while attempting to mitigate risk:Risk Mitigation: A canary release (deploying to a small subset of users) limits the potential negative impact if the new feature introduces new errors or worsens existing instability.

Observation: It allows for careful monitoring of the new release in the production environment with real users.

Data-Driven Decision: The decision to proceed with a wider rollout is based on observed behavior ('if there are no errors reported'), not just assumptions.

Controlled Rollout: A gradual rollout allows for quick rollback if issues arise.

While an exhausted error budget signals a deployment freeze, critical business needs can sometimes necessitate a carefully managed exception. A canary release is a standard SRE technique for deploying changes with reduced risk, making it the most appropriate course of action when faced with such conflicting priorities. The team would also need to communicate clearly about the risks and the rationale for this exception. It's implied that this urgent feature might also fix existing issues or is critical enough to warrant the carefully managed risk.

Reference (Based on SRE principles from Google's SRE books and general practices):

Error Budgets: 'The SRE Book' (Site Reliability Engineering: How Google Runs Production Systems) discusses error budgets and deployment freezes. An exhausted error budget typically means no more risky changes until reliability improves.

Canary Releases: This is a fundamental practice for safely deploying new versions. It's about testing in production with a small percentage of traffic.

Managing Risk: SRE is about managing risk, not eliminating it entirely. In situations like this, a calculated risk with strong mitigation (canary, monitoring, rollback plan) can be justified for critical business needs. The decision involves weighing the risk of deploying against the risk of not deploying the urgent feature.

Option D represents a pragmatic SRE approach to navigate this difficult situation by minimizing the blast radius of the change.

Question 4

You are developing reusable infrastructure as code modules. Each module contains integration tests that launch the module in a test project. You are using GitHub for source control. You need to Continuously test your feature branch and ensure that all code is tested before changes are accepted. You need to implement a solution to automate the integration tests. What should you do?

AUse a Jenkins server for Cl/CD pipelines. Periodically run all tests in the feature branch.

BUse Cloud Build to run the tests. Trigger all tests to run after a pull request is merged.

CAsk the pull request reviewers to run the integration tests before approving the code.

DUse Cloud Build to run tests in a specific folder. Trigger Cloud Build for every GitHub pull request.

Answer : D

Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure.Cloud Build can import source code from Google Cloud Storage, Cloud Source Repositories, GitHub, or Bitbucket, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives1.Cloud Build can also run integration tests as part of your build steps2.

You can use Cloud Build to run tests in a specific folder by specifying the path to the folder in thedirfield of your build step3. For example, if you have a folder namedteststhat contains your integration tests, you can use the following build step to run them:

steps:

- name: 'gcr.io/cloud-builders/go'

args: ['test', '-v']

dir: 'tests'

Copy

You can use Cloud Build to trigger builds for every GitHub pull request by using the Cloud Build GitHub app.The app allows you to automatically build on Git pushes and pull requests and view your build results on GitHub and Google Cloud console4.You can configure the app to run builds on specific branches, tags, or paths5. For example, if you want to run builds on pull requests that target themasterbranch, you can use the following trigger configuration:

includedFiles:

- '**'

name: 'pull-request-trigger'

github:

name: 'my-repo'

owner: 'my-org'

pullRequest:

branch: '^master$'

Using Cloud Build to run tests in a specific folder and trigger builds for every GitHub pull request is a good way to continuously test your feature branch and ensure that all code is tested before changes areaccepted. This way, you can catch any errors or bugs early and prevent them from affecting the main branch.

Using a Jenkins server for CI/CD pipelines is not a bad option, but it would require more setup and maintenance than using Cloud Build, which is fully managed by Google Cloud. Periodically running all tests in the feature branch is not as efficient as running tests for every pull request, as it may delay the feedback loop and increase the risk of conflicts or failures.

Using Cloud Build to run the tests after a pull request is merged is not a good practice, as it may introduce errors or bugs into the main branch that could have been prevented by testing before merging.

Asking the pull request reviewers to run the integration tests before approving the code is not a reliable way of ensuring code quality, as it depends on human intervention and may be prone to errors or oversights.

1:Overview | Cloud Build Documentation | Google Cloud

2:Running integration tests | Cloud Build Documentation | Google Cloud

3: Build configuration overview | Cloud Build Documentation | Google Cloud

4:Building repositories from GitHub | Cloud Build Documentation | Google Cloud

5: Creating GitHub app triggers | Cloud Build Documentation | Google Cloud

Question 5

Your organization is using Helm to package containerized applications Your applications reference both public and private charts Your security team flagged that using a public Helm repository as a dependency is a risk You want to manage all charts uniformly, with native access control and VPC Service Controls What should you do?

AStore public and private charts in OCI format by using Artifact Registry

BStore public and private charts by using GitHub Enterprise with Google Workspace as the identity provider

CStore public and private charts by using Git repository Configure Cloud Build to synchronize contents of the repository into a Cloud Storage bucket Connect Helm to the bucket by using https: // [bucket] .srorage.googleapis.com/ [holnchart] as the Helm repository

DConfigure a Helm chart repository server to run in Google Kubernetes Engine (GKE) with Cloud Storage bucket as the storage backend

Answer : A

The best option for managing all charts uniformly, with native access control and VPC Service Controls is to store public and private charts in OCI format by using Artifact Registry. Artifact Registry is a service that allows you to store and manage container images and other artifacts in Google Cloud. Artifact Registry supports OCI format, which is an open standard for storing container images and other artifacts such as Helm charts. You can use Artifact Registry to store public and private charts in OCI format and manage them uniformly. You can also use Artifact Registry's native access control features, such as IAM policies and VPC Service Controls, to secure your charts and control who can access them.

Question 6

You have an application that runs on Cloud Run. You want to use live production traffic to test a new version of the application while you let the quality assurance team perform manual testing. You want to limit the potential impact of any issues while testing the new version, and you must be able to roll back to a previous version of the application if needed. How should you deploy the new version?

Choose 2 answers

ADeploy the application as a new Cloud Run service.

BDeploy a new Cloud Run revision with a tag and use the ---no-traffic option.

CDeploy a new Cloud Run revision without a tag and use the ---no-traffic option.

DDeploy the new application version and use the ---no-traffic option Route production traffic to the revision's URL.

EDeploy the new application version and split traffic to the new version.

Answer : B, E

Question 7

You have a pool of application servers running on Compute Engine. You need to provide a secure solution that requires the least amount of configuration and allows developers to easily access application logs for troubleshooting. How would you implement the solution on GCP?

A* Deploy the Stackdriver logging agent to the application servers.* Give the developers the IAM Logs Viewer role to access Stackdriver and view logs.

B* Deploy the Stackdriver logging agent to the application servers.* Give the developers the IAM Logs Private Logs Viewer role to access Stackdriver and view logs.

C* Deploy the Stackdriver monitoring agent to the application servers.* Give the developers the IAM Monitoring Viewer role to access Stackdriver and view metrics.

D* Install the gsutil command line tool on your application servers.* Write a script using gsutil to upload your application log to a Cloud Storage bucket, and then schedule it to run via cron every 5 minutes.* Give the developers IAM Object Viewer access to view the logs in the specified bucket.

Answer : A

https://cloud.google.com/logging/docs/audit#access-control