- (Exam Topic 2)
You are developing a microservice-based application that will be deployed on a Google Kubernetes Engine cluster. The application needs to read and write to a Spanner database. You want to follow security best practices while minimizing code changes. How should you configure your application to retrieve Spanner credentials?

1. A. Configure the appropriate service accounts, and use Workload Identity to run the pods.
2. B. Store the application credentials as Kubernetes Secrets, and expose them as environment variables.
3. C. Configure the appropriate routing rules, and use a VPC-native cluster to directly connect to the database.
4. D. Store the application credentials using Cloud Key Management Service, and retrieve them whenever a database connection is made.

Correct Answer: A
https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity

- (Exam Topic 2)
You deployed a new application to Google Kubernetes Engine and are experiencing some performance degradation. Your logs are being written to Cloud Logging, and you are using a Prometheus sidecar model for capturing metrics. You need to correlate the metrics and data from the logs to troubleshoot the performance issue and send real-time alerts while minimizing costs. What should you do?

1. A. Create custom metrics from the Cloud Logging logs, and use Prometheus to import the results using the Cloud Monitoring REST API.
2. B. Export the Cloud Logging logs and the Prometheus metrics to Cloud Bigtabl
3. C. Run a query to join the results, and analyze in Google Data Studio.
4. D. Export the Cloud Logging logs and stream the Prometheus metrics to BigQuer
5. E. Run a recurring query to join the results, and send notifications using Cloud Tasks.
6. F. Export the Prometheus metrics and use Cloud Monitoring to view them as external metric
7. G. Configure Cloud Monitoring to create log-based metrics from the logs, and correlate them with the Prometheus data.

Correct Answer: D
Reference:
https://cloud.google.com/blog/products/operations/troubleshoot-gke-faster-with-monitoring-data-in-your-logs

- (Exam Topic 2)
You are a developer at a large organization. You have an application written in Go running in a production Google Kubernetes Engine (GKE) cluster. You need to add a new feature that requires access to BigQuery. You want to grant BigQuery access to your GKE cluster following Google-recommended best practices. What should you do?

1. A. Create a Google service account with BigQuery acces
2. B. Add the JSON key to Secret Manager, and use the Go client library to access the JSON key.
3. C. Create a Google service account with BigQuery acces
4. D. Add the Google service account JSON key as a Kubernetes secret, and configure the application to use this secret.
5. E. Create a Google service account with BigQuery acces
6. F. Add the Google service account JSON key to Secret Manager, and use an init container to access the secret for the application to use.
7. G. Create a Google service account and a Kubernetes service accoun
8. H. Configure Workload Identity on the GKE cluster, and reference the Kubernetes service account on the application Deployment.

Correct Answer: D
https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity#what_is
Applications running on GKE might need access to Google Cloud APIs such as Compute Engine API, BigQuery Storage API, or Machine Learning APIs.
Workload Identity allows a Kubernetes service account in your GKE cluster to act as an IAM service account. Pods that use the configured Kubernetes service account automatically authenticate as the IAM service account when accessing Google Cloud APIs. Using Workload Identity allows you to assign distinct,
fine-grained identities and authorization for each application in your cluster.

- (Exam Topic 2)
You are developing a web application that contains private images and videos stored in a Cloud Storage bucket. Your users are anonymous and do not have Google Accounts. You want to use your
application-specific logic to control access to the images and videos. How should you configure access?

1. A. Cache each web application user's IP address to create a named IP table using Google Cloud Armor.Create a Google Cloud Armor security policy that allows users to access the backend bucket.
2. B. Grant the Storage Object Viewer IAM role to allUser
3. C. Allow users to access the bucket after authenticating through your web application.
4. D. Configure Identity-Aware Proxy (IAP) to authenticate users into the web applicatio
5. E. Allow users to access the bucket after authenticating through IAP.
6. F. Generate a signed URL that grants read access to the bucke
7. G. Allow users to access the URL after authenticating through your web application.

Correct Answer: D
https://cloud.google.com/storage/docs/access-control/signed-urls#should-you-use
In some scenarios, you might not want to require your users to have a Google account in order to access Cloud Storage, but you still want to control access using your application-specific logic. The typical way to address this use case is to provide a signed URL to a user, which gives the user read, write, or delete access to that resource for a limited time. You specify an expiration time when you create the signed URL. Anyone who knows the URL can access the resource until the expiration time for the URL is reached or the key used to sign the URL is rotated.

- (Exam Topic 2)
You manage a microservices application on Google Kubernetes Engine (GKE) using Istio. You secure the communication channels between your microservices by implementing an Istio AuthorizationPolicy, a Kubernetes NetworkPolicy, and mTLS on your GKE cluster. You discover that HTTP requests between two Pods to specific URLs fail, while other requests to other URLs succeed. What is the cause of the connection issue?

1. A. A Kubernetes NetworkPolicy resource is blocking HTTP traffic between the Pods.
2. B. The Pod initiating the HTTP requests is attempting to connect to the target Pod via an incorrect TCP port.
3. C. The Authorization Policy of your cluster is blocking HTTP requests for specific paths within your application.
4. D. The cluster has mTLS configured in permissive mode, but the Pod's sidecar proxy is sending unencrypted traffic in plain text.

Correct Answer: C