https://cloud.google.com/container-registry/docs/pushing-and-pulling

The correct answer is B. Use shadow testing with continuous deployment.

Shadow testing is a deployment technique that involves routing a copy of the live traffic to a new version of the application, without affecting the production environment. This way, you can gather performance metrics and compare them with the current version, without exposing the new version to the users. Shadow testing can help you test against the full production load and identify any issues or bottlenecks before launching the new version. You can use continuous deployment to automate the process of deploying the new version after it passes the shadow testing.

https://sre.google/workbook/implementing-slos/

https://cloud.google.com/architecture/adopting-slos/

Latency is commonly measured as a distribution. Given a distribution, you can measure various percentiles. For example, you might measure the number of requests that are slower than the historical 99th percentile.

The best option for creating the development and production environments for each team while minimizing costs and ensuring isolation is to create a development and a production GKE cluster in separate projects, in each cluster create a Kubernetes namespace per team, and then configure Kubernetes role-based access control (RBAC) so that each team can only access its own namespace. This option allows you to use fewer clusters and projects than creating one project or cluster per team, which reduces costs and complexity. It also allows you to isolate each team’s environment by using namespaces and RBAC, which prevents teams from accessing other teams’ environments.

https://cloud.google.com/logging/docs/routing/overview

The best option to give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recommended practices, is to install and configure Config Connector in Google Kubernetes Engine (GKE).

Config Connector is a Kubernetes add-on that allows you to manage Google Cloud resources through Kubernetes. You can use Config Connector to create, update, and delete Google Cloud resources using Kubernetes manifests. Config Connector also reconciles the state of the Google Cloud resources with the desired state defined in the manifests, ensuring that there is no configuration drift1.

Config Connector follows the GitOps methodology, as it allows you to store your infrastructure configuration in a Git repository, and use tools such as Anthos Config Management or Cloud Source Repositories to sync the configuration to your GKE cluster. This way, you can use Git as the source of truth for your infrastructure, and enable reviewable and version-controlled workflows2.

Config Connector can be installed and configured in GKE using either the Google Cloud Console or the gcloud command-line tool. You need to enable the Config Connector add-on for your GKE cluster, and create a Google Cloud service account with the necessary permissions to manage the Google Cloud resources. You also need to create a Kubernetes namespace for each Google Cloud project that you want to manage with Config Connector3.

By using Config Connector in GKE, you can give developers the ability to manage infrastructure as code, while ensuring that you follow Google-recommended practices. You can also benefit from the features and advantages of Kubernetes, such as declarative configuration, observability, and portability4.

References:

1: Overview | Artifact Registry Documentation | Google Cloud

2: Deploy Anthos on GKE with Terraform part 1: GitOps with Config Sync | Google Cloud Blog

3: Installing Config Connector | Config Connector Documentation | Google Cloud

4: Why use Config Connector? | Config Connector Documentation | Google Cloud

Create log views for each project team, and only show each project team their application logs. Grant the operations team access to the _AllLogs View in the central logging project1.

This approach aligns with the Google Cloud’s recommended methodologies for Professional Cloud DevOps Engineers1. Log views allow you to create and manage access control at a finer granularity for your logs. By creating a separate log view for each project team, you can ensure that they only have access to their respective logs. The operations team, on the other hand, can be granted access to the _AllLogs view in the central logging project, allowing them to view all logs as required.

This solution not only meets the security team’s requirements but also minimizes costs as it leverages built-in features of Google Cloud’s logging and does not require exporting logs to another service like BigQuery (as suggested in option A), which could incur additional costs1.

a latency SLO is a service level objective that specifies a target level of responsiveness for a web application1. A latency SLO can be expressed as a percentile of latency over a time window, such as the 90th percentile of latency over 28 days2. A percentile of latency is the maximum amount of time that a given percentage of requests take to complete. For example, the 90th percentile of latency is the maximum amount of time that 90% of requests take to complete3.

To define a latency SLO, you need to consider the following factors24:

• The expectations and satisfaction of your customers. You want to set a latency SLO that reflects the level of performance that your customers are happy with and willing to pay for.
• The current and historical measurements of your latency. You want to set a latency SLO that is based on data and realistic for your web application.
• The trade-offs and costs of improving your latency. You want to set a latency SLO that balances the benefits of faster response times with the costs of engineering work, infrastructure, and complexity.

Based on these factors, the best option for defining a latency SLO for your web application is option B. Option B sets the latency SLO to match the current measurement of your latency, which means that you are meeting the expectations and satisfaction of your customers. Option B also sets a realistic and achievable target for your web application, which means that you do not need to invest extra resources or effort to improve your latency. Option B also aligns with the best practice of setting conservative SLOs, which means that you have some buffer or margin for error in case your latency fluctuates or degrades5.

The best option for managing all charts uniformly, with native access control and VPC Service Controls is to store public and private charts in OCI format by using Artifact Registry. Artifact Registry is a service that allows you to store and manage container images and other artifacts in Google Cloud. Artifact Registry supports OCI format, which is an open standard for storing container images and other artifacts such as Helm charts. You can use Artifact Registry to store public and private charts in OCI format and manage them uniformly. You can also use Artifact Registry’s native access control features, such as IAM policies and VPC Service Controls, to secure your charts and control who can access them.

The correct answer is D. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.

According to the Google Cloud documentation, the Compute Engine service account is a Google-managed service account that is automatically created when you enable the Compute Engine API1. This service account is used by default to run your Compute Engine instances and access other Google Cloud services on your behalf1. To ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring, you need to grant the following IAM roles to the Compute Engine service account23:

• The logging.logWriter role allows the service account to write log entries to Cloud Logging4.
• The monitoring.metricWriter role allows the service account to write custom metrics to Cloud Monitoring5.

These roles grant the minimum permissions that are needed for logging and monitoring, following the principle of least privilege. The other roles are either unnecessary or too broad for this purpose. For example, the logging.editor role grants permissions to create and update logs, log sinks, and log exclusions, which are not required for writing log entries6. The logging.admin role grants permissions to delete logs, log sinks, and log exclusions, which are not required for writing log entries and may pose a security risk if misused. The monitoring.editor role grants permissions to create and update alerting policies, uptime checks, notification channels, dashboards, and groups, which are not required for writing custom metrics.

The best option for storing all organization logs for seven years and avoiding any future loss of log capture or stored logs due to misconfiguration or human error is to use Cloud Logging to configure an aggregated sink at the organization level to export all logs into Cloud Storage with a seven-year retention policy and Bucket Lock. Cloud Logging is a service that allows you to collect and manage logs from your Google Cloud resources and applications. An aggregated sink is a sink that collects logs from multiple sources, such as projects, folders, or organizations. You can use Cloud Logging to configure an aggregated sink at the organization level to export all logs into Cloud Storage, which is a service that allows you to store and access data in Google Cloud. A retention policy is a policy that specifies how long objects in a bucket are retained before they are deleted. Bucket Lock is a feature that allows you to lock a retention policy on a bucket and prevent it from being reduced or removed. You can use Cloud Storage with a seven-year retention policy and Bucket Lock to ensure that your logs are stored for seven years and protected from accidental or malicious deletion.

Hostname Storage location gcr.io Stores images in data centers in the United States asia.gcr.io Stores images in data centers in Asia eu.gcr.io Stores images in data centers within member states of the European Union us.gcr.io Stores images in data centers in the United States

The best option for deploying a new release of your microservice on Cloud Run and testing it extensively in the staging and production environments with minimal user and developer impact is to deploy the new version of the service to the staging environment with a new-release tag without serving traffic, test the new-release version, and if the test passes, gradually roll out this tagged version. A tag is a label that you can assign to a revision of your service on Cloud Run. You can use tags to create different versions of your service without affecting traffic. You can also use tags to gradually roll out traffic to a new version of your service by using traffic splitting. This way, you can test your new release extensively in both environments and minimize user and developer impact.

https://sre.google/workbook/implementing-slos/

In the SRE principles book, it's recommended treating the SLI as the ratio of two numbers: the number of good events divided by the total number of events. For example: Number of successful HTTP requests / total HTTP requests (success rate)

https://cloud.google.com/monitoring/support/notification-options#creating_channels

To configure SMS notifications, do the following:

In the SMS section, click Add new and follow the instructions. Click Save. When you set up your alerting policy, select the SMS notification type and choose a verified phone number from the list.

The best option for selecting a deployment and testing strategy that meets your requirements is to use blue/green deployment and canary testing. A blue/green deployment is a deployment strategy that involves creating two identical environments, one running the current version of the application (blue) and one running the new version of the application (green). The traffic is switched from blue to green after testing the new version, and if any issues are discovered, the traffic can be switched back to blue instantly. This way, you can reduce the complexity of release deployments and minimize the duration of deployment rollbacks. A canary testing is a testing strategy that involves releasing a new version of an application to a subset of users or servers and monitoring its performance and reliability. This way, you can test real production traffic with a gradual increase in the number of affected users.

The best option for sharing a Cloud Monitoring custom dashboard with a partner team is to provide the partner team with the dashboard URL to enable the partner team to create a copy of the dashboard. A Cloud Monitoring custom dashboard is a dashboard that allows you to create and customize charts and widgets to display metrics, logs, and traces from your Google Cloud resources and applications. You can share a custom dashboard with a partner team by providing them with the dashboard URL, which is a link that allows them to view the dashboard in their browser. The partner team can then create a copy of the dashboard in their own project by using the Copy Dashboard option. This way, they can access and modify the dashboard without affecting the original one.

https://cloud.google.com/monitoring/agent/monitoring/troubleshooting#checklist

https://cloud.google.com/build/docs/securing-builds/use-encrypted-credentials

The correct answer is A. Communicate your intent to the incident team. Perform a load analysis to determine if the remaining nodes can handle the increase in traffic offloaded from the removed node, and scale appropriately. When any new nodes report healthy, drain traffic from the unhealthy node, and remove the unhealthy node from service.

This answer follows the Google-recommended practices for incident management, as described in the Chapter 9 - Incident Response, Google SRE Book1. According to this source, some of the best practices are:

• Maintain a clear line of command. Designate clearly defined roles. Keep a working record of debugging and mitigation as you go. Declare incidents early and often.
• Communicate your intent before taking any action that might affect the service or the incident response. This helps to avoid confusion, duplication of work, or unintended consequences.
• Perform a load analysis before removing a node from the load balancer pool, as this might affect the capacity and performance of the service. Scale the pool as necessary to handle the expected load.
• Drain traffic from the unhealthy node before removing it from service, as this helps to avoid dropping requests or causing errors for users.

Answer A follows these best practices by communicating the intent to the incident team, performing a load analysis and scaling the pool, and draining traffic from the unhealthy node before removing it.

Answer B does not follow the best practice of performing a load analysis before adding or removing nodes, as this might cause overloading or underutilization of resources.

Answer C does not follow the best practice of communicating the intent before taking any action, as this might cause confusion or conflict with other responders.

Answer D does not follow the best practice of draining traffic from the unhealthy node before removing it, as this might cause errors for users.

References:

1: Chapter 9 - Incident Response, Google SRE Book

https://cloud.google.com/logging/docs/access-control

The logging.configWriter role grants permissions to create, update, and delete log exports. This is the correct role to give team members who need to export logs2.

Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure. Cloud Build can import source code from Google Cloud Storage, Cloud Source Repositories, GitHub, or Bitbucket, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives1. Cloud Build can also run integration tests as part of your build steps2.

You can use Cloud Build to run tests in a specific folder by specifying the path to the folder in the dir field of your build step3. For example, if you have a folder named tests that contains your integration tests, you can use the following build step to run them:

steps:

- name: 'gcr.io/cloud-builders/go'

args: ['test', '-v']

dir: 'tests'

Copy

You can use Cloud Build to trigger builds for every GitHub pull request by using the Cloud Build GitHub app. The app allows you to automatically build on Git pushes and pull requests and view your build results on GitHub and Google Cloud console4. You can configure the app to run builds on specific branches, tags, or paths5. For example, if you want to run builds on pull requests that target the master branch, you can use the following trigger configuration:

includedFiles:

- '**'

name: 'pull-request-trigger'

github:

name: 'my-repo'

owner: 'my-org'

pullRequest:

branch: '^master$'

Using Cloud Build to run tests in a specific folder and trigger builds for every GitHub pull request is a good way to continuously test your feature branch and ensure that all code is tested before changes are accepted. This way, you can catch any errors or bugs early and prevent them from affecting the main branch.

Using a Jenkins server for CI/CD pipelines is not a bad option, but it would require more setup and maintenance than using Cloud Build, which is fully managed by Google Cloud. Periodically running all tests in the feature branch is not as efficient as running tests for every pull request, as it may delay the feedback loop and increase the risk of conflicts or failures.

Using Cloud Build to run the tests after a pull request is merged is not a good practice, as it may introduce errors or bugs into the main branch that could have been prevented by testing before merging.

Asking the pull request reviewers to run the integration tests before approving the code is not a reliable way of ensuring code quality, as it depends on human intervention and may be prone to errors or oversights.

References:

1: Overview  |  Cloud Build Documentation  |  Google Cloud

2: Running integration tests  |  Cloud Build Documentation  |  Google Cloud

3: Build configuration overview  |  Cloud Build Documentation  |  Google Cloud

4: Building repositories from GitHub  |  Cloud Build Documentation  |  Google Cloud

5: Creating GitHub app triggers  |  Cloud Build Documentation  |  Google Cloud

A change advisory board (CAB) is a traditional way of approving changes to a service, but it can slow down the software delivery performance and introduce bottlenecks. A better way to improve the speed and quality of changes is to use a peer-review based process for individual changes that is enforced at code check-in time and supported by automated tests. This way, developers can get fast feedback on the impact of their changes and catch any errors or bugs before they reach production. Additionally, the team’s development platform should enable developers to get fast feedback on the impact of their changes, such as using Cloud Code, Cloud Build, or Cloud Debugger.

https://cloud.google.com/monitoring/access-control

The best option for implementing a scalable solution to support global Prometheus querying and minimize management overhead is to use Google Cloud Managed Service for Prometheus. Google Cloud Managed Service for Prometheus is a fully managed service that allows you to collect, query, and visualize metrics from your GKE clusters using Prometheus-based tooling. You can use Google Cloud Managed Service for Prometheus to query metrics across multiple clusters and regions using a global view. You can also use Google Cloud Managed Service for Prometheus to integrate with other Google Cloud services, such as Cloud Monitoring, Cloud Logging, and BigQuery. By using Google Cloud Managed Service for Prometheus, you can avoid managing and scaling your own Prometheus servers and focus on your application performance.

https://cloud.google.com/architecture/automated-canary-analysis-kubernetes-engine-spinnaker

https://spinnaker.io/guides/user/canary/best-practices/#compare-canary-against-baseline-not-against-production

The best option for storing all logs for one year and minimizing required code changes is to create a logs bucket and logging sink, set the retention on the logs bucket to 365 days, configure the logging sink to send logs to the bucket, and give your client access to the bucket to retrieve the logs. A logs bucket is a Cloud Storage bucket that is used to store logs from Cloud Logging. A logging sink is a resource that defines where log entries are sent, such as a logs bucket, BigQuery dataset, or Pub/Sub topic. You can create a logs bucket and logging sink in Cloud Logging and set the retention on the logs bucket to 365 days. This way, you can ensure that all logs are stored for one year and protected from deletion. You can also configure the logging sink to send logs from Cloud Run and Cloud Functions to the logs bucket without any code changes. You can then give your client access to the logs bucket by using IAM policies or signed URLs.

Scaling App Engine scales the number of instances automatically in response to processing volume. This scaling factors in the automatic_scaling settings that are provided on a per-version basis in the configuration file. A service with basic scaling is configured by setting the maximum number of instances in the max_instances parameter of the basic_scaling setting. The number of live instances scales with the processing volume. You configure the number of instances of each version in that service's configuration file. The number of instances usually corresponds to the size of a dataset being held in memory or the desired throughput for offline work. You can adjust the number of instances of a manually-scaled version very quickly, without stopping instances that are currently running, using the Modules API set_num_instances function. https://cloud.google.com/appengine/docs/standard/python/how-instances-are-managed

https://cloud.google.com/appengine/docs/standard/python/config/appref

max_idle_instances Optional. The maximum number of idle instances that App Engine should maintain for this version. Specify a value from 1 to 1000. If not specified, the default value is automatic, which means App Engine will manage the number of idle instances. Keep the following in mind: A high maximum reduces the number of idle instances more gradually when load levels return to normal after a spike. This helps your application maintain steady performance through fluctuations in request load, but also raises the number of idle instances (and consequent running costs) during such periods of heavy load.

"After making a change in the Cloud Build YAML configuration, you notice that no new artifacts are being built by the pipeline"- means something wrong on the recent change not with the image registry.

The correct answer is B. Store the password in Secret Manager and mount the secret as a volume within the application.

Secret Manager is a service that allows you to securely store and manage sensitive data such as passwords, API keys, certificates, and tokens. You can use Secret Manager to rotate your secrets automatically or manually, and access them from your Cloud Run applications1.

There are two ways to use secrets from Secret Manager in Cloud Run:

• As environment variables: You can set environment variables that point to secrets in Secret Manager. Cloud Run will resolve the secrets at runtime and inject them into the environment of your application. However, this method has some limitations, such as:
• As file system volumes: You can mount secrets from Secret Manager as files in a volume within your application. Cloud Run will create a tmpfs volume and write the secrets as files in it. This method has some advantages, such as:

Therefore, for your use case, it is better to use the second method and mount the secret as a file system volume within your application. This way, you can ensure that your application has the latest password, and you can deploy it with no downtime.

To mount a secret as a file system volume in Cloud Run, you can use the following command:

gcloud beta run deploy SERVICE --image IMAGE_URL --update-secrets=/path/to/file=secretName:version

where:

• SERVICE is the name of your Cloud Run service.
• IMAGE_URL is the URL of your container image.
• /path/to/file is the path where you want to mount the secret file in your application.
• secretName is the name of your secret in Secret Manager.
• version is the version of your secret. You can use latest to get the most recent version.3

You can also use the Cloud Console to mount secrets as file system volumes. For more details, see Mounting secrets from Secret Manager.

References:

1: Overview  |  Secret Manager Documentation  |  Google Cloud

2: Using secrets as environment variables  |  Cloud Run Documentation  |  Google Cloud

3: Mounting secrets from Secret Manager  |  Cloud Run Documentation  |  Google Cloud

https://cloud.google.com/blog/products/gcp/available-or-not-that-is-the-question-cre-life-lessons

The first thing you should do to prepare your ecommerce application for the upcoming peak traffic season is to load test the application to profile its performance for scaling. Load testing is a process of simulating high traffic or user demand on your application and measuring how it responds. Load testing can help you identify any bottlenecks, errors, or performance issues that might affect your application during the busy season1. Load testing can also help you determine the optimal scaling strategy for your application, such as horizontal scaling (adding more instances) or vertical scaling (adding more resources to each instance)2.

There are different tools and methods for load testing your ecommerce application on Google Cloud, depending on the type and complexity of your application. For example, you can use Cloud Load Balancing to distribute traffic across multiple instances of your application, and use Cloud Monitoring to measure the latency, throughput, and error rate of your application3. You can also use Cloud Functions or Cloud Run to create serverless load generators that can simulate user requests and send them to your application4. Alternatively, you can use third-party tools such as Apache JMeter or Locust to create and run load tests on your application.

By load testing your ecommerce application before the peak traffic season, you can ensure that your application is ready to handle the expected load and provide a good user experience. You can also use the results of your load tests to plan and implement other steps to prepare your application for the busy season, such as migrating to a more scalable platform, creating a Terraform configuration for deploying to additional regions, or pre-provisioning additional compute power.

References:

1: Load Testing 101: How To Test Website Performance | BlazeMeter

2: Scaling applications | Google Cloud

3: Load testing using Google Cloud | Solutions | Google Cloud

4: Serverless load testing using Cloud Functions | Solutions | Google Cloud

The best option for minimizing the number of log sinks created and ensuring that the log sinks apply to future projects is to create an aggregated log sink in the Dev and Prod folders. An aggregated log sink is a log sink that collects logs from multiple sources, such as projects, folders, or organizations. By creating an aggregated log sink in each folder, you can export log entries for development projects to dev_dataset and log entries for production projects to prod_dataset. You can also use filters to specify which logs you want to export. Additionally, by creating an aggregated log sink at the folder level, you can ensure that the log sink applies to future projects that are created under that folder.

https://cloud.google.com/architecture/continuous-delivery-toolchain-spinnaker-cloud

https://spinnaker.io/guides/user/pipeline/triggers/pubsub/

 The most efficient way to build an automated pipeline that deploys the application when the image is updated is to use Cloud Pub/Sub to trigger a Spinnaker pipeline. This way, you can leverage the built-in integration between GCR and Cloud Pub/Sub, and use Spinnaker as a continuous delivery platform for deploying your application .

The correct answer is D. Option D.

According to the DevOps best practices, a joint-ownership model for a service between the DevOps team and the Software Development team should follow these principles12:

• The DevOps team and the Software Development team should share the responsibility and collaboration for managing the service infrastructure, performing code reviews, and adopting and sharing SLOs for the service.
• The DevOps team and the Software Development team should have end-to-end ownership of the service, from design to development to deployment to operation to maintenance.
• The DevOps team and the Software Development team should use common tools and processes to facilitate communication, coordination, and feedback.
• The DevOps team and the Software Development team should align their goals and incentives with the business outcomes and customer satisfaction.

Option D is the only option that reflects these principles. Option D assigns both teams the responsibilities of managing the service infrastructure, performing code reviews, and adopting and sharing SLOs for the service. Option D also implies that both teams have end-to-end ownership of the service, as they are involved in every stage of the service lifecycle. Option D also encourages both teams to use common tools and processes, such as GitLab3, to collaborate and communicate effectively. Option D also aligns both teams with the business outcomes and customer satisfaction, as they use SLOs to measure and improve the service quality.

The other options are incorrect because they do not follow the DevOps best practices. Option A is incorrect because it assigns only the DevOps team the responsibility of managing the service infrastructure, which creates a silo between the two teams and reduces their collaboration. Option A also does not assign any responsibility for adopting and sharing SLOs for the service, which means that both teams lack a common metric for measuring and improving the service quality. Option B is incorrect because it assigns only the Software Development team the responsibility of performing code reviews, which creates a gap between the two teams and reduces their feedback. Option B also does not assign any responsibility for adopting and sharing SLOs for the service, which means that both teams lack a common metric for measuring and improving the service quality. Option C is incorrect because it assigns both teams the same responsibilities as option A and option B, which combines their drawbacks.

https://cloud.google.com/build/docs/deploying-builds/deploy-gke

https://cloud.google.com/build/docs/securing-builds/configure-user-specified-service-accounts