CCNA Pca Managing Provisioning Questions

12 of 87 questions · Page 2/2 · Pca Managing Provisioning topic · Answers revealed

76
MCQ · hard

A company runs a stateful workload on GKE that requires at most one pod per node. They want to survive a zonal failure with minimal downtime. The application can be restarted on a new node. Which configuration should they use?

A. Use a StatefulSet with pod anti-affinity required and a regional cluster
B. Use a Deployment with a PodDisruptionBudget set to maxUnavailable=0
C. Deploy a Deployment with a nodeSelector for one zone
D. Use a DaemonSet with node affinity
Answer: A

StatefulSet provides stable storage and network identity; anti-affinity ensures one pod per node; regional cluster spreads nodes across zones.

Why this answer

A StatefulSet with pod anti-affinity required ensures one pod per node. A regional cluster with nodes in multiple zones allows rescheduling in another zone. A single-zone cluster would not survive a zonal failure.

PDB limits disruption but does not handle zone failure.

77
MCQ · medium

A DevOps engineer needs to automate the deployment of a containerized application to Google Kubernetes Engine (GKE) using a CI/CD pipeline. The pipeline should build a Docker image, store it in Artifact Registry, and then deploy it to a GKE cluster. Which two Google Cloud services should be used together to achieve this?

A. Cloud Build and Cloud Run
B. Artifact Registry and GKE alone
C. Cloud Source Repositories and Compute Engine
D. Cloud Build and Cloud Deploy
Answer: D

Correct: Cloud Build builds and pushes the image, Cloud Deploy handles deployment to GKE.

Why this answer

Cloud Build can build the Docker image and push it to Artifact Registry. Cloud Deploy can then deploy the image to GKE using a delivery pipeline. Cloud Run is for serverless containers, not GKE.

Cloud Source Repositories is a code repository, not a deployment service. Compute Engine is not needed for this use case.

78
MCQ · medium

A team wants to collect and analyze logs from multiple projects into a centralized BigQuery dataset for long-term retention and SQL querying. They want to exclude health check logs to reduce costs. Which approach should they use?

A. Use Cloud Monitoring to exclude health check logs
B. Create a log metric for health check logs and filter in BigQuery
C. Create a log sink to BigQuery and add a log exclusion filter for health check logs
D. Set up a Cloud Function to delete health check logs from BigQuery
Answer: C

Log sinks export logs to a destination; exclusion filters prevent matching logs from being ingested or exported.

Why this answer

Log sinks can route logs to BigQuery, and exclusion filters can be applied to filter out specific logs before they are ingested.

79
Multi-Select · medium

A data engineering team wants to ingest streaming data from Pub/Sub, transform it using Apache Beam, and load it into BigQuery for real-time analytics. They need a fully managed solution that handles autoscaling and does not require managing servers. Which TWO Google Cloud services should they use?

Select 2 answers
A. Cloud Dataproc
B. Cloud Dataflow
C. Cloud Dataprep
D. Cloud Composer
E. Cloud Pub/Sub
Answers: B, E

Dataflow runs Beam pipelines with autoscaling and serverless processing.

Why this answer

Dataflow is the fully managed service for executing Apache Beam pipelines, with autoscaling and serverless execution. Pub/Sub is the ingestion service. Cloud Composer is Airflow, not streaming; Dataproc is for Spark/Hadoop; Dataprep is for data preparation.

80
MCQ · medium

A company uses Cloud Deploy for continuous delivery. They have a delivery pipeline with multiple targets: dev, staging, and prod. They want to require manual approval before deploying to prod. How should they configure this?

A. Add a Cloud Build trigger that pauses and waits for approval
B. Use IAM conditions to restrict deployment to prod
C. Configure an approval gate on the prod target in the delivery pipeline
D. Set up a Pub/Sub notification and a Cloud Function to approve
Answer: C

Approval gates are natively supported in Cloud Deploy delivery pipelines.

Why this answer

Approval gates in Cloud Deploy are configured as phases within a delivery pipeline, where a required approval step blocks progression until manually approved.

81
MCQ · hard

A team wants to enforce that only container images signed by their CI/CD system can be deployed to GKE. They have enabled Binary Authorization with a policy that requires an attestor. What additional step must they take to bind the attestor to the image signing process?

A. Create a Container Analysis note and grant the attestor service account the containeranalysis.notes.attacher role
B. Add the attestor to the Binary Authorization policy as a required attestor
C. Create a Cloud Build step that signs the image and stores the signature in Cloud Storage
D. Configure the GKE cluster to require Binary Authorization with the --no-enforce flag
Answer: A

This binds the attestor to the Container Analysis note, allowing it to create attestations for signed images.

Why this answer

After creating the attestor, you must create an AttestationAuthority note in Container Analysis and grant the attestor service account permission to bind attestations. Configuring Cloud Build to sign images is part of the process but not the binding step.

82
MCQ · hard

An organization wants to export their Cloud Logging logs to a centralized BigQuery dataset for long-term analysis. They also need to exclude logs from a specific source (e.g., a test project) to reduce costs. How should they set this up?

A. Disable logging in the test project
B. Create a log sink to BigQuery and add a log exclusion filter that excludes the test project's logs
C. Create two separate sinks: one for production logs to BigQuery and another for test logs to Cloud Storage
D. Create a log sink to BigQuery and use IAM to restrict access to the test project's logs
Answer: B

Exclusion filters can be applied to the sink or the log bucket to drop certain logs.

Why this answer

A log sink exports logs to BigQuery. To exclude logs from a test project, create a log exclusion filter that matches the test project's logs and apply it to the sink or the project's logs bucket.

83
Multi-Select · hard

A company runs a web application on Google Kubernetes Engine (GKE) that experiences sudden spikes in traffic. They need to automatically scale the number of pods and also ensure that the cluster itself can scale by adding new nodes when needed. Which THREE components should they configure to achieve this?

Select 2 answers
A. Cluster Autoscaler
B. Vertical Pod Autoscaler (VPA)
C. Horizontal Pod Autoscaler (HPA)
D. Node Auto-Repair
E. Pod Disruption Budget (PDB)
Answers: A, C

Cluster Autoscaler adds or removes nodes as needed when pods are pending.

Why this answer

Horizontal Pod Autoscaler (HPA) scales the number of pods based on CPU/memory or custom metrics. Cluster Autoscaler adds or removes nodes to accommodate pod scheduling. Vertical Pod Autoscaler (VPA) adjusts pod resource requests, but does not scale pods or nodes.

Pod Disruption Budget protects pods during voluntary disruptions. Node Auto-Repair is for health maintenance, not scaling.

84
Multi-Select · easy

A cloud architect needs to implement a CI/CD pipeline for a team developing a Python-based microservice. The team uses GitHub as their source repository. The pipeline should automatically run unit tests and deploy the service to Cloud Run when changes are pushed to the main branch. Which THREE Google Cloud services should they use?

Select 3 answers
A. Artifact Registry
B. Cloud Run
C. Cloud Deploy
D. Cloud Source Repositories
E. Cloud Build
Answers: A, B, E

Artifact Registry stores the container image built by Cloud Build.

Why this answer

Cloud Build can connect to GitHub via triggers to run tests and build a container image. Artifact Registry stores the image. Cloud Run deploys the container.

Cloud Deploy is for GKE and other platforms, not Cloud Run directly. Cloud Functions is serverless but not for containers. Cloud Source Repositories is Google's own git, not GitHub.

85
MCQ · medium

A company uses Cloud Deployment Manager to manage infrastructure. They want to roll back to a previous deployment state after a failed update. What is the recommended approach?

A. Use gcloud deployment-manager deployments rollback --deployment <name>
B. Use the --update-policy=PARTIAL flag to selectively revert changes
C. Delete the deployment and recreate it from the previous template
D. Run gcloud deployment-manager deployments update --config <previous_manifest>
Answer: D

This updates the deployment to the configuration defined in the previous manifest, effectively rolling back.

Why this answer

Deployment Manager stores the deployment manifests. You can use an update with a previous manifest to revert to a known good state. Deleting and recreating is not a rollback.

Partial updates are not supported directly.

86
Multi-Select · medium

A team is building a CI/CD pipeline for a Java application that will run on GKE. They want to automatically build the application, run unit tests, create a Docker image, push it to Artifact Registry, and deploy to GKE. Which two GCP services should be combined? (Choose two.)

Select 2 answers
A. Cloud Functions
B. Compute Engine
C. Cloud Run
D. Cloud Deploy
E. Cloud Build
Answers: D, E

Cloud Deploy can manage delivery pipelines to deploy to GKE.

Why this answer

Cloud Build handles the build and test steps, builds the Docker image, and pushes to Artifact Registry. Cloud Deploy manages the deployment to GKE. Cloud Run is serverless; Cloud Functions is event-driven; Compute Engine is VMs.

87
MCQ · hard

A company has a GKE cluster with Workload Identity enabled. A pod needs to access a BigQuery dataset in a different project. The team has created a service account in the pod's project and granted it BigQuery Data Viewer on the dataset. They also created an IAM policy binding between the Kubernetes service account and the Google service account. The pod still gets permission denied. What is missing?

A. The Google service account needs the iam.workloadIdentityUser role on itself
B. The Kubernetes service account needs the iam.workloadIdentityUser role
C. The pod needs a node pool with Workload Identity enabled
D. The BigQuery dataset must be in the same project as the cluster
Answer: A

This role allows the Kubernetes service account to impersonate the Google service account.

Why this answer

Workload Identity requires the Google service account to be granted the iam.workloadIdentityUser role on the Google service account itself, not just on the Kubernetes service account.
