A team deploys a containerized web application on Google Kubernetes Engine (GKE) using a Deployment. They need to expose the application externally via a stable IP address and enable SSL termination. Which resource should they use?
Provides SSL termination and a stable IP via the load balancer.
Why this answer
An Ingress with a Google-managed SSL certificate is the correct choice because it provides a single stable IP address via a global forwarding rule, terminates SSL at the Google Cloud HTTP(S) load balancer, and routes traffic to the GKE Deployment. This approach offloads SSL decryption from the application pods and uses a managed certificate that auto-renews, meeting both the stable IP and SSL termination requirements.
Exam trap
Cisco often tests the misconception that a Service type LoadBalancer provides SSL termination, but it only provides L4 load balancing with a stable IP; SSL termination requires an L7 Ingress or a dedicated SSL proxy.
How to eliminate wrong answers
Option A is wrong because a HorizontalPodAutoscaler only adjusts the number of pod replicas based on CPU/memory metrics and does not expose the application externally or handle SSL termination. Option C is wrong because a Service type NodePort exposes the application on a high-port on each node's IP, which is not a stable IP address and does not provide SSL termination. Option D is wrong because a Service type LoadBalancer creates a regional TCP/UDP load balancer with an ephemeral external IP (unless static IP is manually reserved) and does not natively terminate SSL; it would require additional configuration like a separate SSL proxy or an Ingress.