CCNA Pcde Cicd Pipelines Questions

60 of 135 questions · Page 2/2 · Pcde Cicd Pipelines topic · Answers revealed

76
MCQmedium

An organization uses Artifact Registry to store Docker images. They want to enforce that only images that have passed vulnerability scanning and are signed can be deployed to GKE. Which two services should they use together?

A.Cloud Deploy and Cloud Run
B.Cloud Build and Artifact Registry
C.Binary Authorization and Container Scanning API
D.Security Command Center and Cloud Asset Inventory
AnswerC

Binary Authorization enforces signing; Container Analysis provides vulnerability scanning.

Why this answer

Binary Authorization enforces that only signed and verified container images can be deployed to GKE, while the Container Scanning API (now part of Artifact Analysis) performs vulnerability scanning on images stored in Artifact Registry. Together, they ensure that only images that have passed vulnerability scanning and are cryptographically signed can be deployed, meeting the organization's requirements.

Exam trap

Google often tests the distinction between services that perform an action (like scanning or signing) versus services that enforce a policy based on that action, so candidates mistakenly pick Cloud Build and Artifact Registry (Option B) because they handle scanning and storage, but they lack the enforcement mechanism that Binary Authorization provides.

How to eliminate wrong answers

Option A is wrong because Cloud Deploy is a continuous delivery service for deploying to GKE, Cloud Run, or GKE clusters, but it does not enforce vulnerability scanning or image signing; Cloud Run is a serverless compute platform, not a security enforcement service. Option B is wrong because Cloud Build is a CI/CD service that can build and push images to Artifact Registry, but it does not provide the enforcement of signed images or vulnerability scanning policies at deployment time; Artifact Registry is the storage repository, not a policy enforcement service. Option D is wrong because Security Command Center is a security and risk management platform for threat detection and compliance, and Cloud Asset Inventory provides asset metadata and history, but neither enforces image signing or vulnerability scanning policies on GKE deployments.

77
Multi-Selecthard

A team uses Skaffold for local development and CI/CD. They want to run integration tests against the deployed application before releasing to production. Which THREE Skaffold features can they use?

Select 3 answers
A.Port forwarding to access the application locally
B.Custom test via the 'test' config section
C.Skaffold deploy with --status-check to verify rollout
D.Skaffold run for end-to-end pipeline
E.Skaffold debug for interactive debugging
AnswersB, C, D

Skaffold supports custom test commands in the 'test' phase.

78
MCQmedium

You are configuring a Cloud Build pipeline that builds a Docker image, pushes it to Artifact Registry, and deploys to Cloud Run. The build requires network access to a private VPC to download dependencies. Which approach should you use to provide VPC access?

A.Add the VPC firewall rule to allow traffic from Cloud Build's default IP range.
B.Use the default Cloud Build pool and configure VPC peering in the build steps.
C.Create a Cloud Build private pool connected to the VPC, and run the build using that pool.
D.Use Cloud NAT to allow egress from the default pool to the VPC.
AnswerC

Private pools provide direct VPC connectivity.

Why this answer

Option C is correct because Cloud Build private pools provide direct VPC connectivity by running worker VMs inside a customer-managed subnet within the specified VPC. This allows the build to access private resources (e.g., dependency mirrors, internal repositories) without traversing the public internet, meeting the requirement for network access to a private VPC.

Exam trap

Cisco often tests the distinction between default and private pools, trapping candidates who assume that firewall rules or NAT can bridge the network isolation of the default pool, when in fact only a private pool provides the necessary VPC integration.

How to eliminate wrong answers

Option A is wrong because Cloud Build's default pool uses ephemeral IPs from a Google-managed range that cannot be predicted or added to VPC firewall rules; moreover, VPC firewall rules control traffic to/from VM instances, not outbound access from Cloud Build workers. Option B is wrong because the default Cloud Build pool does not support VPC peering configuration in build steps; VPC peering is a network-level setup between VPCs, not a per-build configuration. Option D is wrong because Cloud NAT enables outbound internet access from private VMs, but the default Cloud Build pool's workers are not in your VPC, so Cloud NAT cannot provide egress from them to your private VPC.

79
MCQmedium

A DevOps engineer is building a CI/CD pipeline and needs to securely pass a database password to a Cloud Build step. The password is stored in Secret Manager. What is the correct way to access it in cloudbuild.yaml?

A.Use 'gcloud secrets versions access' directly in a step's entrypoint
B.Store the password in a Cloud Storage bucket and download it during build
C.Pass the password as a build substitution variable
D.Define the secret in 'availableSecrets' and reference it via 'secretEnv' in the step
AnswerD

This is the standard method: declare the secret in availableSecrets and use secretEnv to inject it as an environment variable.

Why this answer

Cloud Build can access secrets from Secret Manager using the 'availableSecrets' and 'secretEnv' configuration. The secret is then injected as an environment variable in the build step.

80
MCQeasy

A developer wants to manually promote a release from a staging target to a production target using Cloud Deploy. Which gcloud command should they use?

A.gcloud deploy releases promote
B.gcloud deploy releases approve
C.gcloud deploy rollouts create
D.gcloud deploy targets promote
AnswerA

This command promotes a release to the next target.

Why this answer

The `gcloud deploy releases promote` command is the correct choice because Cloud Deploy uses a promotion-based model where releases are advanced through targets (e.g., staging to production) via a promote action. This command triggers the creation of a new rollout in the next target in the promotion sequence, effectively moving the release forward without manual rollout creation.

Exam trap

The trap here is that candidates confuse the promotion action with the approval action or think they need to manually create a rollout, when in fact `promote` is the dedicated command for advancing a release through the pipeline's target sequence.

How to eliminate wrong answers

Option B is wrong because `gcloud deploy releases approve` is used to approve a pending rollout, not to promote a release to the next target; promotion and approval are separate lifecycle stages. Option C is wrong because `gcloud deploy rollouts create` manually creates a rollout for a specific release and target, bypassing the automated promotion pipeline and requiring explicit target specification, which is not the intended manual promotion workflow. Option D is wrong because `gcloud deploy targets promote` is not a valid gcloud command; Cloud Deploy does not support promoting targets directly—promotion is always release-centric.

81
MCQmedium

A team uses Cloud Build to deploy a Python service to Cloud Run. They need to ensure the service uses a custom domain and only accepts HTTPS traffic. Which flags should they include in the gcloud run deploy command?

A.--ingress=internal --platform=managed
B.--ingress=all --allow-unauthenticated
C.--ingress=all --no-allow-unauthenticated
D.No flags related to custom domain; use gcloud beta run domain-mappings create separately
AnswerD

Custom domain is configured via domain mappings, not a deploy flag. HTTPS is default for Cloud Run.

Why this answer

Option D is correct because the `gcloud run deploy` command does not include flags for mapping a custom domain. Custom domain mapping is a separate step that must be performed using the `gcloud beta run domain-mappings create` command (or via the Cloud Run console). The `--ingress` flag controls traffic routing (e.g., all, internal, internal-and-cloud-load-balancing), not domain configuration, and HTTPS is enforced by default on Cloud Run services.

Exam trap

The trap here is that candidates assume the `--ingress` flag or authentication flags can also configure custom domains, when in fact domain mapping is a separate, prerequisite step that must be completed before the service responds on the custom domain.

How to eliminate wrong answers

Option A is wrong because `--ingress=internal` restricts traffic to internal sources (VPC or Cloud Run internal), which does not allow public HTTPS traffic and does not address custom domain mapping. Option B is wrong because `--ingress=all` allows all traffic, but `--allow-unauthenticated` permits unauthenticated invocations, which is unrelated to custom domain or HTTPS enforcement. Option C is wrong because `--ingress=all` and `--no-allow-unauthenticated` control ingress and authentication, respectively, but neither flag maps a custom domain or enforces HTTPS-only; HTTPS is already default on Cloud Run.

82
MCQmedium

An engineer wants to deploy a set of GCP resources (e.g., Cloud SQL, Pub/Sub topics) alongside their Kubernetes workloads using a GitOps approach with Config Connector. What is the primary benefit of using Config Connector over deploying these resources manually?

A.It automatically scales GCP resources based on load.
B.It provides a graphical UI for managing GCP resources.
C.It allows managing GCP resources using Kubernetes-style YAML, enabling version control and CI/CD for infrastructure.
D.It reduces the cost of GCP resources by using committed use discounts.
AnswerC

This is the key benefit: GitOps for GCP resources.

Why this answer

Config Connector allows you to manage GCP resources (e.g., Cloud SQL, Pub/Sub topics) using Kubernetes-style YAML manifests. This enables GitOps workflows where infrastructure definitions are stored in a Git repository, version-controlled, and automatically applied via CI/CD pipelines, ensuring consistency and auditability.

Exam trap

The trap here is that candidates may confuse Config Connector with a scaling or cost-saving tool, when its core value is infrastructure-as-code integration with Kubernetes-native GitOps workflows.

How to eliminate wrong answers

Option A is wrong because Config Connector does not automatically scale GCP resources based on load; scaling is handled by separate GCP services like autoscalers or Cloud SQL's automatic storage increase. Option B is wrong because Config Connector is a Kubernetes controller that uses YAML manifests, not a graphical UI; the GCP Console provides the UI. Option D is wrong because Config Connector does not reduce costs via committed use discounts; those are contractual commitments made directly through the GCP billing console or API, independent of the deployment tool.

83
MCQhard

A company uses Cloud Build to build and deploy microservices to GKE. Each microservice has environment-specific configurations (dev, staging, prod). They want to manage these configurations using Kustomize. How should they structure the pipeline?

A.Store all configurations in separate branches
B.Use Helm charts with different values files
C.Create separate cloudbuild.yaml files for each environment
D.Use a single cloudbuild.yaml with kustomize build command and pass the environment as a substitution
AnswerD

Kustomize build with overlays + Cloud Build substitutions is the recommended approach.

Why this answer

Kustomize allows overlays for different environments. The cloudbuild.yaml can use the kustomize builder to apply the appropriate overlay based on a substitution variable like $_ENV.

84
MCQeasy

An engineer wants to run two Cloud Build steps in parallel to speed up the build. How should they configure the cloudbuild.yaml?

A.Use two separate cloudbuild.yaml files and run them concurrently
B.Set `waitFor: ['previous']` on both steps
C.Define steps under a `parallel` key in cloudbuild.yaml
D.Set `waitFor: ['-']` on both steps and ensure they are defined sequentially in the YAML
AnswerD

Correct: `waitFor: ['-']` indicates no dependencies, so they run in parallel.

Why this answer

In Cloud Build, steps defined sequentially in the YAML run in order by default. To run two steps in parallel, you set `waitFor: ['-']` on both steps, which tells Cloud Build not to wait for any previous step. This allows them to start simultaneously.

Option D correctly describes this configuration.

Exam trap

The trap here is that candidates assume a `parallel` keyword exists (like in GitHub Actions or GitLab CI) or misunderstand `waitFor` syntax, thinking 'previous' is a valid reference, when Cloud Build requires explicit step IDs or a dash to indicate no dependency.

How to eliminate wrong answers

Option A is wrong because Cloud Build does not support running multiple cloudbuild.yaml files concurrently; you would need to trigger separate builds manually, which is not a parallel step configuration. Option B is wrong because `waitFor: ['previous']` is not a valid value; the correct syntax is `waitFor: ['step-name']` or `-` for no wait, and 'previous' would cause a syntax error or unexpected behavior. Option C is wrong because Cloud Build does not have a `parallel` key; parallelism is achieved by setting `waitFor: ['-']` on steps defined sequentially in the YAML.

85
MCQeasy

A developer wants to deploy a containerized application to Cloud Run with a requirement that the service has at least 2 instances always running to handle low-latency requests. Which flag should they use with gcloud run deploy?

A.--concurrency=2
B.--cpu-throttling
C.--min-instances=2
D.--max-instances=2
AnswerC

This sets the minimum number of instances to 2.

Why this answer

Option C is correct because the `--min-instances` flag in `gcloud run deploy` specifies the minimum number of container instances that must remain warm and ready to serve requests at all times. Setting `--min-instances=2` ensures Cloud Run keeps at least two instances always running, which eliminates cold starts and guarantees low-latency responses for incoming traffic.

Exam trap

The trap here is that candidates confuse `--min-instances` (which guarantees a baseline of running instances) with `--max-instances` (which limits scaling) or `--concurrency` (which controls per-instance request handling), leading them to pick options that address scaling limits or concurrency rather than instance availability.

How to eliminate wrong answers

Option A is wrong because `--concurrency` sets the maximum number of simultaneous requests each container instance can handle, not the number of instances; it controls request multiplexing, not instance count. Option B is wrong because `--cpu-throttling` (or its absence) controls whether CPU is throttled during idle periods, which affects instance scaling behavior but does not set a minimum instance count. Option D is wrong because `--max-instances=2` caps the maximum number of instances the service can scale to, which would prevent scaling beyond two instances but does not guarantee that at least two are always running.

86
MCQmedium

A company uses Cloud Build to build a container image with Kaniko. They want to speed up builds by caching the base image layers. Which configuration should they add to their cloudbuild.yaml?

A.Add a 'docker pull' step before the Kaniko step to pre-pull the base image.
B.Use Docker's --layer-cache flag in the build step.
C.Configure Cloud Build to use a private pool with SSD persistent disks.
D.Add '--cache=true' and '--cache-repo=us-central1-docker.pkg.dev/$PROJECT_ID/cache' to the Kaniko builder arguments.
AnswerD

This enables Kaniko cache and specifies the repository for cache storage.

Why this answer

Kaniko does not rely on the Docker daemon, so it cannot use Docker's native layer caching. Instead, Kaniko supports remote caching by pushing cached layers to a container registry. Adding `--cache=true` enables layer caching, and `--cache-repo` specifies the registry repository where cached base image layers are stored, allowing subsequent builds to reuse them and significantly reduce build time.

Exam trap

Cisco often tests the distinction between Docker-based caching (which relies on the Docker daemon) and Kaniko's registry-based caching, leading candidates to mistakenly apply Docker-specific flags or workflows to Kaniko builds.

How to eliminate wrong answers

Option A is wrong because adding a `docker pull` step before Kaniko is ineffective; Kaniko builds images without the Docker daemon, so pre-pulling with Docker does not populate Kaniko's cache. Option B is wrong because `--layer-cache` is not a valid Docker flag; Docker uses `--cache-from` for build cache, but Kaniko does not support Docker's build cache mechanism. Option C is wrong because using a private pool with SSD persistent disks improves I/O performance but does not address caching of base image layers; caching requires storing and retrieving layers from a remote repository, not local disk speed.

87
MCQhard

A team is implementing Binary Authorization for containers deployed to GKE. They want to enforce that only images signed by their CI pipeline can be deployed. The CI pipeline runs in Cloud Build. What must they configure to allow Cloud Build to sign images?

A.Use Cloud KMS to sign the image digest and store the signature in Cloud Storage.
B.Enable the Binary Authorization API and configure a policy that requires attestations.
C.Grant the Cloud Build service account the roles/containeranalysis.notes.attacher role on the project.
D.Configure a Cloud Build step to run gcloud container binauthz attestations sign command.
AnswerC

This role allows Cloud Build to create attestations. Additionally, the service account needs roles/containeranalysis.occurrences.editor to attach attestations.

Why this answer

Option C is correct because the Cloud Build service account needs the `roles/containeranalysis.notes.attacher` role to create attestations in Container Analysis. This role allows the service account to attach attestations to vulnerability notes, which are then used by Binary Authorization to verify that an image has been signed by the CI pipeline. Without this role, Cloud Build cannot create the attestations required for the Binary Authorization policy to enforce image signing.

Exam trap

Cisco often tests the misconception that enabling the Binary Authorization API and configuring a policy is sufficient, but candidates overlook that the CI pipeline's service account needs explicit IAM permissions to create attestations in Container Analysis.

How to eliminate wrong answers

Option A is wrong because Cloud KMS is used to sign the image digest, but the signature must be stored as an attestation in Container Analysis, not in Cloud Storage; storing in Cloud Storage would not integrate with Binary Authorization's attestation verification. Option B is wrong because enabling the Binary Authorization API and configuring a policy is necessary for enforcement, but it does not grant Cloud Build the ability to sign images; the service account still needs the specific role to create attestations. Option D is wrong because the `gcloud container binauthz attestations sign` command does not exist; the correct command is `gcloud container binauthz attestations create` to create an attestation, and signing is done separately using Cloud KMS or a PGP key.

88
MCQeasy

An engineer needs to create a build trigger in Cloud Build that runs every day at midnight. Which type of trigger should they use?

A.Push to branch trigger
B.Pull request trigger
C.Scheduled trigger
D.Manual trigger
AnswerC

Scheduled triggers run on a cron schedule.

Why this answer

Cloud Build supports scheduled triggers using a cron syntax. This allows running builds at specific times or intervals.

89
MCQeasy

A DevOps engineer wants to implement a GitOps workflow for a GKE cluster using a tool that automatically syncs the cluster state with a Git repository. Which Google Cloud service is designed for this purpose?

A.Cloud Run
B.Config Connector
C.Cloud Deploy
D.Config Sync
AnswerD

Config Sync is the GitOps tool for automatic sync.

Why this answer

Config Sync is the Google Cloud service specifically designed to implement a GitOps workflow for GKE clusters. It automatically synchronizes the cluster's desired state (as defined in a Git repository) with the actual cluster state, ensuring continuous reconciliation without manual intervention.

Exam trap

The trap here is confusing a deployment or CI/CD tool (like Cloud Deploy) with a GitOps sync tool, when the key differentiator is automatic, continuous reconciliation from a Git repository rather than one-time or event-driven deployments.

How to eliminate wrong answers

Option A is wrong because Cloud Run is a serverless compute platform for running containers, not a GitOps synchronization tool. Option B is wrong because Config Connector allows managing Google Cloud resources via Kubernetes custom resources but does not automatically sync cluster state from a Git repository. Option C is wrong because Cloud Deploy is a continuous delivery service for deploying to GKE and other targets, but it does not provide the continuous sync and drift detection that defines a GitOps workflow.

90
MCQeasy

A DevOps engineer wants to trigger a Cloud Build pipeline automatically every time a pull request is created against the main branch of a Cloud Source Repositories repository. Which type of build trigger should they configure?

A.Push trigger
B.Pull request trigger
C.Manual trigger
D.Scheduled trigger
AnswerB

Pull request triggers are designed to fire when a PR is created or updated against the specified branch.

Why this answer

Cloud Build supports pull request triggers that fire on PR creation or update. Manual triggers require human action, push triggers fire on branch commits, and scheduled triggers run on a cron schedule.

91
MCQmedium

A team uses Kustomize to manage Kubernetes manifests for multiple environments (dev, staging, prod). They have a base directory and overlays for each environment. When deploying to a cluster, they run kustomize build and pipe to kubectl apply. How can they integrate this into Cloud Build?

A.Use a build step with image gcr.io/cloud-builders/kubectl and run kustomize build . | kubectl apply -f -.
B.Use a build step with image gcr.io/cloud-builders/kubectl and run kustomize build | kubectl apply --kustomize .
C.Use a build step with image gcr.io/k8s-skaffold/skaffold and run skaffold run.
D.Use a build step with image gcr.io/cloud-builders/kustomize and run kustomize build . | kubectl apply -f -.
AnswerD

The kustomize community builder includes kustomize. The output can be piped to kubectl apply.

Why this answer

Cloud Build can use the gcr.io/k8s-skaffold/skaffold image or the gcr.io/cloud-builders/kubectl image with kustomize built in. Alternatively, they can use the gcr.io/cloud-builders/kustomize community builder.

92
MCQmedium

A DevOps engineer needs to deploy the same application to multiple GKE clusters across environments (dev, staging, prod) with environment-specific configurations. They want to use a single source of truth for Kubernetes manifests. Which approach is most suitable?

A.Use Helm charts with separate values files per environment
B.Use kubectl apply with different manifest files for each environment
C.Use Config Connector to manage GKE clusters
D.Use Kustomize with overlays for each environment
AnswerD

Kustomize overlays inherit base and override specifics, ideal for environment-specific configs.

Why this answer

Kustomize is the most suitable approach because it allows you to maintain a single base set of Kubernetes manifests and apply environment-specific overlays (dev, staging, prod) without templating. This aligns with the requirement for a single source of truth while enabling environment-specific configurations through patches and transformers, all managed natively by kubectl.

Exam trap

The trap here is that candidates often confuse Helm's templating with a single source of truth, but the question explicitly requires a single source of truth for Kubernetes manifests, not templates, making Kustomize's overlay approach the correct choice.

How to eliminate wrong answers

Option A is wrong because Helm charts introduce a templating language that can lead to complexity and drift from raw Kubernetes manifests, and separate values files still require managing a template engine, which is not a single source of truth for the manifests themselves. Option B is wrong because using different manifest files for each environment violates the single source of truth principle, leading to duplication and potential drift between environments. Option C is wrong because Config Connector is designed for managing Google Cloud resources (like GKE clusters) declaratively, not for deploying applications with environment-specific configurations to existing clusters.

93
MCQeasy

A company is using Cloud Deploy to manage releases to GKE. They want to implement a deployment strategy where the new version is rolled out to a small subset of pods and traffic is gradually shifted based on prometheus metrics. Which deployment strategy should they configure in the delivery pipeline?

A.Blue/green strategy
B.Canary strategy
C.Rolling update strategy
D.Standard strategy
AnswerB

Canary strategy allows gradual traffic shifting and can use metrics for automated promotion.

Why this answer

B is correct because a canary strategy in Cloud Deploy allows you to gradually shift traffic to the new version based on Prometheus metrics, enabling fine-grained control and automated rollback if the metrics indicate degradation. This aligns with the requirement to roll out to a small subset of pods and shift traffic based on metrics.

Exam trap

The trap here is that candidates often confuse 'canary' with 'rolling update' because both involve incremental changes, but rolling updates do not support metric-based traffic shifting or fine-grained percentage control, which is the key differentiator in Cloud Deploy.

How to eliminate wrong answers

Option A is wrong because a blue/green strategy deploys the new version to a completely separate environment (green) and then switches all traffic at once, which does not support gradual traffic shifting based on Prometheus metrics. Option C is wrong because a rolling update strategy replaces pods incrementally but does not natively support traffic splitting based on external metrics like Prometheus; it relies on Kubernetes' default rolling update behavior. Option D is wrong because 'Standard strategy' is not a recognized deployment strategy in Cloud Deploy; the valid strategies are canary, blue/green, and rolling.

94
MCQmedium

An organization wants to deploy a Cloud Run service using Cloud Deploy. They need to run a database migration script before each new revision starts serving traffic. Which Cloud Deploy feature should they use?

A.Use a Cloud Build step in the delivery pipeline
B.Configure a preDeploy hook that runs a Cloud Run Job
C.Add a manual approval gate before deployment
D.Use a postDeploy hook to run the migration after traffic is switched
AnswerB

PreDeploy hooks run before the new revision is deployed, allowing database migrations or other preparation.

Why this answer

Cloud Deploy supports deployment hooks that execute Cloud Run Jobs before (preDeploy) or after (postDeploy) a rollout. PreDeploy hooks run before the new revision starts serving traffic, making them ideal for database migrations.

95
MCQeasy

A developer wants to deploy a containerized application to Cloud Run using the command line. They need to set the maximum number of concurrent requests per container instance to 80. Which flag should they use with 'gcloud run deploy'?

A.--platform
B.--cpu-throttling
C.--max-instances
D.--concurrency
AnswerD

--concurrency sets the maximum number of concurrent requests per instance.

Why this answer

Option D is correct because the `--concurrency` flag in `gcloud run deploy` directly sets the maximum number of simultaneous requests that a single container instance can handle. By specifying `--concurrency=80`, the developer limits each instance to processing up to 80 concurrent requests, which helps control resource usage and scaling behavior in Cloud Run.

Exam trap

Cisco often tests the distinction between instance-level limits (`--max-instances`) and per-instance request limits (`--concurrency`), leading candidates to confuse scaling limits with concurrency settings.

How to eliminate wrong answers

Option A is wrong because `--platform` specifies the target platform (e.g., `managed` or `gke`) for the deployment, not the request concurrency limit. Option B is wrong because `--cpu-throttling` does not exist as a valid flag in `gcloud run deploy`; Cloud Run uses CPU throttling based on request activity, but there is no such flag to set concurrency. Option C is wrong because `--max-instances` sets the maximum number of container instances that can be created for the service, not the number of concurrent requests per instance.

96
MCQmedium

An organization is implementing Binary Authorization for GKE. They need to ensure that only container images signed by their CI system are deployed. Which service must be enabled and configured to enforce this?

A.Cloud Key Management Service (KMS)
B.Artifact Registry with Container Analysis
C.Binary Authorization attestor and policy
D.Cloud Build service account with 'iam.serviceAccountUser' role
AnswerC

Binary Authorization uses attestors and policies to enforce that only signed images are deployed.

Why this answer

Binary Authorization is a managed service that requires an attestor to verify signatures. The attestor is configured with a public key, and the CI system signs images with the private key.

97
Multi-Selectmedium

A DevOps team uses Cloud Build to build a multi-service application. They have three services: frontend, backend, and worker. They want to run builds for all three services in parallel to speed up the pipeline. Which of the following cloudbuild.yaml configurations are valid for achieving parallel execution? (Choose TWO).

Select 1 answer
A.Set waitFor: ['-'] on the first step and omit waitFor on the others.
B.Set waitFor: ['frontend', 'backend', 'worker'] on a subsequent step to run after all three.
C.Set waitFor: ['-'] on all three steps.
D.Use a single step with multiple entrypoints and args.
E.Define three steps (frontend, backend, worker) without any waitFor field.
AnswersC

This makes each step run immediately, i.e., in parallel.

Why this answer

Only option C is valid: setting `waitFor: ['-']` on all three steps makes them start simultaneously in parallel. Options A, B, D, and E do not achieve parallel execution; A runs only the first step immediately, B defines a dependency but not parallelism, D uses a single step, and E uses default sequential behavior. Although the question states 'Choose TWO', only one correct configuration is provided among the options.

98
MCQhard

An organization has a Cloud Deploy delivery pipeline with a canary deployment strategy to GKE. They want to automatically pause the rollout if the canary revision's error rate exceeds 5% for 5 minutes. Which feature should they use?

A.Canary deployment strategy with metric analysis
B.PreDeploy hook
C.Rollback on deploy failure
D.Manual approval gate
AnswerA

Cloud Deploy's canary strategy can use Cloud Monitoring metrics to automatically verify and progress or rollback.

Why this answer

Cloud Deploy can integrate with Cloud Monitoring metrics to automate canary verification. By defining a canary deployment strategy with metric-based analysis, the rollout can be paused or rolled back if predefined thresholds are breached.

99
MCQmedium

A company uses Cloud Deploy with a delivery pipeline that has dev, staging, and prod targets. They want to require manual approval before promoting a release to prod. How should they configure this?

A.Add an approval gate in the prod target configuration
B.Configure a postDeploy hook that requires approval
C.Use Cloud Build triggers with manual invocation for prod deployments
D.Set the prod target's deployment strategy to 'BlueGreen'
AnswerA

Cloud Deploy supports approval gates on targets; manual approval is required before promotion.

100
Multi-Selecteasy

A developer needs to deploy a containerized application to Cloud Run using the gcloud command. Which two flags are required to successfully deploy?

Select 2 answers
A.--region
B.--max-instances
C.--image
D.--concurrency
E.--ingress
AnswersA, C

Required to specify the region where the service will be deployed.

Why this answer

The gcloud run deploy command requires --image to specify the container image and --region to specify the region. Other flags like --ingress and --max-instances are optional.

101
Multi-Selecthard

A DevOps engineer is designing a CI/CD pipeline for a Cloud Run service. They need to implement a canary deployment that sends 10% of traffic to a new revision initially, then gradually increases to 100% if metrics are healthy. They also need to roll back instantly if the canary fails. Which THREE configurations should they use? (Select THREE)

Select 3 answers
A.Configure Cloud Deploy with a canary strategy and metric thresholds
B.Use tags on the new revision for testing without affecting traffic
C.Use gcloud run deploy with --no-traffic to deploy the new revision without receiving traffic
D.Use gcloud run deploy with --to-revisions to split traffic, e.g., NEW=10, OLD=90
E.Use a manual approval gate in Cloud Deploy
AnswersA, B, D

Cloud Deploy can automate canary progression with metrics and rollback.

Why this answer

Option A is correct because Cloud Deploy supports canary deployments with automated metric thresholds (e.g., latency, error rate) that control traffic progression. This allows the pipeline to gradually shift from 10% to 100% traffic based on real-time health checks, enabling automated rollback if thresholds are breached.

Exam trap

Cisco often tests the distinction between deploying a revision without traffic (Option C) and implementing a fully automated canary with metric-based progression (Option A), where candidates mistakenly think `--no-traffic` alone satisfies the gradual increase requirement.

102
Multi-Selectmedium

A team wants to implement a GitOps workflow for deploying applications to GKE. They want to use a tool that continuously reconciles the cluster state with a Git repository. Which TWO tools can they use? (Select TWO)

Select 2 answers
A.Cloud Deploy
B.Cloud Build
C.Argo CD
D.Skaffold
E.Config Sync
AnswersC, E

Argo CD is a popular GitOps operator for Kubernetes.

Why this answer

Argo CD is a declarative GitOps tool that continuously monitors a Git repository and automatically reconciles the cluster state to match the desired state defined in the repository. It directly supports the GitOps workflow requirement by polling or using webhooks to detect changes and applying them to GKE clusters.

Exam trap

Cisco often tests the distinction between CI/CD pipeline tools (Cloud Build, Cloud Deploy) and GitOps reconciliation tools (Argo CD, Config Sync), leading candidates to select Cloud Deploy or Cloud Build because they associate them with deployment automation, even though they lack continuous drift detection from a Git repository.

103
MCQmedium

A DevOps engineer is using Cloud Deploy to promote a release from staging to production. They want to require a manual approval before the release is deployed to production. What should they configure in the delivery pipeline?

A.Use a Cloud Build trigger with a manual approval step.
B.Add a preDeploy hook to the production target that runs a Cloud Run Job to send a notification.
C.Add a postDeploy hook that checks for approval.
D.Configure the production target with requireApproval: true.
AnswerD

This adds a manual approval gate. The deployment will pause until approved via Cloud Deploy console or CLI.

Why this answer

Option D is correct because Cloud Deploy natively supports manual approval gates at the target level. Setting `requireApproval: true` on the production target in the delivery pipeline configuration ensures that a release must receive explicit approval via the Cloud Deploy console or API before it can proceed to that target. This is the intended mechanism for adding a manual approval step without external services or hooks.

Exam trap

Cisco often tests the distinction between hooks (which execute code but do not pause for human input) and the native `requireApproval` setting, leading candidates to mistakenly think a preDeploy hook can implement a manual approval gate.

How to eliminate wrong answers

Option A is wrong because Cloud Build triggers are used for building and testing, not for managing deployment approvals within Cloud Deploy; manual approval in Cloud Build is a separate feature for build pipelines, not for release promotion. Option B is wrong because a preDeploy hook runs custom logic before deployment but does not pause for manual approval; it cannot block the deployment pending human sign-off. Option C is wrong because a postDeploy hook runs after deployment has already occurred, so it cannot prevent the release from being deployed to production.

104
MCQhard

A company is implementing Binary Authorization with Cloud Deploy. They want to ensure that only images signed by the CI system (using Cloud Build) are deployed to production. What must be configured?

A.Configure Artifact Registry to automatically sign images on push
B.Use Cloud Deploy's canary deployment with audit logging to verify image provenance
C.Enable Binary Authorization on the GKE cluster and configure the admission controller to use Cloud Key Management Service
D.In Cloud Build, use the `gcloud beta artifacts docker images sign` command after building the image, and set the Binary Authorization policy to require attestations from that signer
AnswerD

Correct: signing occurs in the pipeline, and policy requires attestation.

Why this answer

Option D is correct because it describes the exact workflow: Cloud Build signs the container image using the `gcloud beta artifacts docker images sign` command, which creates a cryptographic attestation stored in Cloud Key Management Service (KMS). The Binary Authorization policy is then configured to require an attestation from that specific signer (the CI system's KMS key), ensuring only images signed by the CI pipeline can be deployed to production.

Exam trap

Candidates often assume that enabling Binary Authorization on the GKE cluster alone ensures only signed images are deployed. They overlook the critical steps of actually signing the image in Cloud Build and configuring the Binary Authorization policy to require attestations from that specific KMS key signer.

How to eliminate wrong answers

Option A is wrong because Artifact Registry does not automatically sign images on push; signing is a separate, explicit step that must be performed by a trusted entity like Cloud Build. Option B is wrong because canary deployment and audit logging verify deployment behavior and provenance, but they do not enforce cryptographic attestation or prevent unsigned images from being deployed. Option C is wrong because while enabling Binary Authorization on the GKE cluster is necessary, simply configuring the admission controller to use Cloud KMS is insufficient; the policy must specifically require attestations from a known signer, and the images must be signed by that signer.

105
Multi-Selectmedium

Which THREE are valid Cloud Deploy deployment strategies? (Choose three.)

Select 3 answers
A.Rolling update
B.Blue/Green
C.Shadow
D.Standard
E.Canary
AnswersB, D, E

Blue/Green switches between two environments.

Why this answer

Option B (Blue/Green) is a valid Cloud Deploy deployment strategy because it allows you to run two separate environments (blue and green) and switch traffic between them, enabling instant rollback and zero-downtime deployments. Cloud Deploy natively supports Blue/Green deployments via its Skaffold-based pipeline, where you can define target environments and use load balancer switching to shift traffic. This strategy is particularly useful for critical production services where risk mitigation is paramount.

Exam trap

Cisco often tests the distinction between Cloud Deploy's native strategies and generic Kubernetes deployment methods, so the trap here is that candidates might confuse 'Rolling update' (a Kubernetes-native update method) with a Cloud Deploy strategy, or assume 'Shadow' is a valid strategy due to its use in service mesh testing.

106
MCQmedium

An engineer needs to create a build trigger in Cloud Build that runs tests on every pull request to the 'develop' branch. They also want to prevent the build from running if the PR is from a forked repository. What should they do?

A.Create a trigger with pull request event and branch pattern 'develop'
B.Use a separate repository for external contributions
C.Use a Cloud Build filter to ignore fork PRs
D.Add a condition in cloudbuild.yaml to skip if fork
AnswerC

Cloud Build triggers have a checkbox to ignore pull requests from forks.

Why this answer

Cloud Build triggers can be configured to ignore pull requests from forked repositories by setting the 'ignore pull request from forks' option in the trigger configuration.

107
Multi-Selectmedium

A company wants to deploy a microservice to Google Cloud. They require canary deployments with automatic rollback if error rate increases. Which TWO services should they use together?

Select 2 answers
A.Cloud Build
B.Cloud Endpoints
C.Cloud Functions
D.Cloud Deploy
E.Cloud Run
AnswersD, E

Cloud Deploy provides canary strategies with automated rollback based on metrics.

108
MCQhard

A CI/CD pipeline uses Cloud Build to build a Docker image. The Dockerfile copies dependencies from a private repository in the same VPC. The build takes a long time due to repeated downloads. How can the engineer optimize the build?

A.Use a larger machine type
B.Increase the build timeout
C.Enable Kaniko layer caching and push cache to Artifact Registry
D.Use Cloud Build's local SSD for temporary storage
AnswerC

Kaniko layer caching stores layer cache in a remote registry, speeding up builds.

Why this answer

Option C is correct because Kaniko layer caching stores intermediate Docker image layers in Artifact Registry, allowing subsequent builds to reuse cached layers instead of re-downloading dependencies from the private repository. This directly addresses the repeated downloads causing long build times, as Kaniko checks the cache before executing each RUN command in the Dockerfile.

Exam trap

The trap here is that candidates confuse increasing resources (machine type or timeout) with optimizing the build process, failing to recognize that caching is the correct approach to eliminate redundant downloads.

How to eliminate wrong answers

Option A is wrong because using a larger machine type increases CPU and memory but does not reduce the time spent downloading dependencies; the bottleneck is network I/O, not compute resources. Option B is wrong because increasing the build timeout only extends the maximum allowed duration for the build to complete, it does not optimize the build process or reduce download time. Option D is wrong because Cloud Build's local SSD provides ephemeral storage for build artifacts but does not cache Docker layers across builds; dependencies would still be downloaded fresh each time.

109
Multi-Selecthard

An engineer is configuring a Cloud Build build pool to connect to resources in a VPC network. They need to ensure the build can access a private Artifact Registry repository. Which three steps should they take?

Select 3 answers
A.Set up Private Service Connect for Artifact Registry
B.Enable public access on the Artifact Registry repository
C.Create a private build pool with the 'network' field set to the VPC network
D.Configure a Cloud NAT gateway for the VPC
E.Grant the Cloud Build service account the 'Artifact Registry Reader' role
AnswersA, C, E

Artifact Registry uses Private Service Connect to expose a private endpoint in the VPC.

Why this answer

Private pools allow builds to use a VPC network. To access private Artifact Registry, the pool must be in the same VPC as the registry endpoint (which uses Private Service Connect or VPC peering), and the service account must have permission to read from the registry.

110
MCQhard

A team is setting up a Cloud Build private pool to build Docker images that need access to resources in a VPC. After creating the private pool, builds fail with network errors. What is the most likely missing step?

A.Grant the Cloud Build service account the 'compute.networkUser' role
B.Configure Service Directory (private connection) between the pool and the VPC
C.Enable Cloud NAT on the VPC
D.Assign a public IP to the build instances
AnswerB

A private pool needs a Service Directory connection to access VPC resources.

Why this answer

Private pools require a Service Directory private connection (or VPC peering) to access VPC resources. Without that, the pool cannot reach the VPC.

111
MCQmedium

An engineer wants to cache Docker layers in Cloud Build to speed up subsequent builds. The build uses Kaniko to build images. What should they include in the cloudbuild.yaml?

A.Set `--cache=true` and `--cache-repo` in the Kaniko builder arguments
B.Add a step that runs `docker save` and `docker load`
C.Use the `docker` builder instead of Kaniko and set `--cache-from`
D.Enable Cloud Build's built-in caching by setting `cache: true` in cloudbuild.yaml
AnswerA

Correct: Kaniko's `--cache` flag caches layers in the specified repo.

Why this answer

Kaniko uses `--cache=true` and `--cache-repo` to enable layer caching in a registry.

112
MCQeasy

An engineer wants to trigger a Cloud Build pipeline automatically whenever a pull request is created against the main branch of a GitHub repository. Which type of build trigger should they configure?

A.Scheduled trigger
B.Pull request trigger
C.Manual trigger
D.Push to branch trigger
AnswerB

Pull request triggers fire when a PR is created or updated.

Why this answer

Cloud Build supports push-to-branch and pull request triggers. For pull requests, the 'Pull Request' trigger type is used, which can be scoped to a specific branch like main.

113
Multi-Selecthard

A team uses Cloud Build to build and push Docker images to Artifact Registry. They need to ensure that only images built from the main branch and signed by a trusted key can be deployed to GKE using Binary Authorization. Which THREE components must be in place?

Select 3 answers
A.A Binary Authorization attestor configured to verify the attestation key
B.A Cloud Build step that creates a signed attestation using KMS
C.A Cloud Deploy delivery pipeline with a canary strategy
D.An Artifact Registry repository configured with vulnerability scanning
E.A Binary Authorization policy that requires at least one attestation
AnswersA, B, E

The attestor holds the public key to verify attestations.

Why this answer

Option A is correct because a Binary Authorization attestor is the component that defines the trusted key(s) used to verify that an image has been signed. Without an attestor configured with the correct public key, Binary Authorization cannot validate the attestation signature, and the policy cannot enforce that only signed images are deployed.

Exam trap

Cisco often tests the misconception that vulnerability scanning or deployment strategies are part of Binary Authorization enforcement, when in fact only attestors, signed attestations, and a policy requiring attestations are the mandatory components.

114
MCQeasy

An organization is deploying a containerized application to Cloud Run. They want to gradually roll out a new revision to 10% of traffic, monitor for errors, and then fully promote if stable. Which Cloud Run feature should they use?

A.Use the --to-revisions flag with gcloud run deploy to assign traffic percentages.
B.Deploy two separate Cloud Run services and use a global load balancer.
C.Use Cloud Deploy with a canary strategy.
D.Use Cloud Load Balancing with a backend bucket to split traffic.
AnswerA

This allows sending a percentage of traffic to the new revision for canary testing.

Why this answer

The `--to-revisions` flag with `gcloud run deploy` allows you to specify traffic percentages for revisions in a single Cloud Run service. This enables a gradual rollout by sending 10% of traffic to the new revision, monitoring for errors, and then promoting it to 100% without deploying a separate service or using external load balancers.

Exam trap

Cisco often tests the distinction between native Cloud Run traffic splitting and external tools like Cloud Deploy or Load Balancers, expecting candidates to recognize that Cloud Run's built-in `--to-revisions` flag is the simplest and most direct method for gradual rollouts.

How to eliminate wrong answers

Option B is wrong because deploying two separate Cloud Run services and using a global load balancer adds unnecessary complexity and cost; Cloud Run natively supports traffic splitting between revisions within a single service, making this approach overengineered. Option C is wrong because Cloud Deploy is designed for continuous delivery to GKE or GKE Autopilot clusters, not for Cloud Run; it does not directly manage Cloud Run revision traffic splits. Option D is wrong because Cloud Load Balancing with a backend bucket is used for serving static content (e.g., from Cloud Storage), not for splitting traffic between application revisions in Cloud Run.

115
MCQmedium

An organization uses Config Sync to manage Kubernetes resources across multiple GKE clusters. They want to automatically remediate configuration drift. What must they ensure?

A.Set the Config Sync policy to 'allow-drift'
B.Enable 'sync' and set 'sync-repo' to the desired repository
C.Configure 'source-format' as 'structured'
D.Use a GitOps tool like Config Sync with 'sync-mode' set to 'force'
AnswerD

Config Sync's force mode automatically reverts any manual changes to match the repo.

Why this answer

Config Sync's 'sync-mode' set to 'force' ensures that any manual changes to the cluster (configuration drift) are automatically reverted to match the desired state defined in the Git repository. This mode overwrites any modifications made outside of Config Sync, enforcing strict reconciliation. Without 'force', Config Sync may detect drift but not automatically correct it, leaving the cluster in a non-compliant state.

Exam trap

Cisco often tests the misconception that simply enabling Config Sync with a repository (Option B) is sufficient for drift remediation, but candidates must recognize that the 'sync-mode' parameter must be explicitly set to 'force' to enforce automatic correction of unauthorized changes.

How to eliminate wrong answers

Option A is wrong because 'allow-drift' is not a valid Config Sync policy; Config Sync does not have such a setting, and allowing drift would defeat the purpose of automatic remediation. Option B is wrong because enabling 'sync' and setting 'sync-repo' only establishes the initial synchronization source but does not specify how drift should be handled; it lacks the enforcement mechanism needed for automatic remediation. Option C is wrong because 'source-format' as 'structured' refers to the format of the configuration files (e.g., using Namespace configs) and has no impact on drift remediation behavior.

116
Multi-Selectmedium

A company wants to implement a CI/CD pipeline for a multi-service application where each service is built from a separate repository. They need to run unit tests, build container images, and deploy to both Cloud Run and GKE. Which two Google Cloud services should be combined to achieve this?

Select 2 answers
A.Config Sync
B.Artifact Registry
C.Cloud Build
D.Cloud Source Repositories
E.Cloud Deploy
AnswersC, E

Cloud Build can be configured with triggers from multiple repos to build and test.

Why this answer

Cloud Build is correct because it is a fully managed CI/CD platform that can pull source code from multiple repositories (including Cloud Source Repositories, GitHub, or Bitbucket), run unit tests, build container images, and push them to Artifact Registry. Cloud Deploy is correct because it provides managed continuous delivery to both Cloud Run and GKE, supporting progressive delivery strategies like canary and blue-green deployments, and integrates directly with Cloud Build as a delivery pipeline target.

Exam trap

A common trap is selecting Artifact Registry (B) or Cloud Source Repositories (D) because they are related to storing artifacts or source code. However, the question asks for services that form the CI/CD pipeline itself. Artifact Registry is a repository for container images, not a pipeline service, and Cloud Source Repositories is a source code hosting service.

The correct combination is Cloud Build for continuous integration (testing and building) and Cloud Deploy for continuous delivery (deploying to Cloud Run and GKE).

117
MCQhard

A team uses Cloud Deploy with a delivery pipeline that deploys to GKE clusters across dev, staging, and prod targets. They want to automatically roll back a release if the canary deployment in staging fails to meet a defined service-level objective (SLO) for error rate. Which Cloud Deploy feature enables this?

A.Use preDeploy and postDeploy hooks to run Cloud Run jobs that check error rate and roll back.
B.Configure canary deployment with the '--canary-percentage' flag and enable SLO verification in the delivery pipeline.
C.Use Binary Authorization with a custom attestor that checks error rate.
D.Set an approval gate on the staging target that requires manual review.
AnswerB

Cloud Deploy supports metrics-based canary verification and automatic rollback when SLOs are not met.

Why this answer

Option B is correct because Cloud Deploy's canary deployment strategy supports SLO verification via the `--canary-percentage` flag combined with a `canaryDeployment` configuration that includes a `verify` phase. This allows the pipeline to automatically roll back the release if the canary fails to meet the defined error rate SLO, without manual intervention or external services.

Exam trap

Cisco often tests the distinction between Cloud Deploy's built-in canary SLO verification and external mechanisms like hooks or Binary Authorization, leading candidates to overcomplicate the solution when a native feature exists.

How to eliminate wrong answers

Option A is wrong because preDeploy and postDeploy hooks are designed for custom actions like running Cloud Run jobs, but they do not natively integrate with canary SLO verification or automatic rollback; they require custom scripting and lack the built-in SLO monitoring and rollback logic of Cloud Deploy's canary strategy. Option C is wrong because Binary Authorization with a custom attestor is used for verifying container image provenance and enforcing deployment policies based on attestations, not for monitoring real-time error rates during a canary deployment or triggering automatic rollbacks. Option D is wrong because an approval gate on the staging target requires manual review, which contradicts the requirement for an automatic rollback based on SLO failure; it introduces human delay and does not provide automated SLO verification.

118
Multi-Selectmedium

A company wants to enforce that only approved images from Artifact Registry can be deployed to their GKE clusters. They also want to ensure that images are scanned for vulnerabilities. Which TWO services should they use together?

Select 2 answers
A.Cloud IAM
B.Binary Authorization
C.Cloud Build
D.Container Analysis
E.Artifact Registry
AnswersB, D

Enforces that only signed/approved images are deployed.

Why this answer

Binary Authorization enforces deployment policies based on attestations; Container Analysis scans images for vulnerabilities. Artifact Registry stores images; Cloud Build builds them; IAM controls access.

119
MCQmedium

A team uses Cloud Build with a private pool to access resources in a VPC. After configuring the private pool, builds fail with a timeout error when pulling images from Artifact Registry. What is the most likely cause?

A.The Artifact Registry repository is in a different region than the private pool
B.The image name contains a typo
C.The Cloud Build service account lacks permissions to pull images from Artifact Registry
D.The private pool is not peered with the VPC that contains Artifact Registry
AnswerD

Private pools require VPC peering to access resources in the VPC; without it, network timeout occurs.

Why this answer

When using a Cloud Build private pool, the pool runs in a Google-managed environment that must be peered with your VPC to access internal resources. If the private pool is not peered with the VPC that contains Artifact Registry (which is a regional service accessible via Private Service Connect or VPC peering), the build worker cannot reach the Artifact Registry API endpoint over the private network, causing a timeout when pulling images. Option D directly addresses this missing network connectivity.

Exam trap

Cisco often tests the distinction between permission errors (which produce explicit denial messages) and network connectivity errors (which produce timeouts), tempting candidates to select IAM-related options when the symptom is a timeout.

How to eliminate wrong answers

Option A is wrong because Artifact Registry is a regional service, and a private pool can pull images from any region as long as network connectivity exists; the timeout is not caused by a region mismatch. Option B is wrong because a typo in the image name would result in an 'image not found' error, not a timeout error. Option C is wrong because insufficient permissions would produce a 'denied' or 'unauthorized' error, not a timeout; the timeout indicates a network connectivity issue, not an IAM failure.

120
MCQmedium

A company uses Cloud Build to deploy to Google Kubernetes Engine (GKE). They want to use a Helm chart stored in a Cloud Storage bucket. What should they do in the cloudbuild.yaml?

A.Use `kubectl apply -f` with the Helm chart URL
B.Use `helm repo add` with a GCS bucket URL
C.Store the chart in Artifact Registry and use `helm install` from there
D.Use the `gcloud storage cp` command to copy the chart, then run `helm upgrade`
AnswerD

Correct: download chart from GCS, then use Helm.

Why this answer

Option D is correct because Cloud Build cannot directly access a Helm chart stored in a Cloud Storage bucket. You must first copy the chart to the build environment using `gcloud storage cp`, then run `helm upgrade` to deploy it to GKE. This ensures the chart is locally available for Helm to process.

Exam trap

Cisco often tests the misconception that Helm can directly consume a chart from a URL or cloud storage without explicit download, or that `kubectl apply` can interpret Helm charts as Kubernetes manifests.

How to eliminate wrong answers

Option A is wrong because `kubectl apply -f` expects a Kubernetes manifest (YAML/JSON), not a Helm chart URL; Helm charts are not raw Kubernetes resources. Option B is wrong because `helm repo add` with a GCS bucket URL is not supported by Helm natively; Helm does not have a built-in GCS repository protocol. Option C is wrong because while Artifact Registry can host Helm charts, the question explicitly states the chart is stored in a Cloud Storage bucket, so migrating to Artifact Registry is not the required action.

121
MCQhard

An organization uses GitOps with Config Sync to manage multiple GKE clusters. They want to automatically deploy a new version of a microservice by pushing to a Git repository. Which component validates and applies the changes to the clusters?

A.Cloud Build trigger
B.Admission webhook
C.Anthos Service Mesh
D.Config Sync reconciler
AnswerD

The reconciler continuously syncs the cluster state with the Git repository.

Why this answer

Config Sync's core component is the 'reconciler', which runs in each cluster, watches the Git repo, and applies changes to ensure cluster state matches the repo. The 'admission webhook' provides validation but does not apply.

122
MCQmedium

A team uses Helm charts to deploy applications to GKE. They need to manage environment-specific configurations (e.g., dev, staging, prod) using a single chart. Which tool should they use?

A.Kustomize
B.Skaffold
C.Config Connector
D.Helm with values files
AnswerD

Helm uses values.yaml files for environment-specific overrides, making it the correct choice.

123
MCQhard

An organization uses Cloud Deploy to promote releases across dev, staging, and prod. They want to automatically run integration tests after a deployment to a Cloud Run target, before proceeding to the next stage. How should they implement this?

A.Create a separate Cloud Build trigger that runs tests after detecting the deployment
B.Use a preDeploy hook on the staging target to run tests
C.Configure a postDeploy hook on the staging target that runs a Cloud Run Job for integration tests
D.Add an approval gate after staging that requires manual test results
AnswerC

postDeploy hooks run after the deployment, suitable for running tests.

Why this answer

Cloud Deploy supports deployment hooks: custom scripts that run before (preDeploy) or after (postDeploy) a deployment. postDeploy hooks run after the target is deployed and can be implemented as Cloud Run Jobs.

124
MCQeasy

An organization wants to implement GitOps for their GKE clusters. They need to automatically sync the cluster state with a Git repository. Which Google Cloud service should they use?

A.Argo CD
B.Cloud Build
C.Config Sync
D.Cloud Source Repositories
AnswerC

Config Sync is a native GitOps solution that syncs Kubernetes resources from a Git repo to GKE clusters.

125
MCQeasy

A DevOps engineer wants to trigger a Cloud Build pipeline automatically whenever a developer pushes a new Git tag in the format 'v*.*.*'. Which trigger configuration should be used?

A.Set the trigger event to 'Push a tag' with tag regex 'v.*'.
B.Use a manual trigger invoked via gcloud builds submit --tag.
C.Set the trigger event to 'Pull request' and check the 'Ignore tags' box.
D.Set the trigger event to 'Push to a branch' with branch regex 'v*.*.*'.
AnswerA

This fires on any tag matching 'v.*' (e.g., v1.0.0).

Why this answer

Cloud Build supports tag triggers that fire when a Git tag matching a regex is pushed. This is the correct way to trigger on tag creation.

126
MCQhard

A deployment pipeline uses Cloud Deploy with canary strategy targeting Cloud Run. The engineer wants to run a data migration job before the new revision receives traffic. How should they implement this?

A.Add a postDeploy hook that runs the migration
B.Include a Cloud Build step before the deploy step
C.Add a preDeploy hook in the delivery pipeline that runs a Cloud Run job
D.Use a startup command in the Cloud Run service
AnswerC

Correct: preDeploy hooks run before the deployment.

Why this answer

Cloud Deploy supports preDeploy hooks that run Cloud Run jobs before the deployment proceeds.

127
MCQeasy

A developer needs to push a Docker image to Artifact Registry from their local machine. They have installed the gcloud CLI. Which command should they run first to authenticate Docker with Artifact Registry?

A.gcloud container clusters get-credentials
B.gcloud auth configure-docker
C.gcloud auth login
D.docker login -u oauth2accesstoken -p "$(gcloud auth print-access-token)" https://LOCATION-docker.pkg.dev
AnswerB

This updates Docker config to use gcloud's credential helper for pushing/pulling.

Why this answer

gcloud auth configure-docker configures Docker to use gcloud as a credential helper for all supported registries. gcloud auth login authenticates the user but does not configure Docker.

128
MCQeasy

A DevOps engineer wants to build a CI/CD pipeline that automatically builds and tests code every time a developer pushes a new branch to a Git repository. Which Cloud Build trigger type should they use?

A.Scheduled trigger
B.Manual trigger
C.Push to any branch trigger
D.Pull request trigger
AnswerC

This trigger fires on any branch push, including new branches.

Why this answer

Option C is correct because a 'Push to any branch' trigger in Cloud Build automatically initiates a build whenever a developer pushes code to any branch in the repository. This matches the requirement to build and test code on every new branch push, without manual intervention or branch-specific filters.

Exam trap

Cisco often tests the distinction between 'push to any branch' and 'pull request' triggers, where candidates mistakenly choose the pull request trigger because they confuse branch push events with PR creation events.

How to eliminate wrong answers

Option A is wrong because a scheduled trigger runs builds at specified times (e.g., cron-based), not in response to Git push events, so it cannot automatically build on every branch push. Option B is wrong because a manual trigger requires explicit user invocation via the console or API, defeating the automation goal of a CI/CD pipeline. Option D is wrong because a pull request trigger only fires when a pull request is created or updated, not on every branch push, and it typically targets the source branch of the PR, not all branches.

129
Multi-Selectmedium

A company is migrating CI/CD pipelines to Google Cloud. They want to deploy containerized applications to GKE using GitOps principles with Config Sync. Which two components are required? (Choose 2)

Select 2 answers
A.Artifact Registry
B.Cloud Build trigger
C.Config Sync operator (reconciler) installed on the GKE cluster
D.A Git repository containing the desired Kubernetes manifests
E.Binary Authorization
AnswersC, D

The operator is essential; it syncs the cluster state with the repo.

Why this answer

Config Sync requires a Git repository as the source of truth (source of truth) and the Config Sync operator installed on the cluster to sync. Cloud Build is not required for Config Sync itself.

130
MCQmedium

You are designing a CI/CD pipeline for a microservice application that uses feature flags to decouple deployment from release. The team wants to automatically enable a feature flag after the deployment is verified in production for a subset of users. Which tool or approach should you integrate into the pipeline to manage feature flags?

A.Embed the feature flag logic in the application code and use environment variables to enable it.
B.Use Cloud Build substitution variables to set the feature flag status at build time.
C.Use Config Sync to update a ConfigMap with the flag status.
D.Use Cloud Deploy hooks to call the LaunchDarkly API after the deployment succeeds.
AnswerD

Cloud Deploy hooks can trigger external actions, such as enabling a feature flag via API.

Why this answer

Option D is correct because it uses Cloud Deploy hooks to trigger a post-deployment action that calls the LaunchDarkly API, enabling the feature flag for a subset of users after the deployment has been verified in production. This decouples deployment from release, allowing the feature flag to be toggled dynamically without redeploying or modifying the application code.

Exam trap

Cisco often tests the distinction between build-time, deploy-time, and runtime configuration management, and the trap here is assuming that environment variables or build-time substitutions can handle post-deployment feature flag toggling, when in fact they require a new build or redeployment to take effect.

How to eliminate wrong answers

Option A is wrong because embedding feature flag logic in application code with environment variables requires a redeployment or restart to change the flag, which defeats the purpose of decoupling deployment from release and does not support gradual rollouts to a subset of users. Option B is wrong because Cloud Build substitution variables are evaluated at build time, not after deployment, so they cannot dynamically enable a feature flag based on production verification or target a subset of users. Option C is wrong because Config Sync updates a ConfigMap declaratively, but this approach typically requires a pod restart or controller reconciliation to take effect, and it does not provide the granular, real-time targeting needed for a subset of users in production.

131
Multi-Selectmedium

An organization is moving to a GitOps model for managing both application deployments and GCP infrastructure. They want to use a single tool to sync Kubernetes manifests and manage GCP resources like Cloud SQL and Pub/Sub. Which two Google Cloud services should they combine?

Select 2 answers
A.Deployment Manager
B.Cloud Build
C.Cloud Deploy
D.Config Sync
E.Config Connector
AnswersD, E

Syncs K8s manifests from Git to GKE.

Why this answer

Config Sync (D) is correct because it continuously reconciles the state of Kubernetes resources in a cluster with manifests stored in a Git repository, enabling a GitOps workflow for application deployments. Config Connector (E) is correct because it allows managing GCP resources (e.g., Cloud SQL, Pub/Sub) declaratively using Kubernetes custom resource definitions (CRDs), which can also be synced via Config Sync. Together, they provide a single Git-based toolchain for both Kubernetes and GCP infrastructure.

Exam trap

Google often tests the misconception that Cloud Build or Cloud Deploy can serve as the continuous reconciliation engine for GitOps, but they are pipeline orchestrators, not pull-based sync tools. Config Sync and Config Connector together provide the desired GitOps model for both Kubernetes and GCP resources.

132
MCQhard

A company wants to enforce Binary Authorization on images deployed to GKE. Images must be signed by an approved authority. What must be configured in the CI/CD pipeline to ensure images are signed before deployment?

A.Use cosign to sign the image in Cloud Build and store the signature in Artifact Registry
B.Add a Cloud Build step that runs gcloud container binauthz attestations create
C.Configure Cloud Deploy to sign images during the deployment process
D.Enable Container Analysis on Artifact Registry to automatically sign images
AnswerA

Signing with cosign and storing signatures in Artifact Registry is the standard way to comply with Binary Authorization.

133
MCQmedium

A team uses Skaffold for local development and wants to integrate it into their CI/CD pipeline on Cloud Build for continuous deployment to GKE. What is the recommended approach?

A.Use Cloud Build's built-in kubectl deployer
B.Run 'skaffold dev' in the Cloud Build step
C.Convert skaffold.yaml to a Helm chart
D.Use 'skaffold run' in a Cloud Build step
AnswerD

'skaffold run' builds and deploys once, suitable for CI/CD.

Why this answer

Skaffold can be run as a step in cloudbuild.yaml. It handles building, tagging, and deploying based on skaffold.yaml configuration. Using 'skaffold run' in a Cloud Build step is the standard integration.

134
MCQeasy

A developer needs to authenticate to Artifact Registry from a CI/CD pipeline that runs on Compute Engine. The pipeline does not have access to user credentials. Which authentication method should they use?

A.Configure Workload Identity on the Compute Engine VM
B.Create a service account key and store it in Cloud Storage
C.Use a personal access token in the pipeline
D.Use gcloud auth login with a user account
AnswerA

Workload Identity allows the VM to authenticate as a service without keys.

Why this answer

Workload Identity allows a Compute Engine VM to act as a service account without needing to manage keys. The VM's service account can be granted permissions to access Artifact Registry.

135
MCQmedium

An engineer configures Cloud Deploy to promote a container to production after manual approval. The deployment strategy must gradually shift traffic from the current version to the new version while monitoring error rates. Which deployment strategy should they select in the delivery pipeline?

A.Blue/green
B.Rollback
C.Canary
D.Standard
AnswerC

Canary deploys a small percentage first, then increases based on metrics and approval.

Why this answer

Canary deployment is the correct choice because it gradually shifts traffic from the current version to the new version while allowing monitoring of error rates. In Cloud Deploy, a canary strategy uses a sequence of phases (e.g., 10%, 50%, 100%) to incrementally route traffic, enabling real-time observability and automated rollback if error thresholds are breached.

Exam trap

Cisco often tests the distinction between deployment strategies by making candidates confuse canary (gradual traffic shifting with monitoring) with blue/green (instantaneous full traffic switch), so the trap here is assuming blue/green supports gradual traffic shifting when it actually flips all traffic at once.

How to eliminate wrong answers

Option A is wrong because blue/green deployment switches all traffic at once between two environments (blue and green), not gradually, and does not inherently support phased traffic shifting with error rate monitoring. Option B is wrong because rollback is not a deployment strategy but a recovery action to revert to a previous version after a failure, not a method for gradual traffic shifting. Option D is wrong because standard deployment (also known as rolling update) replaces instances incrementally but does not provide fine-grained traffic control or canary-style phased routing with error rate monitoring.

← PreviousPage 2 of 2 · 135 questions total

Ready to test yourself?

Try a timed practice session using only Pcde Cicd Pipelines questions.

CCNA Pcde Cicd Pipelines Questions — Page 2 of 2 | Courseiva