You are developing reusable infrastructure as code modules. Each module contains integration tests that launch the module in a test project. You are using GitHub for source control. You need to Continuously test your feature branch and ensure that all code is tested before changes are accepted. You need to implement a solution to automate the integration tests. What should you do?
Correct Answer: D
Cloud Build is a service that executes your builds on Google Cloud Platform infrastructure. Cloud Build can import source code from Google Cloud Storage, Cloud Source Repositories, GitHub, or Bitbucket, execute a build to your specifications, and produce artifacts such as Docker containers or Java archives1. Cloud Build can also run integration tests as part of your build steps2. You can use Cloud Build to run tests in a specific folder by specifying the path to the folder in the dir field of your build step3. For example, if you have a folder named tests that contains your integration tests, you can use the following build step to run them: steps: - name: 'gcr.io/cloud-builders/go' args: ['test', '-v'] dir: 'tests' Copy You can use Cloud Build to trigger builds for every GitHub pull request by using the Cloud Build GitHub app. The app allows you to automatically build on Git pushes and pull requests and view your build results on GitHub and Google Cloud console4. You can configure the app to run builds on specific branches, tags, or paths5. For example, if you want to run builds on pull requests that target the master branch, you can use the following trigger configuration: includedFiles: - '**' name: 'pull-request-trigger' github: name: 'my-repo' owner: 'my-org' pullRequest: branch: '^master$' Using Cloud Build to run tests in a specific folder and trigger builds for every GitHub pull request is a good way to continuously test your feature branch and ensure that all code is tested before changes areaccepted. This way, you can catch any errors or bugs early and prevent them from affecting the main branch. Using a Jenkins server for CI/CD pipelines is not a bad option, but it would require more setup and maintenance than using Cloud Build, which is fully managed by Google Cloud. Periodically running all tests in the feature branch is not as efficient as running tests for every pull request, as it may delay the feedback loop and increase the risk of conflicts or failures. Using Cloud Build to run the tests after a pull request is merged is not a good practice, as it may introduce errors or bugs into the main branch that could have been prevented by testing before merging. Asking the pull request reviewers to run the integration tests before approving the code is not a reliable way of ensuring code quality, as it depends on human intervention and may be prone to errors or oversights. References: 1: Overview | Cloud Build Documentation | Google Cloud 2: Running integration tests | Cloud Build Documentation | Google Cloud 3: Build configuration overview | Cloud Build Documentation | Google Cloud 4: Building repositories from GitHub | Cloud Build Documentation | Google Cloud 5: Creating GitHub app triggers | Cloud Build Documentation | Google Cloud
You use Artifact Registry to store container images built with Cloud Build. You need to ensure that all existing and new images are continuously scanned for vulnerabilities. You also want to track who pushed each image to the registry. What should you do?
Correct Answer: B
Comprehensive and Detailed 150 to 200 words of Explanation From Google Cloud DevOps guides documents: To maintain a secure software supply chain, Google Cloud recommends enabling On-Demand Scanning and Continuous Analysis via the Artifact Analysis API. For Artifact Registry, you should enable automatic scanning, which scans images immediately upon upload. Crucially, your requirement asks for continuous scanning of existing images. Google Cloud's Continuous Analysis does exactly this: it monitors vulnerability databases (like the CVE list) and automatically re-scans images stored in Artifact Registry whenever new threats are discovered. This ensures that an image that was "clean" last week is flagged immediately if a new zero-day vulnerability is identified today. To address the requirement of tracking who pushed each image, Cloud Audit Logs is the standard tool. Every action in Artifact Registry, such as v1.repositories.images.create or v1.repositories.dockerImages.import, is recorded as an Administrative Write event. By inspecting these logs, security teams can identify the specific identity (service account or user email) associated with the push event. This combination of Continuous Analysis for threat detection and Cloud Audit Logs for traceability provides a robust security posture, minimizing administrative overhead compared to manual scripting or external storage solutions (Option D).
You are configuring your CI/CD pipeline natively on Google Cloud. You want builds in a pre-production Google Kubernetes Engine (GKE) environment to be automatically load-tested before being promoted to the production GKE environment. You need to ensure that only builds that have passed this test are deployed to production. You want to follow Google-recommended practices. How should you configure this pipeline with Binary Authorization?
Correct Answer: B
The correct answer is B. Create an attestation for the builds that pass the load test by using a private key stored in Cloud Key Management Service (Cloud KMS) authenticated through Workload Identity. According to the Google Cloud documentation, Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run1. Binary Authorization uses attestations to certify that a specific image has completed a previous stage in the CI /CD pipeline, such as passing a load test2.Attestations are signed by private keys that are associated with attestors, which are entities that verify the attestations3.To follow Google-recommended practices, you should store your private keys in Cloud Key ManagementService (Cloud KMS), which is a secure and scalable service for managing cryptographic keys4.You should also use Workload Identity, which is a feature that allows Kubernetes service accounts to act as Google service accounts, to authenticate to Cloud KMS and sign attestations without having to manage or expose service account keys5. The other options are incorrect because they do not follow Google-recommended practices. Option A and option D require human intervention to sign the attestations, which is not scalable or automated. Option C exposes the service account JSON key as a Kubernetes Secret, which is less secure than using Workload Identity. Reference: Creating an attestor, Creating an attestor.Cloud Key Management Service Documentation, Overview. Attestations overview, Attestations overview.Using Workload Identity with Binary Authorization, Using Workload Identity with Binary Authorization.Binary Authorization, Binary Authorization.
Your company uses a CI/CD pipeline with Cloud Build and Artifact Registry to deploy container images to Google Kubernetes Engine (GKE). Images are tagged with the latest commit hash and promoted to production after successful testing in the development and pre-production environments. A recent production deployment caused the application to fail due to untested integration functionality, requiring a disruptive manual rollback. During the rollback, you noticed many old and unused container images accumulating in Artifact Registry. You need to improve rollout and rollback management and clean up the old container images. What should you do?
Correct Answer: C
Comprehensive and Detailed Explanation: Cloud Deploy is a GCP-native managed CI/CD tool for reliable and automated releases across environments. Artifact Registry Cleanup Policy automates image retention and deletion of old images, reducing storage costs and avoiding clutter. Rollback and rollback policies should be handled by Cloud Deploy, not manual interventions. #Why not other options? A## Cloud Build jobs for cleanup are not scalable or automated compared to Artifact Registry policies. B## Cloud Service Mesh is not related to deployment rollbacks or image cleanup. D## Cloud Deploy provides better rollback management than a custom rollback pipeline. #Official Reference: Google Cloud Deploy Overview Artifact Registry Cleanup Policy
You are developing the deployment and testing strategies for your CI/CD pipeline in Google Cloud You must be able to * Reduce the complexity of release deployments and minimize the duration of deployment rollbacks * Test real production traffic with a gradual increase in the number of affected users You want to select a deployment and testing strategy that meets your requirements What should you do?
Correct Answer: B
The best option for selecting a deployment and testing strategy that meets your requirements is to use blue /green deployment and canary testing. A blue/green deployment is a deployment strategy that involves creating two identical environments, one running the current version of the application (blue) and one running the new version of the application (green). The traffic is switched from blue to green after testing the new version, and if any issues are discovered, the traffic can be switched back to blue instantly. This way, you can reduce the complexity of release deployments and minimize the duration of deployment rollbacks. A canary testing is a testing strategy that involves releasing a new version of an application to a subset of users or servers and monitoring its performance and reliability. This way, you can test real production traffic with a gradual increase in the number of affected users.