Professional-Cloud-DevOps-Engineer Exam Dumps - Google Cloud Certified - Professional Cloud DevOps Engineer Exam

The best option for ensuring continued operations until the microservice is fixed is to add a HTTP liveness probe to the microservice’s deployment. A HTTP liveness probe is a type of probe that checks if a Pod is alive by sending an HTTP request and expecting a success response code. If the probe fails, Kubernetes will restart the Pod. You can add a HTTP liveness probe to your microservice’s deployment by using a livenessProbe field in your Pod spec. This way, you can ensure that any Pod that returns 403 errors after running for more than five hours will be restarted automatically and resume normal operations.

OOMKilled means the containers exceeded their allocated memory. Since the HPA isn't scaling up (stuck at min), this indicates the issue is not scale-related but container memory limits are too low.

"Pods terminated with OOMKilled have exceeded their memory limits. You should adjust the container's resource requests and limits."

— Kubernetes OOMKill Debug Guide

Scaling the number of replicas won't help if each replica crashes. You need to increase memory limits so pods can run reliably before autoscaling can even work.

Comprehensive and Detailed 150 to 200 words of Explanation From Google Cloud DevOps guides documents:

To maintain a secure software supply chain, Google Cloud recommends enabling On-Demand Scanning and Continuous Analysis via the Artifact Analysis API. For Artifact Registry, you should enable automatic scanning, which scans images immediately upon upload. Crucially, your requirement asks for continuous scanning of existing images. Google Cloud’s Continuous Analysis does exactly this: it monitors vulnerability databases (like the CVE list) and automatically re-scans images stored in Artifact Registry whenever new threats are discovered. This ensures that an image that was "clean" last week is flagged immediately if a new zero-day vulnerability is identified today.

To address the requirement of tracking who pushed each image, Cloud Audit Logs is the standard tool. Every action in Artifact Registry, such as v1.repositories.images.create or v1.repositories.dockerImages.import, is recorded as an Administrative Write event. By inspecting these logs, security teams can identify the specific identity (service account or user email) associated with the push event. This combination of Continuous Analysis for threat detection and Cloud Audit Logs for traceability provides a robust security posture, minimizing administrative overhead compared to manual scripting or external storage solutions (Option D).

https://sre.google/sre-book/service-level-objectives/

You want the application's SLO to more closely reflect it's observed reliability. The key here is error budget never goes over 5%. This means they can have additional downtime and still stay within their budget.

https://medium.com/velotio-perspectives/exploring-upgrade-strategies-for-stateful-sets-in-kubernetes-c02b8286f251

The best option for storing and using the API key in your application by following Google-recommended practices is to save the API key in Secret Manager as a secret and reference the secret as an environment variable in the Cloud Run application. Secret Manager is a service that allows you to store and manage sensitive data, such as API keys, passwords, and certificates, in Google Cloud. A secret is a resource that represents a logical secret, such as an API key. You can save the API key in Secret Manager as a secret and use IAM policies to control who can access it. You can also reference the secret as an environment variable in the Cloud Run application by using the ${SECRET_NAME} syntax. This way, you can securely store and use the API key in your application without exposing it in your code or configuration files.

https://www.atlassian.com/incident-management/kpis/common-metrics

https://linkedin.github.io/school-of-sre/

The best option for creating the development and production environments for each team while minimizing costs and ensuring isolation is to create a development and a production GKE cluster in separate projects, in each cluster create a Kubernetes namespace per team, and then configure Kubernetes role-based access control (RBAC) so that each team can only access its own namespace. This option allows you to use fewer clusters and projects than creating one project or cluster per team, which reduces costs and complexity. It also allows you to isolate each team’s environment by using namespaces and RBAC, which prevents teams from accessing other teams’ environments.