Google Updated Professional-Cloud-DevOps-Engineer Exam Questions and Answers by malaika

https://cloud.google.com/monitoring/agent/monitoring/troubleshooting#checklist

The correct answer is B. Create an attestation for the builds that pass the load test by using a private key stored in Cloud Key Management Service (Cloud KMS) authenticated through Workload Identity.

According to the Google Cloud documentation, Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run1. Binary Authorization uses attestations to certify that a specific image has completed a previous stage in the CI/CD pipeline, such as passing a load test2. Attestations are signed by private keys that are associated with attestors, which are entities that verify the attestations3. To follow Google-recommended practices, you should store your private keys in Cloud Key Management Service (Cloud KMS), which is a secure and scalable service for managing cryptographic keys4. You should also use Workload Identity, which is a feature that allows Kubernetes service accounts to act as Google service accounts, to authenticate to Cloud KMS and sign attestations without having to manage or expose service account keys5.

The other options are incorrect because they do not follow Google-recommended practices. Option A and option D require human intervention to sign the attestations, which is not scalable or automated. Option C exposes the service account JSON key as a Kubernetes Secret, which is less secure than using Workload Identity.

Rollback to previous stable version. Then you need to find what is causing the issue.

The best options for ensuring that the pipelines that run in the Pods have the appropriate IAM permissions to perform the Terraform deployments are to create a new Kubernetes service account and assign the service account to the Pods, and to use Workload Identity to authenticate as the Google service account. A Kubernetes service account is an identity that represents an application or a process running in a Pod. A Google service account is an identity that represents a Google Cloud resource or service. Workload Identity is a feature that allows you to bind Kubernetes service accounts to Google service accounts. By using Workload Identity, you can avoid creating and managing JSON service account keys, which are less secure and require more maintenance. You can also assign the appropriate IAM permissions to the Google service account that corresponds to the Kubernetes service account.