Exam Professional Cloud DevOps Engineer topic 1 question 175 discussion

Actual exam question from Google's Professional Cloud DevOps Engineer
Question #: 175
Topic #: 1

You are designing a new multi-tenant Google Kubernetes Engine (GKE) cluster for a customer. Your customer is concerned with the risks associated with long-lived credentials use. The customer requires that each GKE workload has the minimum Identity and Access Management (IAM) permissions set following the principle of least privilege (PoLP). You need to design an IAM impersonation solution while following Google-recommended practices. What should you do?

  • A. 1. Create a Google service account.
    2. Create a node pool, and set the Google service account as the default identity.
    3. Ensure that workloads can only run on the designated node pool by using node selectors, taints, and tolerations.
    4. Repeat for each workload.
  • B. 1. Create a Google service account.
    2. Create a node pool without taints, and set the Google service account as the default identity.
    3. Grant IAM permissions to the Google service account.
  • C. 1. Create a Google service account.
    2. Create a Kubernetes service account in a Workload Identity-enabled cluster.
    3. Link the Google service account with the Kubernetes service account by using the roles/iam.workloadIdentityUser role and iam.gke.io/gcp-service-account annotation.
    4. Map the Kubernetes service account to the workload.
    5. Repeat for each workload.
  • D. 1. Create a Google service account.
    2. Create a service account key for the Google service account.
    3. Create a Kubernetes secret with a service account key.
    4. Ensure that workload mounts the secret and set the GOOGLE_APPLICATION_CREDENTIALS environment variable to point at the mount path.
    5. Repeat for each workload.
Suggested Answer: C
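Option C in shell form, as an added example that is not taken from the exam page or from Google's documentation. It assumes a cluster created or updated with `--workload-pool=PROJECT_ID.svc.id.goog`, and the project, namespace, account names and the granted role (`roles/storage.objectViewer`) are placeholders. With the default `DRY_RUN=1` the script prints the `gcloud` and `kubectl` commands instead of running them, so the linkage can be reviewed offline; the part most often got wrong in practice is the exact member string `serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]`, which is why it is built by its own function.

```shell
#!/bin/sh
# Added example for option C (Workload Identity). Not code from the exam page or
# Google's docs; project, namespace, account names and role are assumed placeholders.
# DRY_RUN=1 (default) prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# E-mail of a Google service account (GSA): <name>@<project>.iam.gserviceaccount.com
gsa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"
}

# The IAM principal that represents one Kubernetes service account (KSA) in one
# namespace. A typo here makes the workloadIdentityUser binding silently useless.
wi_member() {
  printf 'serviceAccount:%s.svc.id.goog[%s/%s]' "$1" "$2" "$3"
}

# KSA manifest with the annotation that tells the GKE metadata server which GSA
# the pod may impersonate (the declarative form of the kubectl annotate step).
ksa_manifest() {
  ksa="$1"; ns="$2"; gsa="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${ksa}
  namespace: ${ns}
  annotations:
    iam.gke.io/gcp-service-account: ${gsa}
EOF
}

# Link one workload: GSA with one narrow role, KSA allowed to impersonate that GSA,
# annotation on the KSA. Repeat per workload so tenants never share an identity.
wi_bind() {
  project="$1"; ns="$2"; ksa="$3"; gsa_name="$4"; role="$5"
  gsa="$(gsa_email "$gsa_name" "$project")"
  run gcloud iam service-accounts create "$gsa_name" --project="$project"
  # Least privilege: the GSA gets only the role this one workload needs.
  run gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:${gsa}" --role="$role"
  run kubectl create serviceaccount "$ksa" --namespace "$ns"
  # Only this KSA may impersonate the GSA; no service account key is created.
  run gcloud iam service-accounts add-iam-policy-binding "$gsa" \
    --project="$project" \
    --role=roles/iam.workloadIdentityUser \
    --member="$(wi_member "$project" "$ns" "$ksa")"
  run kubectl annotate serviceaccount "$ksa" --namespace "$ns" \
    "iam.gke.io/gcp-service-account=${gsa}"
}

# Demo with assumed names; under DRY_RUN=1 this only prints what would run.
wi_bind "my-project" "payments" "payments-api" "payments-api-gsa" "roles/storage.objectViewer"
ksa_manifest "payments-api" "payments" "$(gsa_email payments-api-gsa my-project)"
```

The workload's pod spec then sets `serviceAccountName: payments-api` and, on a Standard cluster, `nodeSelector: iam.gke.io/gke-metadata-server-enabled: "true"`; the pod obtains short-lived tokens for the GSA from the metadata server, so nothing long-lived exists to leak or rotate, which is the difference from option D's mounted key.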

Comments

cachopo
1 month, 3 weeks ago
Selected Answer: C
The recommended solution is to create a Google service account, create a Kubernetes service account in a Workload Identity-enabled cluster, and link the Google service account with the Kubernetes service account using the roles/iam.workloadIdentityUser role and the iam.gke.io/gcp-service-account annotation. By following these steps, workloads can impersonate the Google service account with the minimum IAM permissions required, ensuring the principle of least privilege (PoLP) is followed. This approach is the most secure and efficient method for enabling workload IAM impersonation in GKE while reducing the risks associated with long-lived credentials.
upvoted 1 times
cachopo
1 month, 3 weeks ago
A: While creating a Google service account and setting it as the default identity for a node pool is a valid approach for node identity management, it does not address workload-specific IAM impersonation. This setup would apply the service account to all workloads running on the node pool, potentially granting excessive permissions to workloads that don't need them. It lacks the fine-grained control provided by Workload Identity.
upvoted 1 times
cachopo
1 month, 3 weeks ago
B: This option is similar to A but without using taints and tolerations. While it provides the ability to use a Google service account for workloads, it still applies the same permissions to all workloads in the node pool and does not offer the fine-grained, workload-specific IAM permissions that Workload Identity provides.
upvoted 1 times
Mileke
2 months ago
Selected Answer: C
This is the correct order of steps to be taken to perform service account impersonation using Workload Identity. Doc: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other