Google Professional-Cloud-DevOps-Engineer - Google Cloud Certified - Professional Cloud DevOps Engineer Exam

Create log views for each project team, and only show each project team their application logs. Grant the operations team access to the _AllLogs View in the central logging project1.

This approach aligns with the Google Cloud’s recommended methodologies for Professional Cloud DevOps Engineers1. Log views allow you to create and manage access control at a finer granularity for your logs. By creating a separate log view for each project team, you can ensure that they only have access to their respective logs. The operations team, on the other hand, can be granted access to the _AllLogs view in the central logging project, allowing them to view all logs as required.

This solution not only meets the security team’s requirements but also minimizes costs as it leverages built-in features of Google Cloud’s logging and does not require exporting logs to another service like BigQuery (as suggested in option A), which could incur additional costs1.

https://cloud.google.com/logging/docs/access-control

The logging.configWriter role grants permissions to create, update, and delete log exports. This is the correct role to give team members who need to export logs2.

OOMKilled means the containers exceeded their allocated memory. Since the HPA isn't scaling up (stuck at min), this indicates the issue is not scale-related but container memory limits are too low.

"Pods terminated with OOMKilled have exceeded their memory limits. You should adjust the container's resource requests and limits."

— Kubernetes OOMKill Debug Guide

Scaling the number of replicas won't help if each replica crashes. You need to increase memory limits so pods can run reliably before autoscaling can even work.

Cloud Workstations provides a secure way to preview web applications using built-in preview links, which expose internal ports only via authenticated and authorized access — no public IP exposure required.

“To preview your app, click the preview icon in the Code OSS panel, which securely tunnels the service to your browser.”

— Cloud Workstations - Previewing your app

This adheres to Google's security best practices by avoiding public IPs or manual tunneling while enabling developer efficiency.

https://cloud.google.com/monitoring/support/notification-options#creating_channels

To configure SMS notifications, do the following:

In the SMS section, click Add new and follow the instructions. Click Save. When you set up your alerting policy, select the SMS notification type and choose a verified phone number from the list.

The best option for automating scaling by only running enough Pods and nodes for the load is to configure the Horizontal Pod Autoscaler and enable the cluster autoscaler. The Horizontal Pod Autoscaler is a feature that automatically adjusts the number of Pods in a deployment or replica set based on observed CPU utilization or custom metrics. The cluster autoscaler is a feature that automatically adjusts the size of a node pool based on the demand for node capacity. By using both features together, you can ensure that your application runs enough Pods to handle the load, and that your cluster runs enough nodes to host the Pods. This way, you can optimize your resource utilization and cost efficiency.

Creating a development environment for writing code and a test environment for configurations, experiments, and load testing is the best practice to reduce the number of bugs and outages in production and to enable testers to load test new features. This way, the production environment is isolated from changes that could affect its stability and performance.

The best option for ensuring that the three environments are consistent and following Google-recommended practices is to use Cloud Build to render and deploy the network policies and the DaemonSet, and set up Config Sync to sync the configurations for the three environments. Cloud Build is a service that executes your builds on Google Cloud infrastructure. You can use Cloud Build to render and deploy your network policies and DaemonSet as code using tools like Kustomize, Helm, or kpt. Config Sync is a feature that enables you to manage the configurations of your GKE clusters from a single source of truth, such as a Git repository. You can use Config Sync to sync the configurations for your development, staging, and production environments and ensure that they are consistent.

https://cloud.google.com/binary-authorization

Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run. With Binary Authorization, you can require images to be signed by trusted authorities during the development process and then enforce signature validation when deploying. By enforcing validation, you can gain tighter control over your container environment by ensuring only verified images are integrated into the build-and-release process.