Medium PCDE practice questions
Applied — put a concept to work in a realistic situation. 141 medium questions available — no sign-up, always free.
Your team builds container images in Cloud Build and pushes them to Artifact Registry. Security requires that every image be automatically scanned for OS-level vulnerabilities as soon as it is stored, and that developers be able to query the findings without running any additional scanning jobs in the pipeline. You want the least-effort, native approach. What should you do?
You lead FinOps for a company running dozens of microservices across several GCP projects. Finance reports that last month's total spend jumped 35% with no obvious cause. Leadership wants a repeatable way to break down costs by service, SKU, project, and label, and to run ad hoc queries to pinpoint which resources drove the spike. What should you implement?
Your team runs a GKE production cluster and wants to guarantee that only container images that have passed an automated vulnerability scan and were built by your official Cloud Build pipeline can be deployed. Images built on developer laptops or without a scan must be rejected at deploy time. Which approach best meets this requirement?
Your SRE team runs a payment API on GKE with a defined SLO of 99.9% availability measured over a 28-day rolling window. Developers push changes frequently, and leadership wants to maximize release velocity without endangering the SLO. During a new rollout, you want an automated mechanism that decides whether to continue promoting a release based on the release's real impact on the service's reliability signals, halting before the error budget is materially consumed. Which approach best balances change velocity and reliability?
A retail company runs an e-commerce API on a Compute Engine managed instance group behind an external HTTP(S) load balancer. During periodic bot-driven traffic surges, the backend autoscaler adds many VMs to absorb the load, causing large unexpected compute spikes on the monthly bill even though the surge traffic is malicious and returns no revenue. The team wants to reduce cost during these events without degrading legitimate customer performance. What should they implement?
Your team uses Cloud Build to build container images that are pushed to a Docker repository in Artifact Registry. After a recent incident, an engineer accidentally re-pushed a new image using an existing tag (v1.4.2) that had already been deployed to production, causing confusion about which binary was actually running. You need to guarantee that once a tagged image is published, that exact tag can never be overwritten by a later push, while still allowing new tags. What should you do?
Your team's Cloud Build pipeline builds a large Java microservice. Each build downloads all Maven dependencies from scratch, and the container image is rebuilt entirely on every commit, causing builds to take over 20 minutes. You want to reduce build times without changing the application source. Which approach should you implement?
Your team hosts application source in GitHub and uses a Cloud Build trigger connected via the Cloud Build GitHub App. Developers open pull requests against the main branch. Leadership mandates that no code can be merged into main unless an automated build-and-test run has succeeded, and the merge must be blocked in the GitHub UI until that check passes. What is the correct way to enforce this?
Your team's Cloud Build pipeline compiles a Go binary and produces a container image. Currently the build succeeds but downstream Cloud Deploy releases cannot find the image, and audits show the built image is never stored in a central location. You need the build to reliably publish the container image to Artifact Registry so it can be referenced by digest in later stages. Which approach correctly ensures the image is pushed and its digest is recorded?
Your team's Cloud Build pipeline runs unit tests, three independent integration test suites, and a static code analysis scan. Currently all steps run sequentially, and the build takes 22 minutes, causing developer frustration. The three integration suites do not depend on each other, and the static analysis does not depend on any tests. You need to reduce total build time without removing any of the checks. What should you do?
Your platform team runs a single Cloud Build project that hosts triggers for dozens of application repositories. Currently all triggers execute using the default Cloud Build service account, which has broad Editor-level permissions across the project. A security audit flags this as excessive: a compromised build for one low-privilege app could push images and deploy to resources belonging to other teams. You must reduce blast radius while keeping each pipeline able to perform only the actions it needs. What should you do?
Your team uses a single Cloud Build pipeline that builds a container image, runs unit tests, pushes to Artifact Registry, and then deploys to a production GKE cluster. Compliance now requires that a human release manager explicitly approve the build before the production deployment steps run, while all earlier build and test steps continue to run automatically on every commit to main. You want the least complex change that satisfies this requirement natively in Cloud Build. What should you do?
Your team's Cloud Build pipeline runs integration tests that must connect to a Cloud SQL instance and internal microservices that only have private IP addresses inside a VPC. The default Cloud Build workers cannot reach these private resources, and security policy prohibits exposing the database or services to public IPs. You need the build's integration test step to successfully reach the private resources with minimal ongoing maintenance. What should you do?
Your security team requires that every container image built by your Cloud Build pipelines includes verifiable build provenance so that downstream consumers can confirm the image was produced by your trusted build system and has not been tampered with. You want to minimize custom scripting and use native platform capabilities. What should you do?
Your platform team runs a Cloud Build pipeline that builds container images, pushes them to Artifact Registry, and then deploys to a GKE cluster via Cloud Deploy. A recent security audit found that a developer was able to manually deploy an image that had never passed through the official build pipeline. Leadership now requires that only images produced by your trusted Cloud Build pipeline can ever be deployed to the production GKE cluster, and that this rule is enforced at admission time regardless of who or what initiates the deployment. Which approach best satisfies this requirement?
Your team maintains a Cloud Build pipeline that runs a lightweight unit-test build on every push to any branch. Separately, you need a heavier end-to-end integration suite that provisions ephemeral resources and takes about 45 minutes to run. The business requirement is that this integration suite runs automatically once every night at 02:00 against the latest commit on the main branch, without any developer having to push code or click a button. Which approach best meets this requirement?
Your team maintains a Cloud Build pipeline that builds and pushes container images to Artifact Registry. Currently a single trigger fires on every push to any branch and always tags images as 'latest'. The release manager wants a separate, repeatable release flow: when a semantic version Git tag (e.g., v1.4.2) is pushed, the pipeline should build an image tagged with that exact version string and push it to a 'release' repository, without changing the existing branch-based development builds. What is the most appropriate way to implement this?
Your team maintains a monorepo in Cloud Source Repositories containing a payment microservice. You must ensure that unit and integration tests run automatically only when a pull request targets the 'main' branch, and that a container image is built and pushed to Artifact Registry only after a commit is merged into 'main'. Developers frequently open feature branches, and you want to avoid running the full test-and-build pipeline on every feature branch push. Which approach best implements this using Cloud Build triggers?
Your team maintains a microservice that is built by a Cloud Build trigger on every merge to the main branch. Currently, an engineer manually runs 'gcloud deploy releases create' after each successful build to push the image through the dev, staging, and prod delivery pipeline. Leadership wants every successful main-branch build to automatically create a new Cloud Deploy release and begin rollout to the dev target, while preserving the existing manual approval gate before staging. What is the most appropriate way to connect the build to the delivery pipeline?
Your organization runs a Cloud Build pipeline that builds container images and pushes them to Artifact Registry. Security requires that only images verifiably produced by the trusted pipeline can be deployed to your production GKE cluster, and that no developer can manually push an arbitrary image that gets deployed. You have already enabled Binary Authorization on the cluster. What is the most appropriate way to complete the supply-chain control so that only pipeline-built images are admitted?
Your team hosts application source code in a self-managed GitLab instance running inside your corporate network, which is not one of Cloud Build's natively integrated SCM providers. You want each merge to the main branch to automatically start a Cloud Build pipeline. The GitLab server can make outbound HTTPS calls to Google Cloud APIs. Which approach lets you trigger the build while protecting the trigger endpoint from unauthorized invocation?
A media company serves large static video thumbnails and JavaScript bundles from a global external HTTP(S) Load Balancer backed by a Cloud Storage bucket. Monitoring shows high origin egress costs and elevated tail latency for users in distant regions. Cloud CDN is enabled, but the cache hit ratio is only 22%. Investigation reveals the origin responses include 'Cache-Control: no-store' on many objects and that unique query string parameters (used for analytics tracking) are appended to nearly every asset URL. What is the MOST effective way to reduce origin egress cost and improve latency?
Your team uses Cloud Deploy with a delivery pipeline spanning dev, staging, and prod targets. Currently an engineer manually promotes each release from staging to prod after it has run in staging for a while. Leadership wants releases to automatically promote from staging to prod, but only after the release has soaked in staging for at least 12 hours with no issues, while still keeping a manual approval requirement on the prod target. What should you configure?
Your team runs a payment API on GKE and uses Google Cloud Deploy for releases to production. Compliance requires that a fully provisioned copy of the new version receive synthetic transaction tests before any live customer traffic is shifted, and that traffic can be reverted to the previous version within seconds if the tests reveal a problem. Which deployment strategy configuration in Cloud Deploy best meets these requirements?
Your team uses Cloud Deploy to release a customer-facing service to a GKE production target. Leadership wants new releases rolled out to a small percentage of traffic first, automatically verified against error-rate metrics, and rolled back without human intervention if verification fails. What should you configure in the Cloud Deploy delivery pipeline?