Google Cloud Professional Cloud Network Engineer — Question 222
As part of your organization's modernization efforts, the application teams are migrating services to GKE on Google Cloud (GKE). The GKE clusters will live in service projects. The teams have validated the applications and configurations in their sandbox projects. When moving to production, you noticed that GKE nodes were not being created. Users were able to create Compute Engine instances, but the operation failed when they tried to create a GKE cluster. You need to enable the application teams so they can create said GKE clusters. What should you do?
Answer options
- A. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the host project.
- B. Ensure that the service project's GKE service account has the compute.securityAdmin, container.hostServiceAgentUser and compute.networkUser IAM permissions in the service project.
- C. Ensure that the service project's GKE service account has the compute.networkUser IAM permission in the service project.
- D. Review the firewall rules configuration in the VPC. Identify what rule is blocking node creation.
Correct answer: A
Explanation
The correct answer is A. In a Shared VPC setup, the service project's GKE service account (the Kubernetes Engine service agent) creates nodes on subnets that belong to the host project, so it needs compute.securityAdmin, container.hostServiceAgentUser, and compute.networkUser granted in the host project, not in the service project. That also explains the symptom: users can create Compute Engine instances in the service project, but GKE node creation fails because the service agent lacks rights on the host project's network. Options B and C grant the permissions only in the service project, which is insufficient for GKE cluster creation. Option D, while useful for troubleshooting connectivity, does not address the missing permissions that prevent GKE nodes from being created.