Google Cloud Professional Cloud Security Engineer — Question 205
Your organization is planning to deploy a large number of Google Kubernetes Engine (GKE) clusters to run business applications in different folders and projects. You must ensure that all GKE nodes always run the latest release to minimize vulnerability risk and administrative effort. What should you do?
Answer options
- A. After creating clusters, use the Google Cloud console gcloud container node-pools describe NODE_POOL_NAME --cluster=CLUSTER_NAME command. Examine the upgradeSettings and UpdateInfo output.
- B. Create a custom organization policy constraint resource.management.autoUpgrade == true with an action type of ALLOW at the organization level before deployment.
- C. Create a new node pool with the newer version for each cluster. Migrate the workload. Eliminate the outdated node pool.
- D. Manually run the Google Cloud console gcloud container clusters upgrade CLUSTER_NAME --node-pool=NODE_POOL_NAME --cluster-version VERSION command on newly created clusters regularly.
Correct answer: B
Explanation
Option B is correct because a custom organization policy constraint that requires autoUpgrade to be true is enforced on every GKE cluster created under the organization, regardless of folder or project, so all nodes are upgraded to the latest version automatically; this reduces vulnerability exposure and removes the need for per-cluster administration. Option A only inspects a node pool's upgrade settings and enforces nothing. Options C and D depend on an administrator performing each upgrade manually, which does not meet the requirement to minimize administrative effort.