Google Cloud Professional Cloud Security Engineer — Question 52
For compliance reasons, an organization needs to ensure that in-scope PCI Kubernetes Pods reside on `in-scope` Nodes only. These Nodes can only contain the `in-scope` Pods.
How should the organization achieve this objective?
Answer options
- A. Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.
- B. Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.
- C. Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.
- D. Run all in-scope Pods in the namespace "in-scope-pci".
Correct answer: C
Explanation
The correct answer is C because applying a taint with NoSchedule ensures that only Pods with a matching toleration can be scheduled on those Nodes, effectively isolating in-scope Pods. Option A does not enforce exclusivity since Pods could still be scheduled on other Nodes. Option B does not guarantee that Pods will only run on the labeled Nodes without additional constraints. Option D does not address the Node restrictions, as Pods could still be deployed on non-compliant Nodes.
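To make the scheduling behaviour behind option C concrete, here is an added example (not part of the exam page) that models the two Kubernetes scheduler checks involved, taint/toleration matching and `nodeSelector` matching, and runs them over a constructed two-node cluster. It goes slightly beyond option C by also giving the in-scope Pod a `nodeSelector`: the taint keeps other Pods off the in-scope Node, while the selector keeps the in-scope Pod from landing anywhere else, which together cover both requirements in the question. Node names, labels and Pod names are hypothetical.

```python
# Added example: a minimal model of two Kubernetes scheduling predicates
# (PodToleratesNodeTaints and nodeSelector) applied to constructed specs.
# It is not Kubernetes code; it mirrors the documented matching rules.

def tolerates(pod_tolerations, taint):
    """True if any toleration matches the taint (Equal or Exists operator)."""
    for tol in pod_tolerations:
        # An empty effect matches every effect; otherwise effects must agree.
        if tol.get("effect") not in (None, "", taint["effect"]):
            continue
        op = tol.get("operator", "Equal")
        if op == "Exists":
            # Exists with an empty key tolerates every taint.
            if tol.get("key") in (None, "", taint["key"]):
                return True
        elif tol.get("key") == taint["key"] and tol.get("value") == taint["value"]:
            return True
    return False

def schedulable_nodes(pod, nodes):
    """Return names of the nodes where the pod passes both predicates."""
    out = []
    for node in nodes:
        # nodeSelector: every requested label must be present with that value.
        if any(node["labels"].get(k) != v for k, v in pod.get("nodeSelector", {}).items()):
            continue
        # Taints: every NoSchedule/NoExecute taint must be tolerated by the pod.
        if any(t["effect"] in ("NoSchedule", "NoExecute")
               and not tolerates(pod.get("tolerations", []), t)
               for t in node["taints"]):
            continue
        out.append(node["name"])
    return out

# Constructed cluster: one labelled and tainted in-scope node, one general node.
NODES = [
    {"name": "node-pci", "labels": {"inscope": "true"},
     "taints": [{"key": "inscope", "value": "true", "effect": "NoSchedule"}]},
    {"name": "node-general", "labels": {}, "taints": []},
]
PCI_TOLERATION = [{"key": "inscope", "operator": "Equal",
                   "value": "true", "effect": "NoSchedule"}]

# Option C alone: the toleration lets the in-scope pod onto the tainted node,
# but nothing yet stops it from also being placed on the general node.
POD_TOLERATION_ONLY = {"name": "pci-app", "tolerations": PCI_TOLERATION}
# Toleration plus nodeSelector: the in-scope pod can only land on node-pci.
POD_TOLERATION_AND_SELECTOR = {"name": "pci-app", "tolerations": PCI_TOLERATION,
                               "nodeSelector": {"inscope": "true"}}
# An out-of-scope pod with no toleration is repelled by the taint.
POD_OUT_OF_SCOPE = {"name": "web", "tolerations": []}
```

The useful check for a reviewer is the second case: only the combination of a tolerated taint and a selector satisfies both "in-scope Pods reside on in-scope Nodes only" and "those Nodes contain only in-scope Pods".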