Top GCP DevOps Questions and Answers for Freshers & Experienced [2025]

CI/CD Pipelines in GCP

1. What is Cloud Build in GCP?

• Cloud Build is a serverless CI/CD platform.
• Automates build, test, and deployment workflows.
• Uses cloudbuild.yaml for pipeline configuration.
• Integrates with Cloud Source Repositories.
• Ensures stable networking via VPC.
• Supports Docker for custom environments.

Cloud Build streamlines CI/CD for DevOps interviews.

2. Why is Cloud Build used in CI/CD pipelines?

Cloud Build provides serverless automation, integrating with GKE and Cloud Source Repositories. It scales dynamically, supports parallel builds, and secures workflows with IAM. Compared to Jenkins, it reduces infrastructure overhead. Validate pipelines in staging to demonstrate CI/CD expertise for certification interviews.

3. When do you configure Cloud Build triggers?

• Set triggers for code commits or pull requests.
• Configure branch-specific triggers in GCP Console.
• Automate builds for agile cycles.
• Validate triggers in staging.
• Monitor with Cloud Logging.
• Ensure pipeline automation.

Triggers enable efficient CI/CD for interviews.

4. Where do you store sensitive pipeline variables?

Store non-sensitive variables in cloudbuild.yaml under env. For sensitive data like API keys, use Secret Manager and reference via secretEnv. Grant secretmanager.secrets.access to the Cloud Build service account. Validate in staging and monitor with Cloud Logging to show secure pipeline skills for interviews.

5. Who designs CI/CD pipelines in DevOps teams?

• DevOps engineer designs pipelines.
• Collaborates with developers for requirements.
• Uses Cloud Build for automation.
• Validates pipelines in staging.
• Monitors with Cloud Monitoring.
• Aligns with project goals.

This role showcases CI/CD expertise for interviews.

6. Which tools integrate with Cloud Build?

Cloud Build integrates with Terraform for infrastructure, Spinnaker for multi-cloud deployments, and Ansible for configuration. Use Docker images for custom steps.

• Configure TerraformTask for IaC.
• Use Spinnaker for advanced deployments.
• Validate integrations in staging.
• Monitor with Cloud Monitoring.

This enhances CI/CD for certification.

7. How do you troubleshoot a failing Cloud Build pipeline?

• Check logs in GCP Console for errors.
• Verify cloudbuild.yaml syntax and timeouts.
• Increase machine type for resource issues.
• Inspect VPC for networking problems.
• Validate in staging.
• Monitor with Cloud Monitoring.

Scenario: A pipeline fails during testing. This shows troubleshooting skills.

8. What are Cloud Source Repositories?

Cloud Source Repositories offer version control integrated with GCP tools like Cloud Build and IAM. They simplify authentication and support private repositories. Compared to GitHub, they suit GCP-centric workflows. Validate repository access in staging to demonstrate version control skills for interviews.

9. Why implement canary deployments in Cloud Build?

• Release features to a small user subset.
• Minimize production failure risks.
• Configure for GKE pods in Cloud Build.
• Monitor with Cloud Monitoring.
• Validate in staging.
• Support progressive delivery.

Scenario: A feature risks crashes. This ensures safe deployments.

10. When do you use substitutions in Cloud Build?

Use substitutions in cloudbuild.yaml for dynamic values like environment names (_VARIABLE_NAME). They improve reusability without hardcoding. For example: substitutions: _ENV: dev. Reference in steps like echo $_ENV. Validate in staging to show automation skills for certification interviews.

11. Where do you store build artifacts?

• Use Cloud Storage with multi-region buckets.
• Configure permissions via IAM.
• Upload with gsutil cp post-build.
• Ensure global low-latency access.
• Validate in staging.
• Monitor bucket performance.

Scenario: Artifacts need global access. This supports CI/CD.

12. Who configures triggers for multi-team projects?

Scenario: Teams share a GCP project. The DevOps lead configures triggers in the GCP Console, aligning with branching strategies. They collaborate with developers for consistency.

• Define branch-specific triggers.
• Restrict permissions via IAM.
• Validate in staging.
• Monitor trigger execution.

This shows teamwork for interviews.

13. Which metrics ensure pipeline health?

• Monitor success rate in Cloud Monitoring.
• Track average build time.
• Analyze failures with RHCE scripts.
• Validate metrics in staging.
• Monitor pipeline efficiency.
• Automate metric collection.

This demonstrates observability skills.

14. How do you handle resource exhaustion in Cloud Build?

Scenario: Builds fail with "insufficient CPU". Increase machine type in cloudbuild.yaml (e.g., machineType: N1_HIGHCPU_8). Monitor with Cloud Monitoring. Scale with Terraform. Validate in staging to show resource management skills for CI/CD interviews.

15. What is Cloud Build’s role in hybrid cloud?

• Automates builds across GCP and AWS.
• Integrates with AWS via service accounts.
• Builds images for GKE or ECS.
• Ensures VPC peering for communication.
• Validates in staging.
• Monitors cross-cloud performance.

Scenario: Hybrid cloud needs automation. This supports interviews.

16. Why secure Cloud Build configurations?

Scenario: Pipelines risk data exposure. Use Secret Manager for secrets, referenced via secretEnv. Restrict permissions via IAM. Suppress logs with Cloud Logging filters. Secure networking with VPC rules. Validate in staging to show DevSecOps skills for interviews.

17. How do you optimize Cloud Build performance?

• Use dependsOn for parallel steps.
• Increase machine types for heavy tasks.
• Cache dependencies in cloudbuild.yaml.
• Validate optimizations in staging.
• Monitor with Cloud Monitoring.
• Ensure network efficiency.

Scenario: Pipelines run slowly. This shows optimization skills.

18. Which strategies prevent pipeline failures?

Scenario: Pipelines fail intermittently. Use retry policies in cloudbuild.yaml and validate dependencies. Monitor with Cloud Monitoring for trends.

• Configure retry policies in YAML.
• Validate dependencies in staging.
• Monitor failure patterns.
• Ensure robust networking.

This ensures reliable CI/CD for interviews.

GKE and Containerization

19. What is GKE in GCP?

• GKE is GCP’s managed Kubernetes service.
• Automates cluster provisioning and scaling.
• Integrates with Cloud Build for CI/CD.
• Supports observability with Cloud Monitoring.
• Uses VPC for secure networking.
• Aligns with certification requirements.

GKE streamlines Kubernetes for interviews.

20. Why use GKE for container orchestration?

GKE automates Kubernetes management, handling node upgrades and scaling. It integrates with Cloud Build and Cloud Monitoring for CI/CD and observability. Compared to self-managed Kubernetes, it reduces overhead. Validate clusters in staging to show Kubernetes skills for certification interviews.

21. When do you use GKE node pools?

• Create node pools for workload isolation.
• Use taints and tolerations for placement.
• Configure via GKE Console or gcloud.
• Validate in staging.
• Monitor node performance.
• Ensure scalability.

Scenario: Workloads need separation. This shows Kubernetes expertise.

22. Where do you configure GKE security policies?

Configure PodSecurityPolicy in GKE to restrict privileged containers. Use kubectl apply for policies, ensuring least privilege. Validate in staging to prevent unauthorized access. Monitor compliance with Cloud Monitoring to demonstrate DevSecOps skills for interviews.

23. Who manages GKE cluster upgrades?

• DevOps engineer plans upgrades.
• Uses GKE Console for scheduling.
• Coordinates with developers for downtime.
• Validates upgrades in staging.
• Monitors cluster stability.
• Prepares rollback plans.

Scenario: Upgrades risk downtime. This shows leadership for interviews.

24. Which GKE features support zero-downtime deployments?

Scenario: Deployments cause interruptions. Use rolling updates in GKE, configuring maxSurge and maxUnavailable in deployment YAML. Monitor with kubectl rollout status.

• Set rolling update strategy.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure network stability.

This ensures seamless deployments for interviews.

25. How do you troubleshoot GKE pod failures?

• Check logs with kubectl logs.
• Verify pod spec for errors.
• Inspect VPC networking issues.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Use diagnostic scripts.

Scenario: A pod shows "CrashLoopBackOff". This shows troubleshooting skills.

26. What causes GKE IP address exhaustion?

Scenario: Pods fail due to IP shortages. Expand subnet ranges with gcloud compute networks subnets expand-ip-range. Use alias IPs for scalability. Validate in staging and monitor with Cloud Monitoring to show networking skills for interviews.

27. Why do GKE workloads fail to access APIs?

• Check VPC firewall rules for egress.
• Verify Cloud NAT configurations.
• Ensure service account permissions.
• Validate in staging.
• Monitor with Cloud Logging.
• Use diagnostic scripts.

Scenario: Workloads cannot reach APIs. This shows connectivity expertise.

28. When do you use GKE Workload Identity?

Use Workload Identity to bind pod service accounts to GCP IAM roles, avoiding static credentials. Configure in GKE Console and validate in staging. Monitor authentication with Cloud Logging to demonstrate secure Kubernetes skills for interviews.

29. Where do you debug GKE networking issues?

• Use kubectl describe pod for errors.
• Check VPC firewall rules.
• Verify service and ingress settings.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Use network diagnostics.

Scenario: Pods cannot communicate. This shows networking skills.

30. Who resolves GKE resource contention?

Scenario: Pods compete for CPU. The DevOps engineer adjusts resource requests and limits in pod specs with kubectl edit deployment. Monitor with Cloud Monitoring.

• Set resource limits in YAML.
• Validate in staging.
• Monitor resource allocation.
• Ensure scalability.

This shows resource management for interviews.

31. Which tools enhance GKE observability?

• Use Cloud Monitoring for cluster metrics.
• Integrate Prometheus for pod metrics.
• Configure Cloud Logging for logs.
• Validate in staging.
• Monitor metrics and logs.
• Automate alerts.

Scenario: Visibility is needed. This shows observability skills.

32. How do you automate GKE provisioning?

Scenario: Rapid cluster setup is needed. Use Terraform to provision GKE clusters, defining node pools in HCL. Run: terraform apply. Integrate with Cloud Build. Validate in staging to demonstrate automation skills for interviews.

33. What causes GKE cluster upgrade failures?

• Insufficient node resources cause failures.
• Check upgrade logs in GKE Console.
• Adjust node pool configurations.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure add-on compatibility.

Scenario: An upgrade stalls. This shows troubleshooting skills.

34. Why use GKE Autopilot mode?

GKE Autopilot automates node management, reducing operational overhead. Configure via GKE Console or gcloud. It suits simplified Kubernetes management. Validate in staging and monitor with Cloud Monitoring to show cost-efficient cluster skills for interviews.

35. When do you use GKE for stateful applications?

• Use StatefulSets for databases.
• Configure persistent volumes in GKE.
• Ensure data consistency with backups.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Support stateful workloads.

Scenario: Databases need Kubernetes. This shows application expertise.

Networking and Security

36. What is a VPC in GCP?

• VPC provides isolated network environments.
• Configure subnets for segmentation.
• Support firewall rules for security.
• Enable networking with peering.
• Validate in staging.
• Monitor with Cloud Monitoring.

VPCs ensure secure networking for interviews.

37. Why use Cloud Armor for security?

• Protects against DDoS attacks.
• Configures policies for load balancers.
• Blocks malicious traffic with rules.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Aligns with DevSecOps.

Scenario: An app faces DDoS attacks. This shows security skills.

38. When do you configure VPC firewall rules?

Configure firewall rules for restricted access. Use gcloud compute firewall-rules create to define protocols and ports. Validate in staging and monitor with Cloud Logging to demonstrate secure networking skills for interviews.

39. Where do you manage VPC configurations?

• Use GCP Console under VPC network.
• Configure subnets and firewall rules.
• Enable peering or Cloud VPN.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure network isolation.

Scenario: A VPC needs setup. This shows networking expertise.

40. Who manages IAM roles for VPC access?

The cloud architect assigns roles like roles/compute.networkAdmin in the GCP Console, ensuring least privilege. Validate in staging and monitor IAM logs with Cloud Logging to demonstrate security skills for interviews.

41. Which tools troubleshoot VPC connectivity?

• Use gcloud compute networks describe.
• Run ping or traceroute for connectivity.
• Analyze with networking tools like tcpdump.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Automate diagnostics.

Scenario: Services cannot communicate. This shows troubleshooting skills.

42. How do you secure a VPC with Private Google Access?

Scenario: A VPC exposes services. Enable Private Google Access to reach GCP APIs without public IPs. Configure in GCP Console under VPC network.

• Enable for subnets.
• Validate in staging.
• Monitor with Cloud Logging.
• Ensure firewall alignment.

This shows secure networking for interviews.

43. What causes load balancer failures?

• Health checks fail for backends.
• Misconfigured load balancer settings.
• Firewall rules block traffic.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Use diagnostic scripts.

Scenario: Users cannot access apps. This shows troubleshooting skills.

44. Why does a service account lack VPC permissions?

Scenario: A pipeline cannot access VPC resources. The service account lacks roles like roles/compute.networkUser. Assign roles in the GCP Console with gcloud iam service-accounts describe. Validate in staging to show security skills for interviews.

45. When do you use VPC peering?

• Use for cross-project communication.
• Configure in GCP Console.
• Ensure firewall rules allow traffic.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Support project isolation.

Scenario: Projects need shared networking. This shows networking expertise.

46. Where do you monitor VPC traffic anomalies?

Use Cloud Logging to monitor VPC flow logs, configured under VPC network > Flow logs. Analyze with BigQuery and set alerts in Cloud Monitoring. Validate in staging to demonstrate networking skills for interviews.

47. Who resolves firewall rule conflicts?

• Cloud architect resolves conflicts.
• Check rule priorities in GCP Console.
• Update with gcloud compute firewall-rules update.
• Validate in staging.
• Monitor with Cloud Logging.
• Minimize rule overlap.

Scenario: Rules block traffic. This shows security expertise.

48. Which steps secure a load balancer?

Scenario: A load balancer exposes vulnerabilities. Use Cloud Armor for DDoS protection and SSL policies for encryption. Configure in GCP Console.

• Apply Cloud Armor policies.
• Enable HTTPS with SSL certificates.
• Validate in staging.
• Monitor with Cloud Monitoring.

This shows secure networking for interviews.

49. How do you handle VPC subnet IP exhaustion?

• Expand range with gcloud compute networks subnets expand-ip-range.
• Use alias IPs for scalability.
• Verify subnet settings in GCP Console.
• Validate in staging.
• Monitor IP usage.
• Plan subnet expansions.

Scenario: Pods fail due to IPs. This shows networking skills.

50. What causes VPC peering failures?

Scenario: Services cannot communicate across peered VPCs. Check peering status with gcloud compute networks peerings list. Verify firewall rules and subnet overlaps. Reconfigure in GCP Console. Validate in staging and monitor with Cloud Logging to show networking skills for interviews.

51. Why use Cloud VPN for hybrid connectivity?

• Connect on-premises to GCP securely.
• Configure IPsec tunnels in GCP Console.
• Ensure networking encryption.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Support hybrid strategies.

Scenario: On-premises apps need GCP. This shows connectivity expertise.

52. When do you implement network tags?

Use network tags to apply firewall rules to specific instances, configured in GCP Console. Validate in staging to ensure correct traffic flow. Monitor with Cloud Logging to demonstrate networking skills for interviews.

Observability and Monitoring

53. What is Cloud Monitoring in GCP?

• Cloud Monitoring tracks resource metrics.
• Provides dashboards for CPU, memory, latency.
• Integrates with GKE and Cloud Build.
• Supports alerting for incidents.
• Validates in staging.
• Ensures observability for DevOps.

This shows monitoring skills for interviews.

54. Why does Cloud Monitoring miss metrics?

Scenario: Metrics are unavailable. The Ops Agent is missing or misconfigured. Install with gcloud compute instances install-ops-agent. Verify permissions. Validate in staging and monitor with Cloud Monitoring to demonstrate observability skills for interviews.

55. When do you set up Cloud Monitoring alerts?

• Create alerts for CPU, memory, latency.
• Configure in Cloud Monitoring under Alerting.
• Use channels like email or PagerDuty.
• Validate in staging.
• Monitor alert triggers.
• Automate with scripts.

Scenario: Outages need notifications. This shows monitoring expertise.

56. Where do you analyze performance issues?

Use Cloud Trace for request latency and Cloud Profiler for bottlenecks. Configure in GCP Console and integrate with Cloud Monitoring. Validate in staging to demonstrate performance troubleshooting skills for interviews.

57. Who configures Cloud Monitoring dashboards?

• DevOps engineer creates dashboards.
• Include metrics like CPU and latency.
• Share with team for visibility.
• Validate in staging.
• Monitor dashboard accuracy.
• Automate metric collection.

Scenario: Visibility is needed. This shows monitoring expertise.

58. Which tools enhance GKE observability?

Scenario: GKE lacks detailed metrics. Use Cloud Monitoring for cluster metrics, Prometheus for pod-level monitoring, and Cloud Logging for logs. Configure in GCP Console and validate in staging. Demonstrate observability skills for interviews.

59. How do you handle high latency in Cloud Monitoring?

• Check Cloud Trace for bottlenecks.
• Analyze resource usage in Cloud Monitoring.
• Optimize code or infrastructure.
• Validate in staging.
• Monitor latency improvements.
• Scale resources as needed.

Scenario: Users report slow responses. This shows troubleshooting skills.

60. What causes incomplete logs in Cloud Logging?

Scenario: Logs are missing. Check log sink configurations for correct filters. Verify permissions with roles/logging.logWriter. Update with gcloud logging sinks update.

• Validate sinks in staging.
• Monitor log exports.
• Ensure log reliability.

This shows logging expertise for interviews.

61. Why use Prometheus with Cloud Monitoring?

• Prometheus provides pod-level metrics.
• Integrates with Cloud Monitoring.
• Configure via GKE Workload Metrics.
• Validate in staging.
• Monitor with alerts.
• Enhance GKE visibility.

Scenario: Detailed metrics are needed. This shows observability skills.

62. When do you use log-based metrics?

Use log-based metrics in Cloud Logging to track errors or events. Configure under Metrics and set alerts in Cloud Monitoring. Validate in staging to demonstrate observability skills for interviews.

63. Where do you store observability data?

• Export logs to BigQuery for analysis.
• Store metrics in Cloud Monitoring.
• Configure sinks in Cloud Logging.
• Validate in staging.
• Monitor data exports.
• Ensure retention policies.

Scenario: Historical data is needed. This shows data management skills.

64. Who resolves missing logs in Cloud Logging?

The DevOps engineer checks log filters and permissions in Cloud Logging. Update with gcloud logging sinks update. Validate in staging to ensure complete logging. Demonstrate observability skills for interviews.

65. Which metrics track GKE performance?

• Monitor CPU/memory in Cloud Monitoring.
• Track pod restart rates.
• Analyze network throughput.
• Validate in staging.
• Set performance alerts.
• Automate with scripts.

Scenario: Cluster performance degrades. This shows monitoring expertise.

66. How do you automate observability alerts?

Scenario: Automated notifications are needed. Create alerts in Cloud Monitoring for key metrics, using channels like email or PagerDuty. Integrate with cloud scripts for custom alerts.

• Validate in staging.
• Monitor alert reliability.
• Integrate with incident response.

This shows automation skills for interviews.

67. What causes false alerts in Cloud Monitoring?

• Incorrect thresholds cause false triggers.
• Check conditions in Cloud Monitoring.
• Adjust sensitivity for metrics.
• Validate in staging.
• Monitor alert accuracy.
• Use diagnostic scripts.

Scenario: Alerts trigger unnecessarily. This shows troubleshooting skills.

68. Why does a service lack observability metrics?

Scenario: No metrics appear in Cloud Monitoring. The Ops Agent is missing or misconfigured. Install with gcloud compute instances install-ops-agent. Verify permissions. Validate in staging to show observability skills for interviews.

69. When do you use Cloud Logging for error tracking?

• Filter error logs in Cloud Logging.
• Create log-based metrics for alerts.
• Configure in Cloud Monitoring.
• Validate in staging.
• Monitor error patterns.
• Automate with scripts.

Scenario: Errors need tracking. This shows logging expertise.

Infrastructure Automation

70. What are key automation tools for GCP?

• Terraform provisions GCP resources.
• Ansible configures nodes and applications.
• Cloud Build automates deployment workflows.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Showcase automation expertise.

These tools streamline infrastructure for interviews.

71. Why does a Terraform deployment fail?

• Check logs for syntax errors.
• Verify service account permissions.
• Ensure Terraform state integrity.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Fix configuration issues.

Scenario: A Terraform job fails. This shows troubleshooting skills.

72. When do you use Cloud Deployment Manager?

• Use for GCP-native automation.
• Define templates in YAML or Jinja.
• Deploy with gcloud deployment-manager deployments create.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Integrate with CI/CD.

Scenario: GCP-specific automation is needed. This shows automation expertise.

73. Where do you store Terraform state files?

• Store in Cloud Storage for collaboration.
• Use backend block in HCL.
• Ensure bucket permissions via IAM.
• Validate in staging.
• Monitor state integrity.
• Lock state for consistency.

Scenario: Teams need shared state. This shows infrastructure skills.

74. Who manages automation scripts?

• DevOps engineer creates scripts.
• Store in Cloud Source Repositories.
• Integrate with Cloud Build.
• Validate in staging.
• Monitor execution.
• Collaborate with developers.

Scenario: Scripts need maintenance. This shows automation expertise.

75. Which tools automate GKE configuration?

• Use Terraform for cluster provisioning.
• Apply Ansible for node configuration.
• Integrate with Cloud Build.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure consistent setups.

Scenario: GKE needs automation. This shows configuration skills.

76. How do you handle Terraform state corruption?

Scenario: A state file corrupts. Restore from Cloud Storage backups. Check with terraform state list and reconcile with terraform import. Validate in staging.

• Monitor state integrity.
• Implement state locking.
• Ensure backup reliability.

This shows infrastructure expertise for interviews.

77. What causes an Ansible playbook failure?

• Syntax errors in playbook YAML.
• Check with ansible-playbook --syntax-check.
• Verify variable definitions.
• Validate in staging.
• Monitor with Cloud Logging.
• Fix dependency issues.

Scenario: A playbook fails in Cloud Build. This shows troubleshooting skills.

78. Why use Config Connector for automation?

• Manage GCP resources as Kubernetes objects.
• Configure with kubectl apply for CRDs.
• Integrate with GKE for automation.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure resource consistency.

Scenario: Kubernetes-native automation is needed. This shows automation expertise.

79. When do you integrate Cloud Build with Terraform?

• Use for automated infrastructure deployment.
• Define Terraform steps in cloudbuild.yaml.
• Run: terraform plan and apply.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure pipeline integration.

Scenario: Infrastructure needs automation. This shows CI/CD expertise.

80. Where do you store Ansible playbooks?

• Store in Cloud Source Repositories.
• Use version control for collaboration.
• Integrate with Cloud Build.
• Validate in staging.
• Monitor with Cloud Logging.
• Ensure playbook security.

Scenario: Playbooks need management. This shows automation skills.

81. Who resolves Terraform deployment failures?

• DevOps engineer debugs failures.
• Check logs with terraform output.
• Verify service account permissions.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Fix configuration errors.

Scenario: A deployment fails. This shows troubleshooting expertise.

82. Which steps optimize Ansible playbook performance?

• Use roles for modular playbooks.
• Cache facts to reduce execution time.
• Parallelize tasks with async.
• Validate in staging.
• Monitor with Cloud Logging.
• Optimize variable usage.

Scenario: Playbooks run slowly. This shows optimization skills.

83. How do you handle Cloud Build automation failures?

Scenario: A Terraform job fails in Cloud Build. Check logs in GCP Console. Verify Terraform configuration and permissions. Re-run with terraform apply. Validate in staging and monitor with Cloud Monitoring to demonstrate automation skills for interviews.

84. What causes an Ansible playbook permission issue?

• Service account lacks IAM roles.
• Update playbook with correct credentials.
• Run: ansible-playbook --user for authentication.
• Validate in staging.
• Monitor with Cloud Logging.
• Ensure least privilege.

Scenario: A playbook cannot access resources. This shows troubleshooting skills.

85. Why does a Cloud Deployment Manager job fail?

• Check YAML/Jinja syntax errors.
• Verify service account permissions.
• Run: gcloud deployment-manager deployments describe.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Fix resource dependencies.

Scenario: A deployment fails. This shows automation expertise.

DevSecOps and Compliance

86. What are DevSecOps practices in GCP?

• Integrate security into CI/CD pipelines.
• Use SAST/DAST in Cloud Build.
• Configure IAM for least privilege.
• Validate security in staging.
• Monitor with Cloud Monitoring.
• Ensure audit compliance.

These practices enhance security for interviews.

87. Why do pipelines fail security scans?

• Vulnerable dependencies cause failures.
• Add SAST tools like Trivy to Cloud Build.
• Verify scan configurations in YAML.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Update dependencies regularly.

Scenario: Scans detect issues. This shows DevSecOps skills.

88. When do you rotate service account keys?

Rotate keys after breaches or expirations using gcloud iam service-accounts keys create. Update Cloud Build configurations. Validate in staging to ensure uninterrupted workflows. Monitor IAM logs with Cloud Logging to demonstrate DevSecOps skills for interviews.

89. Where do you check unauthorized pipeline access?

• Review IAM roles in GCP Console.
• Check Cloud Audit Logs for attempts.
• Restrict permissions to least privilege.
• Validate in staging.
• Monitor with Cloud Logging.
• Automate access audits.

Scenario: Unauthorized access occurs. This shows security expertise.

90. Who handles compliance audit failures?

• Security engineer addresses failures.
• Add SAST/DAST to Cloud Build.
• Configure audit logs in Cloud Logging.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure regulatory alignment.

Scenario: A pipeline fails compliance. This shows compliance expertise.

91. Which steps fix a failed SAST scan?

• Check Trivy scan logs in Cloud Build.
• Update vulnerable dependencies.
• Re-run scans with cloudbuild.yaml.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Automate dependency updates.

Scenario: Scans detect vulnerabilities. This shows DevSecOps skills.

92. How do you handle exposed pipeline logs?

Scenario: Sensitive data appears in logs. Use Secret Manager and mask with secretEnv in cloudbuild.yaml. Configure log filters in Cloud Logging. Validate in staging to demonstrate secure logging skills for DevSecOps interviews.

93. What is IAM’s role in DevSecOps?

• Assign least privilege roles.
• Configure in GCP Console.
• Monitor IAM logs with Cloud Logging.
• Validate in staging.
• Ensure compliance with audits.
• Automate role assignments.

Scenario: Pipelines need secure access. This shows security expertise.

94. Why does a GKE cluster fail compliance?

• Missing PodSecurityPolicy configurations.
• Verify Workload Identity settings.
• Enable audit logging.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Update security policies.

Scenario: A cluster fails audits. This shows compliance skills.

95. When do you integrate SAST in pipelines?

Add SAST tools like Trivy to Cloud Build for early vulnerability detection. Configure in cloudbuild.yaml. Validate in staging to catch issues. Monitor with Cloud Monitoring to demonstrate DevSecOps skills for interviews.

96. Where do you manage service account security?

• Configure in GCP Console under IAM.
• Assign roles like roles/cloudbuild.builds.editor.
• Rotate keys with gcloud iam service-accounts keys create.
• Validate in staging.
• Monitor with Cloud Audit Logs.
• Ensure least privilege.

Scenario: A service account is compromised. This shows security expertise.

97. Who monitors security alerts in GCP?

• Security engineer monitors in Security Command Center.
• Configure alerts in Cloud Monitoring.
• Integrate with PagerDuty for notifications.
• Validate in staging.
• Monitor with Cloud Logging.
• Automate response scripts.

Scenario: Alerts indicate vulnerabilities. This shows security expertise.

98. Which steps fix pipeline compliance failures?

Scenario: A pipeline fails GDPR compliance. Add audit logging in cloudbuild.yaml and enforce branch policies. Integrate SAST/DAST with Trivy. Validate in staging to demonstrate compliance skills for DevSecOps interviews.

99. How do you implement zero-downtime deployments?

• Use rolling updates in GKE.
• Configure maxSurge and maxUnavailable in YAML.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure network stability.
• Integrate canary deployments.

Scenario: Deployments cause outages. This shows deployment expertise.

100. What causes a security policy to block traffic?

Scenario: Cloud Armor blocks valid requests. Check policy rules in GCP Console and adjust filters for legitimate traffic. Validate in staging and monitor with Cloud Logging to demonstrate DevSecOps skills for interviews.

101. Why integrate DAST in CI/CD pipelines?

• DAST scans running applications for vulnerabilities.
• Add tools like OWASP ZAP to Cloud Build.
• Configure scans in cloudbuild.yaml.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure runtime security.

Scenario: Runtime issues arise. This shows DevSecOps expertise.

102. When do you use Binary Authorization?

Use Binary Authorization to enforce image signatures in GKE, configured in GKE Console. Validate in staging to prevent unauthorized deployments. Monitor with Cloud Logging to demonstrate secure Kubernetes skills for interviews.

103. Where do you audit security configurations?

• Use Security Command Center for audits.
• Check IAM roles and firewall rules.
• Export logs to BigQuery.
• Validate in staging.
• Monitor with Cloud Monitoring.
• Ensure compliance alignment.

Scenario: Audits reveal gaps. This shows compliance expertise.