Google Professional-Cloud-DevOps-Engineer Exam With Confidence Using Practice Dumps

The best option for ensuring that the three environments are consistent and following Google-recommended practices is to use Cloud Build to render and deploy the network policies and the DaemonSet, and set up Config Sync to sync the configurations for the three environments. Cloud Build is a service that executes your builds on Google Cloud infrastructure. You can use Cloud Build to render and deploy your network policies and DaemonSet as code using tools like Kustomize, Helm, or kpt. Config Sync is a feature that enables you to manage the configurations of your GKE clusters from a single source of truth, such as a Git repository. You can use Config Sync to sync the configurations for your development, staging, and production environments and ensure that they are consistent.

To exclude a subset of users or projects from Data Access audit logging, you use the exempted principals configuration. This allows you to selectively disable logs for specific groups, such as developers in the CustomerService folder.

"You can configure exempted principals so that audit logs are not generated for certain users, service accounts, or groups."

— Configuring Audit Logs

"Data Access logs are disabled by default because of their high volume, and you can enable them at the organization, folder, or project level."

— Audit Logs Overview

Thus, enabling audit logging org-wide and exempting a specific set of users (i.e., CustomerService folder) meets the need.

The best option for making the third-party application work while following Google-recommended security practices is to add a rule to set the iam.disableServiceAccountKeyCreation policy to off in your project and create a key. The iam.disableServiceAccountKeyCreation policy is an organization policy that controls whether service account keys can be created in a project or organization. By default, this policy is set to on, which means that service account keys cannot be created. However, you can override this policy at a lower level, such as a project, by adding a rule to set it to off. This way, you can create a service account key for your project without affecting other projects or organizations. You should also follow the best practices for managing service account keys, such as rotating them regularly, storing them securely, and deleting them when they are no longer needed.