Professional-Cloud-DevOps-Engineer Exam Dumps : Google Cloud Certified - Professional Cloud DevOps Engineer Exam

The correct answer is B. Use shadow testing with continuous deployment.

Shadow testing is a deployment technique that involves routing a copy of the live traffic to a new version of the application, without affecting the production environment. This way, you can gather performance metrics and compare them with the current version, without exposing the new version to the users. Shadow testing can help you test against the full production load and identify any issues or bottlenecks before launching the new version. You can use continuous deployment to automate the process of deploying the new version after it passes the shadow testing.

The best options for creating a CI/CD pipeline in Cloud Build to build an application container image and ensuring that production image builds are only run against the main branch and that the change control team approves all pushes to the main branch are to create a trigger on the Cloud Build job, set the repository event setting to Push to a branch, and configure a branch protection rule for the main branch on the repository. A trigger is a resource that starts a build when an event occurs, such as a code change. By creating a trigger on the Cloud Build job and setting the repository event setting to Push to a branch, you can ensure that the image build is only run when code is pushed to a specific branch, such as the main branch. A branch protection rule is a rule that enforces certain policies on a branch, such as requiring reviews, status checks, or approvals before merging code. By configuring a branch protection rule for the main branch on the repository, you can ensure that the change control team approves all pushes to the main branch.

The best option for making the third-party application work while following Google-recommended security practices is to add a rule to set the iam.disableServiceAccountKeyCreation policy to off in your project and create a key. The iam.disableServiceAccountKeyCreation policy is an organization policy that controls whether service account keys can be created in a project or organization. By default, this policy is set to on, which means that service account keys cannot be created. However, you can override this policy at a lower level, such as a project, by adding a rule to set it to off. This way, you can create a service account key for your project without affecting other projects or organizations. You should also follow the best practices for managing service account keys, such as rotating them regularly, storing them securely, and deleting them when they are no longer needed.