50 Cloud DevOps Engineer Practice Questions: Question Bank 2025

Your organization wants to bootstrap Google Cloud so each product team can create projects safely while adhering to centralized policies. You need a scalable way to apply consistent IAM, network restrictions, and security settings across many projects. What should you do?

A team uses Cloud Build for CI. They want to prevent feature branches from deploying to production while still allowing builds and tests. What is the simplest approach?

You run a stateless web service on GKE with multiple replicas. During node maintenance events, you observe brief downtime because too many Pods are evicted at once. What should you implement to reduce disruption during voluntary disruptions?

A service shows high latency only for a subset of users. You suspect a misconfigured client-side retry policy is causing request amplification. Which Cloud Operations tool is most appropriate to confirm this by examining request patterns and latency distributions?

You manage multiple environments (dev, staging, prod) across many projects. You want to reduce manual IAM management and ensure consistent access based on employee attributes (department, employment status). What is the recommended approach?

You want to implement progressive delivery for a Cloud Run service, gradually shifting traffic to a new revision and automatically rolling back if error rate increases. Which approach best fits Google Cloud managed capabilities?

Your team needs to define and enforce SLOs for a user-facing API and be alerted based on error budget burn rate rather than simple threshold alerts. What is the best Google Cloud approach?

A batch workload runs on Compute Engine and is frequently preempted due to capacity constraints in its current region, increasing total completion time. You want to reduce cost while improving completion reliability without overprovisioning. What should you do?

You are adopting GitOps for GKE. Security requires that only changes approved in Git can reach the cluster, and that the cluster continuously reconciles to the desired state. You also need strong auditability of what changed and who approved it. What is the best solution?

After a new release, a GKE service intermittently fails only in one zone. You see readiness probes passing, but some requests hang until they time out. You suspect a zonal dependency (like a cache) is unhealthy and traffic is still being routed to impacted Pods. You need the fastest way to isolate the issue and stop serving traffic from the problematic zone while preserving capacity elsewhere. What should you do?

Your team needs to grant developers the ability to deploy to a single GKE namespace in a shared project, but prevent them from modifying cluster-wide resources (for example, CRDs, ClusterRoles) or other namespaces. What is the recommended approach?

A Cloud Build pipeline must build and push container images to Artifact Registry. Builds run with the default Cloud Build service account. The pipeline fails with permission denied when pushing images. What is the best fix that follows least privilege?

You run a stateless web service on Cloud Run. During a regional outage, you want traffic to automatically fail over to a healthy region with minimal operator intervention. Which approach best meets this requirement?

Your organization wants all projects to send Cloud Audit Logs and application logs to a central logging project, but individual teams must not be able to delete or modify the central logs. What should you implement?

A CI pipeline uses Cloud Build to run unit tests and integration tests. Integration tests require a temporary Cloud SQL instance. You want to ensure the Cloud SQL instance is always deleted even if tests fail, while keeping the build definition maintainable. What is the best approach?

Your service has an SLO of 99.9% availability measured over 30 days. You want to prevent risky releases when error budget is nearly exhausted. Which practice best implements this goal on Google Cloud?

You are optimizing costs for a GKE workload that runs 24/7 with predictable CPU usage. The application can tolerate node re-creation but must maintain stable capacity. What should you do?

A Cloud Run service experiences intermittent high latency. Traces show long tail latency caused by calls to an external API. You want to reduce end-user latency while maintaining correctness and avoiding overload of the external API. What should you implement?

Your organization uses Terraform to create projects and foundational resources. A security requirement states that no human should be able to directly modify production resources, and all changes must be traceable to a reviewed pull request. What is the best design?

You operate a multi-tenant platform on GKE. A noisy tenant causes frequent OOMKills and CPU saturation, impacting other tenants. You need strong isolation between tenants while still using a shared cluster for operational efficiency. What should you do?

Your organization wants every new Google Cloud project to automatically have standardized labels (e.g., cost_center, environment) and a predefined set of enabled APIs. You want a scalable approach that requires minimal manual steps when teams request new projects. What should you implement?

A team is using Cloud Build for CI and wants to prevent unreviewed changes from being deployed to production. They already use GitHub pull requests. What is the best practice to ensure only approved code is deployed?

You need to quickly identify why a Cloud Run service is returning increased 5xx errors after a new revision rollout. Which approach provides the most direct visibility into request-level errors and latency for the service?

Your platform team manages dozens of GKE clusters. They want a consistent way to enforce that pods do not run as privileged and that images must come from an approved Artifact Registry repository. What should they use?

A service has an SLO of 99.9% monthly availability. Mid-month, error budget burn is high due to repeated releases causing incidents. Leadership asks what to do next while still enabling teams to ship. What is the recommended SRE-aligned action?

A Cloud Build pipeline builds a container image and deploys it to GKE. You want to ensure that only images that pass vulnerability scanning are deployed. Which design best achieves this with minimal manual effort?

You operate a multi-tenant backend on GKE. During peak traffic, CPU utilization is low but request latency increases significantly. You suspect the bottleneck is at the application level due to limited concurrency per pod. What is the most appropriate first change to improve performance without over-provisioning?

Your organization wants to centrally manage and audit administrative access across all projects. Teams currently grant owners in each project, leading to inconsistent permissions and poor traceability. Which approach best aligns with least privilege and centralized governance?

A critical service uses Cloud Spanner and is fronted by Cloud Run. You need to define an SLI for user experience that correlates well with customer impact and is suitable for alerting. Which SLI is most appropriate?

You need to implement progressive delivery for a microservice on GKE with the ability to shift a small percentage of traffic to a new version, automatically analyze metrics (e.g., error rate/latency), and roll back if thresholds are exceeded. What is the best solution on Google Cloud?

Your organization wants every new Google Cloud project to automatically enforce: (1) Uniform bucket-level access on all Cloud Storage buckets, (2) VPC Service Controls perimeter protection for sensitive services, and (3) a standard set of labels. You want a scalable approach with minimal manual steps. What should you do?

A team is migrating from Jenkins to Cloud Build. They want to build container images and ensure only verified images are deployed to production GKE. Which approach best enforces this requirement?

Your service has an SLO of 99.9% availability measured over 30 days. You want to decide whether to allow a risky feature release today. Which SRE concept should you use to make this decision?

A microservice on Cloud Run experiences periodic latency spikes. You suspect cold starts during traffic bursts. You need a mitigation that improves tail latency without permanently overprovisioning too much. What should you do?

You are designing a CI/CD pipeline for multiple teams. You want to centrally manage reusable pipeline logic and enforce consistent build steps, while still allowing teams to configure app-specific parts. Which approach is best?

A production GKE workload suddenly cannot reach an external API. DNS lookups fail from pods, but node-level DNS resolution works. No recent application changes were deployed. What is the most likely GKE-specific issue to investigate first?

Your organization requires that platform administrators can troubleshoot production incidents, but they must not be able to access application data stored in BigQuery datasets. What is the best IAM design?

You need to reduce the cost of Cloud Logging for a high-traffic service, while still keeping detailed logs for security investigations and keeping fast troubleshooting logs for only a short period. What should you do?

You are implementing progressive delivery for a multi-region HTTP service behind a global external Application Load Balancer. You want to shift traffic gradually to a new revision and automatically roll back when latency SLI degrades. What is the best approach on Google Cloud?

You need an easy way to run an operations playbook automatically when a specific alert fires (for example, restart a failed Dataflow job) while maintaining auditability and least privilege. What should you use?

Your team wants to standardize project creation for new microservices. Each new project must automatically: place resources in a specific folder, attach a billing account, enable a baseline set of APIs, and apply mandatory labels. You need an approach that is repeatable and auditable. What should you do?

You maintain a Cloud Run service. After a recent deploy, error rates spiked. You need the fastest way to revert traffic to the previously known-good version without rebuilding an image. What should you do?

Your organization wants to reduce the risk of human error by ensuring production changes to Kubernetes manifests are applied only through pull requests with approval and an automated deployment step. Which approach best supports this requirement on GKE?

A GKE application experiences periodic latency spikes. Cloud Monitoring shows CPU is low, but the number of pending pods increases and some pods remain unscheduled. You suspect resource fragmentation across nodes. What is the best next step to improve schedulability and reduce pending pods?

Your team uses Cloud Build for CI. A security review requires that dependencies used during builds are verified and that only approved artifact sources are allowed. What should you implement?

You are defining SLOs for an HTTP API running on Cloud Run. Leadership wants an error budget policy that slows feature releases when reliability drops. What is the most appropriate implementation?

A BigQuery scheduled query started failing intermittently. Logs show errors about exceeding concurrent job limits during peak hours. You need to reduce failures without reducing total workload. What should you do?

An on-call engineer needs to diagnose a production incident in a sensitive project. Security requires just-in-time access, time-bound credentials, and centralized auditability. What is the recommended approach?

You operate a multi-tenant platform with dozens of projects. A new compliance requirement mandates that only approved regions can be used for resource creation across all projects, including future projects. You need centralized enforcement with minimal operational overhead. What should you do?

You use Cloud Deploy to promote releases from staging to production for a GKE service. A recent incident showed that a successful staging rollout still introduced a production outage due to an environment-specific configuration change (ConfigMap). You need to prevent promotions when critical config drifts from a known baseline. What should you implement?