Exam Associate Cloud Engineer topic 1 question 245 discussion

In a private cluster, nodes only have internal IP addresses, which means that nodes and Pods are isolated from the internet by default. https://cloud.google.com/kubernetes-engine/docs/how-to/private-clusters Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of Google Kubernetes Engine (GKE) nodes. Note: For GKE Autopilot clusters, the Shielded GKE Nodes feature is enabled by default and cannot be overridden. https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes

scanner2 provided the correct answer.

as per chatgpt Option A. Deploy a private autopilot cluster is a good choice because it combines: Reduced Operational Costs: Google manages the infrastructure, scaling, and maintenance, minimizing your management overhead. Enhanced Security: Private Autopilot clusters use shielded nodes, ensuring verifiable node identity and integrity, and are not accessible from the internet. Google-Recommended Practices: Autopilot clusters follow best practices for performance and security with minimal configuration required from you.

Deploying a standard private cluster and enabling shielded nodes would meet all the requirements. In a private cluster, nodes are not accessible from the internet by default, ensuring enhanced security. Enabling shielded nodes provides verifiable node identity and integrity, further strengthening the security measures. Additionally, following Google-recommended practices, such as using standard clusters instead of autopilot clusters, offers more control and helps reduce operational costs.

Reposting this subcomment because I believe most people are reading this incorrectly, and I want to contribute to the answers ratio: Why is everyone so sure that "operational cost" refers to work-hours and not money? (i.e. "operating costs") From Wikipedia: Operating costs or operational costs, are the expenses which are related to the operation of a business, or to the operation of a device, component, piece of equipment or facility. This question is asking to reduce the MONETARY cost. Standard costs less than Autopilot. Accordingly, the answer should be D.

Since A and D both seem to provide the identity/integrity and internet inaccessibility, it seems the critical distinction is based on "reduce the operational cost of managing your cluster". "Operational cost" doesn't seem to be a commonly used term (from a quick google search), but "operating costs" seem to refer specifically to monetary expenses, not work-hours. Wouldn't a standard cluster be cheaper than autopilot? Thus the answer is D, not A?

ChatGPT says Option D, By following this approach, you can meet your requirements for node security and access control while also benefitting from the operational cost savings associated with managed GKE clusters and Google's best practices for security.

Autopilot clusters are fully managed and do not have the option to restrict internet access. In a private cluster, nodes are not accessible from the internet by default. Enabling shielded nodes provides verifiable node identity and integrity.

A is correct. “reduce the operational cost of managing your cluster”, means you need to choose an autopilot cluster. Google will manage your cluster configuration. And about the “cannot be accessed from the internet” you should use shielded nodes.

Note: For GKE Autopilot clusters, the Shielded GKE Nodes feature is enabled by default and cannot be overridden.

https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes "For GKE Autopilot clusters, the Shielded GKE Nodes feature is enabled by default and cannot be overridden"

The Shielded GKE node feature is enabled by default for all Autopilot clusters and is impossible to disable manually. https://www.googlecloudcommunity.com/gc/Architecture-Framework-Community/Manage-GKE-Cluster-Security-with-Autopilot-Mode/ba-p/396435

https://cloud.google.com/kubernetes-engine/docs/how-to/shielded-gke-nodes

Shielded GKE Nodes provide strong, verifiable node identity and integrity to increase the security of GKE nodes and should be enabled on all GKE clusters.: https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster