Google Cloud Professional Cloud Security Engineer Practice Exam

Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!

To ensure in-scope PCI Kubernetes Pods only reside on specific nodes, how should this be configured?

  1. Use a node selector with a label for in-scope Pods

  2. Place a taint on the Nodes and configure a matching toleration in Pods

  3. Implement a network policy that restricts traffic

  4. Set resource quotas on in-scope nodes

The correct answer is: Place a taint on the Nodes and configure a matching toleration in Pods

Placing a taint on the dedicated nodes and a matching toleration on the in-scope Pods is the approach the exam expects. In Kubernetes, a taint with the NoSchedule effect makes a node repel every Pod that does not carry a matching toleration, so out-of-scope workloads cannot be scheduled onto the nodes reserved for cardholder-data processing. Tainting the in-scope node pool therefore enforces the isolation between in-scope and out-of-scope workloads that PCI DSS expects, without complicating the scheduling logic or requiring a wider reconfiguration. It is also manageable over time: if a further Pod later needs to run on the dedicated nodes, you add the toleration to that Pod's specification.

One caveat a practitioner should keep in mind: a toleration permits scheduling onto tainted nodes, it does not require it. An in-scope Pod that carries only the toleration can still be scheduled onto any untainted node in the cluster. To pin in-scope Pods to the dedicated nodes as well as keep every other Pod off them, pair the taint with a nodeSelector or node affinity that matches a label carried by the same nodes.

The other choices do not by themselves restrict which Pods may run on the dedicated nodes. A network policy restricts traffic between Pods rather than their placement, and resource quotas limit aggregate resource consumption per namespace rather than which nodes are used. For instance, a node selector with a label can direct Pods to nodes with specific labels, but it lacks the control mechanism provided
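The configuration described above, as an added example that is not part of the practice exam page or of any Google documentation: a dedicated node pool carrying a NoSchedule taint and a label, followed by the weak Pod spec (toleration only) beside the corrected one (toleration plus nodeSelector). The names `my-cluster`, `pci-pool`, the `pci-scope=in-scope` taint/label key and value, the `pci` namespace, the Pod names and the container image are assumptions chosen for the example.

```yaml
# Added example, not from the original page. All names below are assumed.
#
# Step 1: create a GKE node pool whose nodes are both tainted and labelled.
# Run this from a shell (it is shown here as a comment, not as YAML):
#
#   gcloud container node-pools create pci-pool \
#     --cluster=my-cluster \
#     --node-taints=pci-scope=in-scope:NoSchedule \
#     --node-labels=pci-scope=in-scope
#
# The equivalent on an existing node, for a non-GKE cluster:
#
#   kubectl taint nodes NODE_NAME pci-scope=in-scope:NoSchedule
#   kubectl label nodes NODE_NAME pci-scope=in-scope
#
# Step 2 (weak): toleration only. Out-of-scope Pods are now kept off pci-pool,
# but this Pod is merely *allowed* onto the tainted nodes; the scheduler may
# still place it on any untainted node in the cluster.
apiVersion: v1
kind: Pod
metadata:
  name: payment-api-toleration-only
  namespace: pci
spec:
  tolerations:
  - key: pci-scope
    operator: Equal
    value: in-scope
    effect: NoSchedule
  containers:
  - name: app
    image: us-docker.pkg.dev/PROJECT_ID/payments/payment-api:1.0   # assumed image
---
# Step 3 (corrected): the toleration lets the Pod onto the tainted nodes and the
# nodeSelector keeps it off every node that lacks the pci-scope=in-scope label.
# Together they give the two-way isolation the question is asking for.
apiVersion: v1
kind: Pod
metadata:
  name: payment-api-pinned
  namespace: pci
spec:
  nodeSelector:
    pci-scope: in-scope
  tolerations:
  - key: pci-scope
    operator: Equal
    value: in-scope
    effect: NoSchedule
  containers:
  - name: app
    image: us-docker.pkg.dev/PROJECT_ID/payments/payment-api:1.0   # assumed image
```

To check the result after applying the manifests, `kubectl get pods -n pci -o wide` shows the node each Pod landed on, and `kubectl describe node NODE_NAME` lists the node's `Taints:` and `Labels:` so you can confirm the pool was created with both. If the cluster has more than one untainted pool, the toleration-only Pod will sometimes appear on one of them, which is exactly the gap the nodeSelector closes.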