Google Cloud Professional Cloud Security Engineer Practice Exam




What should be the configuration for Pods that need to avoid being scheduled on non-in-scope Nodes?

  1. Use affinity rules for scheduling Pods

  2. Specify tolerations to match the taints of in-scope Nodes

  3. Utilize a controller for Pod lifecycle management

  4. Apply network segmentation for security

The correct answer is: Specify tolerations to match the taints of in-scope Nodes

Specifying tolerations to match the taints of in-scope Nodes is the best configuration approach for ensuring that Pods are scheduled only on designated Nodes that meet specific criteria. Taints and tolerations are key concepts in Kubernetes that facilitate this level of control. When Nodes are tainted, they are marked in such a way that Pods that do not have corresponding tolerations will not be scheduled on these Nodes. By explicitly defining tolerations in the Pod specification that match the taints applied to in-scope Nodes, you impose a condition that allows scheduling only on those selected Nodes. This mechanism effectively prevents Pods from being scheduled on non-compliant Nodes, which is crucial for maintaining a secure and optimized cluster environment.

The other options also involve management of Pod scheduling and security but do not specifically address the requirement of ensuring Pod placement strictly on in-scope Nodes. While affinity rules could help influence Pod placement based on Node characteristics, they may not restrict Pods from being scheduled on undesired Nodes as effectively as using taints and tolerations. Utilizing a controller could assist in lifecycle management but does not directly impact where Pods are scheduled. Lastly, applying network segmentation deals primarily with network security rather than the scheduling of Pods on specific Nodes.