Skip to main content
CloudCertPro
  1. Home
  2. >
  3. GCP
  4. >
  5. PCA
  6. >
  7. CI/CD Deployment Controls—SRE vs Security | GCP PCA

CI/CD Deployment Controls—SRE vs Security | GCP PCA

·1005 words·5 mins·
Architecture Drills Google Cloud Platform GCP PCA GCP FinOps SRE Cloud Build GKE
Jeff Taakey
Author
Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.
Table of Contents

While preparing for the GCP PCA exam, many candidates get confused by CI/CD pipeline automation and deployment security best practices. In the real world, this is fundamentally a decision about fully automated trusted pipelines with strict access control vs. manual or developer-managed deployments. Let’s drill into a simulated scenario.

The Scenario
#

FinGrow is a fast-growing fintech startup that is building a new payments platform using microservices deployed on Google Kubernetes Engine (GKE). The engineering team follows GitOps principles and wants to automate their entire development lifecycle in a fully cloud-native way.

Their codebase lives in a GitHub repository with several microservices, and development happens primarily on the develop branch. They require that whenever a developer pushes code changes to the develop branch, the system must:

  • Automatically build and run tests on the changed microservice
  • Only on successful build and test completion, automatically deploy the updated microservice to their GKE development environment
  • Strictly enforce that no code reaches the development cluster without passing this automated CI/CD pipeline
  • Ensure deployment permissions are tightly controlled and cannot be performed manually or by unauthorized users

Key Requirements
#

Create a reliable, fully automated CI/CD pipeline triggered by changes to the GitHub develop branch that builds, tests, stores container images, and deploys only verified code to the GKE development environment, while adhering to strong access control and minimizing developer operational toil.

The Options
#

  • A) Have each developer install a pre-commit hook on their local machine that runs tests, builds container images, and then deploys directly to the development GKE cluster after a successful commit to the develop branch.
  • B) Configure a post-commit hook on the remote GitHub repository that tests the code and builds the container after each push to the develop branch. Developers deploy the container manually to the GKE development cluster once the build passes.
  • C) Create a Cloud Build trigger in GCP triggered by pushes to the develop branch that runs tests, builds container images, and stores them in Google Container Registry. Use a separate deployment pipeline that monitors the container registry and automatically deploys new images to the development GKE cluster, ensuring only the deployment tool has permissions to deploy.
  • D) Use a Cloud Build trigger on the develop branch to build and store container images in Container Registry. Use Vulnerability Scanning to validate tests. As the last step in the Cloud Build pipeline, deploy the new image directly to the GKE development cluster, with Cloud Build granted deployment permissions exclusively.

Correct Answer
#

Option C.

The Architect’s Analysis
#

Correct Answer
#

Option C

Step-by-Step Winning Logic
#

Option C implements a fully automated, cloud-native CI/CD workflow aligned with Site Reliability Engineering (SRE) principles by:

  • Using a Cloud Build trigger to automatically build and test code on pushes to the develop branch: embracing automation minimizes manual toil and reduces risk of human error.
  • Storing container images in Container Registry, a managed artifact repository, enabling traceability and secure image promotion workflows.
  • Separating build and deployment into two stages, where a deployment pipeline watches the registry and performs deployments, providing clear accountability and granular role-based access control (RBAC). Only the deployment service account has permissions to move images into the GKE development environment, supporting the Principle of Least Privilege.
  • Enabling automated enforcement that no container reaches production or development clusters without going through the tested and validated pipeline, which improves reliability and observability.
  • Following GitOps best practices where deployments are driven by immutable artifacts rather than manual pushes from developers.

This option aligns well with Google’s recommended “cattle, not pets” approach, relying on managed GCP services to provide scalable, secure, and maintainable software supply chains.

The Traps (Distractor Analysis)
#

  • Why not A? Developers running builds and deployments locally can cause inconsistencies, configuration drift, and breaks audit trails. Local pre-commit hooks are fragile, prone to bypass, and violate immutable infrastructure principles.
  • Why not B? Post-commit hooks on the remote repo cannot fully automate deployments securely if deployment permissions rest with developers rather than a controlled service account. This approach mixes build and deployment responsibility, complicating access management and SRE reliability goals.
  • Why not D? While this option automates the entire build-through-deploy process inside Cloud Build, relying on Vulnerability Scanning alone to verify tests is risky and introduces security gaps if test coverage is incomplete. Also, coupling deployment to build completion reduces deployment visibility and control, making rollback and observability harder.

The Architect Blueprint
#

Mermaid Diagram illustrating the flow of the CORRECT solution.

graph TD GitHubPush[Push to develop branch in GitHub] CloudBuildTrigger[Cloud Build trigger] BuildAndTest[Build and Test container image] ContainerRegistry[Store image in Container Registry] DeploymentPipeline[Deployment pipeline watches new images] GKEDevCluster[GKE Development Cluster] GitHubPush --> CloudBuildTrigger CloudBuildTrigger --> BuildAndTest BuildAndTest --> ContainerRegistry ContainerRegistry --> DeploymentPipeline DeploymentPipeline --> GKEDevCluster style CloudBuildTrigger fill:#4285F4,stroke:#333,color:#fff style DeploymentPipeline fill:#0F9D58,stroke:#333,color:#fff style GKEDevCluster fill:#F4B400,stroke:#333,color:#fff

Diagram Note: This pipeline decouples build/test from deployment, enforcing strong access control and automation for production-grade reliability.

The Decision Matrix
#

Option Est. Complexity Est. Monthly Cost* Pros Cons
A Low Low Simple to implement locally, no cloud build invoicing High risk of human error; fragile, poor audit and traceability
B Medium Medium Automates build, but deploy controlled by devs Manual deployment; violates least privilege; less secure
C Medium-High Medium (build + GKE usage) Fully automated; best security model; good traceability; strong SRE alignment Requires setup of deployment pipeline and RBAC
D Medium Medium-High Fully automated build and deploy in one pipeline Relies only on Vulnerability Scanning; less deployment control or observability

Cost estimates based on typical Cloud Build and GKE usage for dev environment.

Real-World Practitioner Insight
#

Exam Rule
#

For professional exams, always pick Cloud Build triggers combined with a separate deployment pipeline when you see requirements around automating build, test, and deploy stages with enforced access control.

Real World
#

Startups often start with simpler pipelines (option A or B) due to speed, but scale out to option C to embrace SRE best practices and FinOps control as teams grow. Security and reliability demands eventually mandate automation with tight IAM boundaries between build and deployment.

Related Articles

GCP Professional Cloud Architect Drills

Design, develop, and manage robust, secure, and scalable Google Cloud solutions.