Answer the following questions to check your understanding of Azure Kubernetes Service (AKS) security controls.
Your security team needs to control which users can run az aks get-credentials to download cluster credentials from Azure. Which authorization system governs this access?
Azure RBAC role assignments on the AKS cluster resource
Kubernetes ClusterRoleBinding in the cluster
Kubernetes ServiceAccount permissions
Namespace-scoped Kubernetes RoleBinding
Contoso Retail's compliance policy requires that the AKS API server must have no public IP address. Which configuration meets this requirement?
A private AKS cluster
Authorized IP ranges restricted to the corporate office IP address
A Kubernetes NetworkPolicy that blocks external traffic to the API server
Disabling local accounts on the cluster
A security engineer wants to enforce pod-to-pod network policies on an existing AKS cluster that was deployed without a network policy plugin. What is the correct action?
Recreate the cluster with --network-policy azure or --network-policy calico specified at cluster creation time
Run az aks update --network-policy azure to add the plugin to the existing cluster
Apply NetworkPolicy objects with kubectl to activate the enforcement engine on existing nodes
Deploy a Kubernetes DaemonSet to existing nodes to enable network policy enforcement
An AI agent pod running in AKS needs to call Azure OpenAI without storing an API key as a Kubernetes secret. Which mechanism enables the pod to authenticate to Azure OpenAI without credentials stored in the cluster?
Microsoft Entra Workload ID using AKS OIDC issuer and federated identity credentials
Kubernetes RBAC with a service account token
Azure Key Vault Secrets Store CSI Driver with an imagePullSecret
Azure Container Registry integration with managed identity
Your organization wants to apply the strictest supported pod security configuration to application workload namespaces in AKS. Which Pod Security Standard profile should you enforce?
Restricted
Privileged
Baseline
Default