AZ-500 Exam QuestionsBrowse all questions from this exam
Go to Exam

AZ-500 Exam - Question 20

Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.

You are in the process of creating an Azure Kubernetes Service (AKS) cluster. The Azure Kubernetes Service (AKS) cluster must be able to connect to an Azure

Container Registry.

You want to make sure that Azure Kubernetes Service (AKS) cluster authenticates to the Azure Container Registry by making use of the auto-generated service principal.

Solution: You create an Azure Active Directory (Azure AD) role assignment.

Does the solution meet the goal?

Show Answer
Correct Answer: AB

When setting up an Azure Kubernetes Service (AKS) cluster to authenticate with an Azure Container Registry (ACR), the correct approach involves Azure Role-Based Access Control (RBAC). Specifically, this requires assigning the AcrPull role to allow the cluster's service principal to pull images from the ACR. The proposed solution of creating an Azure Active Directory (Azure AD) role assignment is incorrect since it does not directly handle the necessary permissions for interacting with ACR. Therefore, the solution does not meet the goal.

Discussion

17 comments
Sign in to comment
romaso82Option: A
Jul 9, 2021

correct answer

PKPKPKOption: B
Dec 11, 2021

i think its B as it wold need an RBAC role instead AAD role

xRiot007
Jul 15, 2024

The answer is B, but not because of that. The Microsoft Entra group will attach the AcrPull permission automatically, completing RBAC. The reason why the answer is No is because the authentication is done automatically, you don't have to create any roles. You just need to attach the service (AKS) to the container (ACR)

majstor86Option: B
Mar 2, 2023

B. NO Needs an RBAC role

zellckOption: B
May 7, 2023

B is the answer. https://learn.microsoft.com/en-us/azure/container-registry/container-registry-roles?tabs=azure-cli The Azure Container Registry service supports a set of built-in Azure roles that provide different levels of permissions to an Azure container registry. Use Azure role-based access control (Azure RBAC) to assign specific permissions to users, service principals, or other identities that need to interact with a registry, for example to pull or push container images.

JessEsquerdoOption: A
Oct 17, 2023

Correct answer is A Yes, the solution meets the goal. When using Azure Container Registry (ACR) with Azure Kubernetes Service (AKS), you need to establish an authentication mechanism. You can configure the required permissions between ACR and AKS using the Azure CLI, Azure PowerShell, or Azure portal1. The AKS to ACR integration assigns the AcrPull role to the Azure Active Directory (Azure AD) managed identity associated with the agent pool in your AKS cluster1. This is essentially creating an Azure AD role assignment. So, your solution of creating an Azure AD role assignment is correct. However, please note that there’s a latency issue with Azure Active Directory groups when attaching ACR1. If you’re running automation that requires the RBAC configuration to be complete, it’s recommended to use “Bring your own kubelet identity” as a workaround. https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli

ltjones12Option: B
Jan 5, 2023

Definitely B. This is not an Azure AD Role assignment. This needs an RBAC role

sulfur
Feb 2, 2023

https://www.examtopics.com/discussions/microsoft/view/13685-exam-az-500-topic-3-question-16-discussion/

Mazhar1993Option: B
Apr 21, 2024

The answer is No. When an AKS cluster is created, Azure automatically generates a service principal to facilitate interactions with other Azure resources, including ACR. This auto-generated service principal can be directly used for authenticating the AKS cluster to the ACR registry. Therefore, creating an additional Azure AD role assignment is unnecessary as the auto-generated service principal already fulfills the authentication requirements. The proposed solution of creating an Azure AD role assignment adds complexity without providing any additional benefit, making it unnecessary and not meeting the goal efficiently. https://learn.microsoft.com/bs-latn-ba/azure/aks/cluster-container-registry-integration?tabs=azure-cli

massnonnOption: A
Jul 20, 2023

Yes, the solution meets the goal of ensuring that the Azure Kubernetes Service (AKS) cluster can authenticate to the Azure Container Registry using the auto-generated service principal.

hfk2020Option: B
Dec 15, 2023

The AKS to ACR integration assigns the AcrPull role to the Microsoft Entra ID managed identity associated with the agent pool in your AKS cluster.

SlawekyoOption: A
May 11, 2024

In Topic 3, question 16. You have the same question but to choose answer, there "Azure Active Directory (Azure AD) role assignment" is correct so answer is def A

bernedbOption: B
May 3, 2023

Correct answer is B. Azure AD roles is not the same as Azure RBAC https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles

BonesurferOption: A
Sep 11, 2023

A: https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#delegate-access-to-other-azure-resources

zied01Option: A
Nov 15, 2023

it's just a confusion between Azure AD roles and Azure RBAC but i think that to goal of this question is to make sure that the SPN should have a permission this is the goal and not the role/permission it self i think the answer is yes

Jkayx94Option: B
Feb 29, 2024

Requires ACR-Pull which is an Azure RBAC Built in Role: https://learn.microsoft.com/bs-latn-ba/azure/role-based-access-control/built-in-roles#acrpull Answer is B

Atom270Option: B
Jun 1, 2024

Obviously answer is B, why would anyone select A as it is related to role assigment

fastline112003Option: B
Jul 20, 2024

This should be usually done with Azure RBAC: az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>