
AZ-104 Exam - Question 42


You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.

An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.

You need to ensure that access to AKS1 can be granted to the contoso.com users.

What should you do first?

Correct Answer: A

To address the access issue for the users in contoso.com to AKS1, the first step should be to modify the Organization relationships settings in contoso.com. This involves setting up the necessary trust and permission relationships between the Azure AD tenant and the AKS cluster to allow user access and management capabilities. Adjusting the Organization relationships settings ensures that users in the Azure AD tenant can effectively be granted the necessary access to AKS1.

Discussion

AlleyC (Option: B)
May 20, 2022

Answer is correct: B. Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. https://docs.microsoft.com/en-us/azure/aks/managed-aad

tweedo
Jul 28, 2022

This seems to be a correct answer in scope of listed answers, but please mind that AKS now supports direct integration with AAD, the method using OAuth 2.0 is considered legacy: https://docs.microsoft.com/en-us/azure/aks/azure-ad-integration-cli

jackdryan
Feb 19, 2023

B is correct

TDsysadmin
Sep 12, 2022

In 20/08/2022 exam

18c2076
Mar 13, 2024

As of late 2023 / early 2024, Azure Kubernetes Service is NO LONGER part of the exam. This question is defunct. Please review the MS provided documentation regarding the AZ104 exam: https://learn.microsoft.com/en-us/credentials/certifications/resources/study-guides/az-104

GlixRox
Jun 1, 2024

Glad you said this because I had never heard of this during my course.

3c5adce (Option: D)
Apr 23, 2024

ChatGPT says D: D. From AKS1, create a namespace. To grant access to the users in the contoso.com Azure AD tenant, you need to integrate AKS with Azure AD for authentication and authorization. One of the steps involved in this process is to create a Kubernetes namespace. Once the namespace is created, you can configure RBAC (Role-Based Access Control) to grant appropriate permissions to users and groups from the Azure AD tenant. Options A and B are not relevant to granting access to AKS. Option C, recreating AKS1, is not necessary as the existing AKS cluster can be configured to integrate with Azure AD for user access control. Therefore, option D is the correct first step to enable access for contoso.com users.

JonHanes
Oct 1, 2023

This one had me confused between B and C, asking the Bing AI resulted in the following: The question does leave out some important details that would help determine the most appropriate answer. For instance, it doesn’t specify whether Azure RBAC is enabled on the AKS cluster. If Azure RBAC is not enabled, then the cluster would need to be recreated with Azure RBAC enabled (Option C). However, if Azure RBAC is already enabled and the cluster is integrated with Azure AD, then creating an OAuth 2.0 authorization endpoint could be a valid first step (Option B). The question also doesn’t specify whether the users are part of the same Azure AD tenant as the AKS cluster or if they are external users. If they are external users, additional steps might be needed to grant them access to the AKS cluster.

mojo86 (Option: A)
Mar 12, 2024

Creating an OAuth 2.0 authorization endpoint is not directly related to granting access to the AKS cluster for users in the contoso.com Azure AD tenant. In the context of Azure AD integration with AKS, the OAuth 2.0 authorization endpoint is typically used for applications to authenticate and obtain access tokens to access Azure resources, including AKS clusters, on behalf of a user. This is more relevant for application developers who are building applications that need to interact with AKS or other Azure services. For your scenario, where you want to grant access to the AKS cluster to users in the contoso.com Azure AD tenant, you should focus on registering the AKS cluster with Azure AD and then assigning the appropriate permissions to the users or groups in the Azure AD tenant.

mojo86
Mar 12, 2024

Therefore the answer is A

3c5adce (Option: D)
May 11, 2024

D. From AKS1, create a namespace. To manage access to Azure Kubernetes Service (AKS) clusters effectively, namespaces are used within Kubernetes to segment resources and provide a scope for access policies. By creating a namespace in AKS1, you can define Role-Based Access Control (RBAC) policies specifically for that namespace, which can then be used to grant appropriate permissions to users from the contoso.com Azure AD tenant. This is the first operational step in ensuring users can be granted access to specific parts of the AKS cluster without recreating the cluster or modifying authentication systems.

Lazylinux (Option: B)
Jun 3, 2024

B is correct as per https://learn.microsoft.com/en-us/azure/aks/concepts-identity

Misty39 (Option: A)
Aug 12, 2023

but the question states, what is THE FIRST THING U DO?

AMEHAR (Option: B)
Aug 23, 2023

B is correct

jay223 (Option: B)
Nov 12, 2023

Answer B is correct

Wojer (Option: D)
Jan 14, 2024

Now you can upgrade the Kubernetes configuration to "Azure AD and Kubernetes RBAC" or "Azure AD and Azure RBAC" in a "Cluster Configuration" tab.

Saimons
Feb 3, 2024

AKS should no longer be part of the exam

tashakori (Option: B)
Mar 14, 2024

B is right

Iron_Man_111
Mar 17, 2024

Still confused between A and B. Can someone provide more reasons to go for A or B, whichever you feel is the correct answer?

Nico1973 (Option: A)
Jul 11, 2024

To ensure that access to AKS1 can be granted to the users in contoso.com, you should first select option A: From contoso.com, modify the Organization relationships settings. This action will allow you to establish the necessary connections and permissions between the Azure AD tenant (contoso.com) and the AKS cluster (AKS1), enabling users in contoso.com to access and manage AKS1 effectively.

Nico1973 (Option: A)
Jul 11, 2024

To ensure that access to AKS1 can be granted to the users in the contoso.com Azure AD tenant, you should first: A. From contoso.com, modify the Organization relationships settings. Explanation: By modifying the Organization relationships settings in the contoso.com Azure AD tenant, you can establish the necessary trust relationships and permissions required for users in the tenant to access and manage resources, such as the AKS1 cluster. This step is essential for enabling user access and control over AKS1 within the Azure environment. Once the Organization relationships settings are appropriately configured, users in the contoso.com Azure AD tenant will be able to grant access to AKS1 effectively.