Microsoft Azure Solutions Architect Expert AZ-305 Practice Question
You are designing an authentication strategy for several Azure Kubernetes Service (AKS) clusters that pull container images from a single Azure Container Registry (ACR) in another subscription. The solution must meet the following requirements:
No credentials may be stored in Kubernetes manifests or cluster nodes.
Credential rotation must occur automatically, without administrative action.
Each cluster must have only the AcrPull permission on the registry.
Future clusters deployed from an ARM template must obtain access with no additional scripting.
Which approach should you recommend?
Create an Azure AD service principal, assign it the AcrPull role, and reference its client secret in each cluster's imagePullSecret.
Create a user-assigned managed identity for each AKS cluster and assign it the AcrPull role on the target ACR.
Enable the ACR admin user and configure its username and password as a Kubernetes secret in every cluster.
Register a single Azure AD application protected by a certificate, assign AcrPull on the registry, and configure Azure AD pod-identity in each cluster to use that application.
Granting the cluster's managed identity the AcrPull role on the registry meets every requirement. The kubelet identity that backs a managed-identity-enabled AKS cluster is created and injected by the platform; it authenticates to ACR with Azure AD tokens, so no credentials are stored in manifests or on nodes. The underlying secret is managed and rotated by Azure, and assigning only the AcrPull built-in role enforces least privilege. When new clusters are provisioned from a template, their managed identity is created automatically and can be granted the same role assignment declaratively.
Using a service principal or the registry's admin account would require storing a password or client secret in the cluster and setting up a manual rotation process. Using a single shared Azure AD application with certificates still involves certificate management and secret distribution, and pod-identity only affects pods, not the kubelet's image-pull operation.
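As an added example (not part of the question page or any Microsoft sample), the following Bicep deploys the recommended design declaratively: a user-assigned control-plane identity per cluster, and an AcrPull assignment for the platform-created kubelet identity on an existing registry in another subscription, created through a module at the registry's scope. All names, API versions and the subscription/resource-group parameters are assumptions; the AcrPull GUID is the Azure built-in role definition ID.

```bicep
// ---- main.bicep: deployed into the AKS resource group. Added example; all names,
// API versions and parameter values are assumptions, not the page's own code. ----
param location string = resourceGroup().location
param clusterName string = 'aks-example-01'
param acrName string = 'exampleregistry'   // registry in the other subscription
param acrSubscriptionId string             // assumed: subscription owning the ACR
param acrResourceGroup string              // assumed: resource group owning the ACR
// One user-assigned identity per cluster for the control plane.
resource controlPlaneId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: '${clusterName}-controlplane'
  location: location
}
resource aks 'Microsoft.ContainerService/managedClusters@2024-02-01' = {
  name: clusterName
  location: location
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${controlPlaneId.id}': {} } }
  properties: {
    dnsPrefix: clusterName
    agentPoolProfiles: [ { name: 'system', mode: 'System', count: 2, vmSize: 'Standard_D2s_v3' } ]
  }
}

// The platform-created kubelet identity is the principal that pulls images. Its role
// assignment must be created at the registry's scope, so it goes through a module.
module acrPull 'acrPull.bicep' = {
  name: '${clusterName}-acrpull'
  scope: resourceGroup(acrSubscriptionId, acrResourceGroup)
  params: {
    acrName: acrName
    kubeletPrincipalId: aks.properties.identityProfile.kubeletidentity.objectId
  }
}

// ---- acrPull.bicep: module deployed into the registry's resource group ----
param acrName string
param kubeletPrincipalId string
// Built-in AcrPull role definition ID (identical in every Azure tenant).
var acrPullRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7f951dda-4ed3-4680-a7ca-43fe172d538d')
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = { name: acrName }
// Only AcrPull, scoped to this single registry: least privilege for image pulls.
resource acrPullAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, kubeletPrincipalId, acrPullRoleId)
  scope: acr
  properties: {
    roleDefinitionId: acrPullRoleId
    principalId: kubeletPrincipalId
    principalType: 'ServicePrincipal'  // avoids failures while a new identity replicates
  }
}
```

The deploying principal needs permission to create role assignments in the registry's subscription (for example Owner or User Access Administrator at the registry's resource group), which is the one-time cross-subscription setup the design requires.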
Design identity, governance, and monitoring solutions