Accessing Azure Kubernetes Service (AKS) for contoso.com Users | Troubleshooting Guide | Microsoft Exam AZ-104

Granting Access to AKS1 for contoso.com Users

Question

You have an Azure subscription that contains an Azure Active Directory (Azure AD) tenant named contoso.com and an Azure Kubernetes Service (AKS) cluster named AKS1.

An administrator reports that she is unable to grant access to AKS1 to the users in contoso.com.

You need to ensure that access to AKS1 can be granted to the contoso.com users.

What should you do first?

Answers

Explanations

A. B. C. D.

B

https://kubernetes.io/docs/reference/access-authn-authz/authentication/

The issue at hand is that the administrator is unable to grant access to the AKS1 cluster to the users in the Azure AD tenant contoso.com. To resolve this issue, the following steps can be taken:

First, check if the users in contoso.com are synced to the Azure AD tenant associated with the subscription that contains the AKS1 cluster. This can be done by navigating to the Azure AD tenant in the Azure portal and verifying if the users in question are present in the tenant. If they are not present, then the users need to be synced to the Azure AD tenant from the on-premises AD environment.

Next, verify that the users in contoso.com have been assigned the roles they need to access the AKS1 cluster. Users can be assigned roles such as AKS Cluster Admin, AKS Cluster User, or AKS Service Reader to access the AKS cluster. To check which roles are assigned, open the Access control (IAM) blade of the AKS1 cluster.

If the users in contoso.com are synced to the Azure AD tenant and have been assigned the necessary roles, but are still unable to access the AKS1 cluster, then it is possible that the Azure AD tenant and the AKS cluster are not properly connected. In this case, the following steps can be taken:

  1. Verify that the Azure AD tenant is associated with the subscription that contains the AKS1 cluster. This can be done by navigating to the Subscriptions blade in the Azure portal and checking the associated Azure AD tenant.

  2. Verify that the AKS cluster is properly configured to use the Azure AD tenant for authentication. This can be done by checking the Azure AD integration settings of the AKS1 cluster. The Azure AD integration should be enabled, and the tenant ID of the Azure AD tenant should be specified.

  3. If the Azure AD integration is not enabled or the tenant ID is incorrect, then it may be necessary to recreate the AKS1 cluster with the correct settings. However, recreating the AKS1 cluster should only be considered as a last resort.

Therefore, option C, which is to recreate AKS1, should only be considered if all other options have been exhausted. The correct option in this case would be to verify that the users in contoso.com are synced to the Azure AD tenant and have been assigned the necessary roles to access the AKS1 cluster. If these steps do not resolve the issue, then further investigation can be done to verify if the Azure AD tenant and the AKS1 cluster are properly connected.
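The checks described above (Azure AD integration enabled, correct tenant ID, role assignments on the cluster) can also be run over exported Azure CLI output instead of the portal. The following is an added example, not part of the original page; the JSON samples, the tenant ID, the resource group name and the `triage` helper are constructed for illustration.

```python
import json

# Constructed sample of `az aks show -g <rg> -n AKS1 -o json` (trimmed).
# A cluster without Azure AD integration reports "aadProfile": null.
AKS_SHOW = json.loads("""
{"name": "AKS1",
 "id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/AKS1",
 "aadProfile": {"managed": true, "enableAzureRbac": false,
                "tenantId": "11111111-1111-1111-1111-111111111111",
                "adminGroupObjectIDs": null}}
""")

# Constructed sample of
# `az role assignment list --scope <cluster id> --include-inherited -o json`.
ROLE_ASSIGNMENTS = json.loads("""
[{"principalName": "user1@contoso.com",
  "roleDefinitionName": "Azure Kubernetes Service Cluster User Role",
  "scope": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg1/providers/Microsoft.ContainerService/managedClusters/AKS1"}]
""")

def triage(cluster, assignments, expected_tenant, users):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    aad = cluster.get("aadProfile")
    if not aad:
        findings.append("Azure AD integration is not enabled on the cluster")
    elif (aad.get("tenantId") or "").lower() != expected_tenant.lower():
        findings.append("cluster is bound to tenant %s, expected %s"
                        % (aad.get("tenantId"), expected_tenant))
    # A role assignment applies if its scope is the cluster or a parent scope
    # (resource group, subscription).
    cluster_id = cluster["id"].lower()
    covered = set()
    for a in assignments:
        scope = a["scope"].lower().rstrip("/")
        if cluster_id == scope or cluster_id.startswith(scope + "/"):
            covered.add(a["principalName"].lower())
    for user in users:
        if user.lower() not in covered:
            findings.append("no role assignment on the cluster for " + user)
    return findings
```

Assignments made to a group appear under the group's name, so a user who has access only through group membership is reported here as having no direct assignment.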