BenchMark Quizzes by MDFT Pro

Evaluate Azure Policy for AKS Resource Management

You work as a Kubernetes Platform Engineer for MDFT Pro, a well-known training agency that delivers certification courses to students worldwide. Mark, the Container Orchestration Lead, is developing a comprehensive AKS-based solution for the Container Learning Lab that students use to practice Kubernetes skills. The solution includes a custom VNet for network isolation, Azure Container Registry images for pre-built training containers, and an Azure Storage account for persistent course data. The platform must support dynamic creation and management of all Azure resources directly from within the AKS cluster—for example, when students create a lab environment, the application running in AKS should automatically provision storage accounts, configure network resources, and pull images from ACR using Azure Resource Manager APIs. You need to configure the AKS cluster to enable this dynamic resource management capability.

Solution: Enable the Azure Policy Add-on for Kubernetes to connect the Azure Policy service to the Gatekeeper admission controller for the AKS cluster. Apply a built-in policy to the cluster.

Does the solution meet the requirements?

Choose the correct answer from the options below.

Explanations for each answer:

Yes, Azure Policy Add-on enables dynamic resource management via Azure APIs is incorrect. Azure Policy for Kubernetes enforces governance and compliance policies on cluster resources (like pod security, allowed images, or resource limits) but does not enable dynamic creation and management of external Azure resources like VNets, Container Registry, or Storage accounts. Policy enforcement validates and controls what resources can be created within the cluster, not outside it.
No, this solution does not meet the goal is correct. To dynamically create and manage Azure resources (VNet, ACR, Storage) from within an AKS cluster, you need Azure Identity integration with managed identities or workload identity, not the Azure Policy Add-on. The Policy Add-on with Gatekeeper enforces governance rules within the cluster but doesn't provide the authentication and authorization needed for Azure Resource Manager API calls. You should enable workload identity or managed identity with appropriate RBAC permissions.
No, Gatekeeper admission controller does not integrate with Azure Policy is incorrect. Gatekeeper does integrate with Azure Policy when you enable the Azure Policy Add-on for AKS. The add-on connects the Azure Policy service to the Open Policy Agent Gatekeeper v3 admission controller, allowing you to apply and enforce Azure Policy compliance on your cluster. The issue is not the integration but the fact that policy enforcement doesn't enable Azure resource management.
No, Azure Policy cannot be applied at the AKS cluster scope is incorrect. Azure Policy can definitely be applied to AKS clusters. You can assign policies at various scopes including subscription, resource group, or individual cluster level. The Azure Policy Add-on allows you to apply both built-in and custom policies to enforce compliance within the cluster. The problem is that policy enforcement is not the same as resource management capability.

Learn more about Managed Identity:

AKS Managed Identity Integration

Practice Exam

Evaluate Azure Policy for AKS Resource Management

Discuss this question on social media: