Create Service Principal for Azure Container Registry Authentication | Exam AZ-500

Create Service Principal

Question

You are configuring an Azure Kubernetes Service (AKS) cluster that will connect to an Azure Container Registry.

You need to use the auto-generated service principal to authenticate to the Azure Container Registry.

What should you create?

Answers


A. B. C. D.

B

When you create an AKS cluster, Azure also creates a service principal to support cluster operability with other Azure resources. You can use this auto-generated service principal for authentication with an ACR registry. To do so, you need to create an Azure AD role assignment that grants the cluster's service principal access to the container registry.

https://docs.microsoft.com/bs-latn-ba/azure/container-registry/container-registry-auth-aks

The correct answer is B: an Azure Active Directory (Azure AD) role assignment.

Explanation:

When an Azure Kubernetes Service (AKS) cluster connects to an Azure Container Registry, it needs to authenticate itself to the registry to pull the container images. AKS uses a Kubernetes secret to store the credentials required to authenticate to the registry. These credentials are provided by an Azure Active Directory (Azure AD) service principal, which is auto-generated when the AKS cluster is created.

To use the auto-generated service principal to authenticate to the Azure Container Registry, you need to create an Azure Active Directory (Azure AD) role assignment. This will grant the necessary permissions to the service principal to pull images from the registry.

The Azure AD role assignment you need to create assigns the AcrPull role. This role allows a user or service principal to pull images from an Azure Container Registry. To create the role assignment, follow these steps:

  1. Open the Azure portal and navigate to the Azure Container Registry.
  2. Click on "Access Control (IAM)" in the left-hand menu.
  3. Click on the "+ Add" button to add a new role assignment.
  4. Select "Add role assignment" from the dropdown.
  5. Select the "AcrPull" role from the "Role" dropdown.
  6. Select "User, group, or service principal" from the "Assign access to" dropdown.
  7. Enter the name of the auto-generated service principal in the search box.
  8. Select the service principal from the search results.
  9. Click the "Save" button to create the role assignment.

After creating the Azure AD role assignment, you can configure the AKS cluster to use the auto-generated service principal to authenticate to the Azure Container Registry. To do so, specify the name of the Kubernetes secret that contains the service principal credentials in the AKS cluster's imagePullSecrets configuration.
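The role assignment from the numbered portal steps above can also be created with the Azure CLI. This is an added example, not part of the original page: it scopes AcrPull to the single registry, skips creation when the assignment already exists, and stops when the cluster reports `msi` (managed identity) instead of a service principal client ID. The function names and the resource names in the usage comment are assumptions.

```bash
# Usage (placeholder names):
#   grant_acr_pull myResourceGroup myAKSCluster myResourceGroup myRegistry

# Client ID of the service principal AKS created for the cluster.
aks_sp_client_id() {   # $1 = resource group, $2 = cluster name
  az aks show --resource-group "$1" --name "$2" \
    --query servicePrincipalProfile.clientId --output tsv
}

# Full resource ID of the registry; used as the role assignment scope.
acr_resource_id() {    # $1 = resource group, $2 = registry name
  az acr show --resource-group "$1" --name "$2" --query id --output tsv
}

# Grant AcrPull on one registry to the cluster's service principal.
# Exit status: 0 = assigned or already present, 1 = az call failed,
# 2 = cluster has no service principal to assign the role to.
grant_acr_pull() (     # $1 = AKS RG, $2 = cluster, $3 = ACR RG, $4 = registry
  sp=$(aks_sp_client_id "$1" "$2") || exit 1
  scope=$(acr_resource_id "$3" "$4") || exit 1
  # Managed-identity clusters report "msi" here instead of a client ID.
  if [ -z "$sp" ] || [ "$sp" = "msi" ]; then
    echo "no service principal on cluster $2 (clientId='$sp')" >&2
    exit 2
  fi
  # Skip creation when the same assignment already exists.
  existing=$(az role assignment list --assignee "$sp" --role AcrPull \
    --scope "$scope" --query "[].id" --output tsv) || exit 1
  if [ -n "$existing" ]; then
    echo "AcrPull already assigned at $scope"
    exit 0
  fi
  # Scope is the registry itself, not the resource group or subscription,
  # so the principal can pull from this registry only.
  az role assignment create --assignee "$sp" --role AcrPull \
    --scope "$scope" --output none || exit 1
  echo "AcrPull assigned at $scope"
)
```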