Question 38
Domain 6: Security and Compliance
A company is using Amazon Elastic Kubernetes Service (Amazon EKS) to run its applications. The EKS cluster is successfully running multiple pods. The company stores the pod images in Amazon Elastic Container Registry (Amazon ECR). The company needs to configure Pod Identity access for the EKS cluster. The company has already updated the node IAM role by using the permissions for Pod Identity access. Which solution will meet these requirements?
Correct answer: B
Explanation
EKS Pod Identity requires the node IAM role permissions and the Pod Identity agent on the cluster to broker credentials for pods. AWS states that you must "add and configure the EKS Pod Identity Agent add-on" and that nodes must be able to reach the EKS Auth API so the agent can communicate with the service.
Why each option is right or wrong
A. Create an IAM OpenID Connect (OIDC) provider for the EKS cluster.
An IAM OIDC provider is what IAM Roles for Service Accounts (IRSA) requires; the EKS Pod Identity agent flow does not depend on it.
B. Ensure that the nodes can reach the EKS Auth API. Add and configure the EKS Pod Identity Agent add-on for the EKS cluster.
Amazon EKS Pod Identity is implemented through the EKS Pod Identity Agent, which must be installed as an add-on in the cluster so it can broker credentials for pods; without that add-on, the pod-to-AWS credential flow cannot function. In addition, the worker nodes must have network reachability to the EKS Auth API endpoint, because the agent uses that service to obtain and refresh pod credentials; if the nodes cannot reach it, Pod Identity access fails even if the node IAM role has already been updated.
C. Create an EKS access entry that uses the API_AND_CONFIG_MAP cluster authentication mode.
Access entries control how IAM principals (users or roles) authenticate to and are authorized within the cluster; they do not deliver AWS credentials to pods.
D. Configure the AWS Security Token Service (AWS STS) endpoint for the Kubernetes service account that the pods in the EKS cluster use.
STS is involved in some credential flows, but Pod Identity is not configured by setting an STS endpoint on a Kubernetes service account.