Q26 — AWS DOP-C02 Ch.3

Question 26 of 100, Chapter 3

A company is running a mission-critical application on Amazon Elastic Kubernetes Service (Amazon EKS). The EKS cluster is successfully running multiple pods. The company stores pod images in Amazon Elastic Container Registry (Amazon ECR). The company needs to configure pod identity access for the EKS cluster. The company has already updated node IAM roles to enable pod identity access.

Correct Answer: A. Create an IAM OpenID Connect (OIDC) provider for the EKS cluster.

Explanation

The recommended method for configuring pod identity access in Amazon EKS is IAM Roles for Service Accounts (IRSA), which depends on the cluster's OIDC identity provider. AWS documentation explicitly lists creating an IAM OIDC identity provider for the EKS cluster as a prerequisite for IRSA; once it exists, Kubernetes service accounts can assume IAM roles directly. Option B refers to outdated third-party solutions such as kiam or kube2iam. Option C's 'cluster authentication mode' concerns node-level authentication, not pod identity. Option D describes a single implementation step within IRSA setup, not the foundational configuration. Answer A therefore matches the official AWS infrastructure requirements for IRSA.