AWS Certified DevOps Engineer – Professional (DOP-C02) — Question 282
A company is using Amazon Elastic Kubernetes Service (Amazon EKS) to run its applications. The EKS cluster is successfully running multiple pods. The company stores the pod images in Amazon Elastic Container Registry (Amazon ECR).
The company needs to configure Pod Identity access for the EKS cluster. The company has already updated the node IAM role with the permissions required for Pod Identity access.
Which solution will meet these requirements?
Answer options
- A. Create an IAM OpenID Connect (OIDC) provider for the EKS cluster.
- B. Ensure that the nodes can reach the EKS Auth API. Add and configure the EKS Pod Identity Agent add-on for the EKS cluster.
- C. Create an EKS access entry that uses the API_AND_CONFIG_MAP cluster authentication mode.
- D. Configure the AWS Security Token Service (AWS STS) endpoint for the Kubernetes service account that the pods in the EKS cluster use.
Correct answer: B
Explanation
To use EKS Pod Identity, the EKS Pod Identity Agent add-on must be deployed to the cluster, and the worker nodes need network connectivity to the EKS Auth API so the agent can retrieve credentials for the pods. Option A describes the setup for IAM Roles for Service Accounts (IRSA), a different credential mechanism that Pod Identity does not require. Options C and D are incorrect because neither the API_AND_CONFIG_MAP cluster authentication mode nor a change to the service account's STS endpoint enables Pod Identity; those settings govern cluster access and STS request routing, not how the Pod Identity agent obtains credentials.