Oracle Cloud Infrastructure 2020 Architect Professional — Question 50

You work for a large bank where security and compliance are critical. As part of the security overview meeting, your company decided to minimize the installation of local tools on your laptop. You have been running Ansible and kubectl to spin up Oracle Container Engine for Kubernetes (OKE) clusters and deployed your application.
For authentication, you are using an Oracle Cloud Infrastructure (OCI) CLI config file that contains OCIDs, Fingerprint, and a locally stored PEM file. Your security team doesn't want you to store any local API key and certificate, or any other local tools.
Which two actions should you perform to spin up the OKE cluster and interact with it? (Choose two.)

Answer options

• A. Create a developer workstation on OCI. Install Ansible and kubectl on it. Use resource principal to authenticate against OCI API and create the OKE Cluster.
• B. Develop your own code using OCI SDK to deploy the OKE cluster.
• C. Work on OCI Cloud Shell to use built-in Ansible and kubectl to deploy the OKE cluster. Use OCI_CLI_AUTH=instance_obo_user environment variable to authenticate using built-in token.
• D. Work on OCI Cloud Shell to use built-in Ansible and kubectl to deploy the OKE cluster. Bring in your own config file and certificate to authenticate against OCI API.
• E. Create a developer workstation on OCI. Install Ansible and kubectl on it. Use instance principal to authenticate against OCI API and create the OKE Cluster.

Correct answer: C, E

Explanation

Option C is correct because using OCI Cloud Shell allows you to avoid local installations and utilize built-in tools while authenticating with an instance-based token, adhering to security policies. Option E is also valid, but it requires setting up a developer workstation, which contradicts the requirement to minimize local tools. Options A, B, and D do not comply with the security team's restrictions regarding local API keys and certificates.