
Cloud Identity & Secrets
IRSA (AWS), Workload Identity (GCP), Managed Identity (Azure), External Secrets Operator, Vault patterns
1. What is the main advantage of using IRSA (IAM Roles for Service Accounts) in an EKS cluster rather than static AWS access keys?
Answer
IRSA allows Kubernetes pods to assume temporary IAM roles via OIDC, eliminating the need to store static credentials in Secrets. Permissions are scoped per ServiceAccount, following the principle of least privilege. Credentials are automatically rotated by AWS STS (Security Token Service), reducing the attack surface if a pod is compromised.
2. In GCP, how does Workload Identity Federation allow a GKE pod to access Google Cloud resources?
Answer
Workload Identity binds a Kubernetes ServiceAccount to a Google Service Account via an annotation. The pod obtains an OIDC token from the Kubernetes API server, which is exchanged for a GCP token via the metadata server. This avoids storing static service account JSON keys in the cluster, following the zero-trust model and enabling automatic credential rotation.
3. What is the main difference between Azure Managed Identity and traditional service principals?
Answer
Managed Identity eliminates the need to manually manage credentials (client secret, certificate). Azure automatically handles the credential lifecycle, including rotation. Managed Identities can be system-assigned (tied to a resource's lifecycle) or user-assigned (independent). This reduces the risk of secret leakage compared to service principals where secrets must be stored and manually rotated.
4. How does External Secrets Operator synchronize secrets from an external provider (AWS Secrets Manager, Vault) to Kubernetes?
5. What is the role of the mutating admission webhook controller in automatic secret injection via Vault Agent Injector?