{"results":[{"id":"acr-auth-entra-service-principal-admin","text":"ACR authentication options are Azure identity, Microsoft Entra service principal, or admin account; all image transfers use HTTPS with TLS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-authentication-entra-service-principal-admin","text":"ACR authentication options are Azure identity, Microsoft Entra service principal, or admin account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-best-practice-same-region-as-deployments","text":"Best practice is to create an ACR registry in the same Azure region as deployment targets for network-close storage and reduced latency.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-global-endpoint-routes-by-network-performance","text":"The ACR global endpoint (`myregistry.azurecr.io`) routes to the geo-replica with the best network performance, not necessarily geographic proximity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-network-close-deployment-same-region","text":"ACR should be placed in the same Azure region as container hosts to minimize latency and avoid cross-region egress fees.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-three-sku-tiers","text":"Azure Container Registry offers three SKU tiers: Basic (dev/test), Standard (most production), and Premium (high-volume/enterprise).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-azure-disk-readwriteonce","text":"Azure Disk volumes in AKS are mounted as ReadWriteOnce (single node); Azure Files supports ReadWriteMany (multi-node)","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-azure-disks-single-pod-files-multi-pod","text":"Azure Disks CSI provides single-pod access; Azure Files CSI provides multiple concurrent pod access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-azure-files-smb-311-nfs-41","text":"Azure Files CSI driver supports SMB 3.1.1 and NFS 4.1 protocols, enabling multi-node and multi-pod concurrent access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-bring-your-own-cni-supported","text":"AKS supports bring-your-own CNI for third-party networking plugins in addition to Azure-provided CNI options.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-control-plane-managed-by-azure","text":"The AKS control plane (kube-apiserver, etcd, kube-scheduler, kube-controller-manager, cloud-controller-manager) is fully managed by Azure; users manage only worker nodes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-custom-vnet-nsg-ports-443-4443-9988","text":"Custom VNet NSG rules for AKS must allow TCP 443 and 4443 from cluster subnet to API server subnet, and TCP 9988 from Azure Load Balancer to API server subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-custom-vnet-nsg-required-ports","text":"Custom VNet NSGs for AKS must allow TCP 443/4443 from cluster subnet to API server subnet, and TCP 9988 from Azure Load Balancer to API server subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-custom-vnet-nsg-tcp-443-4443-9988","text":"Custom VNet NSG rules for AKS must allow TCP 443 and 4443 from cluster subnet to API server subnet, and TCP 9988 from Azure Load Balancer to API server subnet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-custom-vnet-zero-trust-control-plane","text":"AKS custom VNet deployments inherit the Standard Load Balancer's zero-trust default-deny posture, requiring explicit NSG allowlisting of control plane ports (TCP 443, 4443 from cluster subnet to API server, TCP 9988 from Azure LB) — making AKS custom networking a manual allowlisting exercise where missing a single rule silently breaks cluster communication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-os-ubuntu-linux","text":"The default operating system for AKS nodes is Ubuntu Linux; Azure Linux and Windows Server 2022 are also available as options.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-full-zero-trust-secrets-at-rest","text":"AKS achieves full zero-trust protection for secrets at rest when combining infrastructure-level network zero-trust (inherited from Azure's NSG/LB default-deny stack) with Key Vault's network-isolated defense-in-depth key lifecycle for external secret storage.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-immutable-os-guard-fips-selinux","text":"Azure Linux OS Guard (preview) is an immutable, read-only OS that enforces FIPS + Trusted Launch and uses SELinux for mandatory access control.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-immutable-os-options-os-guard-flatcar","text":"AKS offers two container-optimized immutable OS options: Azure Linux OS Guard (preview, Microsoft-built, FIPS/Trusted Launch/SELinux enforced) and Flatcar Container Linux (preview, vendor-neutral, CNCF-based). Both are read-only at runtime with cryptographic integrity protection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-managed-disks-encrypted-at-rest","text":"AKS node storage uses Azure Managed Disks with automatic encryption at rest.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":1146,"limit":20,"offset":0}