{"results":[{"id":"acr-best-practice-same-region-as-deployments","text":"Best practice is to create an ACR registry in the same Azure region as deployment targets for network-close storage and reduced latency.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-disabled-replica-still-syncs-and-costs","text":"Disabling `--region-endpoint-enabled` on an ACR geo-replica excludes it from global routing but data still syncs and storage costs still accrue.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-geo-replicated-storage-usage-home-region-only","text":"Storage usage in a geo-replicated ACR is reported for the home region only; multiply by replica count for total consumption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-geo-storage-usage-home-region-only","text":"Storage usage in a geo-replicated ACR is reported for the home region only; multiply by replica count for total consumption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-included-storage-basic-10-standard-100-premium-500","text":"ACR included storage: Basic 10 GiB, Standard 100 GiB, Premium 500 GiB; additional storage billed per-GiB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-max-storage-basic-standard-40tib-premium-100tib","text":"ACR maximum storage limits: Basic/Standard max 40 TiB, Premium max 100 TiB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acr-premium-enterprise-feature-gate","text":"ACR gates all enterprise capabilities behind Premium SKU: geo-replication, private link (up to 200 endpoints), content trust, customer-managed keys, and 2.5x higher storage limits (100 TiB vs 40 TiB for Basic/Standard).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-storage-class-managed-csi","text":"AKS default storage class is `managed-csi` backed by Standard SSD LRS","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-default-storage-classes-reconciled","text":"AKS reconciles built-in default storage classes — manual changes to them are overwritten by the platform.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-ephemeral-os-disk-requires-128gib-temp","text":"Ephemeral OS disk default sizing in AKS requires the VM SKU to have at least 128 GiB of temporary storage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-full-zero-trust-secrets-at-rest","text":"AKS achieves full zero-trust protection for secrets at rest when combining infrastructure-level network zero-trust (inherited from Azure's NSG/LB default-deny stack) with Key Vault's network-isolated defense-in-depth key lifecycle for external secret storage.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-managed-disks-encrypted-at-rest","text":"AKS node storage uses Azure Managed Disks with automatic encryption at rest.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-multi-az-zrs-default-k8s-1-29","text":"AKS multi-AZ clusters default to ZRS storage from Kubernetes 1.29","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-nvme-data-disks-ephemeral","text":"Ephemeral NVMe data disks in AKS provide high-performance temporary storage; data is lost on deallocation and they are managed via Azure Container Storage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-nvme-data-disks-ephemeral-container-storage","text":"NVMe data disks in AKS are ephemeral (data lost on deallocation) and are managed via Azure Container Storage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-reconciles-default-storage-classes","text":"AKS reconciles built-in default storage classes — manual changes to built-in classes are overwritten by the platform.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-runtime-security-defense-in-depth","text":"AKS provides runtime security defense-in-depth across compute and storage layers: AppArmor and seccomp profiles restrict container actions following least-privilege, while managed disks provide automatic encryption at rest for node storage — but the defense-in-depth model has a gap at the application data layer where Kubernetes Secrets use base64 encoding rather than encryption.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-secrets-end-to-end-protected","text":"AKS provides end-to-end secret protection at rest: customer-managed keys encrypt etcd storage via KMS encryption, backed by Key Vault where Microsoft cannot see or extract the encryption keys — ensuring the full chain from secret storage to key management is cryptographically secured.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-storage-complete-cross-os","text":"AKS provides complete persistent storage coverage across all access modes when Azure Disk supplies ReadWriteOnce with topology-aware zone-aligned provisioning and Azure Files supplies ReadWriteMany — unless the workload requires cross-OS persistent volume sharing in mixed Windows/Linux clusters.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aks-storage-disks-single-files-multi-netapp-throughput-containerstore-block","text":"AKS storage options: Azure Disks CSI (single pod), Azure Files CSI (multi-pod concurrent), Azure NetApp Files (high-throughput/low-latency), Azure Container Storage (fully managed block storage).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":207,"limit":20,"offset":0}