A Security Operations Analyst needs to configure access for an external OIDC provider (e.g., Okta) to allow developers to authenticate to TKG clusters.
Review the available configuration interfaces:
1. vSphere Client > Administration > Single Sign-On > Configuration > Identity Provider
2. Supervisor Control Plane VM (via SSH) > /etc/pam.d/
3. NSX Manager > System > Users > External
4. Tanzu Mission Control > Identity
Where must the analyst configure the upstream OIDC Identity Provider trust relationship so that it applies to the Supervisor Cluster and its Namespaces?

• A.Interface 2
• B.Interface 1
• C.Interface 4
• D.Interface 3

Comment: *

Name: *

Email: *

Verification: *

Which statement accurately describes the function of the vSphere Plugin for kubectl (also known as vsphere-plugin) when authenticating to a vSphere with Tanzu environment?

• A.It is used solely for deploying vSphere Pods and cannot be used to interact with Tanzu Kubernetes Grid (TKG) clusters.
• B.It is a client-side helper that integrates with vCenter Single Sign-On (SSO) to generate a valid kubeconfig file and authentication token for accessing the Supervisor Cluster and TKG clusters.
• C.It is a server-side component installed on the Supervisor Control Plane that translates Kubernetes API calls into vSphere API calls.
• D.It acts as a proxy that tunnels all kubectl commands directly to the ESXi hosts bypassing the Supervisor Control Plane.

Comment: *

Name: *

Email: *

Verification: *

Which type of storage is used by VMware vSphere Kubernetes Service (VKS) pods to store non-persistent data?

• A.Container image storage
• B.Ephemeral storage
• C.Object storage
• D.vSphere local storage

Comment: *

Name: *

Email: *

Verification: *

An administrator is tasked to protect a VKS cluster at a point in time. To satisfy the request, the administrator creates a pre-provisioned snapshot of the target cluster.
Drag and drop the four configuration tasks Into the correct order from "Configuration Steps" on the left and place them into the "Configuration Order" on the right. (Choose four.)

Correct Answer:

Explanation:
Configuration Order (in order):
* Verify the name of the original VolumeSnapshot object in the Supervisor.
* Create a VolumeSnapshotContent object.
* Create a VolumeSnapshot object.
* Verify that the VolumeSnapshot is marked with ReadyToUse as true.
Apre-provisioned snapshotworkflow means the snapshot already exists at the Supervisor/storage layer, and you are "importing" it into Kubernetes by creating the Kubernetes objects that reference it. That's why the first step is toidentify/verify the exact snapshot nameas it exists in the Supervisor context-this is the authoritative identifier you must point to when you create Kubernetes snapshot metadata. Next, you create theVolumeSnapshotContentobject, which represents theactual snapshot on the storage backendand includes the handle/reference to that pre-existing snapshot. With the content object in place, you then create theVolumeSnapshotobject, which is theuser-facing Kubernetes object(namespaced) that binds to the pre- provisioned VolumeSnapshotContent (either explicitly or via binding rules). Finally, you validate the outcome by checking that theVolumeSnapshot shows ReadyToUse: true, confirming the binding succeeded and Kubernetes can use the snapshot for restore/clone workflows.

Comment: *

Name: *

Email: *

Verification: *

A Cloud Administrator needs to resolve a "Condition: False" error on a Supervisor Cluster related to network connectivity. The Supervisor cannot reach the external image registry to pull system images.
Review the following log snippet from the Supervisor's WCP service:
E1121 10:05:01.442 controller.go:120] Failed to pull image 'projects.registry.vmware.com/tkg/tanzu- kubernetes-grid-service-v2.0.0':
rpc error: code = Unknown desc = Error response from daemon: Get
https://projects.registry.vmware.com/v2/: dial tcp 10.128.0.45:443: i/o timeout The administrator verifies that the firewall rules allow traffic from the Supervisor Management Network IP range to the internet.
What configuration on the Supervisor is most likely missing or incorrect, preventing this connection?
(Select all that apply.)

• A.The Supervisor's Management Network Gateway is configured incorrectly.
• B.The Image Registry Service has not been enabled on the Supervisor.
• C.The Proxy Settings (HTTP/HTTPS Proxy) have not been configured or are incorrect on the Supervisor, preventing it from routing internet-bound traffic through the corporate gateway.
• D.The Egress CIDR for the Namespaces is exhausted.
• E.The DNS Server settings on the Supervisor are incorrect, causing name resolution to fail.

Comment: *

Name: *

Email: *

Verification: *