What is the purpose of the --authorization-mode=RBAC flag on the API server?
RBAC is the standard authorization mode for Kubernetes.
Why this answer
The `--authorization-mode=RBAC` flag configures the Kubernetes API server to use Role-Based Access Control (RBAC) as its authorization mode. This means that when a request reaches the API server, after authentication, the authorization module checks the request against RBAC roles and role bindings to determine if the user or service account has permission to perform the requested action. Without this flag, the API server would default to other modes (e.g., AlwaysAllow) or require explicit configuration of a different authorizer.
Exam trap
CNCF often tests the distinction between authorization modes and other API server flags (like admission plugins or audit logging), so candidates may confuse `--authorization-mode=RBAC` with enabling audit logging or admission controllers, when in fact each flag controls a completely separate subsystem.
How to eliminate wrong answers
Option B is wrong because anonymous authentication is controlled by the `--anonymous-auth` flag (defaults to true), not by the `--authorization-mode` flag; disabling anonymous auth is a separate configuration. Option C is wrong because the NodeRestriction admission plugin is enabled via the `--enable-admission-plugins` flag, not through the authorization mode flag. Option D is wrong because audit logging for RBAC events is configured via the `--audit-policy-file` flag and audit policy rules, not by setting the authorization mode to RBAC.