Question 2:
We have set up a service account named blue-sa-cka21-arch, along with a cluster role blue-role-cka21-arch and a corresponding cluster role binding blue-role-binding-cka21-arch.
You need to adjust the permissions for the service account so it no longer has cluster-wide access. Update the service account to ensure it has only get access for pods within the default namespace of cluster1.
Doubt:
In this scenario, as it's mentioned in the question (only has get access for pods within the default namespace), do we need to delete both the cluster role and the cluster role binding and create a role and role binding in the default namespace,
OR
should we just create a role binding in the default namespace referencing the already created cluster role?
Here the question has a solution that appears in the End Exam page for the mock exam; you should look at those for answering these sorts of questions. In this case, you cannot reuse the clusterrole, since it does not allow for getting pods:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2024-11-23T18:56:16Z"
  name: blue-role-cka21-arch
  resourceVersion: "2280"
  uid: 0ea7378e-1b7b-4adf-966b-245889bc2af7
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - get
Since the clusterrole isn't relevant to the problem, you'll need to delete it, and then you can solve the problem by creating a role that allows get on pods in default, and a rolebinding that links that role to the named service account.
Hi,
@rob_kodekloud
As in the Question :
You need to adjust the permissions for the service account so it no longer has cluster-wide access. Update the service account to ensure it has only get access for pods within the default namespace of cluster1.
Can we create a rolebinding in the default namespace referencing the already created clusterrole? Wouldn't this satisfy the requirement, as the question does not explicitly specify to create a role and rolebinding, but rather just to restrict the permissions in such a way that the service account gets access to pods within the default namespace? Please correct me if I am wrong.
Using the clusterrole would not do you any good, since it refers to deployments, and not to pods. So either you'd need to create a role and rolebinding in default (one way of solving the problem) or you'd need to fix the clusterrole and refer to it in a rolebinding in default (way #2 to solve the problem). But simply referring to the unmodified clusterrole won't do it for you, since the result of that will be to allow for deployments only in default – not what the question asks.
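The two ways described in this reply and in the earlier answer, written out as manifests. This is an added example, not part of the thread or of the KodeKloud mock exam solution: it assumes the service account lives in the default namespace (the thread does not say), and the Role/RoleBinding names are reused from the question only for readability. Either way, the existing ClusterRoleBinding blue-role-binding-cka21-arch must be deleted first; a RoleBinding only ever grants permissions, so adding one never narrows the cluster-wide access the ClusterRoleBinding already confers.

```yaml
# Way #1: delete the ClusterRole and ClusterRoleBinding, then create a
# namespaced Role plus RoleBinding in default.
#   kubectl delete clusterrolebinding blue-role-binding-cka21-arch
#   kubectl delete clusterrole blue-role-cka21-arch
#   kubectl apply -f way1.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: blue-role-cka21-arch        # name reused from the question for readability
  namespace: default
rules:
- apiGroups: [""]                   # core API group: pods live here, not in "apps"
  resources: ["pods"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: blue-role-binding-cka21-arch
  namespace: default
subjects:
- kind: ServiceAccount
  name: blue-sa-cka21-arch
  namespace: default                # assumption: the SA is in default
roleRef:
  kind: Role
  name: blue-role-cka21-arch
  apiGroup: rbac.authorization.k8s.io
---
# Way #2: keep the ClusterRole but fix its rule to cover pods, delete the
# ClusterRoleBinding, and bind the ClusterRole through a namespaced
# RoleBinding. Because the binding is a RoleBinding, the grant is scoped
# to default even though the role object is cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: blue-role-cka21-arch
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: blue-role-binding-cka21-arch
  namespace: default
subjects:
- kind: ServiceAccount
  name: blue-sa-cka21-arch
  namespace: default
roleRef:
  kind: ClusterRole                 # a RoleBinding may reference a ClusterRole
  name: blue-role-cka21-arch
  apiGroup: rbac.authorization.k8s.io
```

Whichever way you choose, check the result by impersonating the service account rather than trusting the manifests: `kubectl auth can-i get pods -n default --as=system:serviceaccount:default:blue-sa-cka21-arch` should print yes, while the same command with `-n kube-system`, with `--all-namespaces`, or with `get deployments` in place of `get pods` should print no. If `--all-namespaces` still returns yes, a ClusterRoleBinding for the account is still in place.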
Hi,
@rob_kodekloud
Thanks for the clarification! It was my mistake earlier that I didn't mention modifying the ClusterRole. What I actually meant was to go with way #2: create a RoleBinding in the default namespace that references the existing ClusterRole, and modify the ClusterRole to give the service account access (verb=get) to the pods (resource=pods) within the default namespace. Just to confirm, will proceeding with either way (way #1 or way #2) solve the problem as required by the question?
I would recommend trying the answer you think is correct, and if it does not pass the grader, tell us. As you’ve seen, sometimes the grader is too narrow as to what it accepts. If a valid answer won’t pass, that’s a grader bug, and we should fix it.
1 Like
Hi,
@rob_kodekloud
Thank you for your response! I’ll try way #2 in my next attempt and let you know if it resolves the issue. I really appreciate your help!