In the mock CKA exam series, there is a question:
We have created a service account called blue-sa-cka21-arch, a cluster role called blue-role-cka21-arch and a cluster role binding called blue-role-binding-cka21-arch.
Update the permissions of this service account so that it can get pods only in the default namespace of cluster1.
The answer it expected was to update the clusterrole, which does not meet the needs of the limitation on the namespace. I believe the correct answer would be to create a new “Role” specific to the permissions needed in the default namespace, then bind that role to the service account. The current suggested answer opens up the get pods action for the serviceaccount to any namespace in the cluster, as can be verified with the k auth can-i get pods command against the kube-system namespace for that service account.
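To make the difference between the two answers concrete, here is an added example (not part of the original post or the exam material): a small in-memory model of how the Kubernetes RBAC authorizer resolves "can this service account get pods in namespace X?", run against both the suggested ClusterRole answer and a Role plus RoleBinding scoped to default. The object names blue-sa-cka21-arch, blue-role-cka21-arch and blue-role-binding-cka21-arch come from the question; the service account is assumed to live in the default namespace, and the Role and RoleBinding names used for the namespaced answer (pod-reader, pod-reader-binding) are placeholders.

```python
# Added example, not part of the original post: a minimal model of how the
# Kubernetes RBAC authorizer resolves a request, used to compare the two
# answers. Object names come from the question; the service account is
# assumed to live in the default namespace, and the Role/RoleBinding names
# for the namespaced answer are placeholders.

SA_NAMESPACE = "default"            # assumption: where blue-sa-cka21-arch lives
SA_NAME = "blue-sa-cka21-arch"
GET_PODS = [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]


def _rule_allows(rule, verb, resource):
    """True if one RBAC rule covers the verb/resource pair ('*' is a wildcard)."""
    return (verb in rule["verbs"] or "*" in rule["verbs"]) and (
        resource in rule["resources"] or "*" in rule["resources"])


def _binds_sa(binding, sa_namespace, sa_name):
    """True if the binding lists this service account as a subject."""
    return any(s["kind"] == "ServiceAccount" and s["namespace"] == sa_namespace
               and s["name"] == sa_name for s in binding["subjects"])


def can_i(objects, sa_namespace, sa_name, verb, resource, namespace):
    """Rough equivalent of `kubectl auth can-i <verb> <resource> -n <namespace>
    --as=system:serviceaccount:<sa_namespace>:<sa_name>` over in-memory objects."""
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not _binds_sa(b, sa_namespace, sa_name):
            continue
        # A RoleBinding grants only inside its own namespace; a
        # ClusterRoleBinding grants in every namespace of the cluster.
        if b["kind"] == "RoleBinding" and b["metadata"]["namespace"] != namespace:
            continue
        ref = b["roleRef"]
        # A roleRef of kind Role is resolved in the binding's namespace; a
        # ClusterRole is cluster-scoped (a RoleBinding may reference either).
        role_ns = b["metadata"]["namespace"] if ref["kind"] == "Role" else None
        role = roles.get((ref["kind"], role_ns, ref["name"]))
        if role and any(_rule_allows(r, verb, resource) for r in role["rules"]):
            return True
    return False


def suggested_answer():
    """The mock exam's answer: put 'get pods' in the existing ClusterRole."""
    return [
        {"kind": "ClusterRole", "metadata": {"name": "blue-role-cka21-arch"},
         "rules": GET_PODS},
        {"kind": "ClusterRoleBinding",
         "metadata": {"name": "blue-role-binding-cka21-arch"},
         "roleRef": {"kind": "ClusterRole", "name": "blue-role-cka21-arch"},
         "subjects": [{"kind": "ServiceAccount", "name": SA_NAME,
                       "namespace": SA_NAMESPACE}]},
    ]


def namespaced_answer():
    """The poster's answer: a Role plus RoleBinding scoped to default
    (names 'pod-reader' and 'pod-reader-binding' are placeholders)."""
    return [
        {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "default"},
         "rules": GET_PODS},
        {"kind": "RoleBinding",
         "metadata": {"name": "pod-reader-binding", "namespace": "default"},
         "roleRef": {"kind": "Role", "name": "pod-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": SA_NAME,
                       "namespace": SA_NAMESPACE}]},
    ]


def compare(namespaces=("default", "kube-system")):
    """Map each answer to {namespace: can the SA get pods there?}."""
    return {
        "suggested": {ns: can_i(suggested_answer(), SA_NAMESPACE, SA_NAME,
                                "get", "pods", ns) for ns in namespaces},
        "namespaced": {ns: can_i(namespaced_answer(), SA_NAMESPACE, SA_NAME,
                                 "get", "pods", ns) for ns in namespaces},
    }


if __name__ == "__main__":
    for answer, result in compare().items():
        print(answer, result)
```

The model reproduces what the post describes: with the ClusterRole/ClusterRoleBinding answer the service account can get pods in kube-system as well as default, while the Role/RoleBinding answer allows it only in default. On a real cluster the same check is kubectl auth can-i get pods -n kube-system --as=system:serviceaccount:default:blue-sa-cka21-arch, which should print "no" once the permission is scoped with a namespaced Role.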