CKS mock exam 1 Q1: SAs and rolebindings

In Q1 it says to look at the rolebinding to know which service account is to be used. However, the SA used in the solution doesn't have a rolebinding.

root@controlplane:/# kubectl get rolebindings,roles,sa -n omni
NAME                                             ROLE            AGE
rolebinding.rbac.authorization.k8s.io/fe         Role/fe         61m
rolebinding.rbac.authorization.k8s.io/frontend   Role/frontend   61m

NAME                                      CREATED AT
role.rbac.authorization.k8s.io/fe         2022-07-09T07:08:18Z
role.rbac.authorization.k8s.io/frontend   2022-07-09T07:08:18Z

NAME                              SECRETS   AGE
serviceaccount/default            1         61m
serviceaccount/fe                 1         61m
serviceaccount/frontend           1         61m
serviceaccount/frontend-default   1         61m

The ones with a rolebinding are actually the ones to be deleted according to the solution.

Correct, @hyakunin. This is because the SA without a rolebinding is the one with least privilege, i.e. it has no privilege.

Actually, I don't get why we would want to attach an SA without any permission. The pod won't be able to do anything at all. So it's even more restricted than the default SA.

Unless the application within the pod needs to work with the Kubernetes API (e.g. a dashboard app for the cluster), it doesn’t require an SA with permissions.

A regular web or API application that could be run anywhere (not specifically in a k8s cluster), where you don't specify serviceAccountName in the manifest, would get the default service account, which has no permissions.
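
The check discussed in this thread, as an added example that is not part of the original posts or the exam solution: it reads RoleBinding JSON and reports which service accounts in the namespace have no role bound to them. The binding subjects in the sample are assumed, since the thread shows only the binding names, and `bound_roles` and `unbound` are hypothetical helper names.

```python
import json

# Constructed sample shaped like `kubectl get rolebindings -n omni -o json`.
# The subjects are assumed for illustration; the thread shows only binding names.
ROLEBINDINGS_JSON = """
{"items": [
  {"metadata": {"name": "fe", "namespace": "omni"},
   "roleRef": {"kind": "Role", "name": "fe"},
   "subjects": [{"kind": "ServiceAccount", "name": "fe", "namespace": "omni"}]},
  {"metadata": {"name": "frontend", "namespace": "omni"},
   "roleRef": {"kind": "Role", "name": "frontend"},
   "subjects": [{"kind": "ServiceAccount", "name": "frontend"}]}
]}
"""
SERVICE_ACCOUNTS = ["default", "fe", "frontend", "frontend-default"]


def bound_roles(bindings, namespace, service_accounts):
    """Map each service account to the roles bound to it in `namespace`."""
    granted = {sa: [] for sa in service_accounts}
    # Group subjects that cover every service account, cluster-wide or per namespace.
    sa_groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}"}
    for rb in bindings.get("items", []):
        binding_ns = rb["metadata"].get("namespace", namespace)
        role = f'{rb["roleRef"]["kind"]}/{rb["roleRef"]["name"]}'
        for subj in rb.get("subjects") or []:  # subjects may be absent or null
            if subj["kind"] == "ServiceAccount":
                # An empty subject namespace falls back to the binding's namespace.
                subj_ns = subj.get("namespace") or binding_ns
                if subj_ns == namespace and subj["name"] in granted:
                    granted[subj["name"]].append(role)
            elif subj["kind"] == "Group" and subj["name"] in sa_groups:
                for sa in granted:
                    granted[sa].append(role)
    return granted


def unbound(bindings, namespace, service_accounts):
    """Service accounts with no role bound: the least-privilege candidates."""
    granted = bound_roles(bindings, namespace, service_accounts)
    return sorted(sa for sa, roles in granted.items() if not roles)


if __name__ == "__main__":
    print(unbound(json.loads(ROLEBINDINGS_JSON), "omni", SERVICE_ACCOUNTS))
```

The sample covers only namespaced RoleBindings; ClusterRoleBindings that name a service account or its groups would need the same pass.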