Query in lab-cka-mock-exam-1

In lab-cka-mock-exam-1, the given question is:

===============================

"Create a service account called pink-sa-cka24-arch. Further create a cluster role called pink-role-cka24-arch with full permissions on all resources in the core api group under default namespace in cluster1.

Finally create a cluster role binding called pink-role-binding-cka24-arch to bind pink-role-cka24-arch cluster role with pink-sa-cka24-arch service account."

========================

Based on my understanding and reference to the Kubernetes doc, it is supposed to be a role that needs to be created to fulfill the answer, but the given solution for this question points to creating a clusterrole, which is not the right answer since a cluster role does not belong to any namespace.

kubernetes doc: Using RBAC Authorization | Kubernetes

Yes, correct - the question is misleading and it has been pointed out to the labs team.

Simply create the clusterrole and binding with the permissions requested to pass this question.

I got this question correct; however, when I ran this command:

k auth can-i --as=system:serviceaccount:default:pink-sa-cka24-arch get deploy, it said no.
When I put anything else like pod, svc, secret, it said yes.

When I created the clusterrole I used the imperative command:
k create clusterrole pink-role-cka24-arch --verb=* --resource=*

Why wouldn’t I be able to get deployments?

The problem is that you’re not granting access for anything outside of the core group of APIs, and a deployment is API group “apps”. Take a look at what YAML your imperative command generates:

$ k create clusterrole pink-role-cka24-arch --verb=* --resource=* --dry-run=client -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: pink-role-cka24-arch
rules:
- apiGroups:
  - ""
  resources:
  - '*'
  verbs:
  - '*'

The apiGroup field is "", which is equivalent to allowing all of the resource types in the core group; this does not include the API group “apps”.
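An added example (not from the thread or the lab): a simplified Python model of RBAC rule matching, showing why the core-group rule above denies `get deployments` and how the binding kind decides the namespace scope. The function names, the `ALL_GROUPS` contrast role, the sample bindings and the `kube-system` lookups are constructed for illustration.

```python
# Simplified model of Kubernetes RBAC rule matching (illustrative only:
# no resourceNames, nonResourceURLs or subresource handling).

def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule covers the (group, resource, verb) request."""
    def covers(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (covers(rule["apiGroups"], api_group)
            and covers(rule["resources"], resource)
            and covers(rule["verbs"], verb))

def can_i(role, binding, namespace, api_group, resource, verb):
    """Evaluate a request in `namespace` for a subject bound to `role`."""
    # A ClusterRoleBinding grants the rules in every namespace; a RoleBinding
    # (even one referencing a ClusterRole) grants them only in its own namespace.
    if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
        return False
    return any(rule_allows(r, api_group, resource, verb) for r in role["rules"])

# Rules as in the dry-run YAML above: core group ("") only.
CORE_ONLY = {"rules": [{"apiGroups": [""], "resources": ["*"], "verbs": ["*"]}]}
# Constructed contrast: wildcard API group, far broader than the task asks for.
ALL_GROUPS = {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

CLUSTER_BINDING = {"kind": "ClusterRoleBinding"}
NS_BINDING = {"kind": "RoleBinding", "namespace": "default"}  # constructed

def demo():
    """Return the decisions discussed in the thread, keyed by description."""
    return {
        "core role: get pods": can_i(
            CORE_ONLY, CLUSTER_BINDING, "default", "", "pods", "get"),
        "core role: get deployments (apps)": can_i(
            CORE_ONLY, CLUSTER_BINDING, "default", "apps", "deployments", "get"),
        "all-groups role: get deployments (apps)": can_i(
            ALL_GROUPS, CLUSTER_BINDING, "default", "apps", "deployments", "get"),
        "ClusterRoleBinding: get secrets in kube-system": can_i(
            CORE_ONLY, CLUSTER_BINDING, "kube-system", "", "secrets", "get"),
        "RoleBinding(default): get secrets in kube-system": can_i(
            CORE_ONLY, NS_BINDING, "kube-system", "", "secrets", "get"),
    }

if __name__ == "__main__":
    for question, allowed in demo().items():
        print(f"{question}: {'yes' if allowed else 'no'}")
```

The last two rows show the scope difference raised in the first post: bound with a ClusterRoleBinding, the service account can read secrets in every namespace, while a RoleBinding in `default` referencing the same ClusterRole confines it to `default`.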

OK, got it. The core API group does not include apps, thanks.