Hi team,
In the exam, if a question comes up like: create an SA in the test ns,
create a clusterrole and bind that role to provide access to the SA.
Here we have to create a clusterrole and clusterrolebinding, or a clusterrole and rolebinding, or a role and rolebinding.
This kind of question is quite confusing, as clusterroles are not namespaced.
Service accounts are always namespaced.
If you have a workload running in a particular namespace that should be able to do things in all namespaces (Kubernetes operators commonly need to do this), then you bind the SA to a clusterrole using a clusterrolebinding.
Thanks Alistair.
But here I need to bind the SA to specific namespace.
And the question in the CKA exam also doesn't clearly say to create a clusterrole and clusterrolebinding,
so it was confusing what resource to create.
Because of this, there are 4 different RBAC combinations and 3 valid ones:
Role + RoleBinding (available in single Namespace, applied in single Namespace)
ClusterRole + ClusterRoleBinding (available cluster-wide, applied cluster-wide)
ClusterRole + RoleBinding (available cluster-wide, applied in single Namespace)
Role + ClusterRoleBinding (NOT POSSIBLE: available in single Namespace, applied cluster-wide)
I think ClusterRole + RoleBinding (available cluster-wide, applied in single Namespace) is the one we should create.
What do you think?
It really depends on the use case, however you have correctly identified the valid combinations.
The exam questions are usually pretty clear about what they want you to do - but always think in terms of the least privilege required to solve the problem, so in order from least to most privilege it's:
- Role + RoleBinding
- ClusterRole + RoleBinding
- ClusterRole + ClusterRoleBinding
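The ClusterRole + RoleBinding combination discussed above, written out as an added example (not from anyone in this thread): a ServiceAccount in the test namespace, a ClusterRole, and a RoleBinding in test that references it. The object names and the pod read verbs are assumptions, since the exam question quoted here does not specify them.

```yaml
# Added example, not from the thread: the ClusterRole + RoleBinding pattern
# for a ServiceAccount in the "test" namespace. Names and the allowed verbs
# are assumptions (the exam text quoted above does not specify them).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-sa          # assumed name
  namespace: test           # ServiceAccounts are always namespaced
---
# ClusterRoles are not namespaced; this one is only *available*
# cluster-wide and grants nothing until it is bound somewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-pod-reader  # assumed name
rules:
- apiGroups: [""]
  resources: ["pods"]       # assumed resource and verbs, for illustration
  verbs: ["get", "list", "watch"]
---
# A RoleBinding lives in a namespace, so referencing the ClusterRole here
# applies its rules in "test" only (ClusterRole + RoleBinding), not cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-pod-reader-binding  # assumed name
  namespace: test
subjects:
- kind: ServiceAccount
  name: example-sa
  namespace: test
roleRef:
  kind: ClusterRole
  name: example-pod-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying these, `kubectl auth can-i list pods --as=system:serviceaccount:test:example-sa -n test` should answer yes, while the same check with `-n default` should answer no, which is how the namespace scoping of the RoleBinding can be confirmed.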
Yes, correct, we should go with least privilege.
But in the question it was mentioned to create a clusterrole and bind it to a role.
With this phrase in the sentence, I should go with clusterrole + rolebinding.
But I don't know if it is correct in the CKA exam or how the examiner interprets it.
The examiner is a script, not a person. A question is correct if the objects that should be in the cluster are in the cluster.
If the question states to create a clusterrole and bind it to a role, then that is what you must do.
But it won’t actually say that because you cannot bind a clusterrole to a role.
Perhaps you meant bind a clusterrole using a rolebinding.