Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam CKA topic 1 question 1 discussion

Actual exam question from CNCF's CKA
Question #: 1
Topic #: 1
[All CKA Questions]

SIMULATION -


Context -
You have been asked to create a new ClusterRole for a deployment pipeline and bind it to a specific ServiceAccount scoped to a specific namespace.

Task -
Create a new ClusterRole named deployment-clusterrole, which only allows to create the following resource types:
✑ Deployment
✑ Stateful Set
✑ DaemonSet
Create a new ServiceAccount named cicd-token in the existing namespace app-team1.
Bind the new ClusterRole deployment-clusterrole to the new ServiceAccount cicd-token, limited to the namespace app-team1.

Show Suggested Answer Hide Answer
Suggested Answer:

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
schlagzeuger1
Highly Voted 1 year, 8 months ago
I would suggest a role binding instead of the clusterrolebinding exposed in the solution as: $ k create rolebinding deploy-b -n app-team1 --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token With this, we scope resource creation to the namespace app-team1 as stated in the excercise. To check, simply issue commands: $ k auth can-i create deployment -n app-team1 --as system:serviceaccount:app-team1:cicd-token ==> yes $ k auth can-i create deployment -n default --as system:serviceaccount:app-team1:cicd-token ==> no
upvoted 39 times
Sukon_Desknot
1 year, 5 months ago
The question specifically asked for clusterRole.
upvoted 2 times
dirkdirkdirk
1 year, 5 months ago
Yes, but not clusterRoleBinding.
upvoted 6 times
sonixrw
1 year, 1 month ago
"limited to the namespace app-team" means roleBinding also fine. Are the question on exam really in this broken english?
upvoted 2 times
spocknimoy
1 year ago
make sense
upvoted 1 times
...
...
...
...
memoor
11 months, 3 weeks ago
root@master-node-1:~# kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets -o yaml --dry-run=client | kubectl apply -f - clusterrole.rbac.authorization.k8s.io/deployment-clusterrole configured root@master-node-1:~# kubectl create serviceaccount cicd-token -n app-team1 serviceaccount/cicd-token created root@master-node-1:~# kubectl create clusterrolebinding deployment-clusterrolebinding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token --namespace=app-team1 -o yaml --dry-run=client | kubectl apply -f - clusterrolebinding.rbac.authorization.k8s.io/deployment-clusterrolebinding created root@master-node-1:~# kubectl auth can-i create deployment -n app-team1 --as system:serviceaccount:app-team1:cicd-token yes root@master-node-1:~# kubectl auth can-i create daemonsets --namespace app-team1 --as=system:serviceaccount no
upvoted 2 times
...
...
Vihar112
Highly Voted 9 months, 3 weeks ago
Setting Configuration Context: kubectl config use-context k8s Creating the ClusterRole: kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets -n app-team1 Creating the ServiceAccount: kubectl create serviceaccount cicd-token -n app-team1 Binding the ClusterRole to the ServiceAccount: To bind the ClusterRole to the ServiceAccount in a specific namespace, you'll use a RoleBinding: kubectl create rolebinding deployment-clusterrole-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 10 times
...
Saransundar
Most Recent 3 months, 2 weeks ago
First needs to create clusterrole: $ kubectl create clusterrole deployment-clusterrole --verb=create --resource=dployments,statefulsets,daemonsets Step:2 create service account kubectl create sa cicd-token -n app-team1 step:3 Create rolebinding to clusterrole for specific namespace $kubectl create rolebinding deployment-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1 step:4 test the role and actions $kubectl auth can-i create deployment --as=system:serviceaccount:app-team1:cicd-token -n app-team1
upvoted 4 times
...
ProfXsamson
3 months, 3 weeks ago
Alternatively, a RoleBinding can reference a ClusterRole and bind that ClusterRole to the namespace of the RoleBinding. If you want to bind a ClusterRole to all the namespaces in your cluster, you use a ClusterRoleBinding.
upvoted 1 times
...
BABU97
5 months ago
dont fall for this! create clusterrole and follow instructions given! you can specify the namespace when your creating a clusterrolebdinding just as you have been asked in the question 'limited to the namespace app-team, also dont forget to create the serviceaccount on the same namespace app-team1
upvoted 1 times
...
mKrishna
6 months, 2 weeks ago
k create clusterrole deployment-clusterrole -n app-team1 --resource=deployment,statefulset,daemonset --verb=create k create serviceaccount cicd-token -n app-team1 k create clusterrolebinding rb-deployment-clusterrole --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 2 times
...
sandip_k8s
9 months, 1 week ago
k create rolebinding deployments,statefulsets,daemonsets --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 1 times
...
Samm1
11 months, 1 week ago
The question is structured this way: kubectl create ns app-team1. #ns already exist kubectl create sa cicd-token -n app-team1 kubectl api-resources # to verify the resources names kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets kubectl create rolebinding deployment-role-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token --namespace=app-team1 kubectl auth can-i create deployments --as=system:serviceaccount:app-team1:cicd-token -n app-team1
upvoted 2 times
...
[Removed]
1 year ago
cluster roles do not belong to a namespace. This means the cluster role does not scope permission to a single namespace. However, when a cluster role is linked to a service account via a role binding, the cluster role permissions only apply to the namespace in which the role binding has been created. so I suggest to have role binding in this scenario. Thanks !!
upvoted 3 times
...
spocknimoy
1 year ago
Clusterrolebinding or rolebinding ? Some confusing answers
upvoted 1 times
orangelemons
1 year ago
the question clearly states to create a clusterrole but never mentioned using a clusterrolebinding, instead it states to limit the binding to the namespace app-team1. So, it should be rolebinding.
upvoted 1 times
...
...
ghsotq
1 year, 1 month ago
kubectl create rolebinding deployment-clusterrole-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 1 times
...
Magodi
1 year, 1 month ago
controlplane $ k create ns app-team1 namespace/app-team1 created controlplane $ k create sa -n app-team1 cicd-token serviceaccount/cicd-token created controlplane $ k create clusterrole deployment-clusterrole --verb=create --resource=deploy,sts,ds clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created controlplane $ k create clusterrolebinding deployment-clusterrole --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-tokenclusterrolebinding.rbac.authorization.k8s.io/deployment-clusterrole created controlplane $ controlplane $ k auth can-i create sts --as=system:serviceaccount:default:cicd-token no controlplane $ k auth can-i create sts --as=system:serviceaccount:app-team1:cicd-token yes controlplane $
upvoted 3 times
...
Khaled_Rashwan
1 year, 4 months ago
Create the ClusterRole: kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets Create a new ServiceAccount: kubectl create serviceaccount -n app-team1 cicd-token Bind the new ClusterRole "deployment-clusterrole" to the new ServiceAccount: kubectl create clusterrolebinding cicd-token-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 2 times
RD2022
1 year, 2 months ago
kubectl create clusterrolebinding cicd-token-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1 - will not work as there is no namespace (-n) option for clusterrolebinding - if you do create a CRB it will give CR permissions to the user for the whole cluster
upvoted 2 times
...
...
Nirms
1 year, 6 months ago
1. k create clusterrole deployment-clusterrole --verb=create --resource=Deployment,StatefulSet,DaemonSet 2. k create sa cicd-token -n app-team1 3. k create rolebinding deploy-b -n app-team1 --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token 4. k auth can-i create deployment -n app-team1 --as system:serviceaccount:app-team1:cicd-token 5. k auth can-i create deployment --as system:serviceaccount:app-team1:cicd-token
upvoted 2 times
...
angdatabase
1 year, 6 months ago
k create rolebinding deploy-b -n app-team1 --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token ======= This is Currect
upvoted 1 times
...
greyhats13
1 year, 7 months ago
so there's only 20 question on CKA exams?
upvoted 3 times
...
pentium2000
1 year, 7 months ago
1.k create clusterrole deployment-clusterrole --verb=create --resource=Deployment,StatefulSet,DaemonSet 2.k create sa cicd-token --namespace=app-team1 3.k create rolebinding -n app-team1 deployment-clusterrole-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token 4. k auth can-i create deployment -n app-team1 --as system:serviceaccount:app-team1:cicd-token
upvoted 3 times
karsstars
1 year, 7 months ago
i did the mistake of putting clusterrolebinding instead of rolebinding, as it is related to a namespace..
upvoted 1 times
...
zizibagnon
1 year, 7 months ago
It working ! controlplane $ k create clusterrole deployment-clusterrole --verb=create --resource=Deployment,StatefulSet,DaemonSet clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created controlplane $ controlplane $ #k create sa cicd-token --namespace=app-team1 controlplane $ k create ns app-team1 namespace/app-team1 created controlplane $ k create sa cicd-token --namespace=app-team1 serviceaccount/cicd-token created controlplane $ k create rolebinding -n app-team1 deployment-clusterrole-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token rolebinding.rbac.authorization.k8s.io/deployment-clusterrole-binding created controlplane $ controlplane $ k auth can-i create deployment -n app-team1 --as system:serviceaccount:app-team1:cicd-token yes controlplane $ controlplane $ k auth can-i create deployment -n default --as system:serviceaccount:app-team1:cicd-token no controlplane $
upvoted 3 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
ex Want to SAVE BIG on Certification Exam Prep?
close
ex Unlock All Exams with ExamTopics Pro 75% Off
  • arrow Choose From 1000+ Exams
  • arrow Access to 10 Exams per Month
  • arrow PDF Format Available
  • arrow Inline Discussions
  • arrow No Captcha/Robot Checks
Limited Time Offer
Ends in