ExamTopics Logo
Mail Us[email protected]
Menu
Cncf Discussions
exam questions

Exam CKA All Questions

View all questions & answers for the CKA exam
Go to Exam

Exam CKA topic 1 question 1 discussion

Actual exam question from CNCF's CKA
Question #: 1
Topic #: 1
[All CKA Questions]

SIMULATION -


Context -
You have been asked to create a new ClusterRole for a deployment pipeline and bind it to a specific ServiceAccount scoped to a specific namespace.

Task -
Create a new ClusterRole named deployment-clusterrole, which only allows to create the following resource types:
✑ Deployment
✑ Stateful Set
✑ DaemonSet
Create a new ServiceAccount named cicd-token in the existing namespace app-team1.
Bind the new ClusterRole deployment-clusterrole to the new ServiceAccount cicd-token, limited to the namespace app-team1.

Show Suggested Answer Hide Answer
Suggested Answer:
by gcpengineer at Oct. 20, 2022, 10:18 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
schlagzeuger1
Highly Voted 2 years, 4 months ago
I would suggest a role binding instead of the clusterrolebinding exposed in the solution as: $ k create rolebinding deploy-b -n app-team1 --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token With this, we scope resource creation to the namespace app-team1 as stated in the excercise. To check, simply issue commands: $ k auth can-i create deployment -n app-team1 --as system:serviceaccount:app-team1:cicd-token ==> yes $ k auth can-i create deployment -n default --as system:serviceaccount:app-team1:cicd-token ==> no
upvoted 43 times
137eceb
5 months, 3 weeks ago
clusterRoles are not bound to a namespace. If we wanted to bind the pemissions to a specific namspace, we would create a role and not a clusterrole. So, clusterrolebinding is correct.
upvoted 1 times
...
Sukon_Desknot
2 years, 2 months ago
The question specifically asked for clusterRole.
upvoted 3 times
dirkdirkdirk
2 years, 1 month ago
Yes, but not clusterRoleBinding.
upvoted 7 times
sonixrw
1 year, 9 months ago
"limited to the namespace app-team" means roleBinding also fine. Are the question on exam really in this broken english?
upvoted 3 times
spocknimoy
1 year, 9 months ago
make sense
upvoted 1 times
...
Load full discussion...
...
...
...
memoor
1 year, 8 months ago
root@master-node-1:~# kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets -o yaml --dry-run=client | kubectl apply -f - clusterrole.rbac.authorization.k8s.io/deployment-clusterrole configured root@master-node-1:~# kubectl create serviceaccount cicd-token -n app-team1 serviceaccount/cicd-token created root@master-node-1:~# kubectl create clusterrolebinding deployment-clusterrolebinding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token --namespace=app-team1 -o yaml --dry-run=client | kubectl apply -f - clusterrolebinding.rbac.authorization.k8s.io/deployment-clusterrolebinding created root@master-node-1:~# kubectl auth can-i create deployment -n app-team1 --as system:serviceaccount:app-team1:cicd-token yes root@master-node-1:~# kubectl auth can-i create daemonsets --namespace app-team1 --as=system:serviceaccount no
upvoted 2 times
...
...
Vihar112
Highly Voted 1 year, 6 months ago
Setting Configuration Context: kubectl config use-context k8s Creating the ClusterRole: kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets -n app-team1 Creating the ServiceAccount: kubectl create serviceaccount cicd-token -n app-team1 Binding the ClusterRole to the ServiceAccount: To bind the ClusterRole to the ServiceAccount in a specific namespace, you'll use a RoleBinding: kubectl create rolebinding deployment-clusterrole-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 11 times
...
cajif66766
Most Recent 3 months ago
controlplane ~ ➜ k create clusterrole deployment-clusterrole --verb create --resource=deployments --resource=statefulsets --resource=daemonset clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created controlplane ~ ➜ k describe clusterrole deployment-clusterrole Name: deployment-clusterrole Labels: <none> Annotations: <none> PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- daemonsets.apps [] [] [create] deployments.apps [] [] [create] statefulsets.apps [] [] [create] controlplane ~ ➜ k create sa cicd-token -n app-team1 serviceaccount/cicd-token created controlplane ~ ➜ k get sa -n app-team1 NAME SECRETS AGE cicd-token 0 10s default 0 12s
upvoted 1 times
...
nahid0002
4 months, 4 weeks ago
kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets kubectl create serviceaccount cicd-token -n app-team1 kubectl create rolebinding deployment-rolebinding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token --namespace=app-team1
upvoted 1 times
...
noahsark
5 months ago
killer_sh_lab: k create ns app-team1 k create clusterrole deployment-clusterrole --verb=create --resource=Deployment,StatefulSet,DaemonSet k create sa cicd-token -n=app-team1 k create rolebinding rb --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n=app-team1 Checks: k auth can-i create deployment -n=app-team1 --as system:serviceaccount:app-team1:cicd-token => yes k auth can-i create deployment -n=default --as system:serviceaccount:app-team1:cicd-token ⇒ no
upvoted 2 times
...
14b2b2e
6 months, 1 week ago
If I used a clusterrolebind here as per the answer will it still be correct?
upvoted 1 times
...
Saransundar
11 months, 4 weeks ago
First needs to create clusterrole: $ kubectl create clusterrole deployment-clusterrole --verb=create --resource=dployments,statefulsets,daemonsets Step:2 create service account kubectl create sa cicd-token -n app-team1 step:3 Create rolebinding to clusterrole for specific namespace $kubectl create rolebinding deployment-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1 step:4 test the role and actions $kubectl auth can-i create deployment --as=system:serviceaccount:app-team1:cicd-token -n app-team1
upvoted 6 times
...
ProfXsamson
1 year ago
Alternatively, a RoleBinding can reference a ClusterRole and bind that ClusterRole to the namespace of the RoleBinding. If you want to bind a ClusterRole to all the namespaces in your cluster, you use a ClusterRoleBinding.
upvoted 1 times
...
BABU97
1 year, 1 month ago
dont fall for this! create clusterrole and follow instructions given! you can specify the namespace when your creating a clusterrolebdinding just as you have been asked in the question 'limited to the namespace app-team, also dont forget to create the serviceaccount on the same namespace app-team1
upvoted 1 times
...
mKrishna
1 year, 2 months ago
k create clusterrole deployment-clusterrole -n app-team1 --resource=deployment,statefulset,daemonset --verb=create k create serviceaccount cicd-token -n app-team1 k create clusterrolebinding rb-deployment-clusterrole --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 2 times
...
sandip_k8s
1 year, 5 months ago
k create rolebinding deployments,statefulsets,daemonsets --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 1 times
...
Samm1
1 year, 7 months ago
The question is structured this way: kubectl create ns app-team1. #ns already exist kubectl create sa cicd-token -n app-team1 kubectl api-resources # to verify the resources names kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets kubectl create rolebinding deployment-role-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token --namespace=app-team1 kubectl auth can-i create deployments --as=system:serviceaccount:app-team1:cicd-token -n app-team1
upvoted 2 times
...
spocknimoy
1 year, 9 months ago
Clusterrolebinding or rolebinding ? Some confusing answers
upvoted 1 times
orangelemons
1 year, 9 months ago
the question clearly states to create a clusterrole but never mentioned using a clusterrolebinding, instead it states to limit the binding to the namespace app-team1. So, it should be rolebinding.
upvoted 1 times
...
...
ghsotq
1 year, 9 months ago
kubectl create rolebinding deployment-clusterrole-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 1 times
...
Magodi
1 year, 9 months ago
controlplane $ k create ns app-team1 namespace/app-team1 created controlplane $ k create sa -n app-team1 cicd-token serviceaccount/cicd-token created controlplane $ k create clusterrole deployment-clusterrole --verb=create --resource=deploy,sts,ds clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created controlplane $ k create clusterrolebinding deployment-clusterrole --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-tokenclusterrolebinding.rbac.authorization.k8s.io/deployment-clusterrole created controlplane $ controlplane $ k auth can-i create sts --as=system:serviceaccount:default:cicd-token no controlplane $ k auth can-i create sts --as=system:serviceaccount:app-team1:cicd-token yes controlplane $
upvoted 3 times
...
Khaled_Rashwan
2 years, 1 month ago
Create the ClusterRole: kubectl create clusterrole deployment-clusterrole --verb=create --resource=deployments,statefulsets,daemonsets Create a new ServiceAccount: kubectl create serviceaccount -n app-team1 cicd-token Bind the new ClusterRole "deployment-clusterrole" to the new ServiceAccount: kubectl create clusterrolebinding cicd-token-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1
upvoted 2 times
RD2022
1 year, 10 months ago
kubectl create clusterrolebinding cicd-token-binding --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token -n app-team1 - will not work as there is no namespace (-n) option for clusterrolebinding - if you do create a CRB it will give CR permissions to the user for the whole cluster
upvoted 2 times
...
...
Nirms
2 years, 2 months ago
1. k create clusterrole deployment-clusterrole --verb=create --resource=Deployment,StatefulSet,DaemonSet 2. k create sa cicd-token -n app-team1 3. k create rolebinding deploy-b -n app-team1 --clusterrole=deployment-clusterrole --serviceaccount=app-team1:cicd-token 4. k auth can-i create deployment -n app-team1 --as system:serviceaccount:app-team1:cicd-token 5. k auth can-i create deployment --as system:serviceaccount:app-team1:cicd-token
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago