Bird
Raised Fist0
Kubernetesdevops~20 mins

Roles and ClusterRoles in Kubernetes - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
🎖️
RBAC Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
🧠 Conceptual
intermediate
1:30remaining
Difference between Role and ClusterRole

Which statement correctly describes the difference between a Role and a ClusterRole in Kubernetes?

ABoth Role and ClusterRole define permissions cluster-wide.
BA Role defines permissions cluster-wide, while a ClusterRole defines permissions within a specific namespace.
CBoth Role and ClusterRole define permissions only within a specific namespace.
DA Role defines permissions within a specific namespace, while a ClusterRole defines permissions cluster-wide.
Attempts:
2 left
💡 Hint

Think about the scope where each permission applies.

💻 Command Output
intermediate
1:30remaining
kubectl command output for ClusterRole listing

What is the output of the command kubectl get clusterroles in a default Kubernetes cluster?

Kubernetes
kubectl get clusterroles
AA list of all ClusterRoles including default ones like 'admin', 'edit', and 'view'.
BA list of Roles limited to the current namespace.
CAn error stating 'clusterroles' resource not found.
DNo output because ClusterRoles are not created by default.
Attempts:
2 left
💡 Hint

ClusterRoles are cluster-wide and many default ones exist.

Configuration
advanced
2:30remaining
YAML for Role with Pod read permissions

Which YAML snippet correctly defines a Role named pod-reader that allows reading pods only in the development namespace?

A
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
B
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
C
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
D
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
Attempts:
2 left
💡 Hint

Remember Roles are namespace-scoped and need the namespace field.

Troubleshoot
advanced
2:00remaining
Why does a RoleBinding fail to grant permissions?

You created a RoleBinding in the production namespace that references a ClusterRole named view. The user still cannot list pods in production. What is the most likely cause?

ARoleBindings can only reference Roles, not ClusterRoles.
BRoleBindings can reference ClusterRoles, but the ClusterRole must have namespace-scoped rules.
CThe RoleBinding must be created in the same namespace as the user.
DThe RoleBinding must be a ClusterRoleBinding to reference a ClusterRole.
Attempts:
2 left
💡 Hint

Think about how ClusterRoles and RoleBindings interact with namespaces.

Best Practice
expert
3:00remaining
Best practice for granting cluster-wide read access to nodes

You want to grant a service account read-only access to all nodes in the cluster. Which is the best approach?

ACreate a ClusterRole with node read permissions and bind it to the service account with a RoleBinding in any namespace.
BCreate a Role with node read permissions in the default namespace and bind it to the service account with a RoleBinding.
CCreate a ClusterRole with node read permissions and bind it to the service account with a ClusterRoleBinding.
DCreate a Role with node read permissions in each namespace and bind it to the service account with multiple RoleBindings.
Attempts:
2 left
💡 Hint

Consider the scope of nodes and how to grant cluster-wide permissions.

Practice

(1/5)
1. What is the main difference between a Role and a ClusterRole in Kubernetes?
easy
A. Role applies permissions within a single namespace, ClusterRole applies cluster-wide.
B. Role applies cluster-wide, ClusterRole applies within a single namespace.
C. Role is for users, ClusterRole is for service accounts only.
D. Role manages nodes, ClusterRole manages pods.

Solution

  1. Step 1: Understand Role scope

    A Role defines permissions limited to a specific namespace in Kubernetes.

  2. Step 2: Understand ClusterRole scope

    A ClusterRole defines permissions that can apply across all namespaces or cluster-wide resources.

  3. Final Answer:

    Role applies permissions within a single namespace, ClusterRole applies cluster-wide. -> Option A

  4. Quick Check:

    Role = namespace, ClusterRole = cluster-wide [OK]
Hint: Role = namespace only, ClusterRole = whole cluster [OK]
Common Mistakes:
  • Confusing Role and ClusterRole scopes
  • Thinking ClusterRole is only for nodes
  • Assuming Role applies cluster-wide
2. Which of the following is the correct YAML snippet to create a Role that allows reading pods in a namespace?
easy
A. apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: pod-reader\nrules:\n- apiGroups: ['']\n resources: ['pods']\n verbs: ['get', 'watch', 'list']
B. apiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRole\nmetadata:\n name: pod-reader\nrules:\n- apiGroups: ['']\n resources: ['pods']\n verbs: ['create', 'delete']
C. apiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\nmetadata:\n name: pod-reader-binding\nroleRef:\n kind: Role\n name: pod-reader\nsubjects:\n- kind: User\n name: alice
D. apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: pod-reader\nrules:\n- apiGroups: ['apps']\n resources: ['pods']\n verbs: ['get', 'watch', 'list']

Solution

  1. Step 1: Check kind and apiVersion

    The resource is a Role with apiVersion rbac.authorization.k8s.io/v1, which is correct for RBAC.

  2. Step 2: Verify rules for reading pods

    Pods are in the core API group (empty string), and verbs for reading are get, watch, and list. apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: pod-reader\nrules:\n- apiGroups: ['']\n resources: ['pods']\n verbs: ['get', 'watch', 'list'] matches this exactly.

  3. Final Answer:

    The YAML snippet with kind: Role, apiGroups: [''], resources: ['pods'], verbs: ['get', 'watch', 'list']. -> Option A

  4. Quick Check:

    Role + core API + read verbs = apiVersion: rbac.authorization.k8s.io/v1\nkind: Role\nmetadata:\n name: pod-reader\nrules:\n- apiGroups: ['']\n resources: ['pods']\n verbs: ['get', 'watch', 'list'] [OK]
Hint: Role for namespace, core API group is empty string [''] [OK]
Common Mistakes:
  • Using ClusterRole instead of Role for namespace scope
  • Wrong apiGroups value like 'apps' for pods
  • Confusing RoleBinding with Role definition
3. Given this RoleBinding YAML snippet, what namespace will the binding apply to?
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: dev
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: jane
medium
A. default namespace
B. Cluster-wide
C. kube-system namespace
D. dev namespace

Solution

  1. Step 1: Check metadata namespace in RoleBinding

    The RoleBinding has namespace: dev in its metadata, so it applies in the 'dev' namespace.

  2. Step 2: Understand RoleBinding scope

    RoleBindings are namespace-scoped, so they only apply in the namespace where they are created.

  3. Final Answer:

    The RoleBinding applies to the dev namespace. -> Option D

  4. Quick Check:

    RoleBinding namespace = binding scope [OK]
Hint: RoleBinding namespace field sets scope [OK]
Common Mistakes:
  • Assuming RoleBinding applies cluster-wide
  • Confusing RoleBinding with ClusterRoleBinding
  • Ignoring the metadata namespace field
4. You created a ClusterRoleBinding but users report they cannot access cluster resources. Which is the most likely mistake?
medium
A. The subjects field is missing the user names.
B. The roleRef kind is set to Role instead of ClusterRole.
C. The ClusterRoleBinding is created in a namespace.
D. The apiVersion is set to v1 instead of rbac.authorization.k8s.io/v1.

Solution

  1. Step 1: Check roleRef kind for ClusterRoleBinding

    A ClusterRoleBinding must reference a ClusterRole in its roleRef.kind. Using Role is invalid and prevents access.

  2. Step 2: Verify other fields

    While missing subjects or wrong apiVersion cause issues, the most common cause is wrong roleRef.kind. ClusterRoleBindings are cluster-scoped and do not belong to namespaces.

  3. Final Answer:

    The roleRef kind must be ClusterRole, not Role. -> Option B

  4. Quick Check:

    ClusterRoleBinding needs ClusterRole in roleRef [OK]
Hint: ClusterRoleBinding must reference ClusterRole kind [OK]
Common Mistakes:
  • Using Role instead of ClusterRole in roleRef
  • Creating ClusterRoleBinding in a namespace
  • Forgetting to specify subjects
5. You want to allow a user to list pods in all namespaces but only create pods in the 'test' namespace. Which combination of Kubernetes RBAC objects should you create?
hard
A. A ClusterRoleBinding granting create pods cluster-wide.
B. A single Role with both permissions in the 'test' namespace.
C. A ClusterRole with list pods permission and a Role with create pods permission, plus respective bindings.
D. A RoleBinding in 'test' namespace granting list and create pods.

Solution

  1. Step 1: Understand permission scopes

    Listing pods in all namespaces requires a ClusterRole because it is cluster-wide permission.

  2. Step 2: Restrict create pods to 'test' namespace

    Creating pods only in 'test' namespace requires a Role scoped to that namespace.

  3. Step 3: Bind roles to user

    Use a ClusterRoleBinding for the cluster-wide list permission and a RoleBinding for the create permission in 'test'.

  4. Final Answer:

    Create a ClusterRole for list pods and a Role for create pods with bindings. -> Option C

  5. Quick Check:

    ClusterRole = cluster-wide, Role = namespace [OK]
Hint: Use ClusterRole for cluster-wide, Role for namespace-specific [OK]
Common Mistakes:
  • Trying to use a single Role for cluster-wide permissions
  • Using ClusterRoleBinding for namespace-only permissions
  • Not creating separate bindings for each role