
Roles and ClusterRoles in Kubernetes - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
Difference between Role and ClusterRole

Which statement correctly describes the difference between a Role and a ClusterRole in Kubernetes?

A. Both Role and ClusterRole define permissions cluster-wide.
B. A Role defines permissions cluster-wide, while a ClusterRole defines permissions within a specific namespace.
C. Both Role and ClusterRole define permissions only within a specific namespace.
D. A Role defines permissions within a specific namespace, while a ClusterRole defines permissions cluster-wide.
💡 Hint

Think about the scope where each permission applies.

💻 Command Output
intermediate
kubectl command output for ClusterRole listing

What is the output of the command kubectl get clusterroles in a default Kubernetes cluster?

kubectl get clusterroles
A. A list of all ClusterRoles including default ones like 'admin', 'edit', and 'view'.
B. A list of Roles limited to the current namespace.
C. An error stating 'clusterroles' resource not found.
D. No output because ClusterRoles are not created by default.
💡 Hint

ClusterRoles are cluster-wide and many default ones exist.

Configuration
advanced
YAML for Role with Pod read permissions

Which YAML snippet correctly defines a Role named pod-reader that allows reading pods only in the development namespace?

A
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
B
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
C
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
D
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
💡 Hint

Remember Roles are namespace-scoped and need the namespace field.

Troubleshoot
advanced
Why does a RoleBinding fail to grant permissions?

You created a RoleBinding in the production namespace that references a ClusterRole named view. The user still cannot list pods in production. What is the most likely cause?

A. RoleBindings can only reference Roles, not ClusterRoles.
B. RoleBindings can reference ClusterRoles, but the ClusterRole must have namespace-scoped rules.
C. The RoleBinding must be created in the same namespace as the user.
D. The RoleBinding must be a ClusterRoleBinding to reference a ClusterRole.
💡 Hint

Think about how ClusterRoles and RoleBindings interact with namespaces.

Best Practice
expert
Best practice for granting cluster-wide read access to nodes

You want to grant a service account read-only access to all nodes in the cluster. Which is the best approach?

A. Create a ClusterRole with node read permissions and bind it to the service account with a RoleBinding in any namespace.
B. Create a Role with node read permissions in the default namespace and bind it to the service account with a RoleBinding.
C. Create a ClusterRole with node read permissions and bind it to the service account with a ClusterRoleBinding.
D. Create a Role with node read permissions in each namespace and bind it to the service account with multiple RoleBindings.
💡 Hint

Consider the scope of nodes and how to grant cluster-wide permissions.