Lesson 12.1: Practice Exam

Question 1:

Create a new ClusterRole named deployment-clusterrole, which only allows to create the following resource types:

• Deployment
• StatefulSet
• DaemonSet

Create a new ServiceAccount named cicd-token in the existing namespace app-team1. Bind the new ClusterRole deployment-clusterrole to the new ServiceAccount cicd-token, limit to the namespace app-team1.

Answer >

Step 1: Create ClusterRole

• https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-clusterrole

[root@master exam]# kubectl create clusterrole deployment-clusterrole --verb=create --resource=Deployment,StatefulSet,DaemonSet
clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created

Step 2: Create Namespace if not present and service account

[root@master exam]# kubectl create ns app-team1 
namespace/app-team1 created
 
[root@master exam]# kubectl create sa cicd-token -n app-team1 
serviceaccount/cicd-token created

Step 3: Create a rolebinding

• https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-rolebinding
• As rolebinding name is not provided, you should use the name of the clusterrole created for the rolebinding name.

[root@master exam]# kubectl create rolebinding deployment-clusterrole \
> --clusterrole=deployment-clusterrole \
> --serviceaccount=app-team1:cicd-token \
> --namespace=app-team1
rolebinding.rbac.authorization.k8s.io/deployment-clusterrole created