
Quiz: RBAC


4 questions

L0 (1 question)

1. What are the four RBAC object types in Kubernetes and what scope does each have?

Answer: Role (namespace-scoped permissions), ClusterRole (cluster-wide permissions), RoleBinding (grants a Role or ClusterRole to subjects in one namespace), ClusterRoleBinding (grants a ClusterRole to subjects across the entire cluster). Roles define what is allowed; bindings connect roles to users, groups, or service accounts.

L1 (1 question)

1. How do you give a CI/CD pipeline read-only access to pods and logs in the 'staging' namespace only?

Answer:
1. Create a ServiceAccount in the staging namespace.
2. Create a Role with rules: apiGroups [''], resources ['pods', 'pods/log'], verbs ['get', 'list', 'watch'].
3. Create a RoleBinding that binds the Role to the ServiceAccount.
4. Configure the CI/CD pipeline to use the ServiceAccount's token. This limits access to the staging namespace only.

L2 (1 question)

1. A developer reports 'forbidden' errors when trying to create deployments in the 'dev' namespace, but can list pods. How do you diagnose and fix this?

Answer:
1. Check their permissions: kubectl auth can-i create deployments --as= -n dev.
2. List their bindings: kubectl get rolebindings -n dev -o yaml and check which roles are bound.
3. The existing Role likely allows pods but not deployments. Fix: add apiGroups ['apps'], resources ['deployments'], verbs ['create', 'update', 'patch'] to their Role.
4. Verify: kubectl auth can-i --list --as= -n dev.

L3 (1 question)

1. You discover a service account in the 'default' namespace has cluster-admin privileges via a ClusterRoleBinding. What is the risk and how do you safely remediate?

Answer: Risk: Any pod using the default service account in that namespace has full cluster access: it can read secrets, delete namespaces, and modify RBAC. An attacker who compromises any pod there owns the cluster. Remediation: (1) Identify all pods using that SA. (2) Create least-privilege Roles/ClusterRoles for each workload's actual needs. (3) Create dedicated ServiceAccounts per workload. (4) Update deployments to use the new SAs. (5) Remove the ClusterRoleBinding. (6) Set automountServiceAccountToken: false on the default SA.