CKS Question #1: Real Exam Question with Answer & Explanation
This question tests your ability to create a Kubernetes ServiceAccount with RBAC permissions to list Pods, then mount that ServiceAccount into a Pod and verify the access works. It covers the full RBAC chain: ServiceAccount → Role → RoleBinding → Pod.
Question
Create a new ServiceAccount backend-sa in the existing namespace default, which has the capability to list the pods inside the namespace default. Create a new Pod named backend-pod in the namespace default, mount the newly created sa backend-sa to the pod, and verify that the pod is able to list pods. Ensure that the Pod is running.
Explanation
Approach.
1) Create the ServiceAccount: kubectl create serviceaccount backend-sa -n default
2) Create a Role with pods list permission: kubectl create role pod-reader --verb=list --resource=pods -n default
3) Bind the Role to the SA: kubectl create rolebinding pod-reader-binding --role=pod-reader --serviceaccount=default:backend-sa -n default
4) Create the Pod with serviceAccountName: backend-sa in the spec, then verify with kubectl exec backend-pod -- kubectl get pods or by using curl against the API server from inside the pod using the mounted token at /var/run/secrets/kubernetes.io/serviceaccount/token.
The pod must show Running status before verification.
Concept tested. Kubernetes RBAC: ServiceAccount creation, Role/RoleBinding for namespace-scoped resource access, and mounting a ServiceAccount into a Pod to grant API server permissions.
Reference. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#service-account-permissions
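Worked example. The script below is an added example, not part of the original answer: it expresses the four steps of the approach as one declarative manifest and then checks both that the Pod's mounted token can list pods in default and that it is refused everywhere else. The container image curlimages/curl, the sleep command, and the function names are assumptions chosen so that curl is available inside the Pod.

```shell
# Added example: ServiceAccount -> Role -> RoleBinding -> Pod, then a least-privilege check.
NS=default; SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
manifest() {
cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata: {name: backend-sa, namespace: $NS}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: pod-reader, namespace: $NS}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: pod-reader-binding, namespace: $NS}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: pod-reader}
subjects:
- {kind: ServiceAccount, name: backend-sa, namespace: $NS}
---
apiVersion: v1
kind: Pod
metadata: {name: backend-pod, namespace: $NS}
spec:
  serviceAccountName: backend-sa
  containers:
  - {name: main, image: curlimages/curl, command: ["sleep", "3600"]}
EOF
}
# HTTP status the Pod's own mounted token receives when listing pods in namespace $1.
pod_list_status() {
  kubectl exec backend-pod -n "$NS" -- sh -c "curl -s -o /dev/null -w '%{http_code}' \
    --cacert $SA_DIR/ca.crt -H \"Authorization: Bearer \$(cat $SA_DIR/token)\" \
    https://kubernetes.default.svc/api/v1/namespaces/$1/pods"
}
deploy_and_verify() {
  manifest | kubectl apply -f - || return 1
  kubectl wait --for=condition=Ready pod/backend-pod -n "$NS" --timeout=120s || return 1
  [ "$(pod_list_status "$NS")" = 200 ] || return 1        # granted: list pods in default
  [ "$(pod_list_status kube-system)" = 403 ] || return 1  # Role is namespaced: refused elsewhere
  ! kubectl auth can-i delete pods -n "$NS" --as="system:serviceaccount:$NS:backend-sa" >/dev/null
}
# Touches the cluster only when invoked as: sh rbac-chain.sh apply
if [ "${1:-}" = apply ]; then deploy_and_verify && echo "RBAC chain verified"; fi
```

The 403 and can-i checks confirm the Role grants only list on pods in default, which is the scope the question asks for.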