In CKA practice tests, Security - Cluster Roles : Question:
A new user michelle joined the team. She will be focusing on the nodes in the cluster. Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.
Answer:
After creating the clusterrole & cluster rolebindings, on executing the below command as root user it is able to get the nodes but gives error for user michelle.
controlplane $ kubectl get nodes --as user=michelle
Error from server (Forbidden): nodes is forbidden: User “user=michelle” cannot list resource “nodes” in API group “” at the cluster scope
I was expecting to see that michelle has been granted permissions to access nodes (get, list, watch, delete, create) based on the clusterrole & clusterrolebindings created, but i am getting the above error. Same error with the answers provided in /var/answers.
However the below command did not work, bcz clusterroles are cluster wide and it is not scoped to any namespace.
I tried creating with namespace as default it did not take the changes. kubectl get nodes --as michelle --namespace=default
Please let me know if you get to know the solution.
I have another question:
Kubectl does not have the option to list resources like kubectl list …, but if we look at the command it has (get, list, watch, create, etc)
I would like to know how to use only list command(not using get) for eg i grant permission to only list the nodes. Is there a way.
Coming back to the actual issue on clusterroles its still not clear and the command( kubectl get nodes --as michelle --namespace=default ) is not working as expected.
