
Mudit:
Hi,
I am getting “no” instead of “yes” in the below output:

controlplane $ kubectl -n blue auth can-i create deployments --as dev-user
no
controlplane $

Below is the output of the roles and rolebindings, in which create deployment is allowed for dev-user and the role is configured in the rolebinding as well. What am I missing?

controlplane $ kubectl -n blue describe role developer
Name:         developer
Labels:       <none>
Annotations:  <none>
PolicyRule:
  Resources               Non-Resource URLs  Resource Names   Verbs
  ---------               -----------------  --------------   -----
  deployments.apps        []                 [blue-app]       [get watch create delete]
  deployments.apps        []                 [dark-blue-app]  [get watch create delete]
  pods.apps               []                 [blue-app]       [get watch create delete]
  pods.apps               []                 [dark-blue-app]  [get watch create delete]
  deployments.extensions  []                 [blue-app]       [get watch create delete]
  deployments.extensions  []                 [dark-blue-app]  [get watch create delete]
  pods.extensions         []                 [blue-app]       [get watch create delete]
  pods.extensions         []                 [dark-blue-app]  [get watch create delete]
controlplane $

controlplane $ kubectl apply -f 11rb.yaml
rolebinding.rbac.authorization.k8s.io/dev-user-binding created
controlplane $
controlplane $ kubectl -n blue describe rolebindings.rbac.authorization.k8s.io dev-user-binding
Name:         dev-user-binding
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  Role
  Name:  developer
Subjects:
  Kind  Name      Namespace
  ----  ----      ---------
  User  dev-user
controlplane $

PS: This is the 11th question of “Practice role based access control”. Although the solution is given in a file placed in the lab, I did not use it; instead I edited the YAML files I created for dev-user in the previous question and reused them. There is not much difference between the YAML provided in the solution and the YAML I used to create the roles and rolebinding, apart from the names of the roles and the rolebinding itself.

praveen bhat:
Your resource should be pods, deployments, etc., not the app names themselves.

Mudit:
It seems to be defined correctly; below are the YAML files. Not sure what I am missing.

roles yaml:
controlplane $ cat 11role.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"Role","metadata":{"annotations":{},"creationTimestamp":"2020-12-21T11:54:41Z","managedFields":[{"apiVersion":"rbac.authorization.k8s.io/v1","fieldsType":"FieldsV1","fieldsV1":{"f:rules":{}},"manager":"kubectl-create","operation":"Update","time":"2020-12-21T11:54:41Z"}],"name":"developer","namespace":"blue","resourceVersion":"977","selfLink":"/apis/rbac.authorization.k8s.io/v1/namespaces/blue/roles/developer","uid":"64f2f556-e9cc-40a1-b15d-ced69f80b8e8"},"rules":[{"apiGroups":[""],"resourceNames":["blue-app","dark-blue-app"],"resources":["pods"],"verbs":["get","watch","create","delete"]}]}
  creationTimestamp: "2020-12-21T11:54:41Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:rules: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2020-12-21T12:19:19Z"
  name: developer
  namespace: blue
  resourceVersion: "4368"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/blue/roles/developer
  uid: 64f2f556-e9cc-40a1-b15d-ced69f80b8e8
rules:
- apiGroups:
  - "apps"
  - "extensions"
  resourceNames:
  - blue-app
  - dark-blue-app
  resources:
  - pods
  - deployments
  verbs:
  - get
  - watch
  - create
  - delete
controlplane $

rolebinding yaml:
controlplane $ cat 11rb.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2020-12-21T11:54:41Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: kubectl-create
    operation: Update
    time: "2020-12-21T11:54:41Z"
  name: dev-user-binding
  namespace: blue
  resourceVersion: "978"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/blue/rolebindings/dev-user-binding
  uid: da97210c-434b-4b0b-a770-02fb049aa7a2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: developer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: dev-user
controlplane $

Mudit:
Hi @Tej_Singh_Rana/team, your thoughts on this would be appreciated.

Tej_Singh_Rana:
Hello, @Mudit
Please have a look at this discussion.
https://community.kodekloud.com/t/hi-guys-when-i-create-a-service-account-and-test-its-permissions-without-associ/15020
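
How the `no` in the first post follows from the Role shown in the thread, as an added example that is not part of the thread and is not Kubernetes' own code: a small Python model of RBAC rule matching run against the rules copied from 11role.yaml. The function names `rule_allows` and `can_i` and the `SPLIT_RULES` variant are assumptions made for illustration; the point is that a rule listing `resourceNames` only matches requests that carry one of those names, and `can-i create deployments` carries none.

```python
# Rules copied from the "rules:" section of 11role.yaml in the thread.
DEVELOPER_RULES = [{
    "apiGroups": ["apps", "extensions"],
    "resources": ["pods", "deployments"],
    "resourceNames": ["blue-app", "dark-blue-app"],
    "verbs": ["get", "watch", "create", "delete"],
}]

# Constructed variant (an assumption, not the lab's solution): name-scoped
# read/delete access, with create granted in a rule that has no resourceNames.
SPLIT_RULES = [
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "resourceNames": ["blue-app", "dark-blue-app"],
     "verbs": ["get", "watch", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create"]},
]


def _listed(allowed, value):
    """True if the rule field contains the value or the '*' wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource, name=""):
    """Model of how one RBAC PolicyRule is matched against a request."""
    if not _listed(rule.get("verbs", []), verb):
        return False
    if not _listed(rule.get("apiGroups", []), api_group):
        return False
    if not _listed(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames", [])
    # An empty resourceNames list means "any name". A non-empty list has no
    # wildcard: the request must name one of the listed objects exactly.
    return not names or name in names


def can_i(rules, verb, api_group, resource, name=""):
    """RBAC is additive: the request is allowed if any rule allows it."""
    return any(rule_allows(r, verb, api_group, resource, name) for r in rules)


if __name__ == "__main__":
    # Same question as `kubectl -n blue auth can-i create deployments`.
    print(can_i(DEVELOPER_RULES, "create", "apps", "deployments"))
    # Naming an object changes the answer for verbs that act on one object.
    print(can_i(DEVELOPER_RULES, "get", "apps", "deployments", "blue-app"))
    # Pods are served from the core API group "", which this rule omits.
    print(can_i(DEVELOPER_RULES, "get", "", "pods", "blue-app"))
    print(can_i(SPLIT_RULES, "create", "apps", "deployments"))
```

On a real cluster the named case corresponds to `kubectl -n blue auth can-i get deployments/blue-app --as dev-user`.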