Gaurav Karki:
I cannot see the rolebindings with frontend-default
controlplane $ kubectl -n omni get roles
NAME CREATED AT
fe 2021-05-01T14:12:00Z
frontend 2021-05-01T14:12:00Z
controlplane $ kubectl -n omni describe roles
Name: fe
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
configmaps [] [] [create delete]
secrets [] [] [create delete]
Name: frontend
Labels: <none>
Annotations: <none>
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
secrets [] [] [create]
controlplane $
Fernando Jordan Silva:
It’s the one that doesn’t have any associated role or clusterrole.
Gaurav Karki:
Thanks @Fernando Jordan Silva. My confusion is, there are two SA without rolebindings, default and frontend-default. however the question consider “frontend-default” as correct answer. If no roles are assigned, what’s the default permission does a role has? and why “default” is not the correct answer.
Luis Leon Toribios:
“There are several service accounts created in the omni namespace. Apply the principle of least privilege and use the service account with the minimum privileges (excluding default).”
Gaurav Karki:
@Luis Leon Toribios yes the question does say exclude the system default SA. I was trying to find out what permissions are assigned to defaults and frontend-default SAs.
Luis Leon Toribios:
I read this: “By default, the default service account in a namespace has no permissions other than those of an unauthenticated user.”