👋 I have a problem understanding RBAC. Tried this both in a plain Katacoda . . .

Konrad:
👋 I have a problem understanding RBAC. Tried this both in a plain Katacoda environment as well as in the “Practice Test Role Based Access Control” environment provided with this course. There are two namespaces A and B. Some pod scheduled in namespace A using an image that ships kubectl is able to patch an existing secret in both namespace A and B. Is that supposed to be allowed? I had thought that I would need to create one role per namespace allowing “patch” on the “secrets” type and bind that to the default service account or to a custom service account and make the pod use that. But it just works out of the box. 😕

JohnC:
Were you using Role or ClusterRole?

Konrad:
Nothing, it just worked without any RBAC modifications.

Tried it in a real cluster now where these RBAC modifications are required (I use Role).

The demo environments seem to put cluster-admin or similar to default service accounts; that’s why it just worked.