Security: Cluster Roles - error accessing nodes


In CKA practice tests, Security - Cluster Roles :
A new user michelle joined the team. She will be focusing on the nodes in the cluster. Create the required ClusterRoles and ClusterRoleBindings so she gets access to the nodes.

After creating the clusterrole & cluster rolebindings, on executing the below command as root user it is able to get the nodes but gives error for user michelle.

controlplane $ kubectl get nodes --as user=michelle
Error from server (Forbidden): nodes is forbidden: User “user=michelle” cannot list resource “nodes” in API group “” at the cluster scope

I was expecting to see that michelle has been granted permissions to access nodes (get, list, watch, delete, create) based on the clusterrole & clusterrolebindings created, but i am getting the above error. Same error with the answers provided in /var/answers.

Please let me know if i am missing something.


Hello @selvakumar,
Type this command i think it will solve the problem i try it:

kubectl get nodes --as michelle --namespace=default

Thanks for your input.

However the below command did not work, bcz clusterroles are cluster wide and it is not scoped to any namespace.
I tried creating with namespace as default it did not take the changes.
kubectl get nodes --as michelle --namespace=default

Please let me know if you get to know the solution.

I have another question:
Kubectl does not have the option to list resources like kubectl list …, but if we look at the command it has (get, list, watch, create, etc)
I would like to know how to use only list command(not using get) for eg i grant permission to only list the nodes. Is there a way.


hello @selvakumar i think the following link will help a lot to answer both the first and the second question please fill free to check it :slightly_smiling_face:

Okay. I am clear on the query about list.

Coming back to the actual issue on clusterroles its still not clear and the command( kubectl get nodes --as michelle --namespace=default ) is not working as expected.


Okay @selvakumar,
Try to use this option: