Kubernetes CKA sample exam question 22 with answer

Question
A new user named alok needs to be created. Grant him access to the cluster.
User alok should have permissions to create, list, get, update and delete pods in the space namespace.
The private key and CSR exist at: /root/alok.key and /root/alok.csr

Answer
Check the keys:

pwd
ls
We can see the key and CSR in the /root folder.
Check that the space namespace exists:
kubectl get ns
Create a CertificateSigningRequest object. Get the manifest from the Kubernetes documentation and modify it as follows:
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: alok
spec:
  request: {{ base64 encoded csr data }}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
The request field is the base64 encoded content of the CSR file, on a single line (base64 wraps its output every 76 characters, so the newlines must be removed). You can get it with this command:
cat alok.csr | base64 | tr -d '\n'
Apply CSR and check:
kubectl apply -f csr.yaml
kubectl get csr
You can see that the CSR is in the Pending state. Approve it and verify:
kubectl certificate approve alok
kubectl get csr
It should now be in the Approved,Issued state.
Check whether user alok has access to get pods in the space namespace:
kubectl -n space get po --as alok
You can see that the action is forbidden. To grant the access, create a Role and a RoleBinding.
Get a Role example from the documentation and modify it as follows:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: space
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  # exactly the verbs the question asks for: create, list, get, update, delete
  verbs: ["create", "get", "list", "update", "delete"]
Apply and check:
kubectl apply -f role.yaml
kubectl -n space get role
Using the same procedure, create the RoleBinding manifest:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: space
subjects:
- kind: User
  name: alok
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
Apply and check:
kubectl apply -f rolebinding.yaml
kubectl -n space get rolebinding
Check again whether user alok has access to get pods in the space namespace:
kubectl -n space get po --as alok
This time the operation is successful.
The same check can be done with kubectl auth can-i:
kubectl auth can-i get po -n space --as alok
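As an added example that is not part of the original walkthrough, the two steps above that are easiest to get wrong, the single-line base64 request and a verb-by-verb permission check, as POSIX shell functions; KUBECTL is an assumed environment variable that lets the check be pointed at a stub when no cluster is available.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
set -eu

# Emit a CertificateSigningRequest manifest for USER from CSR_FILE.
# spec.request must be a single base64 line, so the newlines that
# `base64` inserts every 76 characters are stripped with tr.
csr_manifest() {
  user="$1"
  csr_file="$2"
  request=$(base64 < "$csr_file" | tr -d '\n')
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${user}
spec:
  request: ${request}
  signerName: kubernetes.io/kube-apiserver-client
  usages:
  - client auth
EOF
}

# Ask the API server, via `kubectl auth can-i`, whether USER may perform
# each VERB on pods in NS. Prints one line per verb and returns the number
# of denied verbs, so 0 means the Role covers everything the task requires.
# KUBECTL (assumed variable) defaults to kubectl; it can be set to a stub
# function so the check runs without a cluster.
check_verbs() {
  user="$1"
  ns="$2"
  shift 2
  denied=0
  for verb in "$@"; do
    if "${KUBECTL:-kubectl}" auth can-i "$verb" pods -n "$ns" --as "$user" >/dev/null 2>&1; then
      echo "allowed  $verb pods"
    else
      echo "DENIED   $verb pods"
      denied=$((denied + 1))
    fi
  done
  return "$denied"
}

# Usage on the exam cluster (assumes /root/alok.csr from the question):
#   csr_manifest alok /root/alok.csr > csr.yaml
#   kubectl apply -f csr.yaml && kubectl certificate approve alok
#   check_verbs alok space create list get update delete
```

A non-zero exit from check_verbs lists exactly which required verbs the Role still lacks, which catches a Role copied from the docs without the create verb.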