Kubernetes CKA sample exam question 78 with answer

Question
Generate a new certificate for the user johndoe and set up a context for him.
List the available contexts and identify the current context you are in. Write the current context to the file current-context.txt.
The contents of the file should have the format authentication-information@cluster-name, e.g., betsyhale@mycluster.
Check the permissions assigned to the user johndoe for the verbs list, get, watch, delete in the default namespace. Which of the operations is currently allowed?
Create a Role with the name pod-reader, and the RoleBinding named read-pods in the default namespace. Map the user johndoe to the API resources pods with the operations watch, list, get.
Switch to the context johndoe-context associated with the user johndoe.
Create a Pod named nginx with the image nginx:1.21.1 in the namespace default. Expose the container port 80. Write the output to the file create-pod.txt.
List the Pods in the default namespace. Write the output to the file list-pods.txt.

Answer
Generate a new certificate for the user johndoe and set up a context for him:

mkdir cert && cd cert
openssl genrsa -out johndoe.key 2048
openssl req -new -key johndoe.key -out johndoe.csr -subj "/CN=johndoe/O=cka-study-guide"
openssl x509 -req -in johndoe.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out johndoe.crt -days 364
kubectl config set-credentials johndoe --client-certificate=johndoe.crt --client-key=johndoe.key
kubectl config set-context johndoe-context --cluster=kubernetes --user=johndoe
List all contexts:
kubectl config get-contexts
The output marks the current context with the * character in the CURRENT column.
Write the current context to the file current-context.txt:
kubectl config current-context > current-context.txt
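An added helper (not part of the original answer) for the authentication-information@cluster-name form the question asks for: kubectl config current-context prints the context's name, which only has that form when the context was named that way (kubeadm's kubernetes-admin@kubernetes is; johndoe-context is not), so this POSIX sh/awk snippet derives user@cluster from the AUTHINFO and CLUSTER columns of kubectl config get-contexts instead. The get-contexts output embedded below is constructed, not captured from a cluster.

```sh
#!/bin/sh
# Constructed sample of `kubectl config get-contexts` output (not from a real cluster).
# Note the blank CURRENT cell on the johndoe row: whitespace splitting shifts that
# row's fields one column to the left, which naive parsing gets wrong.
SAMPLE_CONTEXTS='CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin
          johndoe-context               kubernetes   johndoe'

# current_context_id: read get-contexts output on stdin and print the current
# context as AUTHINFO@CLUSTER (e.g. betsyhale@mycluster). Only the row marked
# with "*" has all five columns in place, so $3 is CLUSTER and $4 is AUTHINFO.
current_context_id() {
  awk 'NR > 1 && $1 == "*" { print $4 "@" $3; found = 1 }
       END { if (!found) exit 1 }'
}

# context_user: print the AUTHINFO bound to a given context NAME, current or not,
# compensating for the column shift on rows whose CURRENT cell is blank.
context_user() {
  awk -v want="$1" 'NR > 1 {
      if ($1 == "*") { name = $2; user = $4 } else { name = $1; user = $3 }
      if (name == want) { print user; found = 1 }
    }
    END { if (!found) exit 1 }'
}

# On the real cluster replace the sample with the live command:
#   kubectl config get-contexts | current_context_id > current-context.txt
printf '%s\n' "$SAMPLE_CONTEXTS" | current_context_id
```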
Use the auth can-i command to check the permissions for specific verbs. The --as option impersonates the user, so the check reflects that user's permissions:
kubectl auth can-i list pods --as johndoe
kubectl auth can-i get pods --as johndoe
kubectl auth can-i watch pods --as johndoe
kubectl auth can-i delete pods --as johndoe
The output shows that none of these operations is allowed: right now the user johndoe has no permission to list, get, watch or delete Pods in the default namespace.
Create the Role imperatively:
kubectl create role pod-reader --verb=watch,list,get --resource=pods
Creating the RoleBinding:
kubectl create rolebinding read-pods --user=johndoe --role=pod-reader
Switch to the context johndoe-context:
kubectl config use-context johndoe-context
Creating a new Pod fails because the user johndoe doesn't have permission to create Pods. The error message is written to stderr, so redirect that stream to the file create-pod.txt:
kubectl run nginx --image=nginx:1.21.1 --port=80
kubectl run nginx --image=nginx:1.21.1 --port=80 2>create-pod.txt
The list operation is allowed for the user johndoe, so the command succeeds and prints its result on stdout. Write the output to the file list-pods.txt:
kubectl get pods
kubectl get pods > list-pods.txt
Verify:
cat create-pod.txt list-pods.txt