Kubernetes CKA sample exam question 79 with answer

Question
Generate a new certificates for user ellasmith and setup a context for her.
Create a ClusterRole with the name service-view to the API resources services with the operations get and list.
Create the RoleBinding named ellasmith-service-view in the development namespace. Map the user ellasmith to the ClusterRole service-view,
Create a ClusterRole with the name combined. Aggregate cluster roles based on the matching label key-value pair rbac.cka.cncf.com/aggregate: "true".
Render the selected rules of the ClusterRole combined. How many rules do you see?
Create a ClusterRole with the name deployment-modify to the API resources deployments with the operations create, delete, patch, update. Assign the label key-value pair rbac.cka.cncf.com/aggregate: "true".
Render the selected rules of the ClusterRole combined. How many rules do you see?
Run a command to figure out if the user ellasmith can list Services in the namespace development. Write the output of the command to the file list-services-ellasmith.txt. The output is either "no" or "yes."
Run a command to figure out if the user ellasmith can watch Deployments in the namespace production. Write the output of the command to the file watch-deployments-ellasmith.txt. The output is either "no" or "yes."

Answer
Generate a new certificates for user ellasmith and setup a context for her.

mkdir cert && cd cert
penssl genrsa -out ellasmith.key 2048
openssl req -new -key ellasmith.key -out ellasmith.csr -subj "/CN=ellasmith/O=cka-study-guide"
openssl x509 -req -in ellasmith.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out ellasmith.crt -days 364
kubectl config set-credentials ellasmith --client-certificate=ellasmith.crt --client-key=ellasmith.key
kubectl config set-context ellasmith-context --cluster=kubernetes --user=ellasmith

Create namsspace development:

kubectl create namespace development

Create a ClusterRole imperatively:

kubectl create clusterrole service-view --resource=services --verb=get,list

Create the RoleBinding:

kubectl create rolebinding ellasmith-service-view --user=ellasmith --clusterrole=service-view -n development

Create aggregating ClusterRole:

kubectl create clusterrole combined --aggregation-rule="rbac.cka.cncf.com/aggregate=true"

Verify that the ClusterRole has been created properly and render it:

kubectl get clusterrole combined
kubectl create clusterrolebinding ellasmith-service-view-crb --user=ellasmith --clusterrole=combined
kubectl describe clusterrole combined

it shows an empty list as no ClusterRoles were selected by label selection.
Creating another ClusterRole - generate manifest, because the command does not provide an option for adding a label:

kubectl create clusterrole deployment-modify --verb=create,delete,patch,update --resource=deployments --dry-run=client -o yaml

Adjust manifest to look like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.cka.cncf.com/aggregate: "true"
  name: deployment-modify
rules:
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - patch
  - update

Create the ClusterRole from the YAML file:

kubectl apply -f cr.yaml

Verify:

kubectl get clusterrole deployment-modify

Rendering the rules for the Clusterrole combined lists the rules defined by the ClusterRole deployment-modify:

kubectl describe clusterrole combined

Listing Services is allowed for the user ellasmith in the namespace development. This is taken care by RoleBinding ellasmith-service-view:

kubectl auth can-i list services --as=ellasmith --namespace=development
kubectl auth can-i list services --as=ellasmith --namespace=development > list-services-ellasmith.txt

Watching Deployments is not allowed for the user ellasmith in the namespace production. The ClusterRole named deployment-modify only allows the verbs create, delete, patch, update:

kubectl auth can-i watch deployments --as=ellasmith --namespace=production
kubectl auth can-i watch deployments --as=ellasmith --namespace=production > watch-deployments-ellasmith.txt