Goal
Give a ServiceAccount read-only access to Pods — nothing more — using a Role and a RoleBinding in your lab namespace.
Requirements (your default namespace, lab)
- A ServiceAccount
viewer - A Role
pod-readerallowing onlyget,list,watchonpods - A RoleBinding
viewer-can-readbinding the Role to the ServiceAccount
The judge asserts the SA + binding exist and that the Role is read-only (exactly get/list/watch on pods — no create/update/delete), proving the grant is scoped rather than broad.