Skip to main content

4. RBAC, ServiceAccounts & authorization

Roles vs ClusterRoles, bindings, ServiceAccounts, kubectl auth can-i.

⏱ ≈ 30 min this module · 📚 ≈ 6.9 h full track

🔒 Unlock this course to read the material and run the labs.

See options to unlock →
🔒 The written material unlocks with the course.
🧪 Hands-on lab Medium · 170 XP · 30min

Goal

Give a ServiceAccount read-only access to Pods — nothing more — using a Role and a RoleBinding in your lab namespace.

Requirements (your default namespace, lab)

  • A ServiceAccount viewer
  • A Role pod-reader allowing only get, list, watch on pods
  • A RoleBinding viewer-can-read binding the Role to the ServiceAccount

The judge asserts the SA + binding exist and that the Role is read-only (exactly get/list/watch on pods — no create/update/delete), proving the grant is scoped rather than broad.

🔒 Unlock the course to run this lab.