
Question 28 - ClusterRole for Deployment Pipeline

Question 28

Context - kubectl config use-context k8s

You have been asked to create a new ClusterRole for a deployment pipeline and bind it to a specific ServiceAccount scoped to a specific namespace.

Task - Create a new ClusterRole named deployment-clusterrole, which only allows creating the following resource types:
- Deployment
- StatefulSet
- DaemonSet

Create a new ServiceAccount named cicd-token in the existing namespace app-team1. Bind the new ClusterRole deployment-clusterrole to the new ServiceAccount cicd-token, limited to the namespace app-team1.

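# Point kubectl at the exam cluster before changing anything.
kubectl config use-context k8s

# ClusterRole restricted to the single verb "create" on the three workload kinds.
# Naming each resource as <plural>.<group> pins the apps API group explicitly
# instead of relying on kubectl's discovery lookup to fill in apiGroups.
kubectl create clusterrole deployment-clusterrole \
  --verb=create \
  --resource=deployments.apps,statefulsets.apps,daemonsets.apps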
clusterrole.rbac.authorization.k8s.io/deployment-clusterrole created

# Print the created ClusterRole as YAML to confirm the rule kubectl generated.
kubectl get clusterrole deployment-clusterrole --output yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2024-04-14T13:20:52Z"
  name: deployment-clusterrole
  resourceVersion: "1371868"
  uid: 389dffea-8be0-482f-a84c-687b257476d8
rules:
- apiGroups:
  - apps # Filled in automatically by kubectl; had it been missing, the apps API group would have to be added by hand
  resources:
  - deployments
  - statefulsets
  - daemonsets
  verbs:
  - create

# ServiceAccount the pipeline will authenticate as; it exists only in app-team1.
kubectl create serviceaccount cicd-token --namespace app-team1
serviceaccount/cicd-token created

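# The task requires the grant to be limited to app-team1. A ClusterRoleBinding
# would make deployment-clusterrole effective in every namespace, so a namespaced
# RoleBinding is used instead: a RoleBinding may reference a ClusterRole, and the
# resulting permissions apply only inside the binding's own namespace.
kubectl create rolebinding deploy-b \
  --namespace app-team1 \
  --clusterrole=deployment-clusterrole \
  --serviceaccount=app-team1:cicd-token
# expected output: rolebinding.rbac.authorization.k8s.io/deploy-b created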

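# Checking. there's an example for this command in kubectl auth can-i -h
# Impersonate the ServiceAccount and confirm exactly what it may do. The answers
# the transcript printed are kept as "expected:" comments, since a bare "yes"
# line in a script would run the yes(1) command instead.
sa=system:serviceaccount:app-team1:cicd-token

for kind in deployment statefulset daemonset; do
  kubectl auth can-i create "$kind" --as="$sa" -n app-team1    # expected: yes
done

# Negative checks. A resource outside the rule must be denied ...
kubectl auth can-i create pod --as="$sa" -n app-team1            # expected: no
# ... and so must the same resource in another namespace. If this answers "yes",
# the ClusterRole was bound cluster-wide (ClusterRoleBinding) rather than being
# limited to app-team1 with a namespaced RoleBinding, which the task forbids.
kubectl auth can-i create deployment --as="$sa" -n default       # expected: no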