Question 6
Domain 2: Cluster Hardening
A RoleBinding references a ClusterRole named `view` inside one namespace. What scope will the granted permissions have?
Correct answer: B
Explanation
A RoleBinding is namespaced, so it grants access only within that namespace even when it references a ClusterRole. RBAC distinguishes “ClusterRole vs Role, ClusterRoleBinding vs RoleBinding,” and a RoleBinding binds permissions in its own namespace, making the scope namespace-scoped.
Why each option is right or wrong
A. Cluster-wide because the referenced role is cluster-scoped
ClusterRoles define permissions, but a RoleBinding applies them only in one namespace.
B. Namespace-scoped because the binding is namespaced
Under the RBAC API, a RoleBinding is a namespaced object in `rbac.authorization.k8s.io/v1`, and it can only grant permissions within the namespace where it exists, even if its `roleRef` points to a ClusterRole such as `view`. The ClusterRole contributes the rule set, but the binding’s scope is still limited to that single namespace; cross-namespace or cluster-wide access would require a ClusterRoleBinding instead.
C. Node-scoped because view is read-only
Read-only access is an RBAC verb set, not a node-level scope.
D. No permissions at all because ClusterRoles cannot be used in RoleBindings
RoleBindings can reference ClusterRoles and still grant namespaced permissions.
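The scoping rule from the explanation, as an added example that is not part of the original question: a simplified Python model of how the binding kind, not the `roleRef` kind, decides where a grant applies, plus a small audit helper that makes cluster-wide grants stand out. The users, namespaces, binding names and the abbreviated `view` rule set are constructed sample data, and the model is an assumption-level sketch, not the real Kubernetes authorizer.

```python
# Simplified model of RBAC binding scope (not the real authorizer: no
# aggregation, apiGroups, resourceNames or nonResourceURLs).
# All object names below are constructed sample data; the "view" rule set
# is abbreviated for illustration.

CLUSTER_ROLES = {
    "view": [{"verbs": {"get", "list", "watch"}, "resources": {"pods", "services"}}],
}

BINDINGS = [
    # RoleBinding in team-a whose roleRef points at the ClusterRole "view"
    {"kind": "RoleBinding", "metadata": {"name": "read-team-a", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # ClusterRoleBinding to the same ClusterRole, for contrast
    {"kind": "ClusterRoleBinding", "metadata": {"name": "read-everywhere"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]


def binding_scope(binding):
    """Scope comes from the binding kind, never from the roleRef kind."""
    if binding["kind"] == "ClusterRoleBinding":
        return ("cluster", None)
    return ("namespace", binding["metadata"]["namespace"])


def allowed(user, verb, resource, namespace, bindings=BINDINGS, roles=CLUSTER_ROLES):
    """True if some binding for `user` covers `namespace` and its role has the rule."""
    for b in bindings:
        if not any(s["kind"] == "User" and s["name"] == user for s in b["subjects"]):
            continue
        scope, ns = binding_scope(b)
        if scope == "namespace" and ns != namespace:
            continue  # a RoleBinding grants nothing outside its own namespace
        for rule in roles.get(b["roleRef"]["name"], []):
            if verb in rule["verbs"] and resource in rule["resources"]:
                return True
    return False


def audit(bindings=BINDINGS):
    """List (binding name, subject, scope) so cluster-wide grants stand out."""
    return [(b["metadata"]["name"], s["name"], binding_scope(b))
            for b in bindings for s in b["subjects"]]
```

The same `audit` shape can be fed binding objects exported from a cluster as JSON, which is a quick way to review which subjects hold a ClusterRole cluster-wide rather than in a single namespace.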