Question 38
Domain 6: Security, RBAC & Configuration
Which Kubernetes RBAC object should be created in the cka-20834 namespace to allow a user to get and list Deployments?
Correct answer: A
Explanation
Kubernetes RBAC uses a Role for permissions scoped to a single namespace, and the role must grant the needed verbs on the target resource. To allow access in the "cka-20834" namespace, create a Role named "deployment-reader" with "get" and "list" on "deployments" so the user can read Deployment objects there.
Why each option is right or wrong
A. A Role named deployment-reader granting the verbs get and list on the deployments resource
Under Kubernetes RBAC, namespace-scoped access is defined with a `Role`, not a `ClusterRole`; the rules of a `Role` created in the `cka-20834` namespace apply only within that namespace. The rule must explicitly allow the `get` and `list` verbs on the `deployments` resource in the `apps` API group, which is the API group that serves Deployment objects.
B. A ClusterRole named deployment-reader granting get and list on all resources
C. A RoleBinding named deployment-reader granting access to deployments
D. A ServiceAccount named deployment-reader in the cka-20834 namespace