Challenge, Medium,  on  Kubernetes

Debug and Resolve RBAC Failures for Two Deployments

Scenario

Your company runs two monitoring applications in the one-piece namespace: monkey-d-luffy for service discovery and crew-monitor for endpoint health monitoring. Both are currently failing due to missing RBAC permissions.

Task

Fix Service Discovery Monitoring (`monkey-d-luffy`)
Fix Endpoint Health Monitoring (`crew-monitor`)

The monkey-d-luffy deployment is trying to list services in the one-piece namespace — specifically test-svc — but the default ServiceAccount does not have permission, resulting in this log error:

🔍 [monkey-d-luffy] Checking services at 10:15:23...
Error from server (Forbidden): services is forbidden
 FAILED: Permission denied

Create proper RBAC configuration:

  1. Create ServiceAccount thousand-sunny in the one-piece namespace
  2. Create Role strawhat-role that allows get, list, and watch operations on services resources
  3. Create RoleBinding strawhat-rb to bind the Role to the ServiceAccount
  4. Update the monkey-d-luffy deployment to use the thousand-sunny ServiceAccount

The crew-monitor deployment is trying to list endpoints in the one-piece namespace — specifically the endpoints of test-svc — but the nami-navigator ServiceAccount has no Role or RoleBinding, resulting in this log error:

🔍 [crew-monitor] Checking endpoints at 05:59:08...
 FAILED: Permission denied

Create proper RBAC configuration:

  1. Create Role navigator-role that allows get, list, and watch operations on endpoints resources
  2. Create RoleBinding navigator-rb to bind the role to the existing nami-navigator ServiceAccount

After fixing both, verify the logs show successful operations with ✅ SUCCESS messages.

Hint
  • kubectl create serviceaccount <n> -n one-piece
  • Role needs: apiGroups: "", resources: "services" or "endpoints", verbs: "get", "list", "watch"
  • kubectl create rolebinding <n> --role=<role> --serviceaccount=one-piece:<sa> -n one-piece
  • Update deployment SA: kubectl set serviceaccount deployment <n> <sa> -n one-piece

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge resolve-rbac-errors-in-multiple-deployments-94aa2ae8

This will create a local copy of the challenge content in a directory named resolve-rbac-errors-in-multiple-deployments-94aa2ae8. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge resolve-rbac-errors-in-multiple-deployments-94aa2ae8

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge