Challenge, Medium,  on  Kubernetes

Troubleshoot RBAC Permissions for a Failing Deployment

Scenario

A Deployment named pod-explorer in the qa-tools namespace is failing with the following error:

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:qa-tools:sa-explorer" cannot list resource "pods" in API group "" in the namespace "qa-tools"FAILED

The security team has created several Roles in the namespace with generic names for different purposes.

Task

  1. Analyse all Roles in the qa-tools namespace, examine each one, and identify which Role grants permission to list Pods within the same namespace.
  2. Create a RoleBinding named explorer-rolebinding that binds the correct Role to the ServiceAccount sa-explorer
  3. Verify that the Deployment logs show successful pod listing without permission errors
Hint
  • Use kubectl get roles -n qa-tools to list available Roles
  • Use kubectl describe role <role-name> -n qa-tools to inspect each Role's permissions
  • Look at the Resources and Verbs fields to understand what each Role allows
  • Use kubectl create rolebinding -h to see available flags for binding a Role to a ServiceAccount

See the official docs: Using RBAC Authorization

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge troubleshoot-rbac-permissions-for-a-failing-deployment-7d545b29

This will create a local copy of the challenge content in a directory named troubleshoot-rbac-permissions-for-a-failing-deployment-7d545b29. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge troubleshoot-rbac-permissions-for-a-failing-deployment-7d545b29

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge