U.S. Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Linux Foundation CKS Exam - Topic 5 Question 85 Discussion

ContextA Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.TaskGiven an existing Pod named web-pod running in the namespace security.Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.Create a new Role named role-2 in the namespace security, which only allows performing updateoperations, only on resources of type namespaces.Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.
A) Explanation:

Linux Foundation CKS Exam - Topic 5 Question 85 Discussion

Actual exam question for Linux Foundation's CKS exam
Question #: 85
Topic #: 5
[All CKS Questions]

Context

A Role bound to a Pod's ServiceAccount grants overly permissive permissions. Complete the following tasks to reduce the set of permissions.

Task

Given an existing Pod named web-pod running in the namespace security.

Edit the existing Role bound to the Pod's ServiceAccount sa-dev-1 to only allow performing watch operations, only on resources of type services.

Create a new Role named role-2 in the namespace security, which only allows performing update

operations, only on resources of type namespaces.

Create a new RoleBinding named role-2-binding binding the newly created Role to the Pod's ServiceAccount.

Show Suggested Answer Hide Answer
Suggested Answer: A

by Lai at Nov 22, 2025, 01:02 AM

Limited Time Offer

25%

Off

Get Premium CKS Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Arlean
3 months ago
Yes, role-2 for namespaces is crucial. Good catch!
upvoted 0 times
...
Velda
3 months ago
But we also need to create that new Role, right?
upvoted 0 times
...
Elina
3 months ago
Agreed. Watch operations are safer for services.
upvoted 0 times
...
Denny
3 months ago
I think option A is the best choice. It limits access well.
upvoted 0 times
...
Vannessa
3 months ago
I feel the same. Need to focus on the specifics.
upvoted 0 times
...
Gearldine
4 months ago
Sounds good, but are we sure this won't break anything?
upvoted 0 times
...
Jolene
4 months ago
Wait, we can create a Role for namespaces? That’s new to me!
upvoted 0 times
...
Susana
4 months ago
Totally agree, less is more when it comes to permissions!
upvoted 0 times
...
Annamaria
4 months ago
Just need to limit permissions to watch services only.
upvoted 0 times
...
Bobbie
5 months ago
Wait, we have to create a new Role and RoleBinding? That's a lot of steps.
upvoted 0 times
...
Dick
5 months ago
Haha, I bet the exam writer had a good laugh coming up with this one.
upvoted 0 times
...
Laquita
5 months ago
Hmm, I'm not sure about the namespace update permission. Seems a bit overkill.
upvoted 0 times
...
Santos
5 months ago
This looks straightforward, I think I can handle it.
upvoted 0 times
...
Ronnie
5 months ago
I recall that we had to bind Roles to ServiceAccounts in a previous exercise. I hope I can remember the steps to create the RoleBinding correctly.
upvoted 0 times
...
Stanford
5 months ago
I think I need to look up the exact syntax for defining permissions in a Role. I feel like I might mix up the resource types.
upvoted 0 times
...
An
6 months ago
This seems like a good opportunity to demonstrate my RBAC knowledge. I'm confident I can complete all the tasks efficiently and accurately. I'll make sure to follow the exact requirements and pay close attention to the details.
upvoted 0 times
...
Denise
6 months ago
Okay, let's break this down step-by-step. First, I'll edit the existing Role to only allow watch operations on services. Then, I'll create a new Role for updating namespaces and bind it to the Pod's ServiceAccount. I think I can handle this, but I'll double-check my work before submitting.
upvoted 0 times
...
Doretha
6 months ago
This question is tricky. Permissions can get complicated.
upvoted 0 times
...
Brett
6 months ago
This seems similar to that practice question where we had to create a RoleBinding. I think I can manage that part, but the specifics on namespaces are a bit fuzzy.
upvoted 0 times
...
Eric
6 months ago
I remember we practiced editing Roles before, but I'm not entirely sure how to limit permissions specifically to watch operations.
upvoted 0 times
...
Jovita
7 months ago
I think updating namespaces is a bit risky, but okay.
upvoted 0 times
...
Nenita
7 months ago
Hmm, I'm a bit unsure about the specifics of the RBAC resources and their interactions. I'll need to carefully read through the question and make sure I understand the expected changes before attempting to implement them.
upvoted 0 times
...
Delmy
7 months ago
This looks like a straightforward RBAC question. I'll start by reviewing the existing Role bound to the Pod's ServiceAccount and then create a new Role and RoleBinding as per the requirements.
upvoted 0 times
James
2 months ago
And we must bind it to sa-dev-1 with role-2-binding.
upvoted 0 times
...
Dahlia
2 months ago
Don't forget to create role-2 for updating namespaces!
upvoted 0 times
...
Lelia
2 months ago
After that, we can edit it for watch operations on services.
upvoted 0 times
...
Edda
2 months ago
Let's check the current Role for the web-pod.
upvoted 0 times
...
Delisa
7 months ago
Good idea! We need to see what permissions it has.
upvoted 0 times
...
...

Save Cancel