Interview Kubernetes, Docker, Helm & Podman

What is RBAC, and what are Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings?

Kubernetes, Docker, Helm & Podman · Intermediate level

Answer

RBAC controls who can perform which verbs on which Kubernetes resources. Roles and RoleBindings are namespace-scoped, while ClusterRoles and ClusterRoleBindings are cluster-scoped or reusable across namespaces.

Technical explanation

RBAC grants are additive; Kubernetes does not have an RBAC deny rule, so least privilege requires carefully scoped grants.

ClusterRoleBinding is powerful and should be rare for human and workload identities.

Scheduling controls place workloads correctly; RBAC and ServiceAccounts decide what identities can do after placement.

Use labels consistently because Services, Deployments, affinities, policies, and topology spread all depend on label selection.

Every constraint should be testable with events: FailedScheduling, denied API calls, or observed placement.

Hands-on example

1. Create a lab namespace for this exercise with explicit labels, ServiceAccounts, roles, node labels, or taints: create a read-only Role and RoleBinding for a namespace.

2. Use kubectl auth can-i, kubectl describe pod, and scheduling events to verify the expected decision.

3. Test a negative case, such as missing permission, missing toleration, or impossible affinity, and capture the exact error.

4. Convert the validated YAML into a reusable platform pattern with clear naming and labels.

Preparing for an interview?

Check how well your resume matches the role with our free resume checker— match score, ATS check, and the skills you're missing.

More Kubernetes, Docker, Helm & Podman interview questions

← All Kubernetes, Docker, Helm & Podman questions