# Question 9: RBAC & ServiceAccount

###### tags: `Exam question walkthrough`

Switch cluster: `kubectl config use-context k8s`

**Context**

A Pod fails to run because of an incorrectly specified ServiceAccount.

**Task**

Create a new ServiceAccount named **frontend-sa** in the existing namespace qa, which must not have access to **any secrets**.

Inspect the Pod named frontend running in the namespace qa. Edit the Pod to use the newly created serviceAccount **frontend-sa**.

You can find the Pod's manifest file at /cks/9/pod9.yaml

Ensure that the modified specification is applied and the Pod is running.

Finally, clean-up and delete the now unused serviceAccount that the Pod used initially.

## Solution

```
kubectl create sa frontend-sa -n qa
```

```
kubectl create clusterrolebinding crb:view:qa:frontend-sa --clusterrole view --serviceaccount qa:frontend-sa
```

Verify the SA's permissions. The built-in `view` ClusterRole does not include Secrets, so only the first check should return `yes`:

```
kubectl auth can-i --as system:serviceaccount:qa:frontend-sa get pod -n qa
yes
kubectl auth can-i --as system:serviceaccount:qa:frontend-sa get secret -n qa
no
kubectl auth can-i --as system:serviceaccount:qa:frontend-sa get secret
no
```

Then replace the Pod's ServiceAccount in the given YAML and redeploy the Pod.

**Remember: delete the original SA**
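
The last steps (swap the ServiceAccount in the manifest, redeploy, delete the old SA) can be scripted as below. This is an added example, not part of the original walkthrough: the function names are hypothetical, and it assumes the manifest sets `serviceAccountName` on a single unquoted line, since the contents of /cks/9/pod9.yaml are not shown here.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# Print the ServiceAccount a Pod manifest references (empty if unset).
manifest_sa() {
  sed -n 's/^[[:space:]]*serviceAccountName:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Rewrite serviceAccountName in place (backup in <file>.bak), keeping indentation.
# Fails if the manifest does not end up referencing the new SA.
set_manifest_sa() {   # usage: set_manifest_sa <file> <new-sa>
  sed -i.bak 's/^\([[:space:]]*serviceAccountName:[[:space:]]*\).*/\1'"$2"'/' "$1" || return 1
  [ "$(manifest_sa "$1")" = "$2" ]
}

# Whole procedure against a live cluster; only runs when called explicitly.
swap_sa() {           # usage: swap_sa <namespace> <pod> <manifest> <new-sa>
  ns=$1; pod=$2; file=$3; new_sa=$4
  # Remember which SA the Pod used initially (live object, else the manifest).
  old_sa=$(kubectl get pod "$pod" -n "$ns" -o jsonpath='{.spec.serviceAccountName}' 2>/dev/null) \
    || old_sa=$(manifest_sa "$file")
  # Stop unless can-i answers "no" for every read verb on Secrets (fails closed on errors).
  for verb in get list watch; do
    if [ "$(kubectl auth can-i "$verb" secrets -n "$ns" \
            --as "system:serviceaccount:$ns:$new_sa")" != "no" ]; then
      echo "refusing: $new_sa may $verb secrets in $ns" >&2; return 1
    fi
  done
  set_manifest_sa "$file" "$new_sa" || { echo "serviceAccountName not found in $file" >&2; return 1; }
  # A Pod's serviceAccountName cannot be changed in place, so delete and recreate it.
  kubectl replace --force -f "$file" || return 1
  kubectl wait --for=condition=Ready "pod/$pod" -n "$ns" --timeout=60s || return 1
  # Delete the old SA only when no Pod in the namespace still references it.
  [ -n "$old_sa" ] && [ "$old_sa" != "$new_sa" ] || return 0
  in_use=$(kubectl get pods -n "$ns" \
    -o jsonpath='{range .items[*]}{.spec.serviceAccountName}{"\n"}{end}' | grep -cxF "$old_sa" || true)
  if [ "$in_use" -eq 0 ]; then
    kubectl delete sa "$old_sa" -n "$ns"
  else
    echo "keeping $old_sa: still used by $in_use Pod(s)" >&2
  fi
}

# Example call with the names from the task:
#   swap_sa qa frontend /cks/9/pod9.yaml frontend-sa
```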