Cloud / HELM Interview Questions
How do you manage Helm RBAC permissions for different team roles?
Implementing least-privilege RBAC for Helm operations requires careful permission design across teams. Helm 3 has no in-cluster Tiller component: it acts with the caller's own kubeconfig credentials and stores release state as Secrets in the release namespace, so Helm permissions are ordinary Kubernetes RBAC on the resources each chart creates.
1. Role-based access by team:

    # Developer role (can deploy to dev namespace)
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: dev
      name: helm-developer
    rules:
    - apiGroups: ["apps", "extensions"]
      resources: ["deployments", "statefulsets", "daemonsets"]
      verbs: ["get", "list", "create", "update", "patch", "delete"]
    - apiGroups: [""]
      resources: ["services", "configmaps", "secrets", "persistentvolumeclaims"]
      verbs: ["get", "list", "create", "update", "patch", "delete"]
    - apiGroups: ["networking.k8s.io"]
      resources: ["ingresses"]
      verbs: ["get", "list", "create", "update", "patch", "delete"]
    - apiGroups: ["batch"]
      resources: ["jobs", "cronjobs"]
      verbs: ["get", "list", "create", "update", "patch", "delete"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      namespace: dev
      name: helm-developer-binding
    subjects:
    - kind: Group
      name: developers
      apiGroup: rbac.authorization.k8s.io
    roleRef:
      kind: Role
      name: helm-developer
      apiGroup: rbac.authorization.k8s.io
2. Platform team (full cluster access):

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: helm-platform-engineer
    rules:
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
    - nonResourceURLs: ["/metrics", "/healthz"]
      verbs: ["get"]
3. Read-only auditor:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: helm-auditor
    rules:
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["helm.cattle.io"]   # HelmChartConfig CRD (k3s Helm controller)
      resources: ["helmchartconfigs"]
      verbs: ["get", "list"]
4. Service account for CI/CD:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: helm-cicd
      namespace: pipelines
    ---
    # A RoleBinding that references a ClusterRole scopes that role to the
    # binding's namespace only. The helm-cicd-deployer ClusterRole is assumed
    # to be defined separately; it is not shown here.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: helm-cicd-binding
      namespace: pipelines
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: helm-cicd-deployer
    subjects:
    - kind: ServiceAccount
      name: helm-cicd
      namespace: pipelines
5. Namespace isolation with Helm:

    # Deploy with specific namespace permissions
    kubectl create namespace team-a
    kubectl create rolebinding helm-deployer-team-a \
      --clusterrole=helm-deployer \
      --serviceaccount=team-a:default \
      --namespace=team-a
6. Fine-grained resource permissions:

    # Allow specific operations only
    rules:
    - apiGroups: ["apps"]
      resources: ["deployments/scale"]
      verbs: ["get", "patch"]   # Allow scaling but not full deployment updates
7. Audit RBAC usage:

    # Check effective permissions
    kubectl auth can-i create deployments --as=system:serviceaccount:dev:default
    kubectl auth can-i get secrets --as=jane.doe

    # Audit existing RBAC
    kubectl get clusterrole,clusterrolebinding,role,rolebinding -A
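As an added example (not part of the original page), the following script performs an offline review of Role/ClusterRole objects of the kind shown above, flagging wildcard grants, any access to Secrets (where Helm 3 keeps release state and values) and privilege-escalation verbs. It reads the same JSON shape that `kubectl get clusterrole,role -A -o json` produces; the SAMPLE document embedded below is constructed for this demonstration, not taken from a real cluster.

```python
# Added example: static least-privilege check for RBAC role objects.
# Input shape mirrors `kubectl get clusterrole,role -A -o json`; SAMPLE is constructed.
import json

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}

SAMPLE = json.loads("""{"items": [
 {"kind": "Role", "metadata": {"name": "helm-developer", "namespace": "dev"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "create"]},
            {"apiGroups": [""], "resources": ["services", "secrets"], "verbs": ["get", "create", "delete"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "helm-platform-engineer"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "create", "delete"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "helm-auditor"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "rbac-admin"},
  "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"], "verbs": ["bind", "escalate"]}]}
]}""")


def lint_rbac(doc):
    """Return (role, finding) tuples for every risky rule in a kubectl JSON list."""
    findings = []
    for item in doc.get("items", []):
        md = item["metadata"]
        name = f'{item["kind"]}/{md.get("namespace", "cluster")}/{md["name"]}'
        for rule in item.get("rules") or []:
            groups = set(rule.get("apiGroups", []))
            resources = set(rule.get("resources", []))
            verbs = set(rule.get("verbs", []))
            if "*" in resources or "*" in verbs:
                findings.append((name, "wildcard grant (resources/verbs contain '*')"))
            # Secrets live in the core ("") API group; a "*" resource grant covers them too.
            touches_secrets = "secrets" in resources or ("*" in resources and ("" in groups or "*" in groups))
            if touches_secrets and verbs & WRITE_VERBS:
                findings.append((name, "write access to Secrets (Helm release state lives here)"))
            elif touches_secrets:
                findings.append((name, "read access to Secrets (exposes release values and credentials)"))
            if verbs & ESCALATION_VERBS:
                findings.append((name, f"escalation verbs {sorted(verbs & ESCALATION_VERBS)}"))
    return findings


def roles_with_findings(doc):
    """Sorted, de-duplicated list of role names that have at least one finding."""
    return sorted({role for role, _ in lint_rbac(doc)})


if __name__ == "__main__":
    import sys
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for role, finding in lint_rbac(data):
        print(f"{role}: {finding}")
```

Pipe real cluster output into it with `kubectl get clusterrole,role -A -o json | python3 rbac_lint.py`; with no input it runs against the constructed sample.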