Solution

.infrastructure/security/rbac.yml

@@ -0,0 +1,30 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: secrets-reader
+  namespace: todoapp
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secrets-reader-role
+  namespace: todoapp
+rules:
+- apiGroups: [""]
+  resources: ["pods", "secrets"]
+  verbs: ["list", "get"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: secret-reader-binding
+  namespace: todoapp
+subjects:
+- kind: ServiceAccount
+  name: secrets-reader
+roleRef:
+  kind: Role
+  name: secrets-reader-role
+  apiGroup: rbac.authorization.k8s.io

INSTRUCTION.MD

@@ -0,0 +1,34 @@
+# RBAC for TodoApp
+
+## 1. Create a Kubernetes cluster:
+```bash
+kubectl create cluster --config cluster.yml
+```
+
+## 2. Deploy the application and additional resources:
+```bash
+./bootstrap.sh
+```
+
+## 3. Wait for 1-2 minutes for all pods to initialize. Once ready, verify the pod statuses:
+```bash
+kubectl get pods -n todoapp
+```
+
+## 4. Connect to a pod:
+```bash
+kubectl exec <pod name> -it -n todoapp -- sh
+```
+
+## 5. Set Up and Execute the cURL Command:
+```bash
+SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+APISERVER=https://kubernetes.default.svc
+TOKEN=$(cat ${SERVICEACCOUNT}/token)
+CACERT=${SERVICEACCOUNT}/ca.crt
+
+curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/todoapp/secrets
+```
+
+## 6. Verify the Output.
+The response should include the details of the secrets in the todoapp namespace. 

bootstrap.sh

@@ -15,6 +15,8 @@ kubectl apply -f .infrastructure/app/nodeport.yml
 kubectl apply -f .infrastructure/app/hpa.yml
 kubectl apply -f .infrastructure/app/deployment.yml
 
+kubectl apply -f .infrastructure/security/rbac.yml
+
 # Install Ingress Controller
 kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
 # kubectl apply -f .infrastructure/ingress/ingress.yml