A ClusterRoleBinding grants permissions to a user, but the user is unable to perform the action. What is a possible cause?
If the subject (user) is incorrectly specified, the binding will not apply to the intended user.
Why this answer
A ClusterRoleBinding grants permissions to a user by specifying a subject (user, group, or ServiceAccount) and a ClusterRole. If the subject's name is misspelled or the `kind` field is missing (e.g., omitted `kind: User`), Kubernetes cannot match the binding to the actual user attempting the action. This results in the user having no effective permissions, even though the ClusterRole itself may be correctly defined.
Exam trap
The trap here is that candidates assume the ClusterRole itself is the problem (Option B) or that namespace-scoped bindings can override cluster-scoped ones (Option D), when the real issue is a mismatch between the subject in the binding and the actual user identity.
How to eliminate wrong answers
Option B is wrong because if the ClusterRole lacks the required rules, the user would correctly be denied, but the question states the ClusterRoleBinding grants permissions — implying the binding exists but fails to apply. Option C is wrong because an incorrect kubeconfig context would prevent the user from authenticating or targeting the correct cluster, not specifically cause a ClusterRoleBinding to fail; the binding itself is still valid. Option D is wrong because a RoleBinding in a namespace cannot override a ClusterRoleBinding; RoleBindings and ClusterRoleBindings are additive, and if a ClusterRoleBinding grants a permission, a RoleBinding cannot revoke it — the user would still have the permission from the ClusterRoleBinding.