Which statement about Roles and ClusterRoles is true?

• A. Roles grant cluster-wide permissions, while ClusterRoles grant namespace-level permissions.
• B. Roles are used only for pod-level access control.
• C. ClusterRoles are used for cluster-wide permissions and Roles for namespace-level permissions.
• D. ClusterRoles cannot be bound to users.

Answer: (C)

In Kubernetes RBAC, scope matters: Roles are defined per namespace, while ClusterRoles are defined cluster-wide. That means a Role controls permissions only inside its specific namespace, whereas a ClusterRole can grant access to resources across the entire cluster (including multiple namespaces and cluster-scoped resources). To apply these roles, you use RoleBinding to attach a Role to a subject within a namespace, or use ClusterRoleBinding to attach a ClusterRole to a subject across the whole cluster. You can also bind a ClusterRole in a single namespace by using a RoleBinding that references the ClusterRole, allowing the same set of permissions to be reused in many namespaces.

So the statement that ClusterRoles are used for cluster-wide permissions and Roles for namespace-level permissions is correct. The other options are off because roles are not limited to pod-level access, cluster roles can be bound to users (via ClusterRoleBinding or by binding ClusterRoles in a namespace), and Role cannot grant cluster-wide permissions by itself.