Is your feature request related to a problem? Please describe.
When using the Terraform Kubernetes provider, our CD process needs to read cluster configuration with the minimal required rights. We observed failures on the Terraform plan when trying to read priorityClass resources, as these are cluster scoped. Currently, there is no cluster-wide reader built-in role defined.
Describe the solution you'd like
It may be beneficial to add the Azure Kubernetes Service RBAC Cluster Reader role with such permissions (it may be improved by excluding secrets):
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you read all resources in the cluster.",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [
        "Microsoft.ContainerService/managedClusters/*/read"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Kubernetes Service RBAC Cluster Reader"
}
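As an added example (not part of this issue), a small least-privilege lint for the proposed role: it checks that every action and dataAction is read-only, that Kubernetes Secrets are carved out via notDataActions, and that assignableScopes is narrower than the root "/", then produces a hardened copy. The secrets data action name Microsoft.ContainerService/managedClusters/secrets/read is the one excluded by the built-in AKS RBAC Reader role; the subscription id is a placeholder.

```python
"""Least-privilege lint for an Azure role definition (added example, not from the issue)."""
import copy

# Data action that grants read on Kubernetes Secrets (excluded by the built-in AKS RBAC Reader).
SECRETS_READ = "Microsoft.ContainerService/managedClusters/secrets/read"

# Role definition as proposed in the issue above (trailing comma removed so it parses).
PROPOSED_ROLE = {
    "assignableScopes": ["/"],
    "description": "Lets you read all resources in the cluster.",
    "permissions": [{
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Resources/subscriptions/operationresults/read",
            "Microsoft.Resources/subscriptions/read",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "notActions": [],
        "dataActions": ["Microsoft.ContainerService/managedClusters/*/read"],
        "notDataActions": [],
    }],
    "roleName": "Azure Kubernetes Service RBAC Cluster Reader",
}


def lint_reader_role(role: dict) -> list[str]:
    """Return findings that would make a 'reader' role broader than intended."""
    findings = []
    for scope in role.get("assignableScopes", []):
        if scope == "/":
            findings.append("assignableScopes contains root '/'; scope the role to a subscription or resource group")
    for perm in role.get("permissions", []):
        for key in ("actions", "dataActions"):
            for op in perm.get(key, []):
                if not op.endswith("/read"):  # wildcards like '*' or '.../write' widen beyond read
                    findings.append(f"{key} entry is not read-only: {op}")
        reads_all = any(op.endswith("/*/read") for op in perm.get("dataActions", []))
        if reads_all and SECRETS_READ not in perm.get("notDataActions", []):
            findings.append("dataActions reads every namespaced resource, Secrets included; add notDataActions " + SECRETS_READ)
    return findings


def harden(role: dict, subscription_id: str) -> dict:
    """Copy of the role scoped to one subscription with Secrets excluded (placeholder id)."""
    hardened = copy.deepcopy(role)
    hardened["assignableScopes"] = [f"/subscriptions/{subscription_id}"]
    for perm in hardened["permissions"]:
        if SECRETS_READ not in perm.setdefault("notDataActions", []):
            perm["notDataActions"].append(SECRETS_READ)
    return hardened
```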
Describe alternatives you've considered
Create such a custom role definition manually.