Why can't the cluster-reader ClusterRole access all resources in a cluster?
Issue
When using an account with the cluster-reader ClusterRole, it cannot access Secrets, EgressFirewall, ServiceMonitor and many other resource types.
Why is the definition of cluster-reader not:
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  name: view-all-the-things
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
Is there a security reason for not doing this?
Environment
- OpenShift Container Platform
- 4.x
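To see concretely why the two roles differ, the following added example (not code from the original article, and not the OpenShift or Kubernetes authorizer itself) evaluates RBAC PolicyRules the way kube-apiserver matches them: a request is allowed if any rule matches its API group, resource (with subresource), and verb, and nothing is ever subtracted. The wildcard role from the question therefore grants `get` on Secrets, which hold service account tokens and other credentials, while an explicit rule list grants only what it names. Everything in the block is constructed: `WILDCARD_READ` is the role proposed in the question, `CLUSTER_READER_LIKE` is a hand-picked stand-in for cluster-reader rather than its real rule list (read that with `oc describe clusterrole cluster-reader`), and the aggregation label is the one assumed here to be on cluster-reader's `aggregationRule` in OpenShift 4.x (confirm with `oc get clusterrole cluster-reader -o yaml`). The two operator ClusterRoles are invented to show how a CRD such as EgressFirewall becomes readable only when a labelled ClusterRole opts in to the aggregation.

```python
"""Minimal evaluator for Kubernetes RBAC PolicyRules and aggregated ClusterRoles.

Added example: not from the original article and not the real authorizer.
All roles, labels and resources below are constructed for illustration.
"""

Rule = dict  # a PolicyRule: {"apiGroups": [...], "resources": [...], "verbs": [...]}

CORE = ""  # the core API group ("" in RBAC; Secret, Pod, ConfigMap live here)

# The role proposed in the question: every resource in every API group.
WILDCARD_READ = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]},
]

# Constructed stand-in for cluster-reader: explicit resources only, and no
# rule that names "secrets" at all.
CLUSTER_READER_LIKE = [
    {"apiGroups": [CORE],
     "resources": ["pods", "pods/log", "namespaces", "nodes", "configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["*/scale"], "verbs": ["get"]},
]

# Assumed aggregation label; verify against the live cluster-reader object.
AGGREGATE_TO_CLUSTER_READER = "rbac.authorization.k8s.io/aggregate-to-cluster-reader"


def _resource_matches(rule_resource: str, resource: str, subresource: str) -> bool:
    """Mirror the matching kube-apiserver applies to PolicyRule.resources."""
    if rule_resource == "*":
        return True
    requested = f"{resource}/{subresource}" if subresource else resource
    if rule_resource == requested:
        return True
    # "*/status" style entries: any resource, one named subresource.
    return bool(subresource) and rule_resource == f"*/{subresource}"


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str,
                subresource: str = "") -> bool:
    """A single rule matches only if group, verb and resource all match."""
    group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    resource_ok = any(_resource_matches(r, resource, subresource)
                      for r in rule.get("resources", []))
    return group_ok and verb_ok and resource_ok


def allows(rules, api_group, resource, verb, subresource="") -> bool:
    """RBAC is purely additive: one matching rule anywhere is enough."""
    return any(rule_allows(r, api_group, resource, verb, subresource) for r in rules)


def aggregate(cluster_roles, selector_labels) -> list:
    """Union the rules of every ClusterRole whose labels contain selector_labels,
    which is what the aggregation controller does for an aggregationRule."""
    merged = []
    for cr in cluster_roles:
        labels = cr.get("labels", {})
        if all(labels.get(k) == v for k, v in selector_labels.items()):
            merged.extend(cr["rules"])
    return merged


# Constructed operator-shipped ClusterRoles; only one opts in to aggregation.
OPERATOR_ROLES = [
    {"name": "egressfirewall-reader",
     "labels": {AGGREGATE_TO_CLUSTER_READER: "true"},
     "rules": [{"apiGroups": ["k8s.ovn.org"], "resources": ["egressfirewalls"],
                "verbs": ["get", "list", "watch"]}]},
    {"name": "servicemonitor-reader",
     "labels": {},
     "rules": [{"apiGroups": ["monitoring.coreos.com"], "resources": ["servicemonitors"],
                "verbs": ["get", "list", "watch"]}]},
]


def effective_cluster_reader() -> list:
    """Base rules plus whatever labelled ClusterRoles the aggregation picks up."""
    return CLUSTER_READER_LIKE + aggregate(OPERATOR_ROLES, {AGGREGATE_TO_CLUSTER_READER: "true"})


if __name__ == "__main__":
    checks = [
        (CORE, "secrets", "get", ""),
        (CORE, "pods", "get", "log"),
        ("k8s.ovn.org", "egressfirewalls", "list", ""),
        ("monitoring.coreos.com", "servicemonitors", "list", ""),
    ]
    for group, res, verb, sub in checks:
        target = f"{group or 'core'}/{res}" + (f"/{sub}" if sub else "")
        print(f"{verb} {target}: wildcard={allows(WILDCARD_READ, group, res, verb, sub)} "
              f"cluster-reader-like={allows(effective_cluster_reader(), group, res, verb, sub)}")
```

On a real cluster the same questions are answered by `oc auth can-i get secrets --as=<user>` (or `oc auth can-i --list --as=<user>` for the full set), and a CRD that cluster-reader cannot see is usually one whose operator did not ship a ClusterRole carrying the aggregation label.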