Why can't the cluster-reader ClusterRole access all resources in a cluster?

Solution Verified

Issue

When using an account bound to the cluster-reader ClusterRole, it cannot access Secrets, EgressFirewall, ServiceMonitor and many other resource types.

Why is the definition of cluster-reader not:

    apiVersion: authorization.openshift.io/v1
    kind: ClusterRole
    metadata:
      name: view-all-the-things
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs:
      - get
      - list

Is there a security reason for not doing this?
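To make the difference concrete, here is an added example (not Red Hat's code and not the API server's authorizer) that models Kubernetes RBAC rule matching and evaluates the wildcard role from the question against a constructed, explicitly enumerated read-only role; the second role and the request list are assumptions for illustration.

```python
# Added example (not Red Hat's code and not the API server's authorizer): a
# minimal model of Kubernetes RBAC rule matching, used to compare the wildcard
# role proposed in the question against a constructed allowlist role.

def rule_matches(rule, api_group, resource, verb):
    """True if a single PolicyRule allows `verb` on `api_group`/`resource`.
    As in the real authorizer, '*' in apiGroups, resources or verbs matches
    anything, and "" is the core API group (pods, secrets, nodes, ...)."""
    def listed(wanted, values):
        return "*" in values or wanted in values
    return (listed(verb, rule.get("verbs", []))
            and listed(api_group, rule.get("apiGroups", []))
            and listed(resource, rule.get("resources", [])))

def role_allows(role, api_group, resource, verb):
    """A role grants a request if any one of its rules matches (rules only add)."""
    return any(rule_matches(r, api_group, resource, verb) for r in role["rules"])

def wildcard_rules(role):
    """Audit helper: rules whose resources or apiGroups contain '*'. Such rules
    silently cover resource types that did not exist when the role was written."""
    return [r for r in role["rules"]
            if "*" in r.get("resources", []) or "*" in r.get("apiGroups", [])]

# The ClusterRole from the question, as a dict.
VIEW_ALL_THE_THINGS = {"name": "view-all-the-things", "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}]}

# Constructed allowlist role for comparison (hypothetical; not the real
# cluster-reader, whose rules you can read with `oc get clusterrole cluster-reader -o yaml`).
EXPLICIT_READER = {"name": "explicit-reader", "rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes", "namespaces"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}]}

# Constructed requests: core Secrets, the EgressFirewall CRD (OVN-Kubernetes
# group k8s.ovn.org), a plain Pod read, and a write that neither role grants.
REQUESTS = [("", "secrets", "get"), ("k8s.ovn.org", "egressfirewalls", "list"),
            ("", "pods", "get"), ("", "secrets", "delete")]

def compare(roles, requests=REQUESTS):
    """Map each request to {role name: allowed?} for every role given."""
    return {req: {role["name"]: role_allows(role, *req) for role in roles}
            for req in requests}

if __name__ == "__main__":
    for req, verdicts in compare([VIEW_ALL_THE_THINGS, EXPLICIT_READER]).items():
        print(f"{req[1]:>15} ({req[0] or 'core'}) {req[2]:<6} -> {verdicts}")
    print("wildcard rules in view-all-the-things:", wildcard_rules(VIEW_ALL_THE_THINGS))
```

The wildcard role reads Secrets and every CRD installed later, while the enumerated role reaches only what it names; `wildcard_rules` is the check to run over a role before binding it cluster-wide.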

Environment

  • OpenShift Container Platform
    • 4.x
