I was trying to create a ClusterRole based on the default view
ClusterRole, and apply extra rules to the new ClusterRole. The problem is that the default system clusterRole view
does not have a unique label selector.
I would like to achieve something like:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-clusterrole
aggregationRule:
  clusterRoleSelectors:
    - selectors:
        metadata.name: "view"
rules:
  - apiGroups: ["*"] # "*" matches every API group; "" would indicate the core API group
    resources: ["deployments"]
    verbs: ["create", "delete"]

From the docs ClusterRole aggregation, we know that we can aggregate several ClusterRoles into one combined ClusterRole.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.example.com/aggregate-to-monitoring: "true"
rules: [] # The control plane automatically fills in the rules

refer to select-a-pod-by-name
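
An added example, not part of the original post: `clusterRoleSelectors` accepts only label selectors, so one way to get "view plus extra rules" is to select the label that the built-in `view` role itself aggregates on and to put the extra rules in a separate labelled ClusterRole. The name `deployment-clusterrole-extra` and the label `rbac.example.com/aggregate-to-deployment-clusterrole` are hypothetical, and the `apps` API group is assumed for Deployments.

```yaml
# Added example. Items marked "hypothetical" are assumptions, not from the post.

# 1) Carrier role: holds only the extra rules, plus a label to be selected by.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-clusterrole-extra        # hypothetical name
  labels:
    # hypothetical label, following the rbac.example.com pattern in the docs
    rbac.example.com/aggregate-to-deployment-clusterrole: "true"
rules:
  - apiGroups: ["apps"]                     # Deployments live in the "apps" group
    resources: ["deployments"]              # RBAC resource names are plural
    verbs: ["create", "delete"]
---
# 2) Aggregated role: the union of every ClusterRole matched by ANY selector.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-clusterrole
aggregationRule:
  clusterRoleSelectors:
    # The label the default "view" ClusterRole aggregates on, so this pulls in
    # the same component roles that make up "view".
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-view: "true"
    # The carrier role defined above.
    - matchLabels:
        rbac.example.com/aggregate-to-deployment-clusterrole: "true"
rules: []  # filled in by the control plane; rules written here are overwritten
```

After applying, `kubectl get clusterrole deployment-clusterrole -o yaml` shows the rules the control plane filled in. Any ClusterRole that carries the `aggregate-to-view` label, including ones installed later alongside CRDs, is merged into this role as well, so review the result before binding it.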