Automagically aggregate rules into new ClusterRoles
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      aggregate-to-monitoring: "true"
rules: []  # filled in automatically by the control plane
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-endpoints
  labels:
    aggregate-to-monitoring: "true"
rules:
- apiGroups: [""]
  resources: ["services", "pods"]
  verbs: ["get", "list", "watch"]
# EndpointSlice is served from the discovery.k8s.io API group, not the core group
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
Rules from ClusterRole monitoring-endpoints are aggregated into monitoring based on labels
Heavily used in builtin ClusterRoles: rbac.authorization.k8s.io/aggregate-to-(admin|edit|view)
Inspect builtin ClusterRoles with aggregation
Create custom aggregation
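Added example (not from the original slides): a small offline resolver that mirrors label-based aggregation and lists which ClusterRoles feed each aggregated role, flagging contributors that bring wildcard rules. Because any ClusterRole carrying the label contributes its rules, this is the view to review when auditing aggregation. The manifests are constructed sample data, the roles custom-extra and unrelated are hypothetical, and only matchLabels selectors are handled (matchExpressions are ignored).

```python
# Constructed sample manifests, as returned by `kubectl get clusterroles -o json`.
ROLES = [
    {"metadata": {"name": "monitoring"},
     "aggregationRule": {"clusterRoleSelectors": [
         {"matchLabels": {"aggregate-to-monitoring": "true"}}]},
     "rules": []},
    {"metadata": {"name": "monitoring-endpoints",
                  "labels": {"aggregate-to-monitoring": "true"}},
     "rules": [{"apiGroups": [""], "resources": ["services", "pods"],
                "verbs": ["get", "list", "watch"]}]},
    # Hypothetical role that opts in through the same label with a broad rule.
    {"metadata": {"name": "custom-extra",
                  "labels": {"aggregate-to-monitoring": "true"}},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
    {"metadata": {"name": "unrelated", "labels": {"team": "web"}},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"]}]},
]


def matches(selector, labels):
    """True if every matchLabels pair is present on the role's labels."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def resolve(roles):
    """Map each aggregated ClusterRole to its contributors and merged rules."""
    result = {}
    for role in roles:
        selectors = role.get("aggregationRule", {}).get("clusterRoleSelectors")
        if not selectors:
            continue  # not an aggregated role
        name = role["metadata"]["name"]
        sources = [r for r in roles
                   if r["metadata"]["name"] != name
                   and any(matches(s, r["metadata"].get("labels", {}))
                           for s in selectors)]
        # Contributors whose rules use "*" in verbs or resources deserve review.
        broad = [r["metadata"]["name"] for r in sources
                 if any("*" in rule.get("verbs", []) + rule.get("resources", [])
                        for rule in r.get("rules", []))]
        result[name] = {"sources": [r["metadata"]["name"] for r in sources],
                        "rules": [x for r in sources for x in r.get("rules", [])],
                        "wildcards": broad}
    return result


if __name__ == "__main__":
    for name, info in resolve(ROLES).items():
        print(name, "<-", info["sources"], "| wildcard contributors:", info["wildcards"])
```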