Aggregating ClusterRoles

Automagically aggregate rules into new ClusterRoles

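apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      aggregate-to-monitoring: "true"
rules: [] # filled in by the control plane; manual entries are overwritten
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: monitoring-endpoints
  labels:
    aggregate-to-monitoring: "true" # matched by the selector above
rules:
- apiGroups: [""]
  resources: ["services", "pods"]
  verbs: ["get", "list", "watch"]
# EndpointSlices are in the discovery.k8s.io API group, not the core group
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]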

Rules from ClusterRole monitoring-endpoints are aggregated into monitoring based on labels

Heavily used in builtin ClusterRoles

Demo

Inspect builtin ClusterRoles with aggregation

Create custom aggregation
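
Because any ClusterRole carrying a matching label has its rules merged into the aggregated role, the label works as a privilege grant and is worth reviewing. The script below is an added example, not part of the original slides: it lists which ClusterRoles feed each aggregated role and flags contributors with wildcards or access to secrets. It assumes input shaped like `kubectl get clusterroles -o json`, handles `matchLabels` only (not `matchExpressions`), and uses constructed sample data; the role `extra-secrets` and the `team` label are hypothetical.

```python
import json

# Constructed sample in the shape of `kubectl get clusterroles -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "monitoring"},
  "aggregationRule": {"clusterRoleSelectors": [
     {"matchLabels": {"aggregate-to-monitoring": "true"}}]},
  "rules": []},
 {"metadata": {"name": "monitoring-endpoints",
               "labels": {"aggregate-to-monitoring": "true"}},
  "rules": [{"apiGroups": [""], "resources": ["services", "pods"],
             "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "extra-secrets",
               "labels": {"aggregate-to-monitoring": "true", "team": "x"}},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
 {"metadata": {"name": "unrelated", "labels": {"team": "x"}},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get"]}]}
]}
""")

def selected(selector, labels):
    """True if every matchLabels pair is present on the role (AND within a selector)."""
    want = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in want.items())

def contributors(items):
    """Map each aggregated ClusterRole to the roles matching any of its selectors."""
    out = {}
    for agg in items:
        name = agg["metadata"]["name"]
        selectors = (agg.get("aggregationRule") or {}).get("clusterRoleSelectors") or []
        if selectors:
            out[name] = [r for r in items
                         if r["metadata"]["name"] != name  # skip the aggregate itself
                         and any(selected(s, r["metadata"].get("labels") or {})
                                 for s in selectors)]
    return out

def risky(role):
    """Return the role's rules that use a wildcard or touch secrets."""
    return [rule for rule in role.get("rules") or []
            if "*" in rule.get("verbs", []) + rule.get("resources", [])
            or "secrets" in rule.get("resources", [])]

def audit(items):
    """Per aggregated role: contributor name -> True if it has a risky rule."""
    return {agg: {r["metadata"]["name"]: bool(risky(r)) for r in roles}
            for agg, roles in contributors(items).items()}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE["items"]), indent=2))
```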