Add a view only permission role

[timsanwald]

Describe the feature

Currently theres only TenantOwner as a concept. I would like to add one more role which is the TenantReader which gets only viewing permissions to all tenant resources. Theres often Auditor/Operatore roles which needs viewing access to the cluster resources but should not necessary be a Tenant Owner. Another field in the Tenant resource would make it simpler to setup and maintain these roles.

What would the new user story look like?

Tenant CRD gets a new entry "readers" which acts like the "owners" attribute but grants only viewing permissions on the tenant resources.

[prometherion]

Isn't this already possible with the AdditionalRoleBinding field in the Tenant specification?

[oliverbaehler]

Yeas correct, we are also redesigning the whole permission approach in upcoming releases you should use Replications to distribute namespaced viewing capabilities

[niuxe]

The issue, if it's the same as I've noticed, is that AdditionalRoleBining doesn't create a ClusterRoleBinding, and some operators require RBAC to resources at cluster scope. In those cases it's required to make a ClusterRoleBinding.

But, as @oliverbaehler mentioned, it's in the works to support this.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.