# Kubernetes RBAC ClusterRole "istio-reader-clusterrole-istio-system", written as a
# Nix attribute set. Most rules are read-only (get/list/watch); the exceptions are
# marked below. A ClusterRole only defines permissions: who receives them, and whether
# they apply cluster-wide or per namespace, is decided by the ClusterRoleBinding or
# RoleBinding that references this name. No binding is visible in this file.
{
  apiVersion = "rbac.authorization.k8s.io/v1";
  kind = "ClusterRole";
  metadata = {
    labels = {
      app = "istio-reader";
      release = "istio-istiod";
    };
    name = "istio-reader-clusterrole-istio-system";
  };
  rules = [
    # Read-only access to every resource in the listed Istio API groups.
    # resources = ["*"] also matches resource types added to these groups later.
    {
      apiGroups = ["config.istio.io" "security.istio.io" "networking.istio.io" "authentication.istio.io" "rbac.istio.io"];
      resources = ["*"];
      verbs = ["get" "list" "watch"];
    }
    # Read-only access to core ("" API group) workload and topology objects.
    # NOTE(review): "secrets" is in this list. get/list/watch on secrets returns the
    # secret data itself, and through a ClusterRoleBinding that covers every
    # namespace. Confirm that each subject bound to this role needs it, and make
    # sure API audit logging records secret reads by those identities.
    {
      apiGroups = [""];
      resources = ["endpoints" "pods" "services" "nodes" "replicationcontrollers" "namespaces" "secrets"];
      verbs = ["get" "list" "watch"];
    }
    # Read-only access to WorkloadEntry objects. The first rule already grants the
    # same verbs on "*" in networking.istio.io, so this rule adds no permission.
    {
      apiGroups = ["networking.istio.io"];
      resources = ["workloadentries"];
      verbs = ["get" "watch" "list"];
    }
    # Read-only access to Gateway objects in both listed gateway API groups.
    {
      apiGroups = ["networking.x-k8s.io" "gateway.networking.k8s.io"];
      resources = ["gateways"];
      verbs = ["get" "watch" "list"];
    }
    # Read-only access to CustomResourceDefinitions.
    {
      apiGroups = ["apiextensions.k8s.io"];
      resources = ["customresourcedefinitions"];
      verbs = ["get" "list" "watch"];
    }
    # Read-only access to EndpointSlices.
    {
      apiGroups = ["discovery.k8s.io"];
      resources = ["endpointslices"];
      verbs = ["get" "list" "watch"];
    }
    # ServiceExport: the only rule here that can create and delete persistent objects.
    # NOTE(review): a role named "reader" that can create/delete ServiceExports is
    # easy to misjudge in an access review; treat it as read access plus this write.
    {
      apiGroups = ["multicluster.x-k8s.io"];
      resources = ["serviceexports"];
      verbs = ["get" "list" "watch" "create" "delete"];
    }
    # Read-only access to ServiceImports.
    {
      apiGroups = ["multicluster.x-k8s.io"];
      resources = ["serviceimports"];
      verbs = ["get" "list" "watch"];
    }
    # Read-only access to ReplicaSets in the "apps" group.
    {
      apiGroups = ["apps"];
      resources = ["replicasets"];
      verbs = ["get" "list" "watch"];
    }
    # "create" on TokenReview lets the holder submit a token to the API server for
    # validation. No read or list verb is granted on this resource.
    {
      apiGroups = ["authentication.k8s.io"];
      resources = ["tokenreviews"];
      verbs = ["create"];
    }
    # "create" on SubjectAccessReview lets the holder ask the API server whether a
    # given subject is authorized for an action. It can query authorization
    # decisions for arbitrary subjects, so keep the set of bound identities small.
    {
      apiGroups = ["authorization.k8s.io"];
      resources = ["subjectaccessreviews"];
      verbs = ["create"];
    }
  ];
}