kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: readonly
rules:
  - apiGroups: [""]
    resources:
      - bindings
      - componentstatuses
      - configmaps
      - endpoints
      - events
      - limitranges
      - namespaces
      - nodes
      - persistentvolumeclaims
      - persistentvolumes
      - pods
      - podtemplates
      - replicationcontrollers
      - resourcequotas
      - serviceaccounts
      - services
    verbs: ["get", "list"]
  - apiGroups:
      - cert-manager.io
      - admissionregistration.k8s.io
      - apiextensions.k8s.io
      - apiregistration.k8s.io
      - apps
      - authentication.k8s.io
      - autoscaling
      - batch
      - certificaterequests.cert-manager.io
      - certificates.cert-manager.io
      - certificates.k8s.io
      - cloud.tencent.com
      - coordination.k8s.io
      - discovery.k8s.io
      - events.k8s.io
      - extensions
      - install.istio.io
      - metrics.k8s.io
      - monitoring.coreos.com
      - networking.istio.io
      - node.k8s.io
      - policy
      - rbac.authorization.k8s.io
      - scheduling.k8s.io
      - security.istio.io
      - storage.k8s.io
    resources: ["*"]
    verbs: ["get", "list"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: roc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: roc