
Azure Kubernetes Service RBAC Reader

Azure Built-in Role

Role Information

Details and metadata

Role ID
7f6c6a51-bcf8-42ba-9220-52d62157d7db
Type
BuiltInRole
Last Updated (Azure)
2023-04-26 15:25:35

Change History

Track all modifications to this role

2023-04-26 15:25:35 Initial Scan
{
  "properties": {
    "roleName": "Azure Kubernetes Service RBAC Reader",
    "type": "BuiltInRole",
    "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/operationresults/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
          "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
          "Microsoft.ContainerService/managedClusters/apps/deployments/read",
          "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
          "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
          "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
          "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
          "Microsoft.ContainerService/managedClusters/batch/jobs/read",
          "Microsoft.ContainerService/managedClusters/configmaps/read",
          "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
          "Microsoft.ContainerService/managedClusters/endpoints/read",
          "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
          "Microsoft.ContainerService/managedClusters/events/read",
          "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
          "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
          "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
          "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
          "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
          "Microsoft.ContainerService/managedClusters/limitranges/read",
          "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
          "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
          "Microsoft.ContainerService/managedClusters/namespaces/read",
          "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
          "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
          "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
          "Microsoft.ContainerService/managedClusters/pods/read",
          "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
          "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
          "Microsoft.ContainerService/managedClusters/resourcequotas/read",
          "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
          "Microsoft.ContainerService/managedClusters/services/read"
        ],
        "notDataActions": []
      }
    ],
    "createdOn": "2020-07-02T17:53:05.572Z",
    "updatedOn": "2023-04-26T15:25:35.875Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db"
}

Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Azure Kubernetes Service RBAC Reader",
    "type": "BuiltInRole",
    "description": "Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/operationresults/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read",
          "Microsoft.ContainerService/managedClusters/apps/daemonsets/read",
          "Microsoft.ContainerService/managedClusters/apps/deployments/read",
          "Microsoft.ContainerService/managedClusters/apps/replicasets/read",
          "Microsoft.ContainerService/managedClusters/apps/statefulsets/read",
          "Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read",
          "Microsoft.ContainerService/managedClusters/batch/cronjobs/read",
          "Microsoft.ContainerService/managedClusters/batch/jobs/read",
          "Microsoft.ContainerService/managedClusters/configmaps/read",
          "Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read",
          "Microsoft.ContainerService/managedClusters/endpoints/read",
          "Microsoft.ContainerService/managedClusters/events.k8s.io/events/read",
          "Microsoft.ContainerService/managedClusters/events/read",
          "Microsoft.ContainerService/managedClusters/extensions/daemonsets/read",
          "Microsoft.ContainerService/managedClusters/extensions/deployments/read",
          "Microsoft.ContainerService/managedClusters/extensions/ingresses/read",
          "Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read",
          "Microsoft.ContainerService/managedClusters/extensions/replicasets/read",
          "Microsoft.ContainerService/managedClusters/limitranges/read",
          "Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read",
          "Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read",
          "Microsoft.ContainerService/managedClusters/namespaces/read",
          "Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read",
          "Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read",
          "Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read",
          "Microsoft.ContainerService/managedClusters/pods/read",
          "Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read",
          "Microsoft.ContainerService/managedClusters/replicationcontrollers/read",
          "Microsoft.ContainerService/managedClusters/resourcequotas/read",
          "Microsoft.ContainerService/managedClusters/serviceaccounts/read",
          "Microsoft.ContainerService/managedClusters/services/read"
        ],
        "notDataActions": []
      }
    ],
    "createdOn": "2020-07-02T17:53:05.572Z",
    "updatedOn": "2023-04-26T15:25:35.875Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "7f6c6a51-bcf8-42ba-9220-52d62157d7db"
}

Effective Permissions

Operations granted by this role (65 total)

Permission Patterns (from role definition)

Actions 4 patterns
Microsoft.Authorization/*/read Microsoft.Resources/subscriptions/operationresults/read Microsoft.Resources/subscriptions/read Microsoft.Resources/subscriptions/resourceGroups/read
Data Actions 31 patterns
Microsoft.ContainerService/managedClusters/apps/controllerrevisions/read Microsoft.ContainerService/managedClusters/apps/daemonsets/read Microsoft.ContainerService/managedClusters/apps/deployments/read Microsoft.ContainerService/managedClusters/apps/replicasets/read Microsoft.ContainerService/managedClusters/apps/statefulsets/read Microsoft.ContainerService/managedClusters/autoscaling/horizontalpodautoscalers/read Microsoft.ContainerService/managedClusters/batch/cronjobs/read Microsoft.ContainerService/managedClusters/batch/jobs/read Microsoft.ContainerService/managedClusters/configmaps/read Microsoft.ContainerService/managedClusters/discovery.k8s.io/endpointslices/read Microsoft.ContainerService/managedClusters/endpoints/read Microsoft.ContainerService/managedClusters/events.k8s.io/events/read Microsoft.ContainerService/managedClusters/events/read Microsoft.ContainerService/managedClusters/extensions/daemonsets/read Microsoft.ContainerService/managedClusters/extensions/deployments/read Microsoft.ContainerService/managedClusters/extensions/ingresses/read Microsoft.ContainerService/managedClusters/extensions/networkpolicies/read Microsoft.ContainerService/managedClusters/extensions/replicasets/read Microsoft.ContainerService/managedClusters/limitranges/read Microsoft.ContainerService/managedClusters/metrics.k8s.io/pods/read Microsoft.ContainerService/managedClusters/metrics.k8s.io/nodes/read Microsoft.ContainerService/managedClusters/namespaces/read Microsoft.ContainerService/managedClusters/networking.k8s.io/ingresses/read Microsoft.ContainerService/managedClusters/networking.k8s.io/networkpolicies/read Microsoft.ContainerService/managedClusters/persistentvolumeclaims/read Microsoft.ContainerService/managedClusters/pods/read Microsoft.ContainerService/managedClusters/policy/poddisruptionbudgets/read Microsoft.ContainerService/managedClusters/replicationcontrollers/read Microsoft.ContainerService/managedClusters/resourcequotas/read 
Microsoft.ContainerService/managedClusters/serviceaccounts/read Microsoft.ContainerService/managedClusters/services/read

Control Plane Operations (34)

Data Plane Operations (31)